Scanception: QR Code Phishing Campaign Bypasses Email Security to Target Enterprises Globally

Cyble Research & Intelligence Labs (CRIL) has uncovered an ongoing, highly targeted QR code-based phishing campaign dubbed “Scanception.” This quishing (QR phishing) operation exploits the growing trust in QR codes to deliver credential-harvesting URLs through seemingly harmless PDF attachments.

The attack begins with a phishing email containing a PDF lure that urges recipients to scan an embedded QR code. Once scanned, the code redirects victims to malicious login pages that mimic legitimate enterprise portals, ultimately capturing user credentials. This approach sidesteps traditional email security gateways and endpoint detection systems by targeting unmanaged mobile devices, which often fall outside corporate security perimeters.

CRIL has identified over 600 unique phishing PDFs and emails associated with the Scanception campaign in just the last three months. Notably, 80% of these PDFs had zero detections on VirusTotal, reflecting the campaign's stealth and sophistication.

Key Highlights of the Scanception QR Phishing Campaign:

Highly Convincing Social Engineering:
Attackers use well-crafted lures that mimic enterprise workflows, making them appear legitimate and increasing the likelihood of user interaction.

Precision Targeting at Scale:
The campaign spans global regions, including North America, EMEA, and APAC, and targets specific sectors such as Technology, Healthcare, Manufacturing, and BFSI, indicating a high-value, targeted approach.

Abuse of Trusted Platforms:
Scanception abuses reputable domains and cloud services like YouTube, Google, Bing, Medium, and Cisco as redirectors or hosts, allowing the campaign to bypass reputation-based security filters.

Credential Theft via AITM Pages:
The phishing infrastructure utilizes Adversary-in-the-Middle (AITM) techniques, creating multi-stage fake login portals designed to bypass automated threat detection and steal credentials.
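
For the "Abuse of Trusted Platforms" point above, a triage sketch added here as an example (it is not CRIL's code): given URLs already decoded from QR codes in PDF attachments, it flags links on the named platforms that carry an off-platform destination in a parameter. The suffix list, sample URLs and parameter names are assumptions constructed for illustration, and the check covers the redirector case only, not content hosted directly on a platform.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: suffix list derived from the platforms named in the report.
TRUSTED = ("youtube.com", "google.com", "bing.com", "medium.com", "cisco.com")

def _parse(url):
    """Return (host, SplitResult) for an http(s) URL, else (None, None)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. malformed IPv6 literal
        return None, None
    if parts.scheme.lower() not in ("http", "https") or not host:
        return None, None
    return host, parts

def _trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED)

def nested_destinations(url):
    """Hosts outside TRUSTED that a trusted-platform link carries in its
    query or fragment parameters, following trusted-to-trusted chains."""
    host, parts = _parse(url)
    if host is None or not _trusted(host):
        return []
    found = []
    for raw in (parts.query, parts.fragment):
        for _name, value in parse_qsl(raw):  # values arrive percent-decoded
            inner, _ = _parse(value)
            if inner is None:                # tolerate one extra encoding layer
                value = unquote(value)
                inner, _ = _parse(value)
            if inner is None:
                continue
            hits = nested_destinations(value) if _trusted(inner) else [inner]
            found += [h for h in hits if h not in found]
    return found

# Constructed sample: paths and parameter names are placeholders, not real endpoints.
SAMPLE_QR_URLS = [
    "https://www.bing.com/constructed?u=https%3A%2F%2Flogin.example.net%2Fsso",
    "https://medium.com/constructed-article?source=rss",
    "https://google.com.example.net/?u=https%3A%2F%2Fa.example.org",
]

def triage(urls):
    """Map each flagged URL to the off-platform hosts it forwards to."""
    return {u: d for u in urls if (d := nested_destinations(u))}

if __name__ == "__main__":
    for url, hosts in triage(SAMPLE_QR_URLS).items():
        print("REVIEW", url, "->", ", ".join(hosts))
```

A flagged link is a prompt for review rather than a verdict: the domain's reputation says nothing about where the nested destination leads.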

Scanception reflects the evolving nature of phishing campaigns—combining social engineering, mobile redirection, and abuse of trusted platforms—making it one of the most evasive and dangerous quishing attacks in circulation.