Scanception: New QR Code Phishing Campaign Bypasses Security to Harvest Credentials on Mobile

Over the past several months, researchers at Cyble Research and Intelligence Labs (CRIL) have been closely monitoring a large-scale and technically sophisticated phishing campaign known as Scanception. Its hallmark lies in the use of QR codes embedded within PDF documents, ostensibly sent on behalf of legitimate organizations, to stealthily harvest users’ credentials.

The core of the attack involves the distribution of emails containing attached PDF files. At first glance, these attachments appear to be routine business documents—HR instructions, internal policies, or financial notices. Each contains a QR code prompting the recipient to scan it. Upon scanning, the user is redirected to a counterfeit website masquerading as a legitimate login page, such as Microsoft 365.

The campaign’s ingenuity lies in shifting the point of compromise from the corporate desktop to the employee’s mobile device, which is often personal or unmanaged. Because the QR code is scanned with a phone camera, the link is never clicked on the endpoint that sits behind the email gateway, antivirus, endpoint detection and response (EDR) and other enterprise defenses; those controls only ever see a PDF containing an image. At the time of analysis, nearly 80% of these PDFs went undetected on VirusTotal, underlining how little the attachment itself gives a scanner to work with.

The attackers wield an arsenal of over 600 unique PDF files, each built around a different social engineering pretext. They closely mimic corporate tone, logos and HR jargon, and use multi-page document structures so that static analysis tools, which typically inspect only the first page of an attachment, see nothing suspicious. A QR code is also a raster image rather than a clickable /URI link annotation, so a scanner that merely extracts URLs from the PDF finds nothing to check; it has to locate and decode the image on every page.
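The following is an added example, not code from the original report or from Cyble: a minimal, dependency-free walk over a PDF's page tree that reports, per page, the link annotations and image XObjects it reaches, so that a page-two QR code or redirector link is not missed by a first-page-only check. The two-page PDF is constructed inline (no xref table, approximate stream lengths; it is enough for this parser but is not guaranteed to render in every viewer), and the `example.invalid` phishing host is a placeholder. Decoding the QR image itself needs an external library such as pyzbar and is left out.

```python
import re
from typing import Dict, List, Set

# Constructed two-page PDF. Page 1 is innocuous text; page 2 carries an image XObject
# (where a QR code would live) and a Link annotation that goes through a redirector.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 5 0 R >> endobj
4 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 6 0 R
   /Resources << /XObject << /Im1 7 0 R >> >> /Annots [8 0 R] >> endobj
5 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (HR policy update - please review) Tj ET
endstream endobj
6 0 obj << /Length 36 >> stream
q 200 0 0 200 200 400 cm /Im1 Do Q
endstream endobj
7 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
A
endstream endobj
8 0 obj << /Type /Annot /Subtype /Link /Rect [200 400 400 600]
   /A << /S /URI /URI (https://www.youtube.com/redirect?q=https%3A%2F%2Fexample.invalid%2Flogin) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+0\s+R\b")
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw object body. We scan the whole file, so no xref is needed."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def page_order(objs: Dict[int, bytes]) -> List[int]:
    """Walk Catalog -> Pages -> Kids so pages come out in display order."""
    catalog = next(n for n, b in objs.items() if re.search(rb"/Type\s*/Catalog\b", b))
    root = int(re.search(rb"/Pages\s+(\d+)\s+0\s+R", objs[catalog]).group(1))
    order: List[int] = []

    def walk(n: int) -> None:
        body = objs[n]
        if re.search(rb"/Type\s*/Pages\b", body):
            kids = re.search(rb"/Kids\s*\[(.*?)\]", body, re.S).group(1)
            for k in REF_RE.findall(kids):
                walk(int(k))
        elif re.search(rb"/Type\s*/Page\b", body):
            order.append(n)

    walk(root)
    return order


def reachable(objs: Dict[int, bytes], start: int) -> Set[int]:
    """Objects referenced (transitively) from one page; /Parent links are ignored so we do not climb back up."""
    seen: Set[int] = set()
    stack = [start]
    while stack:
        n = stack.pop()
        if n in seen or n not in objs:
            continue
        seen.add(n)
        body = re.sub(rb"/Parent\s+\d+\s+0\s+R", b"", objs[n])
        stack.extend(int(r) for r in REF_RE.findall(body))
    return seen


def analyze_pdf(pdf: bytes) -> List[dict]:
    """Per page: the /URI targets of its link annotations and the number of image XObjects it draws."""
    objs = parse_objects(pdf)
    report = []
    for idx, page in enumerate(page_order(objs), start=1):
        uris: List[str] = []
        images = 0
        for n in sorted(reachable(objs, page)):
            body = objs[n]
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
            if re.search(rb"/Subtype\s*/Image\b", body):
                images += 1
        report.append({"page": idx, "uris": uris, "images": images})
    return report


def pages_missed_by_first_page_scan(report: List[dict]) -> List[int]:
    """Pages after the first that carry links or images a first-page-only scanner never sees."""
    return [p["page"] for p in report[1:] if p["uris"] or p["images"]]


if __name__ == "__main__":
    rep = analyze_pdf(SAMPLE_PDF)
    for page in rep:
        print(page)
    print("missed by first-page scan:", pages_missed_by_first_page_scan(rep))
```

Every image reached this way should be handed to a QR decoder, and every decoded or annotated URL to a redirect-unwrapping step, regardless of the page it sits on.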

To hide the real destination, the attackers route victims through redirect links on trusted platforms such as YouTube, Google, Bing, Cisco and Medium. The URL encoded in the QR code therefore carries a domain with a good reputation, which reputation-based filters wave through; the actual phishing host appears only inside a query parameter, or after one or more hops.
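As an added example (not from the original report), the following unwraps such redirect chains offline by parsing the query parameter that carries the target, so the host that is actually evaluated is the final one rather than the trusted front. The redirector table is an assumption for this example and deliberately small; Bing's `u=a1<base64url>` encoding is handled on the assumption that observed links use that form, and a production version would also follow live HTTP 3xx hops. The `example.invalid` host is a constructed placeholder.

```python
import base64
from typing import List, Optional
from urllib.parse import parse_qs, quote, urlsplit

# Assumed table: host -> (path prefix, query parameters that carry the target).
# Illustrative only; a real deployment needs a maintained list.
REDIRECTORS = {
    "www.youtube.com": ("/redirect", ("q",)),
    "www.google.com": ("/url", ("q", "url")),
    "www.bing.com": ("/ck/a", ("u",)),
    "medium.com": ("/r/", ("url",)),
}


def _decode_bing(value: str) -> str:
    """Bing click links carry 'a1' + base64url(target); treated here as an assumption."""
    if value.startswith("a1"):
        raw = value[2:]
        raw += "=" * (-len(raw) % 4)  # restore stripped padding
        try:
            return base64.urlsafe_b64decode(raw).decode("utf-8", "replace")
        except ValueError:
            return value
    return value


def next_hop(url: str) -> Optional[str]:
    """Return the URL a known redirector would send the browser to, or None if this is not one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    entry = REDIRECTORS.get(host)
    if entry is None or not parts.path.startswith(entry[0]):
        return None
    qs = parse_qs(parts.query)  # parse_qs already percent-decodes the values
    for name in entry[1]:
        for value in qs.get(name, []):
            if host == "www.bing.com":
                value = _decode_bing(value)
            target = urlsplit(value)
            if target.scheme in ("http", "https") and target.hostname:
                return value
    return None


def unwrap(url: str, max_hops: int = 5) -> List[str]:
    """Follow redirector parameters until a non-redirector URL, a loop, or the hop limit."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def is_disguised(url: str) -> bool:
    """True when the visible host differs from the host the victim would finally land on."""
    chain = unwrap(url)
    first = urlsplit(chain[0]).hostname
    last = urlsplit(chain[-1]).hostname
    return len(chain) > 1 and first != last


# Constructed sample links: a single hop, a two-level nesting, and the Bing encoding.
PHISH = "https://example.invalid/login"
YT = "https://www.youtube.com/redirect?q=" + quote(PHISH, safe="")
NESTED = "https://www.google.com/url?q=" + quote(YT, safe="")
BING = "https://www.bing.com/ck/a?u=a1" + base64.urlsafe_b64encode(PHISH.encode()).decode().rstrip("=")

if __name__ == "__main__":
    for link in (YT, NESTED, BING):
        print(" -> ".join(unwrap(link)), "| disguised:", is_disguised(link))
```

The domain to score against blocklists and reputation feeds is the last element of the chain; the first element is exactly the one the attacker chose for its reputation.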

The ultimate destination is an AiTM (Adversary-in-the-Middle) site that proxies the real login flow and captures everything the victim submits. These phishing pages closely resemble legitimate login portals and record every keystroke entered. A set of countermeasures against automated analysis is also in place, including right-click blocking, debugger detection, and redirection to a harmless page when analysis tooling is suspected, which makes forensic examination and detection harder.
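The markers listed above are visible in page source even when the kit refuses to behave under a debugger. The following added example (not from the original report) scans the inline scripts of a fetched page for those markers and for the keystroke-capture and exfiltration calls that usually accompany them. The sample page is constructed to look like such a kit; `legit.example.com` stands in for whatever legitimate site the kit bounces analysts to. Several of these signals are individually benign on ordinary sites, so the verdict is based on how many co-occur.

```python
import re
from typing import Dict, List

# Regexes over script text. Illustrative patterns a practitioner commonly sees in
# phishing kits; the list is an assumption for this example, not an exhaustive rule set.
RULES = {
    "right_click_blocked": re.compile(
        r"(oncontextmenu\s*=|addEventListener\(\s*['\"]contextmenu['\"])", re.I),
    "debugger_timing_trap": re.compile(r"\bdebugger\s*;", re.I),
    "devtools_size_check": re.compile(
        r"outerWidth\s*-\s*(?:window\.)?innerWidth|outerHeight\s*-\s*(?:window\.)?innerHeight", re.I),
    "keystroke_capture": re.compile(
        r"addEventListener\(\s*['\"](keyup|keydown|input)['\"]", re.I),
    "exfil_call": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b"),
    "decoy_redirect": re.compile(r"location\.(replace|href|assign)\s*[(=]", re.I),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def extract_scripts(html: str) -> List[str]:
    return SCRIPT_RE.findall(html)


def scan_page(html: str) -> Dict[str, List[str]]:
    """Rule name -> list of matched snippets across all inline scripts."""
    hits: Dict[str, List[str]] = {}
    for script in extract_scripts(html):
        for name, rx in RULES.items():
            for m in rx.finditer(script):
                hits.setdefault(name, []).append(m.group(0))
    return hits


def looks_like_aitm_kit(hits: Dict[str, List[str]], threshold: int = 3) -> bool:
    """Flag when several independent anti-analysis / capture signals appear together."""
    return len(hits) >= threshold


# Constructed sample: a credential-harvesting page with the countermeasures described above.
SAMPLE_PHISH_HTML = """<html><body>
<form id="login"><input type="email" id="u"><input type="password" id="p"></form>
<script>
document.oncontextmenu = function () { return false; };
setInterval(function () {
  var t = Date.now(); debugger;
  if (Date.now() - t > 100 || window.outerWidth - window.innerWidth > 160) {
    window.location.replace("https://legit.example.com/");
  }
}, 500);
document.getElementById("p").addEventListener("keyup", function (e) {
  fetch("/c/collect", { method: "POST", body: e.target.value });
});
</script>
</body></html>"""

# Constructed benign page for comparison.
BENIGN_HTML = """<html><body><h1>HR policy</h1>
<script>document.title = "HR policy update";</script></body></html>"""

if __name__ == "__main__":
    found = scan_page(SAMPLE_PHISH_HTML)
    for rule, snippets in found.items():
        print(f"{rule}: {snippets}")
    print("AiTM kit?", looks_like_aitm_kit(found))
```

Because the kit redirects away when it detects instrumentation, fetch the page with a plain HTTP client or from a saved HAR rather than a headless browser, and keep the raw response bytes as evidence.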

Data collection unfolds in multiple stages. First, the site performs browser fingerprinting to gather information about the user’s device and environment. This data is then transmitted to pre-generated endpoints via JavaScript libraries. Particularly alarming is the real-time interception of multi-factor authentication codes: one-time passwords (OTP) or email confirmation codes are relayed to the attackers quickly enough to complete the login on behalf of the victim. This relay works against any factor that is a bearer value the user can type or forward; it does not work against FIDO2/WebAuthn credentials, whose signed assertion is bound to the origin the browser is actually on.
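Why an OTP can be relayed but an origin-bound assertion cannot, as an added model (not code from the original report): the OTP side treats the code as a plain string that the proxy forwards unchanged, while the WebAuthn-style side has the browser, not the page, write the origin into the client data that the authenticator signs, so the real site sees `login.example.invalid` in a response it expected from `login.example.com`. Both origins are constructed placeholders, and the HMAC with a per-credential secret is a stand-in for the asymmetric key pair a real authenticator uses.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

REAL_ORIGIN = "https://login.example.com"       # constructed: the genuine identity provider
PHISH_ORIGIN = "https://login.example.invalid"  # constructed: the AiTM proxy the victim really visits


# 1. A bearer-style second factor (OTP / emailed code). Nothing ties the code to where it was typed.
class OtpService:
    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[user] = code
        return code

    def verify(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self._codes.get(user, ""), code)


def otp_relay_succeeds() -> bool:
    svc = OtpService()
    code_sent_to_victim = svc.issue("alice")
    # The victim types the code into the proxy page; the proxy forwards it verbatim to the real site.
    code_forwarded_by_proxy = code_sent_to_victim
    return svc.verify("alice", code_forwarded_by_proxy)


# 2. An origin-bound assertion (WebAuthn model). The browser supplies the origin it is on;
#    the page cannot change it. Toy signature: HMAC with a secret shared at registration.
class Authenticator:
    def __init__(self) -> None:
        self.credential_secret = secrets.token_bytes(32)

    def get_assertion(self, challenge: str, browser_origin: str) -> Tuple[bytes, bytes]:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.credential_secret, hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, sig


class RelyingParty:
    def __init__(self, origin: str, authenticator: Authenticator) -> None:
        self.origin = origin
        self.credential_secret = authenticator.credential_secret  # toy registration step
        self.pending: Dict[str, str] = {}

    def challenge(self, user: str) -> str:
        c = secrets.token_urlsafe(32)
        self.pending[user] = c
        return c

    def verify(self, user: str, client_data: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.credential_secret, hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False  # proxy tampered with client data, or wrong credential
        cd = json.loads(client_data)
        return (
            cd.get("type") == "webauthn.get"
            and cd.get("challenge") == self.pending.pop(user, None)
            and cd.get("origin") == self.origin  # the check that defeats the relay
        )


def webauthn_flow(browser_origin: str) -> bool:
    """Run one login where the victim's browser is on browser_origin; the proxy forwards everything unchanged."""
    auth = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, auth)
    challenge = rp.challenge("alice")  # proxy fetches this from the real site and shows it to the victim
    client_data, sig = auth.get_assertion(challenge, browser_origin)
    return rp.verify("alice", client_data, sig)
    # In a real browser the relay fails even earlier: the credential's RP ID (login.example.com)
    # is not a registrable suffix of login.example.invalid, so the phishing page cannot invoke it.


def webauthn_relay_succeeds() -> bool:
    return webauthn_flow(PHISH_ORIGIN)


def webauthn_direct_succeeds() -> bool:
    return webauthn_flow(REAL_ORIGIN)


if __name__ == "__main__":
    print("OTP relayed through AiTM accepted:", otp_relay_succeeds())
    print("WebAuthn relayed through AiTM accepted:", webauthn_relay_succeeds())
    print("WebAuthn direct login accepted:", webauthn_direct_succeeds())
```

The same reasoning applies to push approvals and emailed magic links: anything the victim can hand over as a value is relayable, and only a factor that cryptographically names the origin stops an AiTM proxy.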

Once credentials are stolen, the victim is typically redirected to a legitimate website, minimizing suspicion and complicating incident response. The campaign spans more than 50 countries and targets over 70 industries, including technology, healthcare, manufacturing, and financial services.

Scanception represents a convergence of social engineering, abuse of trusted services, and technical subterfuge, all aimed at bypassing defenses and deceiving users. In light of this evolving threat, the exposure of mobile devices, which often sit beyond the reach of corporate IT oversight, becomes a pressing concern.

Experts urge organizations to invest in staff training, raise awareness of emerging threats, and implement Mobile Device Management (MDM) solutions to safeguard corporate data beyond the traditional network perimeter.