Email spam filters are constantly evolving to combat new threats. While traditional filters primarily focused on text, links, and attachments, the rise of sophisticated phishing techniques, particularly those involving QR codes embedded in images, has introduced new challenges. The core issue is that many older or less advanced filters are not equipped to read or interpret content within images, making QR codes a disproportionately effective way to bypass detection.
Key findings
Evasion: QR codes embedded in images are highly effective at bypassing many anti-spam filters because these filters are not designed to recognize or process content within images.
Resource Intensity: Scanning images for malicious content, especially extracting and analyzing QR codes, is a computationally expensive process that not all filter providers can afford to implement broadly.
Trust Exploitation: Scammers exploit legitimate, DMARC-passing platforms (like Eventbrite) to send phishing emails with malicious QR codes, leveraging the platforms' good sender reputation to bypass initial checks. You can read more about how DMARC works in our simple guide to DMARC, SPF, and DKIM.
Evolving Detection: While many traditional filters struggle, advanced security solutions (such as Microsoft Defender for Office 365) are increasingly incorporating capabilities to detect and block QR code-based phishing attacks. Microsoft has blocked millions of such emails.
Image-to-text Ratio: While QR codes present a specific challenge, a high image-to-text ratio in emails can generally increase spam scores and affect deliverability.
Key considerations
User Education: Since filters may not catch all QR code scams, educating recipients about the risks of scanning unknown QR codes is crucial. The FTC provides guidance on QR code scams.
Platform Responsibility: Email sending platforms that allow users to embed images and QR codes should implement stronger content due diligence to prevent abuse.
Layered Security: Relying solely on email filters is insufficient. Browser-based security warnings for malicious websites also serve as a vital last line of defense.
Holistic Deliverability: While image content scanning is a factor, overall email deliverability is influenced by sender reputation, authentication (SPF, DKIM, DMARC), and engagement metrics. Understanding why your emails are going to spam requires a comprehensive approach.
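As an added illustration (not code from this page or from any filter vendor), here is one way a filter could act on the resource-intensity and image-to-text points above: a cheap MIME pass that measures visible text, text links and image parts, and routes only image-dominant or link-free messages to the expensive image/QR decoding stage. The 200-character threshold, the function names and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def build(html, image=None):
    """Build a constructed sample message; every value here is made up."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "events@example.com", "user@example.org"
    msg["Subject"] = "Action required"
    msg.set_content(html, subtype="html")
    if image is not None:
        msg.add_related(image, maintype="image", subtype="png", cid="<qr1>")
    return msg.as_bytes()

def triage(raw, min_text_chars=200):
    """Cheap pre-filter: decide whether a message needs image/QR decoding.

    min_text_chars is an assumed threshold, not a value from any real filter.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    text_chars, urls, images, image_bytes = 0, set(), 0, 0
    for part in msg.walk():
        maintype = part.get_content_maintype()
        if maintype == "text":
            body = part.get_content()
            urls.update(URL_RE.findall(body))          # links a text filter can see
            visible = TAG_RE.sub(" ", body)            # drop HTML tags
            text_chars += len("".join(visible.split()))
        elif maintype == "image":
            images += 1
            image_bytes += len(part.get_content())     # decoded image size
    # Image present, and either no analyzable link or too little text to judge.
    needs_scan = images > 0 and (not urls or text_chars < min_text_chars)
    return {"images": images, "image_bytes": image_bytes,
            "text_chars": text_chars, "urls": sorted(urls),
            "needs_image_scan": needs_scan}

PLACEHOLDER_PNG = b"\x89PNG constructed placeholder bytes"
IMAGE_ONLY = build('<p>Scan to verify your account.</p><img src="cid:qr1">',
                   PLACEHOLDER_PNG)
NEWSLETTER = build("<p>" + "Monthly product news and release notes. " * 10 +
                   '</p><a href="https://example.com/news">Read more</a>'
                   '<img src="cid:qr1">', PLACEHOLDER_PNG)

if __name__ == "__main__":
    for name, raw in (("image-only", IMAGE_ONLY), ("newsletter", NEWSLETTER)):
        print(name, triage(raw))
```

Only the image-only sample is flagged for the costly decoding stage; the newsletter, with ample text and a link that ordinary URL analysis can already inspect, is not.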
What email marketers say
Email marketers are increasingly aware of the evolving landscape of spam filtering, particularly concerning images and QR codes. While some acknowledge that certain filters do scan image content, there's a general consensus that QR codes in images pose a unique challenge due to filters' inability to easily parse their embedded links. Marketers also highlight the concerning trend of scammers leveraging legitimate platforms to send malicious content.
Key opinions
Varied Scanning: Some email marketers believe that while some filters scan images, it's not a universal or consistently effective practice.
QR Code Effectiveness: Many marketers note that QR codes are surprisingly effective at bypassing filters, often leading to legitimate-looking phishing attempts.
Platform Abuse: There's concern among marketers about how easily scammers can exploit established sending platforms like Eventbrite or QuickBooks to send malicious emails, even with proper email authentication like BIMI in place.
Cost Barrier: The sentiment is that extensive image scanning for malicious content is likely too expensive for many email providers to implement widely.
Focus on Text: Marketers often observe that emails with significant image content, especially if lacking accompanying text, are more prone to being flagged than text-based emails, suggesting filters still prioritize text analysis. For more on this, check out our guide on whether images in emails cause spam.
Key considerations
Sender Reputation: Maintaining a strong sender reputation is paramount. Even if image content isn't fully scanned, a poor reputation can lead to emails being blocklisted or sent to spam. Learn about understanding your email domain reputation.
Content Balance: Marketers should strive for a healthy balance between image and text content to optimize deliverability, as image-only emails can raise red flags for spam filters.
Beyond the Inbox: The ultimate mitigation for QR code scams might occur at the browser level, where warnings prevent users from accessing malicious sites even if the email got through.
Vigilance for New Threats: The emergence of quishing (QR code phishing) underscores the need for marketers to stay informed about evolving spam and phishing tactics.
Marketer view
Marketer from Email Geeks observes that image-heavy scam emails can bypass filters, even with authentication like BIMI, suggesting text-based content would be caught. This highlights a gap in current filter capabilities for visual content.
25 Aug 2024 - Email Geeks
Marketer view
Marketer from Email Geeks states that image scanning by spam filters is not universal, with some performing it and others not. This variability makes it challenging for senders to predict how their image-heavy emails will be handled.
25 Aug 2024 - Email Geeks
What the experts say
Email deliverability experts offer a nuanced perspective on image and QR code scanning. While acknowledging that some level of image scanning occurs, they emphasize the technical and cost challenges involved in comprehensive analysis. Experts also highlight that legitimate platforms with strong authentication are less likely to have their content deeply scrutinized, which unfortunately creates an opening for sophisticated phishing attempts.
Key opinions
Diverse Scanning Methods: Experts confirm that images are indeed scanned, but through various methods, indicating a complex and evolving approach to visual content analysis.
Cost vs. Benefit: The consensus is that deep image scanning is expensive, which means many email providers prioritize other, less resource-intensive filtering methods.
QR Code Blind Spot: Many filters are not natively designed to parse QR codes, making them a significant blind spot for traditional detection mechanisms.
Reputation's Role: For senders with high volume and strong email authentication (like DMARC), filters may perform less granular content analysis, trusting the sender's established reputation. Read about how to safely transition your DMARC policy.
Evolving Threats: The rise of QR code phishing highlights the continuous 'cat-and-mouse' game between attackers and security providers, necessitating constant adaptation in detection strategies.
Key considerations
Integrated Security: A robust security posture involves multiple layers of defense. Even if an email filter misses a malicious QR code, other systems (like web browsers) can still intervene to protect the user.
Vendor Accountability: Email sending platforms have a responsibility to implement stronger content vetting, especially for user-generated content that could host malicious QR codes or images.
Beyond Content Analysis: While image content is a factor, broader deliverability issues often stem from sender reputation, proper email authentication (SPF, DKIM, DMARC), and adherence to sending best practices. Our Email Deliverability Issues article explores this further.
Adapting Strategies: Email marketers must adapt their strategies to account for the limitations of current filters and the ingenuity of attackers. This might include favoring more text-based content or clearly labeling images.
Expert view
Deliverability expert from Email Geeks confirms that email filters employ diverse methods and technologies to scan images for various types of malicious content or indicators. This suggests a continuous arms race in detection.
25 Aug 2024 - Email Geeks
Expert view
Email security expert from Spamresource.com explains that traditional filters often fail to detect QR code phishing because these attacks lack the usual indicators, such as direct links or suspicious attachments. This makes QR codes a unique challenge.
15 Mar 2025 - Spamresource.com
What the documentation says
Official documentation and research outlets reveal that while email filters are becoming more sophisticated, parsing image content and QR codes for malicious intent remains a significant hurdle. The visual nature of QR codes makes them inherently difficult for traditional text-based filters to analyze, forcing security providers to develop new, resource-intensive technologies. This ongoing challenge means that a layered approach to email security is crucial.
Key findings
Inherent Blindness: Many email filters are not designed to read (parse) QR codes or other image content, making them highly effective for bypassing traditional security checks.
Rendering Requirement: QR codes are only readable after being rendered, which means they are opaque to filters in the mail flow until a user interacts with them, making proactive detection difficult.
Advanced Solutions Emerge: Despite the challenges, leading security providers are developing and deploying advanced technologies capable of detecting and blocking QR code-based phishing attacks. Learn more about general technical solutions to boost email deliverability.
Shifting Attack Vector: The move to QR code phishing (quishing) signifies attackers adapting to bypass traditional text and link analysis.
Initial Appearance Deceptive: A QR code initially appears as a benign image without suspicious text or links, making it challenging for rule-based filters to flag. You can also review if specific keywords trigger spam filters.
Key considerations
Continuous Innovation: Security providers must continuously innovate their detection capabilities to keep pace with new evasion techniques, especially those leveraging visual content.
Integrated Security Layers: Organizations should implement multi-layered security solutions that combine email filtering with endpoint protection and browser-based safeguards.
AI and Machine Learning: Advanced solutions increasingly rely on AI and machine learning to analyze image content and detect anomalies that traditional filters miss.
Threat Intelligence: Staying updated on the latest threat intelligence, including emerging phishing trends like QR code attacks, is crucial for both security vendors and end-users.
Technical article
Documentation from Cisco Talos Blog highlights that QR codes are remarkably effective at circumventing anti-spam filters because many are not equipped to detect their presence within images. This indicates a fundamental gap in older filtering architectures.
05 Oct 2023 - Cisco Talos Blog
Technical article
Documentation from Malwarebytes notes that email filters typically analyze links in text, but often overlook QR codes embedded as images, which allows them to bypass detection. This highlights the difference in how text and visual content are processed.