A sophisticated phishing campaign dubbed “Scanception” has emerged as a significant threat to enterprise security, leveraging QR codes embedded in PDF attachments to bypass traditional email security measures and harvest user credentials. The attack represents a concerning evolution in social engineering tactics, specifically targeting the growing reliance on mobile devices for quick access to digital resources through QR code scanning. Cyble analysts identified over 600 unique phishing PDFs associated with this campaign within just three months, with nearly 80% showing zero detections on VirusTotal at the time of analysis.

The campaign operates through a multi-stage attack chain that begins with carefully crafted phishing emails containing PDF attachments designed to mimic legitimate business communications. These documents, often masquerading as HR handbooks or corporate announcements, contain professionally formatted content complete with authentic-looking logos and organizational branding to establish trust with potential victims. What makes this attack particularly insidious is its strategic placement of malicious QR codes on the final pages of multi-page PDF documents, a technique that effectively circumvents automated security scanners that typically analyze only the initial pages of attachments.

Once victims scan the embedded codes, they are redirected through a complex network of legitimate redirect services including YouTube, Google, Bing, and Cisco platforms, which masks the malicious intent behind trusted domains. Upon reaching the fake Office 365 login portal, the malicious website employs sophisticated detection mechanisms to identify automated analysis tools. The site continuously monitors for the presence of security research tools such as Selenium, PhantomJS, or Burp Suite using JavaScript functions that execute every 100 milliseconds.

Stolen credentials are exfiltrated via POST requests to dynamically generated endpoints created using the randroute() function combined with the randexp.min.js library from GitHub, enabling randomized URL paths that reduce signature-based detection effectiveness. This stepwise approach enables complete session hijacking and account takeover, allowing attackers to maintain long-term persistence within compromised Microsoft 365 environments while successfully bypassing modern security controls through real-time credential relay to legitimate authentication services. The campaign’s multi-factor authentication bypass capability represents its most concerning aspect, as the infrastructure maintains an open communication channel to prompt victims for additional authentication data including 2FA tokens, email verification codes, and SMS-delivered one-time passwords.
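The redirect chain described above is something a defender can check offline once a QR code has been decoded from an attachment. The following Python is an added example, not code from the article or from Cyble: it unwraps a decoded QR URL hop by hop through known open-redirector endpoints and decides whether the final host is one the organisation trusts. The redirector host list and the rule "the first query parameter whose value is an absolute URL is the next hop" are assumptions (they fit Google's /url?q= and YouTube's /redirect?q= endpoints); the Cisco service the article mentions is omitted because the article does not give its URL form. All sample URLs and the trusted-domain list are constructed.

```python
"""Unwrap QR-code URLs that route through trusted redirect services and
classify the final destination. Added example; assumptions are noted inline."""
from urllib.parse import parse_qs, urlsplit

# Assumption: these hosts are treated as open redirectors. The article names
# YouTube, Google, Bing and Cisco; Cisco is left out because no URL form is given.
REDIRECTOR_HOSTS = {
    "google.com", "www.google.com",
    "youtube.com", "www.youtube.com",
    "bing.com", "www.bing.com",
}


def embedded_target(url: str):
    """Return the absolute URL carried in a redirector's query string, or None.

    Assumption: any query parameter whose value starts with http(s):// is the
    next hop. parse_qs percent-decodes one layer, which is exactly one hop.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in REDIRECTOR_HOSTS:
        return None
    for values in parse_qs(parts.query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_chain(url: str, max_hops: int = 5) -> list:
    """Follow embedded redirects without touching the network; cap the depth."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = embedded_target(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def host_is_trusted(host: str, trusted_domains) -> bool:
    """Exact match or subdomain of a domain the organisation owns or sanctions."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def assess_qr_target(url: str, trusted_domains) -> dict:
    """Classify a decoded QR URL: allow / review / block."""
    chain = unwrap_chain(url)
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    via_redirector = len(chain) > 1
    if host_is_trusted(final_host, trusted_domains):
        verdict = "allow"
    elif via_redirector:
        # A trusted-looking first hop that lands on an unknown host is the
        # pattern the article describes; stop it rather than queue it.
        verdict = "block"
    else:
        verdict = "review"
    return {
        "chain": chain,
        "final_host": final_host,
        "via_redirector": via_redirector,
        "verdict": verdict,
    }


# Constructed samples. ".invalid" is a reserved TLD, so nothing here resolves.
TRUSTED = ("example.com",)
DIRECT = "https://hr.example.com/handbook-2025.pdf"
CHAINED = (
    "https://www.google.com/url?q=https%3A%2F%2Fwww.youtube.com%2Fredirect%3Fq%3D"
    "https%253A%252F%252Flogin-portal.example.invalid%252Fo365"
)
PLAIN_VIDEO = "https://www.youtube.com/watch?v=abc123"

if __name__ == "__main__":
    for sample in (DIRECT, CHAINED, PLAIN_VIDEO):
        result = assess_qr_target(sample, TRUSTED)
        print(result["verdict"], "<-", " -> ".join(result["chain"]))
```

Because the chain is unwrapped from the URL's own query parameters, the check runs in an isolated analysis pipeline without fetching anything; a second pass that actually follows HTTP redirects (with a sandboxed client) would catch server-side hops this static view cannot see.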
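The landing-page behaviours the article reports (a JavaScript loop polling every 100 milliseconds for Selenium, PhantomJS or Burp Suite, the randexp.min.js dependency, and a randroute()-style generator for randomised POST endpoints) are usable as triage indicators when an analyst has the page source in hand. The Python below is an added example, not code from the article or from Cyble, that scans a page's markup for those traits and returns a verdict. Only the names randroute and randexp.min.js come from the article; the regular expressions, the token list and both sample pages are constructed for illustration.

```python
"""Heuristic scan of a suspected credential-harvesting page for the
analysis-evasion traits described in the article. Added example; the
detection patterns are assumptions chosen for illustration."""
import re

# Identifiers that anti-automation scripts commonly probe for. navigator.webdriver
# is exposed by WebDriver-driven browsers such as Selenium; window._phantom and
# window.callPhantom exist only under PhantomJS. "burp" is a constructed stand-in:
# the article does not say how the kit recognises Burp Suite.
TOOL_TOKENS = ("webdriver", "selenium", "_phantom", "callPhantom", "phantomjs", "burp")

# setInterval(<callback>, <ms>). Non-greedy, so a nested call with its own numeric
# argument can confuse it; this is a triage heuristic, not a JavaScript parser.
POLL_RE = re.compile(r"setInterval\s*\((.*?),\s*(\d+)\s*\)", re.S)
FAST_POLL_MS = 250  # assumption: loops at or below this rate are evasion checks


def scan_script(js: str) -> dict:
    """Return the indicators found in one page's markup plus a verdict."""
    lowered = js.lower()
    intervals = [int(ms) for _, ms in POLL_RE.findall(js)]
    fast_polls = [ms for ms in intervals if ms <= FAST_POLL_MS]
    tool_probes = sorted(t for t in TOOL_TOKENS if t.lower() in lowered)
    uses_randexp = re.search(r"randexp(\.min)?\.js|new\s+RandExp\s*\(", js) is not None
    dynamic_route = re.search(r"\brandroute\s*\(", js) is not None

    # Two independent signals: a fast loop that looks for tooling, and
    # randomised endpoint generation for the credential POST.
    evasion_loop = bool(fast_polls) and bool(tool_probes)
    randomised_exfil = uses_randexp and dynamic_route
    return {
        "fast_poll_ms": fast_polls,
        "tool_probes": tool_probes,
        "uses_randexp": uses_randexp,
        "dynamic_route": dynamic_route,
        "verdict": "suspicious" if (evasion_loop or randomised_exfil) else "benign",
    }


# Constructed sample reproducing only the traits the article describes.
SAMPLE_JS = r"""
<script src="https://cdn.example.invalid/randexp.min.js"></script>
<script>
function randroute() { return "/" + new RandExp(/[a-z0-9]{8}/).gen() + "/post.php"; }
function checkTools() {
  if (navigator.webdriver || window._phantom || window.callPhantom) { location.replace("about:blank"); }
}
setInterval(checkTools, 100);
document.forms[0].onsubmit = function () { fetch(randroute(), {method: "POST", body: new FormData(this)}); };
</script>
"""

# Constructed benign page: a once-a-second clock and nothing else.
BENIGN_JS = r"""
<script>
function updateClock() { document.getElementById("clock").textContent = new Date().toLocaleTimeString(); }
setInterval(updateClock, 1000);
</script>
"""

if __name__ == "__main__":
    for name, js in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(name, scan_script(js))
```

The two signals are kept separate on purpose: a short-interval timer alone is common in ordinary pages, and tooling checks alone appear in some anti-fraud scripts, but the combination, or randomised route generation feeding a form POST, is what the article attributes to this kit and is worth escalating.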
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 19 Jul 2025 09:25:14 +0000