An email arrives that looks like a multi-factor authentication prompt or a shared document notification. It contains a benign-looking QR code. The user is trained to check URLs—but a QR code hides the destination. They scan it with their personal phone, which lacks the corporate email security filter. The phone opens a perfect replica of the Microsoft 365 login page. The user enters their credentials. The attacker now has them.
Instead of sending a phishing email, they send a Teams message, a Slack DM, a LinkedIn InMail, or even a voicemail (vishing). They know that many organizations’ security awareness training is email-centric. By shifting to collaboration tools or phone calls, the attacker exploits a training gap. The user has been conditioned to suspect strange emails but has no framework for the urgent SMS from “IT Support” asking for their MFA code. This channel outflank renders the entire email simulation library irrelevant. A core tenet of Terranova training is: Don’t click links in unsolicited emails. Attackers now craft lures with no links at all . outflank terranova security
End of feature.
But in cybersecurity, no fortress is impregnable. Attackers have stopped trying to break down the front door. Instead, they are learning to outflank the very assumptions Terranova’s training is built upon. An email arrives that looks like a multi-factor
Instead, the email says: “Please reply to this message to confirm your approval for invoice #4421.” The user replies. The attacker then engages in a conversational, low-and-slow confidence scam, eventually extracting credentials or payment details via a clean, manually typed URL. Because there was no initial malicious link, the simulation never happened. The attacker didn’t need to trick the click; they tricked the conversation. Perhaps the most elegant outflank of Terranova’s desktop-focused training is the rise of QR code phishing . They scan it with their personal phone, which