Office 365 sign-in portal | Image: CRIL
Cyble Research and Intelligence Labs (CRIL) has uncovered an ongoing global phishing campaign that weaponizes QR codes to bypass traditional security boundaries and target high-value industries. Dubbed “Scanception”, the campaign merges psychological manipulation with technical ingenuity to harvest credentials at scale.
“This campaign leverages QR code-based delivery mechanisms to distribute credential-harvesting URLs,” CRIL warns in its report.
The campaign begins innocently—with an email. But instead of a malicious link, the email contains a PDF attachment that appears to be from HR, finance, or another internal department. Inside is a professionally designed document often titled something like Employee Handbook, featuring branding, tables of contents, and corporate logos.
The final page encourages recipients to scan a QR code to access more information. And here lies the twist—this subtle shift from clicking to scanning moves the attack surface to personal mobile devices, which are typically unmanaged and unmonitored by enterprise security tools.
“This technique effectively bypasses traditional email security and endpoint protection controls by shifting the attack surface to unmanaged personal mobile devices,” the report notes.
CRIL’s investigation revealed that Scanception is targeted, yet expansive. Over just three months, they identified more than 600 unique phishing PDFs crafted to reflect real enterprise workflows, and nearly 80% of these PDFs had zero detections on VirusTotal at the time of analysis.
“Scanception campaign spans a large volume of victims… selectively chosen based on industry vertical, geographic region, and user roles,” the report discloses.
Primary targets include the Technology, Healthcare, Manufacturing, and Financial Services sectors. Geographic analysis indicates a deliberate focus on North America, EMEA, and APAC, pointing to a globally coordinated effort.
The attackers behind Scanception understand trust. They manipulate it expertly by abusing legitimate services like YouTube, Google, Bing, Cisco, Medium, and even email security platforms to redirect victims.
“Scanception leverages legitimate cloud-hosting platforms and open redirectors… to host or relay malicious content,” the report explains.
These trusted domains act as cloaks for redirection URLs, helping attackers slip past reputation-based filters and exploit the implicit trust users place in familiar platforms.
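The redirect-chain unwrapping an analyst performs on a QR-decoded URL can be done statically, without ever requesting the page. The following Python example is added here and is not from the CRIL report: it walks query parameters looking for values that are themselves absolute URLs (plain, percent-encoded once or twice, or base64-encoded), follows that chain up to a hop limit, and flags a URL whose first host differs from its final host. The hostnames, parameter names and sample URLs are constructed for illustration and are not indicators from the campaign.

```python
"""Statically unwrap open-redirect chains hosted on trusted domains.

Added example (not code from the CRIL report). No network access is made:
each hop is recovered from the query string of the previous URL, so the
analyst learns the final destination without touching attacker infrastructure.
"""
import base64
import binascii
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_HOPS = 10  # assumption: a chain longer than this is treated as a loop/abuse


def _looks_like_url(value: str) -> bool:
    """Accept only absolute http(s) URLs with a host part."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _candidate_urls(value: str):
    """Yield every decoding of a parameter value that parses as a URL.

    parse_qsl already percent-decodes once; nested encodings are common in
    multi-stage redirectors, so unquote is applied again before giving up.
    """
    seen = set()
    for attempt in (value, unquote(value), unquote(unquote(value))):
        if attempt not in seen and _looks_like_url(attempt):
            seen.add(attempt)
            yield attempt
    # Some redirectors carry the target base64-encoded; restore padding and try
    # both alphabets. Non-base64 input raises binascii.Error or decodes to junk
    # that fails the URL check, so nothing is yielded for ordinary values.
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            decoded = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if decoded not in seen and _looks_like_url(decoded):
            seen.add(decoded)
            yield decoded


def next_hop(url: str):
    """Return the first embedded URL found in url's query string, or None.

    Note: an unencoded embedded URL that carries its own '&'-separated query
    is split by parse_qsl; the host is still recovered, its query may be cut.
    """
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for candidate in _candidate_urls(value):
            return candidate
    return None


def unwrap_redirect_chain(url: str, max_hops: int = MAX_HOPS) -> list:
    """Follow embedded-URL hops statically; stop on a loop or the hop limit."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def final_destination_host(url: str) -> str:
    return urlsplit(unwrap_redirect_chain(url)[-1]).hostname or ""


def redirects_off_domain(url: str) -> bool:
    """True when a URL on one host ultimately points at a different host."""
    chain = unwrap_redirect_chain(url)
    first = urlsplit(chain[0]).hostname or ""
    return len(chain) > 1 and first != final_destination_host(url)


# Constructed samples: a two-stage chain through well-known redirector paths
# (percent-encoded twice) and a base64-carrying redirector on a made-up host.
SAMPLE_CHAIN = (
    "https://www.youtube.com/redirect?event=video_description"
    "&q=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3D"
    "https%253A%252F%252Flogin-portal.example%252Fo365"
)
SAMPLE_B64 = "https://redirector.example/ck?u=" + base64.urlsafe_b64encode(
    b"https://login-portal.example/o365"
).decode()
SAMPLE_DIRECT = "https://www.google.com/search?q=office+365+sign+in"

if __name__ == "__main__":
    for sample in (SAMPLE_CHAIN, SAMPLE_B64, SAMPLE_DIRECT):
        print(redirects_off_domain(sample), unwrap_redirect_chain(sample))
```

Because nothing is fetched, this misses server-side redirects (HTTP 302s keyed on an opaque token) and only exposes hops that are encoded in the URL itself; for those cases a sandboxed fetch is still needed, but this check is safe to run on every QR-decoded URL at triage time.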
After scanning the QR code, victims are led to phishing pages that impersonate legitimate login portals like Microsoft Office 365. But this is no ordinary credential theft—Scanception uses Adversary-in-the-Middle (AITM) techniques.
These phishing pages are loaded with evasion features:
- They detect automation tools like Selenium or Burp Suite and abort if found.
- They disable right-clicks, monitor debugging activity, and randomly redirect if suspicious behavior is detected.
“If any of these tools or actions are identified, the site immediately redirects the user to ‘about:blank’, effectively halting the attack chain,” the report explains.
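The evasion behaviours listed above leave recognisable traces in the page source, which is useful when a captured phishing page has to be triaged without rendering it. The Python example below is added here and is not from the CRIL report: it scans captured HTML/JavaScript for four classes of indicator that correspond to the report's description (automation-tool detection, right-click suppression, debugger timing checks, and a redirect to about:blank). The specific property names and regexes are a generic illustrative list, not indicators published for Scanception, and the two sample pages are constructed.

```python
"""Flag anti-analysis tricks in captured phishing page source.

Added example (not code from the CRIL report). Patterns are an illustrative
set of common fingerprinting idioms, assumed rather than taken from the
campaign, so treat hits as triage hints rather than a verdict.
"""
import re

EVASION_PATTERNS = {
    # Headless/automation fingerprints (WebDriver flag, Selenium/PhantomJS hooks,
    # or literal tool names checked in the page script).
    "automation_detection": re.compile(
        r"navigator\.webdriver|__webdriver_evaluate|__selenium_evaluate"
        r"|callPhantom|_phantom|\bSelenium\b|\bBurp\b",
        re.IGNORECASE,
    ),
    # Right-click disabled via attribute or event listener.
    "context_menu_disabled": re.compile(
        r"oncontextmenu\s*=|addEventListener\(\s*['\"]contextmenu['\"]",
        re.IGNORECASE,
    ),
    # Debugger-statement timing or window-size deltas used to spot DevTools.
    "debugger_monitoring": re.compile(
        r"\bdebugger\b|outerWidth\s*-\s*innerWidth|outerHeight\s*-\s*innerHeight"
    ),
    # Bail-out redirect that aborts the attack chain for analysts.
    "blank_redirect": re.compile(
        r"location(?:\.href)?\s*=\s*['\"]about:blank['\"]"
        r"|location\.replace\(\s*['\"]about:blank['\"]"
    ),
}


def evasion_indicators(html: str) -> dict:
    """Map each indicator class to whether it appears in the page source."""
    return {name: bool(pattern.search(html)) for name, pattern in EVASION_PATTERNS.items()}


def is_likely_evasive(html: str, min_hits: int = 2) -> bool:
    """Require at least two independent indicator classes to reduce noise
    (a lone 'debugger' keyword is common in legitimate minified code)."""
    return sum(evasion_indicators(html).values()) >= min_hits


# Constructed sample: a login page with all four evasion classes present.
SAMPLE_EVASIVE = """<html><body oncontextmenu="return false">
<script>
if (navigator.webdriver || window.callPhantom) { window.location.href = 'about:blank'; }
setInterval(function () {
  var t0 = Date.now(); debugger;
  if (Date.now() - t0 > 100) { location.replace('about:blank'); }
}, 1000);
</script>
<form action="/post">Sign in</form></body></html>"""

# Constructed sample: an ordinary login page with none of the tricks.
SAMPLE_BENIGN = """<html><body><script>document.title = 'Sign in';</script>
<form action="/login">Sign in</form></body></html>"""

if __name__ == "__main__":
    for label, page in (("evasive", SAMPLE_EVASIVE), ("benign", SAMPLE_BENIGN)):
        print(label, is_likely_evasive(page), evasion_indicators(page))
```

Run it over the HTML that a sandbox or proxy captured rather than over a live fetch: the report notes the page itself watches for Burp Suite and Selenium, so a tooled browser may only ever see the about:blank redirect, not the form.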
Once the victim submits credentials, the phishing infrastructure relays them to the real service in real time and captures the resulting 2FA codes, OTPs, and other secondary authentication factors, defeating MFA that depends on a code the user types or approves. Phishing-resistant factors bound to the legitimate origin, such as FIDO2/WebAuthn security keys and passkeys, are not captured this way, because the authenticator will not sign a challenge for the attacker's domain.
After stealing the credentials, Scanception completes its deception by redirecting the victim to a legitimate website, making the entire interaction appear harmless in hindsight.
CRIL found evidence of Scanception in over 50 countries and 70 sectors, with tailored decoy documents spanning HR announcements, compliance notices, and more.
The report highlights that Scanception’s tactics closely mirror those of known phishing platforms like ONNX Store and trends identified by Unit 42. This suggests a consolidation of phishing innovation, where techniques like QR-based payloads and multi-stage redirect chains are becoming standard practice.