The malicious link in this attack was never visible to a scanner. It was encoded inside a QR code, printed into an image, embedded in a PDF, and attached to what looked like a routine quarterly invoice.
A recipient at a financial services organization received an email purporting to carry a 1Q26 invoice. The sender was a long-established investment advisory firm, a domain registered in 2009 with clean DKIM, SPF, and DMARC results by the time the message reached the recipient's inbox. The firm appears to have had its email environment compromised; the sending domain is a victim, not attacker infrastructure. The message body was sparse: "Please see the attached 1Q26 invoice." A signature block followed, complete with a Houston office address and a phone number. The PDF was the entire payload.
The attached PDF, roughly 18 KB, was image-only. No extractable text. No machine-readable URLs. From a text-based scanner's perspective, the document was blank: a raster image of a page rather than a document with parseable content. That is not an accident. Image-only documents are a deliberate construction designed to defeat the class of scanners that operate on extracted text and link enumeration.
Inside that image was a quishing payload: a qrco.de QR shortcode. The qrco.de domain is a legitimate QR code shortening service that, like any URL shortener, can be weaponized to redirect scan targets to arbitrary destinations. In this case, the shortcode qrco[.]de/GGarciaCNBC was flagged malicious by the link scanner. OCR was not available in the sandbox environment at scan time, meaning the scanner could not rasterize the PDF and decode the QR region. The malicious determination came from prior intelligence on that specific qrco.de path, not from decoding the QR in real time.
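To make the scanner's blind spot concrete, here is a small Python triage heuristic (added for this write-up; it is not IRONSCALES code or the sandbox tooling described above). It walks a PDF's object streams, counts text-showing operators, and flags a document whose pages draw only image XObjects, which is exactly what a text-extraction scanner "sees" as a blank page. The two PDFs it checks are constructed inline as xref-less stubs; real coverage would then rasterize such a page and run OCR and QR decoding, which this snippet deliberately stops short of.

```python
import re
import zlib

# Operators that paint text: BT opens a text object, Tj/TJ show strings.
TEXT_OPS = re.compile(rb"\b(?:BT|Tj|TJ)\b")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def streams(pdf: bytes):
    """Yield (object dictionary, raw stream body) for every stream in the file."""
    pos = 0
    for m in STREAM.finditer(pdf):
        header = pdf[pos:m.start()]
        header = header[max(header.rfind(b"obj"), 0):]  # dictionary of this stream's object
        pos = m.end()
        yield header, m.group(1)


def triage_pdf(pdf: bytes) -> dict:
    """Count text operators and image XObjects; flag image-only files.
    Heuristic only: inline images (BI/ID/EI) and non-Flate filters are not handled."""
    text_ops = images = 0
    for header, body in streams(pdf):
        if b"/Image" in header:
            images += 1          # raster data; never search it for operators
            continue
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue         # corrupt stream; treat as opaque
        text_ops += len(TEXT_OPS.findall(body))
    return {"text_ops": text_ops, "images": images,
            "image_only": images > 0 and text_ops == 0}


def make_pdf(page_ops: bytes, image: bool) -> bytes:
    """Constructed, xref-less PDF stub: enough structure for triage_pdf, not a valid file."""
    content = zlib.compress(page_ops)
    parts = [b"%PDF-1.4\n",
             b"1 0 obj\n<< /Type /Page /Contents 2 0 R /Resources << /XObject << /Im1 3 0 R >> >> >>\nendobj\n",
             b"2 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream\nendobj\n"]
    if image:
        pixels = b"\xff\x00\x00" * 4  # constructed 2x2 RGB raster standing in for the QR image
        parts.append(b"3 0 obj\n<< /Type /XObject /Subtype /Image /Width 2 /Height 2 /ColorSpace /DeviceRGB "
                     b"/BitsPerComponent 8 /Length %d >>\nstream\n" % len(pixels) + pixels + b"\nendstream\nendobj\n")
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# Constructed samples: a page that only draws the image, and a page with real text.
IMAGE_ONLY_PDF = make_pdf(b"q 200 0 0 100 50 50 cm /Im1 Do Q", image=True)
TEXT_PDF = make_pdf(b"BT /F1 12 Tf 72 700 Td (Invoice 1Q26) Tj ET", image=False)
```

An `image_only` verdict on a one-page invoice is the cue to route the file to rasterization plus OCR/QR decoding rather than treat "no URLs found" as clean.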
MITRE ATT&CK T1566.001 covers spearphishing via attachment. The attachment here was not a macro-bearing Office document or a PDF with an /OpenAction trigger. It was an image embedding a QR code, a mechanism that routes the actual threat delivery to a mobile device camera rather than a desktop link click. T1204.002 (user execution: malicious file) applies when the victim scans the QR code; at that point, the phone's default browser opens the shortcode destination, entirely outside the corporate email security perimeter. T1036 (masquerading) covers the invoice pretext that makes the attachment look like a legitimate business document.
The relay path included us2.smtp.exclaimer.net, an Exclaimer email signature management relay. Exclaimer rewrites outbound messages to append standardized corporate signatures, and that rewrite can alter the message envelope in ways that cause intermediate authentication checks to record an SPF permerror and a DMARC fail at that hop. Those are exactly the results seen in the intermediate X-MS-Exchange-Authentication-Results header.
The downstream authentication picture is different. ARC sealing preserved the upstream authentication chain, DKIM passed against the sending domain's selector, and the final Authentication-Results recorded SPF pass, DKIM pass, and DMARC pass. The intermediate errors are Exclaimer's expected side effect, not evidence of spoofing.
This matters because defenders monitoring authentication failures in mail flow logs may see those intermediate results and either dismiss them as noise (correct in isolation) or conclude that the message is clean because the final result passed (wrong, when the attachment carries a QR payload). Authentication tells you about the message envelope's integrity. It tells you nothing about a QR shortcode printed into a rasterized PDF page.
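The header reading above can be automated. The Python below is an added example (not the vendor's analysis tooling) that parses every Authentication-Results-style header on a constructed message whose hop sequence mirrors this case: a final `Authentication-Results` that passes, an ARC seal that passes, and an intermediate `X-MS-Exchange-Authentication-Results` recording `spf=permerror` and `dmarc=fail`. It separates the final verdict from intermediate-hop noise and then lists the PDF attachments that the verdict says nothing about. All domains, IPs and filenames are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default

AUTH_HEADERS = ("Authentication-Results", "ARC-Authentication-Results",
                "X-MS-Exchange-Authentication-Results")
METHODS = {"spf", "dkim", "dmarc", "arc", "compauth"}
CLAUSE = re.compile(r"^(\w+)=(\w+)")   # method=result at the start of each ';' clause

# Constructed message: headers are newest-hop-first, so the final verdict is on top and
# the Microsoft hop that recorded permerror/fail behind the signature relay sits below it.
RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=advisory.example; dkim=pass header.d=advisory.example; dmarc=pass action=none
ARC-Authentication-Results: i=1; mx.example.net; spf=pass smtp.mailfrom=advisory.example; dkim=pass header.d=advisory.example; dmarc=pass
X-MS-Exchange-Authentication-Results: spf=permerror (sender IP is 203.0.113.10) smtp.mailfrom=advisory.example; dkim=pass (signature was verified) header.d=advisory.example; dmarc=fail action=none
Subject: 1Q26 invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 constructed stub, no real content
--b1--
"""


def parse_results(value: str) -> dict:
    """Map method -> result for one Authentication-Results-style header value."""
    out = {}
    for clause in value.split(";"):
        m = CLAUSE.match(clause.strip())
        if m and m.group(1).lower() in METHODS:   # skips authserv-id and ARC's i=N
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def assess(raw: str) -> dict:
    """Separate the final verdict from intermediate-hop noise and list what it leaves uncovered."""
    msg = message_from_string(raw, policy=default)
    hops = [(name, parse_results(str(value))) for name, value in msg.items()
            if name in AUTH_HEADERS]
    final = next((r for n, r in hops if n == "Authentication-Results"), {})
    noisy = [n for n, r in hops if n != "Authentication-Results"
             and any(v not in ("pass", "none") for v in r.values())]
    pdfs = [p.get_filename() for p in msg.walk() if p.get_content_type() == "application/pdf"]
    return {"final": final, "intermediate_with_failures": noisy,
            "pdf_attachments": pdfs,
            # A clean final verdict vouches for envelope and signature, not attachment content.
            "needs_content_analysis": bool(pdfs)}
```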
The analysis flagged one phone number discrepancy in the signature block. The number in the email differed slightly from the number listed on the firm's public contact page. Small contact-data mismatches like this are a recurring signature of phishing kits assembled from older template data or automated mail merges that pull stale records. The discrepancy alone is not decisive, but paired with an image-only PDF and a malicious QR shortcode, it is consistent with a compromised account being used to distribute a pre-built lure.
The image-based phishing technique has expanded beyond simple screenshot emails to encompass rendered PDFs, embedded images in HTML bodies, and now QR-bearing document attachments. In each variant, the attacker's goal is the same: present a visually convincing artifact while ensuring there is no text-layer representation of the malicious element for scanners to process.
Defending against this requires detection that operates at the image and document rendering layer, not just text extraction. IRONSCALES detects behavioral signals including first-time external sender patterns, mismatches between signature data and public records, and attachment-type anomalies that deviate from an organization's communication baselines. The platform's Adaptive AI also flags the combination of a sparse email body with a heavyweight attachment from an unverified sender relationship as a risk signal independent of any URL verdict.
Invoice fraud attempts using compromised legitimate sending domains are particularly difficult to block at the gateway level. The sending domain passes authentication, the body contains no alarming text, and the attachment's malicious payload is invisible to text-based analysis. Behavioral and image-layer analysis closes that gap.
| Type | Indicator | Context |
|---|---|---|
| Malicious QR shortcode | qrco[.]de/GGarciaCNBC | Embedded in image-only PDF; flagged malicious; destination not resolved at scan time |
| Attachment | DOC_2026040517112627.pdf (~18 KB) | Image-only PDF; no extractable text; contains QR shortcode; upstream scanner verdict: clean |
| Relay | us2.smtp[.]exclaimer[.]net (104.209.35.28) | Legitimate Exclaimer signature management relay; creates transient SPF/DMARC errors at intermediate hop |
| Sender domain | Long-established investment advisory domain (name withheld; victim) | Registered 2009; DKIM pass; SPF pass; DMARC pass at final hop; appears compromised |
| Attachment (secondary) | 285951f7-7152-496d-a841-0a112dd2e147.jpg | MIME/extension mismatch (filename .jpg, declared image/png); marketing badges; no payload |