Cyble analyzes "Scanception", an ongoing quishing campaign using QR codes in PDFs to bypass security, harvest credentials, and evade detection systems.
CRIL has been closely tracking a widespread and ongoing quishing campaign, which we have dubbed “Scanception”. This campaign leverages QR code-based delivery mechanisms to distribute credential-harvesting URLs. The attack chain typically begins with a phishing email containing a PDF lure that urges recipients to scan an embedded QR code.
This technique effectively bypasses traditional email security and endpoint protection controls by shifting the attack surface to unmanaged personal mobile devices that typically fall outside the organization’s security perimeter.
A factor to note is that this campaign remains active at the time of publishing and continues to evolve, with new variants and lure themes regularly emerging across multiple sectors.
Over the past three months alone, CRIL has identified over 600 unique phishing PDFs and associated emails, many of which are crafted to mimic legitimate enterprise workflows. At the time of analysis, nearly 80% of the quishing PDFs we observed had zero detections on VirusTotal.
The attack typically begins with the target receiving an email containing a PDF attachment that closely mimics legitimate business communication.
One of the initial samples analysed was a PDF masquerading as an employee handbook, purportedly sent from the organization’s HR department (see Figure 1).
Once the victim opens the attached PDF decoy, they are shown what appears to be a legitimate document featuring the organization’s official logo, crafted to build trust. The document contains 4 pages with a professional-looking Table of Contents with sections grouped under HR-related topics such as Recruitment & Onboarding, Attendance & Work Policies, Employee Records, Performance & Conduct, and Health & Safety (see Figure 2).
At the final page, the victim is instructed to scan a QR code to access detailed information (see Figure 3).
Placing the QR code on the fourth page helps evade detection engines, which typically scan only the initial pages. At the time of analysis, the website was down and not serving any content.
As we continued our analysis and hunting using similar artefacts, we identified a PDF decoy with an active phishing site using the same themed quishing document with the QR code link: ilbls-Contempobuilder[.]qkipikpp[.]es/Ok1WCgX6w!gHNR/*YWxlc3NhbmRyb0Bjb250ZW1wb2J1aWxkZXIuY29t
After successfully completing Cloudflare’s Turnstile challenge, the victim is redirected to a URL with an appended client ID, in the following format: ilbls-contempobuilder.qkipikpp[.]es/3at1parnkqz?common/oauth2/v2.0/authorize?client_id=<>&locales=en. The resulting webpage impersonates the Office 365 sign-in portal (see Figure 4).
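As an added example (not part of Cyble’s analysis or tooling), the following Python checks a URL decoded from a QR code for the two traits described above: a base64-encoded victim address carried after “*” in the path, and Microsoft’s OAuth2 authorize path reproduced on a host that is not a Microsoft login domain. The allowlist of Microsoft hosts, the “.invalid” hostnames and the sample URLs are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# Hosts on which Microsoft's authorize endpoint legitimately appears (assumption:
# a short allowlist is enough for this illustration; extend it for production use).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                         "login.microsoft.com"}
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def decode_email_segment(segment: str):
    """Return the e-mail address if `segment` is base64 of a plausible address, else None."""
    padded = segment + "=" * (-len(segment) % 4)   # the path carries unpadded base64
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):        # not base64, or not text
        return None
    return text if EMAIL_RE.match(text) else None


def analyse_qr_url(url: str) -> dict:
    """Flag the two Scanception URL traits in a URL decoded from a QR code."""
    url = url.replace("[.]", ".")                   # undo report-style defanging
    if not url.startswith(("http://", "https://")):
        url = "https://" + url                      # bare samples lack a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    result = {"host": host, "victim_email": None, "reasons": []}
    # Stage 1: the victim's address rides along as base64 after '*' in the path.
    # (Base64 containing '/' would be split here; such tokens are simply missed.)
    for token in re.split(r"[/*]", parts.path):
        email = decode_email_segment(token)
        if email:
            result["victim_email"] = email
            result["reasons"].append("base64 e-mail identifier in path")
    # Stage 2: the Office 365 authorize path is reproduced on a non-Microsoft host.
    if ("oauth2/v2.0/authorize" in parts.path + "?" + parts.query
            and host not in MICROSOFT_LOGIN_HOSTS):
        result["reasons"].append("oauth2 authorize path on non-Microsoft host")
    return result


# Constructed samples shaped like the two URLs quoted above (not the real IoCs).
STAGE1 = "phish-example[.]invalid/Ok1WCgX6w!gHNR/*dXNlckBleGFtcGxlLmNvbQ"
STAGE2 = ("phish-example[.]invalid/3at1parnkqz?common/oauth2/v2.0/authorize"
          "?client_id=PLACEHOLDER&locales=en")
GENUINE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x"

if __name__ == "__main__":
    for sample in (STAGE1, STAGE2, GENUINE):
        print(analyse_qr_url(sample))
```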
The phishing page detects the presence of automation tools such as Selenium, PhantomJS, or Burp Suite. If any of these tools or actions are identified, the site immediately redirects the user to “about:blank”, effectively halting the attack chain. The page also disables right-click functionality and continuously monitors debugging activity every 100 milliseconds. If such activity is detected, the site immediately redirects the user to a randomly generated legitimate URL, effectively evading further analysis (see Figure 5).
The phishing page utilizes a multi-stage credential harvesting process.
After the initial credential submission, an open channel with the adversary’s backend is maintained to receive further instructions. Depending on the victim’s account configuration, the infrastructure may prompt the phishing page to request additional authentication data—such as time-sensitive 2FA tokens, email-based verification codes, or SMS-delivered OTPs. This stepwise approach enables the threat actor to bypass multi-factor authentication and achieve full session hijacking or account takeover.
This is a classic case of an ‘Adversary-in-the-Middle’ (AITM) technique to relay the credentials to the actual Microsoft login portal in real time, successfully authenticating and gaining access to the victim’s Microsoft 365 account. This method not only enables long-term persistence but also allows the attacker to perform further malicious activities within the compromised environment.
Finally, after successfully harvesting credentials through the AITM attack, the threat actor redirects the victim to a legitimate website to avoid raising suspicion (see Figure 8).
The Scanception campaign has likely been active for an extended period. During this time, it has exhibited a wide range of permutations in its delivery techniques and lure formats. Its Tactics, Techniques, and Procedures (TTPs) share notable similarities with Palo Alto Networks’ Unit 42 research on QR code phishing campaigns and EclecticIQ’s analysis of the ONNX Store Phishing-as-a-Service (PhaaS) platform. This highlights a convergence in tradecraft across modern phishing ecosystems.
CRIL’s investigation revealed over 600 unique phishing PDFs and emails tied to the Scanception campaign spanning just three months. This reflects a high volume of tailored lures in a short timeframe. A significant portion of these artifacts were meticulously crafted to replicate authentic enterprise workflows ranging from HR notifications to financial approvals. Our analysis of early-stage decoy PDFs revealed that they initially contained only a single page; later variants evolved to include two or more pages.
At the time of analysis, nearly 80% of the quishing PDFs we observed (in three months) had zero detections on VirusTotal.
Given that any social engineering attack primarily relies on exploiting the human element of a victim’s security infrastructure, the redirection strategy is of particular note in this campaign.
As part of the Scanception campaign’s evasion and delivery strategy, we observed the systematic abuse of trusted web redirection services. The attackers embedded open redirect URLs from reputable platforms to relay victims to the final phishing pages, effectively masking their malicious intent behind domains that users and security filters often implicitly trust as legitimate traffic flows. While some of the redirector URLs may have since been remediated or fixed, we believe it’s important to highlight their usage as part of this campaign’s tactics.
Some examples of redirection abuse involving popular services such as YouTube, Google, Bing, Cisco, Medium, and several others are shown below:
• Sophisticated social engineering:
  - The quishing lures are crafted with highly convincing pretexts that closely mirror legitimate enterprise communications. This elevates the credibility of these decoys, further increasing the likelihood of user interaction.
• Precision targeting at scale:
  - The Scanception campaign spans a large volume of victims, selectively chosen based on industry vertical, geographic region, and user roles. This tailored approach amplifies the success rate of the credential-harvesting attempts.
• Global campaign with sectoral focus:
  - The campaign exhibits broad geographic reach across North America, EMEA, and APAC, with a marked concentration of activity against organizations in the Technology, Healthcare, Manufacturing, and BFSI (Financial) sectors. This indicates a deliberate focus on high-value industries.
• Abuse of trusted services, open redirectors, and perimeter evasion:
  - Scanception leverages legitimate cloud-hosting platforms and open redirectors to host or relay malicious content. Platforms such as YouTube, Google, Bing, Cisco, and Medium were abused to host or relay phishing infrastructure. This abuse of reputable infrastructure lets the campaign bypass reputation-based detection systems and traditional email filtering mechanisms.
  - Additionally, the use of QR code-based payload delivery shifts the attack surface to unmanaged personal mobile devices. These devices operate beyond enterprise visibility and control, enabling adversaries to bypass both email gateways and endpoint defenses.
• Credential harvesting via AITM infrastructure:
  - The ultimate objective of the campaign is credential theft, achieved through adversary-in-the-middle (AITM) phishing pages that mimic legitimate login portals. These pages are often equipped with evasion techniques to bypass automated threat detection and utilize a multi-stage credential harvesting process.
Note – The email_base64 field contains the email address encoded in base64 format to conceal the identifier.
As of this analysis, the Scanception campaign demonstrates a broad and active operational footprint, with targeting observed across more than 50 countries. Notably, the campaign shows concentrated activity in North America, EMEA, and APAC, indicating a globally coordinated strategy with region-specific targeting and lure customization (see Figure 9).
Entities within the Technology, Healthcare, Manufacturing, and BFSI (Financial) industries have emerged as the primary targets of this campaign, which has so far impacted organizations across more than 70 distinct sectors (see Figure 10).
This geographic spread, coupled with sector-specific enterprise workflow lure themes and URL redirection abuse, illustrates the campaign’s evolving nature and the threat actors’ strategic focus on high-value organizational environments.
The Scanception campaign underscores a broader shift in phishing tradecraft – moving away from traditional perimeter-bound attack surfaces. What makes Scanception particularly dangerous is not the novelty of QR-based delivery alone. The strategic use of multi-layered evasion techniques, social engineering, and infrastructure abuse erodes the trust boundaries users rely on.
From fake HR workflows to redirection through legitimate platforms like YouTube, Medium, and email security services, the attackers have crafted a multidimensional attack chain that evades both technology and intuition, seeking to bypass traditional security measures as well as exploit the human element of vigilance in this campaign.
As Social Engineering campaigns continue to evolve in sophistication, Scanception serves as a wake-up call: attackers are abusing trusted services, targeting personal mobile devices, and bypassing multi-factor authentication through advanced Adversary-in-the-Middle (AITM) tactics.
Finally, we’d like to emphasise that this is an ongoing campaign at the time of publishing, with minimal flags at this point, as indicated by our curated findings over the past three months. Therefore, we advocate that our readers exercise caution, as the human element is the key target of most social engineering campaigns. In the following section, we’ve listed some tips on securing yourself and your organization from these threats.
CRIL recommends the following measures to strengthen organizational defenses
The current threat landscape includes a multitude of potent threats, including several examples of Social Engineering campaigns like Scanception, which blend trusted infrastructure abuse with social engineering and AITM tactics. Security teams need more than reactive controls to keep ahead of these.
Solutions such as Cyble Vision deliver operational intelligence that enables defenders to stay ahead of adversaries through early detection, campaign-level visibility, and infrastructure mapping.
Cyble Vision specifically empowers security teams to move beyond isolated detection, gaining the strategic insight required to anticipate threats, monitor adversary movements, and respond with precision at every stage of the attack lifecycle. Security teams can take necessary preventive action with the help of:
Tactic | Technique | Procedure
--- | --- | ---
Initial Access (TA0001) | Phishing: Spearphishing Attachment (T1566.001) | PDF attachments mimicking legitimate business documents
Initial Access (TA0001) | Phishing: Spearphishing Link (T1566.002) | QR codes in PDFs redirect to fake Office 365 login pages
Defense Evasion (TA0005) | Virtualization/Sandbox Evasion: System Checks (T1497.001) | Detects automation tools and redirects to “about:blank”
Defense Evasion (TA0005) | Disable or Modify Tools (T1562.002) | Disables right-click and monitors debugging activity
Defense Evasion (TA0005) | Masquerading (T1036.001) | Multi-page PDFs to evade detection engines
Defense Evasion (TA0005) | Proxy: External Proxy (T1090.002) | Abuses trusted redirect services (YouTube, Google, Bing)
Collection (TA0009) | Adversary-in-the-Middle (T1557) | Real-time credential harvesting via POST requests
Collection (TA0009) | Browser Information Discovery (T1217) | Collects browser fingerprinting data
Credential Access (TA0006) | Multi-Factor Authentication Interception (T1111) | AITM technique to bypass MFA in real time
Command and Control (TA0011) | Web Service: Bidirectional Communication (T1102.002) | Maintains an open channel for real-time instructions
Command and Control (TA0011) | Dynamic Resolution: Domain Generation Algorithms (T1568.002) | Generates randomized URL paths using the randroute function
Command and Control (TA0011) | Data Encoding: Non-Standard Encoding (T1132.002) | AES encryption of credentials and browser data during C2 transmission
The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.