Kaspersky Flags Advanced HR-Themed Credential Attack

A new phishing campaign uncovered by Kaspersky has raised the bar for social engineering attacks. Disguised as legitimate HR policy updates, the campaign targeted employees with highly customized emails that included the recipient’s name, job role, and a personalized PDF attachment. The aim was to steal corporate email credentials by directing victims to a fraudulent login page.

The deceptive emails appeared to come from verified senders and used familiar language about remote work policies and benefits revisions. However, the entire email body was a single embedded image, which makes it hard for traditional email filters to detect the malicious content. The attached PDF, labeled “Employee Handbook,” included customized content and a QR code directing users to a phishing site.

The attackers exploited psychological cues such as urgency, personal relevance, and official formatting to increase trust and prompt user action. According to Kaspersky researchers, this level of individualized document creation indicates the use of automated tools capable of scaling personalized attacks across organizations.

Embedded QR codes and image-based emails bypass filters

What makes this phishing campaign particularly dangerous is its multi-layered evasion strategy. The PDF attachment included a table of contents listing sections that had supposedly been revised, a dedicated greeting for the employee, and a final page containing a QR code that led to a credential-stealing site.

The QR code trick allowed attackers to bypass traditional endpoint protection, which often scans email links but not embedded QR codes. Victims who scanned the code with their phones were taken to a spoofed corporate login page, prompting them to enter their credentials.

Since the QR code did not directly appear in the email, the phishing payload successfully avoided standard security scans.

Experts urge new protections beyond traditional detection

Kaspersky’s security team warns that this campaign reflects a new phase in phishing evolution, one that blends automation with deep personalization. The attackers likely used scraped employee directories and data enrichment techniques to create documents tailored to each recipient.

To counter this, experts recommend deploying email gateway protections that can scan attachments and embedded media, alongside advanced training programs to help employees spot subtle cues of deception. Image-based email content, personalized documents, and QR code redirects are now part of the phishing playbook, and organizations must adapt accordingly.
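One gateway-side check that follows from this recommendation, written as an added example (not Kaspersky's code or the article's): flag messages whose body is effectively image-only and that also carry a PDF attachment, the combination this campaign used. The sender, recipient and PDF bytes below are constructed placeholders; the 40-character text threshold is an assumed tuning value.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

class _HtmlStats(HTMLParser):
    """Counts readable characters and <img> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.chars, self.images = 0, 0
    def handle_data(self, data):
        self.chars += len(data.strip())
    def handle_starttag(self, tag, attrs):
        self.images += tag == "img"

def analyze(raw: bytes, min_text_chars: int = 40) -> dict:
    """Flag messages whose body is (almost) only images and that carry a PDF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars, images, pdfs = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_attachment():
            if ctype == "application/pdf" or (part.get_filename() or "").lower().endswith(".pdf"):
                pdfs.append(part.get_filename())
            continue
        if ctype == "text/html":
            stats = _HtmlStats()
            stats.feed(part.get_content())
            text_chars += stats.chars
            images += stats.images
        elif ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif part.get_content_maintype() == "image":  # inline image part
            images += 1
    image_only = images > 0 and text_chars < min_text_chars
    return {"image_only_body": image_only, "pdf_attachments": pdfs,
            "suspicious": image_only and bool(pdfs)}

def build_sample(body_html: str) -> bytes:
    """Constructed test message (hypothetical addresses) with a PDF attached."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "hr@example.com", "employee@example.com"
    msg["Subject"] = "Updated remote work policy"
    msg.set_content(body_html, subtype="html")
    msg.add_attachment(b"%PDF-1.4 placeholder bytes, not a real document",
                       maintype="application", subtype="pdf",
                       filename="Employee Handbook.pdf")
    return msg.as_bytes()
```

A flagged message would then go to a queue where the PDF is rendered and any QR code decoded and its URL checked, which this snippet does not do.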
