Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems.
Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents. Victims are prompted to scan these codes using their mobile devices, a tactic that cleverly shifts the attack vector to endpoints that lie outside organizational visibility, such as personal smartphones.
This approach allows attackers to bypass security systems like secure email gateways (SEGs) and endpoint detection tools, which often do not scrutinize mobile device traffic. The attack typically begins with a phishing email that includes a PDF file mimicking official corporate communication. These decoys are crafted to resemble HR notifications, employee handbooks, or onboarding documents, complete with logos, tables of contents, and multiple pages to avoid signature-based detection tools.
Scanception Quishing Campaign: Over 600 Unique Lures in Three Months
CRIL’s analysis over three months uncovered over 600 distinct phishing PDFs and emails tied to the Scanception campaign. Shockingly, nearly 80% of these files had zero detections on VirusTotal at the time of their discovery. These documents are not randomly distributed; instead, they are precision-targeted based on industry verticals, geographic location, and user roles.
This quishing campaign has a global reach throughout the tracking period, affecting organizations in over 50 countries, with high activity concentrations in North America, EMEA (Europe, the Middle East, and Africa), and the APAC region. The sectors most impacted include technology, healthcare, manufacturing, and BFSI (banking, financial services, and insurance), industries known for their data sensitivity and high-value targets.
Credential Theft via AITM Phishing Infrastructure
The end goal of Scanception is credential harvesting. The embedded QR codes lead to adversary-in-the-middle (AITM) phishing pages, often designed to impersonate Microsoft Office 365 login portals. These pages collect user credentials in real-time and use advanced techniques to bypass security measures such as multi-factor authentication (MFA).
Once credentials are entered, the attacker’s infrastructure captures the data using tools like randroute and randexp.min.js, which dynamically generate URLs to evade signature-based detection. The phishing pages also employ browser fingerprinting and detect debugging tools like Selenium and Burp Suite. If such tools are identified, the attack immediately halts by redirecting to a blank or legitimate webpage.
This dynamic infrastructure maintains an open communication channel with the attacker, potentially prompting for secondary authentication details like 2FA codes or one-time passwords (OTPs), enabling full session hijacking and long-term access to compromised accounts.
Abuse of Trusted Platforms and Redirection Techniques
One of Scanception’s most insidious strategies involves the abuse of trusted redirection services and reputable cloud-hosting platforms. The campaign has misused services such as YouTube, Google, Bing, Cisco, Medium, and even email protection vendors to host or relay phishing infrastructure. This tactic not only masks the attack behind seemingly legitimate URLs but also helps in evading content and reputation-based security filters.
Examples include:
- Redirect URLs embedded in Google search links
- Medium articles containing hidden redirect links
- Cisco-secure URLs redirecting to phishing pages
- Email security links that lead victims to fake login portals
By embedding malicious payloads behind such domains, attackers bypass security measures that typically whitelist these platforms.
Evolution of Tactics and Continued Activity
Scanception is not a static operation; it is adapting and changing rapidly. Initial versions of the decoy PDFs were single-page documents. Newer versions now include multiple pages, structured content, and advanced visual designs to enhance credibility. Some phishing pages now feature multi-stage harvesting and dynamic evasion techniques, including right-click disablement and real-time debugging detection.
Scanception is a new and advanced player in phishing, blending social engineering with technical evasion to exploit QR codes, trusted platforms, and unmanaged mobile devices. With over 600 unique lures identified in just 90 days, most undetected by threat engines, it highlights how attackers bypass security and target users beyond traditional perimeters.
