QR Code Phishing: How Attackers Are Using PDF Attachments to Steal Microsoft 365 Credentials
Published: 21 May 2026
Threat type: Phishing / credential harvesting
Severity: Medium
MITRE ATT&CK mapping: Spearphishing Attachment — T1566.001
Executive Summary
Secure X has observed a coordinated QR code phishing campaign targeting multiple South African organisations. The campaign used compromised business email accounts to send PDF attachments containing embedded QR codes. When scanned, the QR codes redirected users through several web services before presenting a credential-harvesting page designed to steal Microsoft 365 login details.
This type of attack is often called QR code phishing or “quishing.” It is effective because the malicious link is hidden inside an image rather than placed directly in the body of the email. This can make it harder for traditional email security controls to inspect the destination URL before the message reaches a user. Microsoft has also noted that QR code phishing became a significant enough threat that Defender for Office 365 added specific URL extraction and detection improvements for QR codes.
What Happened
On 20 May 2026, Secure X identified a phishing campaign affecting multiple customers across at least three organisations. The emails were sent from compromised South African business email accounts and contained PDF attachments with QR codes. The campaign used subject lines such as “URGENT” and “DOCUMENT” to encourage users to open the attachment quickly.
The QR codes led users through a multi-stage redirect chain involving a link-wrapping or obfuscation layer, a URL shortener, and a final credential-harvesting website. In one observed case, the phishing page redirected users to a legitimate-looking public website after credentials were entered, which is a common tactic used to make victims believe nothing unusual happened.
The campaign also showed signs of anti-analysis behaviour. When tested in a sandbox environment, the phishing chain triggered evasion techniques, indicating that the attacker’s infrastructure may be able to detect automated security analysis.
Why QR Code Phishing Is Difficult to Detect
Most users are trained to be cautious of suspicious links in emails. QR code phishing changes the pattern. Instead of clicking a link on a protected corporate device, the user may scan a QR code with a mobile phone. This can move the interaction away from the organisation’s monitored email, endpoint, browser, and network controls.
CISA’s phishing guidance highlights that phishing remains a common initial access method and recommends layered controls, including user reporting, secure configuration, and rapid response processes. (CISA) MITRE classifies malicious email attachments used for initial access under T1566.001 — Spearphishing Attachment, which aligns with campaigns where attackers send weaponised or deceptive attachments to users. (MITRE ATT&CK)
In this campaign, the PDF itself was not the final destination. It was a delivery mechanism for the QR code, which then sent users through the attacker-controlled web chain.
Attack Flow
A typical attack in this campaign followed this pattern:
- A user receives an email from what appears to be a legitimate South African business contact.
- The email contains a PDF attachment with a QR code.
- The user opens the PDF and scans the QR code.
- The QR code redirects through one or more intermediary services.
- The user lands on a fake login page designed to harvest credentials.
- The attacker attempts to use the captured credentials to access the user’s account.
- Where MFA blocks access, the attacker moves on to other accounts.
Key Findings from the Campaign
Secure X observed the following:
- The same or similar PDF attachments appeared across multiple customers.
- Different compromised sender accounts were used, suggesting the attacker had access to more than one Microsoft 365 tenant.
- Some messages were successfully quarantined by Microsoft Defender for Office 365, while others were delivered without generating an alert.
- Multiple users downloaded the PDFs, but in the reviewed cases there was no evidence that most users scanned the QR codes or completed credential entry.
- In one related incident, a user scanned the QR code after receiving what appeared to be expected meeting notes from a trusted third-party contact, resulting in credential compromise.
- MFA prevented several attempted account takeovers.
- The attacker used an initial login path associated with a US-based ISP and then pivoted to South African VPN infrastructure, making the activity appear more local.
What Customers Should Watch For
Customers should treat the following as suspicious:
- Emails with short, urgent subjects such as “URGENT,” “DOCUMENT,” “Invoice,” “Statement,” or “Meeting Notes.”
- PDF attachments that contain only a QR code or minimal text.
- QR codes that request Microsoft 365, VPN, payroll, finance, or document portal credentials.
- Emails from known suppliers or partners that feel unusual in tone, timing, or format.
- Login prompts that appear after scanning a QR code from an email attachment.
- Sign-in attempts from unfamiliar ISPs, VPN providers, countries, devices, or impossible-travel patterns.
- A trusted sender does not guarantee a safe email. In this campaign, attackers used compromised legitimate business accounts to improve credibility.
NOTE: These indicators may change over time and take other forms after this article is published.
Recommended Actions for Users
- Do not scan QR codes from unexpected email attachments.
- Open shared documents through known business systems, not through QR codes in PDFs.
- Report suspicious emails to your IT or security team, especially if the email asks you to scan a QR code to view a document.
- Never enter Microsoft 365 credentials after scanning a QR code unless you are certain the destination is legitimate.
- If you scanned a suspicious QR code or entered credentials, report it immediately. Fast reporting allows security teams to revoke sessions, reset passwords, review sign-in activity, and contain the incident.
Recommended Actions for IT and Security Teams
Security teams should take the following steps:
- Block known malicious domains, sender addresses, and file hashes associated with the campaign.
- Review mailboxes for related subjects, sender addresses, file names, and attachment hashes.
- Search sign-in logs for suspicious activity following delivery of the phishing emails.
- Revoke active sessions and reset passwords for users who entered credentials.
- Confirm MFA status for affected users.
- Monitor for logins from unusual ISPs, VPN providers, foreign IPv6 addresses, and unfamiliar South African VPN infrastructure.
- Review Defender for Office 365 Safe Links, Safe Attachments, anti-phishing, and impersonation protection settings.
- Ensure QR code phishing is included in user awareness training and phishing simulations.
- Microsoft notes that Safe Links protection is designed to help protect users from malicious URLs across supported Microsoft 365 scenarios, but link wrapping, redirection, and QR-based delivery can complicate URL inspection and enforcement.
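The sign-in review steps above (search sign-in logs after delivery, monitor for unusual ISPs and VPN providers, confirm MFA status) can be worked through on exported sign-in records. The following is an added example, not Secure X tooling: the records are constructed, and the two-hour window and ZA home country are assumptions.

```python
"""Post-delivery sign-in review (added example, not Secure X tooling).
Flags successful sign-ins that switch ISP or country within a short window of the
previous one, the pattern seen here (US ISP, then South African VPN), and lists
users with failed foreign sign-ins for MFA follow-up. Records are constructed and
the window and home country are assumptions."""
from datetime import datetime, timedelta
from itertools import groupby

WINDOW = timedelta(hours=2)       # assumed review window
HOME_COUNTRY = "ZA"               # assumed

# Constructed sign-in records (not real telemetry); ts is ISO-8601 UTC.
SIGNINS = [
    {"user": "alice@example.co.za", "ts": "2026-05-20T09:02:00", "isp": "Telkom", "country": "ZA", "ok": True},
    {"user": "alice@example.co.za", "ts": "2026-05-20T10:41:00", "isp": "US Cable ISP", "country": "US", "ok": True},
    {"user": "alice@example.co.za", "ts": "2026-05-20T10:58:00", "isp": "ZA VPN Provider", "country": "ZA", "ok": True},
    {"user": "bob@example.co.za", "ts": "2026-05-20T11:10:00", "isp": "US Cable ISP", "country": "US", "ok": False},
    {"user": "carol@example.co.za", "ts": "2026-05-20T08:00:00", "isp": "Vodacom", "country": "ZA", "ok": True},
    {"user": "carol@example.co.za", "ts": "2026-05-20T17:30:00", "isp": "Vodacom", "country": "ZA", "ok": True},
]

def _ts(rec):
    return datetime.fromisoformat(rec["ts"])

def find_pivots(signins, window=WINDOW):
    """Return (user, from_isp, to_isp, minutes) for each successful sign-in whose
    ISP or country differs from the user's previous success within `window`."""
    pivots = []
    ordered = sorted(signins, key=lambda r: (r["user"], r["ts"]))
    for user, recs in groupby(ordered, key=lambda r: r["user"]):
        prev = None
        for rec in recs:
            if not rec["ok"]:            # failures are handled separately below
                continue
            if prev is not None:
                gap = _ts(rec) - _ts(prev)
                changed = rec["isp"] != prev["isp"] or rec["country"] != prev["country"]
                if changed and gap <= window:
                    pivots.append((user, prev["isp"], rec["isp"], int(gap.total_seconds() // 60)))
            prev = rec
    return pivots

def failed_foreign(signins, home=HOME_COUNTRY):
    """Users with failed sign-ins from outside the home country: confirm MFA status
    and reset credentials, since these may be MFA-blocked takeover attempts."""
    return sorted({r["user"] for r in signins if not r["ok"] and r["country"] != home})
```

Against the constructed records, alice's US-ISP sign-in followed 17 minutes later by a South African VPN sign-in is reported as a pivot, and bob appears in the failed-foreign list for MFA follow-up.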
Indicators of Compromise
The following indicators were associated with the observed campaign and should be treated as malicious or suspicious.
Domains
- mailinblack[.]com
- dub[.]sh
- coxpjrsairmemory[.]vu
File Hashes
- 6493B0548BA2178A6C0C54C3BF4BBBDD966E94731C18B6AAA5B3E76740B3305A
- 1FD8D032F99B0823231D0254C56EA3E27387F9CA9EDA83405B4923A772B7DAEB
Observed URL Chain
- hxxps[://]mibc-fr-03[.]mailinblack[.]com/securelink/?url=hxxps[://]dub[.]sh&key=<base64_token>
- hxxps[://]dub[.]sh/Q36mVk5
- hxxps[://]cloudnewworldsystemstarsoutherncaliforni[.]coxpjrsairmemory[.]vu/?v=a0d6&ref=…
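The observed chain above shows the wrapper, shortener and final-hop pattern described in the Attack Flow. The following added example (not Secure X tooling) triages such a defanged chain offline: it refangs only for local parsing, unwraps the link-wrapper's url= parameter and flags each hop lexically; the shortener list, wrapper query keys and TLD set are assumptions.

```python
"""Redirect-chain triage for defanged URLs (added example, not Secure X tooling).
Refangs only for local parsing, unwraps a link-wrapper's url= parameter, flags
shorteners and scores hops lexically; no requests are sent. The shortener list,
wrapper keys and TLD set are assumptions."""
from urllib.parse import parse_qs, unquote, urlparse

SHORTENERS = {"dub.sh", "bit.ly", "tinyurl.com", "t.co"}     # assumed
WRAPPER_KEYS = ("url", "u", "target")                       # assumed
UNCOMMON_TLDS = {"vu", "tk", "ml", "cf", "ga"}                # assumed
# Chain observed in the campaign, copied as published (defanged).
OBSERVED_CHAIN = [
    "hxxps[://]mibc-fr-03[.]mailinblack[.]com/securelink/?url=hxxps[://]dub[.]sh&key=<base64_token>",
    "hxxps[://]dub[.]sh/Q36mVk5",
    "hxxps[://]cloudnewworldsystemstarsoutherncaliforni[.]coxpjrsairmemory[.]vu/?v=a0d6&ref=…",
]

def refang(url):
    """Reverse hxxps[://]x[.]y defanging so urllib can parse the string."""
    return url.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")

def unwrap(url):
    """Return the destination carried in a link-wrapper's query string, if any."""
    qs = parse_qs(urlparse(url).query)
    for key in WRAPPER_KEYS:
        if key in qs and qs[key][0].startswith(("http://", "https://")):
            return unquote(qs[key][0])
    return None

def assess_hop(url):
    """Lexical red flags for one hop; order: shortener, long label, TLD, wrapper."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    flags = []
    if host in SHORTENERS:
        flags.append("shortener")
    if len(labels[0]) > 30:            # very long leading label, as in the final hop
        flags.append("long-subdomain")
    if labels[-1] in UNCOMMON_TLDS:
        flags.append("uncommon-tld")
    if unwrap(url):
        flags.append("link-wrapper")
    return flags

def triage_chain(defanged_chain):
    """Summarise the chain: per-host flags, unwrapped targets, overall verdict."""
    hops = [refang(u) for u in defanged_chain]
    flags = {urlparse(u).hostname: assess_hop(u) for u in hops}
    unwrapped = [urlparse(unwrap(u)).hostname for u in hops if unwrap(u)]
    return {"hops": len(hops), "flags": flags, "unwrapped": unwrapped,
            "suspicious": any(flags.values())}
```

On the published chain the wrapper hop is flagged for carrying a second URL, the middle hop as a shortener, and the final hop for its very long leading label and uncommon TLD.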
Conclusion
QR code phishing is a practical example of how attackers adapt when traditional email security improves. By hiding malicious URLs inside PDF-based QR codes and using compromised trusted senders, attackers increase the likelihood that users will interact with the message.
The strongest defence is layered: email filtering, endpoint protection, identity monitoring, MFA, user awareness, rapid reporting, and fast incident response. MFA was an important control in this campaign and successfully blocked several attempted account takeovers.
