QR code phishing has ramped back up after tapering off during the final weeks of 2024. QR code attacks have been popular over the last several years because they help attackers avoid business security solutions and move targets from protected environments to their own personal devices, where security controls may be lacking. However, some recent attacks went the extra mile and added personalization in the hopes of tricking the recipient into believing the message was a valid internal communication from their own HR team.
These attackers are constantly innovating, and in this campaign they went as far as scraping recipients' profile pictures from LinkedIn and inserting them into the message and the attached PDF to lend credibility to the attack. This campaign uses an employee benefits theme, which is common in QR code phishing attacks, and spoofs “Admin HR” and the recipient’s domain in the filename. To further entice the user, the message promises that a bonus distribution has been made for the targeted employee.

The PDF, shown below, prompts the user to scan the embedded QR code regarding employee benefits, and it includes the same photo of the employee.

When scanned, the QR code leads to a Microsoft Office 365-themed login page that prefills the user's email address.
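The two personalization traits described above (an attachment name carrying "HR" plus the recipient's domain, and a landing page that already knows the recipient's address) can be checked at the mail gateway. The following is an added example, not code from the original report. It assumes the QR code has already been decoded to a URL by an upstream scanner and that the address is carried in that URL, plainly or base64-encoded, which the report does not specify; the message fields and function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Base64-looking runs; '/' is left out so URL path separators split tokens.
TOKEN = re.compile(r"[A-Za-z0-9_+-]{8,}")

def recipient_in_url(url, recipient):
    """Return 'plain', 'base64' or None for how the recipient address appears in url."""
    target = recipient.lower()
    decoded = unquote(url)  # turns %40 back into '@'
    if target in decoded.lower():
        return "plain"
    for token in TOKEN.findall(decoded):
        padded = token.replace("-", "+").replace("_", "/")
        padded += "=" * (-len(padded) % 4)  # restore stripped padding
        try:
            text = base64.b64decode(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore this token
        if target in text.lower():
            return "base64"
    return None

def filename_is_personalised(filename, recipient):
    """True when an attachment name carries the recipient's domain and an HR label."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    name = filename.lower()
    has_domain = domain in name or domain.split(".")[0] in name
    return has_domain and re.search(r"(?<![a-z])hr(?![a-z])", name) is not None

def triage(message):
    """Collect the indicators present in one parsed message (hypothetical dict layout)."""
    findings = []
    if filename_is_personalised(message["attachment"], message["recipient"]):
        findings.append("attachment name spoofs HR and recipient domain")
    how = recipient_in_url(message["qr_url"], message["recipient"])
    if how:
        findings.append(f"QR URL carries recipient address ({how})")
    return findings

# Constructed sample using reserved example domains, not data from the campaign.
_RCPT = "j.doe@example.com"
SAMPLE = {
    "recipient": _RCPT,
    "attachment": "Admin HR - example.com Benefits.pdf",
    "qr_url": "https://login.example.net/auth#"
              + base64.urlsafe_b64encode(_RCPT.encode()).decode(),
}
```

Either finding alone is a weak signal; together, on a message that arrives from outside the organization, they are a reasonable basis for quarantine and review.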
