Microsoft QR Code Scam: What It Is and What to Do

You received a QR code — in an email, a Microsoft Teams message, or a browser pop-up — claiming to be from Microsoft. It asked you to scan to verify your account, update your subscription payment, or get help with a security alert. The critical fact: Microsoft never sends QR codes for account security or IT support. If you saw one, you were looking at a scam. Here is what happened and exactly what to do right now.

How the Microsoft QR code scam works

Attackers impersonate Microsoft through three primary channels. Each exploits the trust people place in Microsoft's software and brand — and each uses a QR code to bypass the URL-scanning filters that catch ordinary phishing links.

1. Phishing emails impersonating Microsoft 365

The most common variant is an email that looks exactly like a Microsoft 365 security alert or subscription notice. The subject line might read "Action required: re-authenticate your account" or "Your Microsoft 365 subscription payment failed." Instead of a clickable link — which email filters often catch — the message contains a QR code with instructions to scan it to resolve the issue.

Scanning the code opens a convincing Microsoft login page in your phone's browser. When you enter your email and password, the attacker captures those credentials instantly. With your Microsoft account compromised, they can access Outlook, OneDrive, Teams, and any Microsoft 365 apps tied to that login — including, in a work context, your entire organization's shared files and email.

2. Microsoft Teams messages from compromised accounts

Teams is increasingly used as a phishing channel because messages from external contacts look official and employees expect to receive links and files there. Attackers — often using accounts compromised at another organization — send a Teams message to employees at a target company. The message claims to be from IT support or a Microsoft partner and asks the recipient to scan a QR code to verify their identity, complete multi-factor authentication setup, or access a shared document.

Because the message arrives inside a tool people already use for work, and because it may appear to come from a real (if unfamiliar) colleague at an external organization, recipients are less likely to question it. Scanning the QR code leads to a fake Microsoft login page or installs a remote-access tool on the victim's phone.

3. Fake Windows Defender browser pop-ups

A browser window suddenly fills the screen with a warning styled like Windows Security or Microsoft Defender. It claims the computer is infected, that personal data is being stolen, or that the Microsoft account has been compromised. The pop-up displays a QR code with instructions to scan it to reach Microsoft support — or a phone number to call immediately.

This is scareware. Microsoft Defender never communicates through browser pop-ups, and Microsoft support never initiates contact this way. Scanning the QR code typically opens a page that installs remote-access software (such as AnyDesk or TeamViewer), hands the attacker control of the victim's computer, and leads to a demand for payment to "fix" the fabricated problem. This is the hallmark of the tech support QR code scam.

Why QR codes make this scam more effective

Traditional phishing links are caught by email security gateways and browser filters. A QR code displayed in an email image bypasses those tools entirely — the filter sees a picture, not a URL. The victim's phone, which may have weaker security controls than a corporate laptop, processes the code and opens the destination. By shifting the attack to the phone, the attacker also sidesteps endpoint detection software running on work computers.

Security researchers call this technique "quishing" — QR phishing. It is one of the fastest-growing attack vectors in corporate environments precisely because it bypasses filters that catch ordinary phishing attempts.

What to do right now

Act quickly. The window to limit damage is short.

  1. Change your Microsoft account password immediately. Go to account.microsoft.com by typing the address directly — do not click any links in the suspicious message. Change your password before the attacker locks you out.
  2. Review recent sign-in activity. In your Microsoft account, go to Security → Sign-in activity. Look for sessions from unfamiliar locations or devices and sign them out. For Microsoft 365 work accounts, contact your IT department immediately — they have tools to revoke sessions across all apps.
  3. Enable or strengthen multi-factor authentication. Go to account.microsoft.com → Security → Advanced security options and enable an authenticator app if you haven't already. An SMS code is better than nothing, but an authenticator app (Microsoft Authenticator, Google Authenticator) is significantly stronger.
  4. If a pop-up told you to call a number, do not call it. Close the browser. If the window won't close, press Ctrl+Shift+Esc to open Task Manager and end the browser process. Run a scan with Windows Security (the real one, from the Start menu) to check for any software installed during the interaction.
  5. If you installed remote-access software, disconnect immediately. If you downloaded and ran anything — AnyDesk, TeamViewer, Quick Assist, or similar — disconnect from the internet, uninstall the program, and have an IT professional review the machine before using it again for anything sensitive.
  6. Report the phishing attempt. Forward the email to phish@office365.microsoft.com or use the "Report" button in Outlook. Report the scam to the FTC at reportfraud.ftc.gov.

How to protect yourself going forward

  • Microsoft never sends QR codes for account security. Any QR code in a message claiming to be from Microsoft — for login, payment, security alerts, or IT support — is fraudulent. For real account issues, type account.microsoft.com directly into your browser.
  • Check the sender's email domain. Legitimate Microsoft email comes from microsoft.com domains. Addresses like "microsoft-support@outlook.com" or domains with hyphens and extra words are spoofed.
  • Be suspicious of Teams messages from external contacts. If an unknown external contact asks you to scan a QR code or click an urgent link, verify with your IT department before acting. Legitimate Microsoft partners don't initiate IT support via unsolicited Teams messages.
  • Scan QR codes with QRsafer before opening them. QRsafer inspects the destination URL for phishing signals and gives you a Safe, Risky, or Dangerous verdict — so you know what a code leads to before it loads in your browser.
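The domain checks from the list above, written out as an added Python example (not QRsafer's or Microsoft's code). The function names and the one-entry allowlist are assumptions for illustration, and the sample inputs are constructed.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the allowlist holds only the domain the article names.
TRUSTED_DOMAINS = ("microsoft.com",)


def host_is_trusted(host: str) -> bool:
    """True only for a trusted domain itself or a true subdomain of it."""
    host = host.strip().rstrip(".").lower()
    try:
        # Normalise to ASCII so a look-alike Unicode host becomes xn--... and fails.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def url_is_trusted(url: str) -> bool:
    """Check a URL decoded from a QR code before anything opens it."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False  # plain http, or a trusted name placed before "@"
    return host_is_trusted(host)


def sender_is_trusted(from_header: str) -> bool:
    """Judge the address in a From header, ignoring the display name."""
    _display_name, address = parseaddr(from_header)
    return host_is_trusted(address.rpartition("@")[2])


# Constructed samples: reserved .example names plus the address quoted above.
if __name__ == "__main__":
    for url in ("https://account.microsoft.com/",
                "https://microsoft.com.verify-login.example/",
                "https://account.microsoft.com@login.example/",
                "https://m\u0456crosoft.com/"):  # Cyrillic look-alike letter
        print(url_is_trusted(url), url.encode("ascii", "backslashreplace").decode())
    for sender in ('"Microsoft account team" <microsoft-support@outlook.com>',
                   "Microsoft <no-reply@microsoft.com>"):
        print(sender_is_trusted(sender), sender)
```

A passing sender check only means the visible address is on the allowlist. The From header itself can be forged, so this does not replace the SPF, DKIM and DMARC results your mail system records.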

Frequently asked questions

Does Microsoft ever send QR codes for account security?

No. Microsoft does not send unsolicited QR codes to verify your account, update payment information, or fix a security issue. If you receive an email, Teams message, or see a pop-up with a QR code claiming to be from Microsoft, it is a scam. For legitimate account issues, go directly to account.microsoft.com by typing the address yourself.

I entered my Microsoft password on a page I reached via a QR code. What do I do?

Change your Microsoft account password immediately at account.microsoft.com. Then go to the Security section and review recent sign-in activity — sign out any sessions you don't recognize. Enable two-factor authentication if it isn't already on. If you use the same password anywhere else, change it there too. For Microsoft 365 work accounts, also alert your IT administrator so they can audit access.

A Windows Defender pop-up told me to scan a QR code to get support. Is it real?

No. Windows Defender (Microsoft Defender) never displays a QR code and never asks you to call a support number or scan a code to fix a problem. Pop-ups like this are browser-based scareware designed to make you call fake technicians or install remote-access software. Close the browser window (use Task Manager if it won't close), run a real scan with Windows Security, and do not call any number displayed in the pop-up.

Check any QR code before you scan it

QRsafer inspects a QR code's destination for phishing signals and gives you a verdict — Safe, Risky, or Dangerous — before the page loads. Free on iOS and Android.
