The PDF was titled "_Agreement_Project2026.pdf" and the subject line addressed the recipient's organization by name. It looked like a routine contract ready for electronic signature. Open the file, scan the QR code, sign the agreement. Simple.
Except the QR code already contained the recipient's email address, encoded in base64 and embedded in the URL fragment. Before the target ever opened the attachment, the phishing page was pre-loaded with their identity. That is not how legitimate e-signature platforms work.
This attack is a textbook example of why QR code phishing (quishing) continues to evade traditional email security. There are no clickable links in the email body. No embedded forms in the PDF. No JavaScript. The entire payload lives inside a single image, invisible to any scanner that only reads text.
The email arrived from Javier@concretejsl[.]com, a domain registered through GoDaddy on November 19, 2024. The domain's WHOIS record was sparse (privacy-protected with no public registrant details), a common pattern for domains created specifically for phishing campaigns. According to the FBI IC3 Internet Crime Report, BEC and related contract fraud schemes accounted for over $2.9 billion in reported losses in 2024 alone.
The subject line used the recipient's company name directly: "Completed: Please sign your requested Agreement ID-Ny2xjvrNqj9uQJr9cThi." The random-looking agreement ID adds a veneer of legitimacy. It mimics the format that real document-signing platforms use to track contracts.
The email body itself was minimal. The PDF attachment did the heavy lifting, instructing the recipient to "scan the QR code provided" to review and sign the agreement.
Decoding the QR code revealed this URL:
hxxps://werkmastercom[.]userfocusedtech[.]de/yskuH/#Y3dpbHNvbkBpcm9uc2NhbGVzLmNvbQ==
The fragment after the # is a base64-encoded string. Decoded, it resolves to the recipient's exact email address. This means the landing page's client-side script can read the victim's identity out of the URL fragment the moment they scan the code. The credential harvesting page can then pre-populate the email field, making the fake login form look like a natural continuation of the "contract signing" workflow.
This technique is significant for two reasons. First, URL fragments (everything after #) are not transmitted to the server in HTTP requests, which means proxy-based URL scanners inspecting server-side traffic may never see the encoded email. Second, the personalization makes the phishing page dramatically more convincing. According to the Verizon 2024 Data Breach Investigations Report, social engineering attacks that incorporate personal details have meaningfully higher success rates than generic campaigns.
The landing domain, userfocusedtech[.]de, sat behind Cloudflare nameservers, obscuring the true origin infrastructure. The subdomain pattern (werkmastercom.userfocusedtech[.]de) and short path (/yskuH/) are consistent with campaign-tracking structures commonly used in phishing kits.
The sending infrastructure told a clear story. The message originated from IP 104[.]168[.]56[.]196, an address allocated to ColoCrossing, a hosting provider in Buffalo, New York. This is not a legitimate mail server or known email security gateway.
SPF failed at the initial hop. The domain concretejsl[.]com does not authorize 104[.]168[.]56[.]196 as a permitted sender. However, after the message was injected into Microsoft's Exchange Online Protection pipeline, a subsequent SPF check against the Outlook protection relay passed. That pass reflects Microsoft's own infrastructure re-sending the message internally. It does not validate the original sender.
DMARC returned "bestguesspass" because the domain had no published DMARC record. DKIM was absent entirely. In other words, every authentication mechanism that could have flagged this message either failed or was not configured. According to the Microsoft Digital Defense Report 2024, email authentication gaps remain one of the most exploited weaknesses in enterprise email security.
The PDF contained no AcroForm fields, no JavaScript, and no embedded executables. A static file analysis would have found nothing actionable. The malicious content exists only as a rendered QR code image within the PDF, which requires image analysis or QR code decoding to identify.
This is the core evasion technique behind modern quishing campaigns. Legacy Secure Email Gateways (SEGs) parse text, scan embedded URLs, and evaluate attachment metadata. A QR code bypasses all three because the URL never appears as text. According to CISA guidance on phishing, organizations should treat image-based payloads with the same scrutiny as traditional link-based attacks.
Themis flagged the attachment as malicious with a risk score of 0.88 and a confidence rating of 0.90. The message was quarantined across all affected mailboxes within seconds of delivery, before anyone had a chance to open the PDF, let alone scan the QR code. The combination of first-time sender signals, SPF failure at the origin IP, and image-based payload analysis enabled detection where text-based scanning could not.
What makes this attack particularly concerning is how easily it scales. The base64 fragment is trivially customizable. An attacker with a list of email addresses can generate thousands of unique QR codes, each pre-loaded with the target's identity, and embed them in identical-looking PDF attachments. Every recipient gets a "personalized" contract that feels like it was meant specifically for them.
This maps to MITRE ATT&CK T1566.001 (Spearphishing Attachment) for the delivery mechanism and T1204.002 (User Execution: Malicious File) for the required user interaction (scanning the QR code). The masquerading technique T1036.005 also applies: the PDF file name ("_Agreement_Project2026.pdf") mimics a legitimate business document.
Security teams reviewing their credential harvesting defenses should ask a simple question: can your email security stack decode a QR code inside a PDF attachment? If the answer is no, every employee with a phone camera is a potential victim. According to IBM's 2024 Cost of a Data Breach Report, stolen credentials remain the most common initial attack vector, with an average breach cost of $4.88 million.
| Type | Indicator | Context |
|---|---|---|
| Domain | concretejsl[.]com | Sender domain (registered 2024-11-19, GoDaddy) |
| IP | 104[.]168[.]56[.]196 | Sending IP (ColoCrossing, Buffalo, NY) |
| URL | hxxps://werkmastercom[.]userfocusedtech[.]de/yskuH/#[base64-redacted] | QR code destination (credential harvesting) |
| Domain | userfocusedtech[.]de | Landing page domain (Cloudflare nameservers) |
| Hash (MD5) | 4c61313575a456669695711353bb03f5 | Malicious PDF attachment |
| Filename | _Agreement_Project2026.pdf | Attachment filename |