In a recent blog post, KnowBe4 reported that it has “uncovered an emerging advanced phishing campaign targeting Microsoft 365 users globally to steal their credentials. The attackers are wielding a powerful new tool that’s completely changing the game for cybercriminals—turning what used to be complex, technical phishing setups into simple one-click launches that can bypass certain technical controls.”

The tool is called “Quantum Route Redirect” KnowBe4 has observed attacks using Quantum Route Redirect since August 2025, and a new phishing kit is for sale that “comes with a pre-configured set up and phishing domains that significantly simplifies a once technically complex campaign flow, further ‘democratizing’ phishing for less skilled cybercriminals.”

The threat actors start the campaign with a phishing email using:

  • Docusign and other service agreement impersonation;
  • Payroll impersonation;
  • Payment notification emails;
  • “Missed voicemail messages”; and
  • QR code phishing (quishing)

Once the victim clicks on the malicious message, the threat actors download Quantum Route Redirect to host credential harvesting pages to attempt to steal credentials from users to be used to attack the victim company. As of the date of the blog post, KnowBe4 had identified approximately 1,000 domains hosting the tool.

One important observation is that there will soon be an upgrade for the kit “that will include QR code generation capabilities to enable Quantum Route Redirect users to significantly scale quishing attacks linked to the campaign.” We have been warning readers about malicious QR code attacks for several years, and these attacks continue to be effectively used by threat actors. KnowBe4’s prediction that threat actors will be able to “significantly scale” QRishing attacks using the Quantum Route Redirect tool emphasizes the continued need to educate users on the risk of QR codes and the technology behind QR codes so users will understand to never click on a QR code presented in an email.

The KnowBe4 blog post outlines the details of how threat actors are effectively using Quantum Route Redirect, which is helpful in developing user education materials. It is a good reminder to all of us to continue to be vigilant about suspicious requests contained in emails.