HR Bonus-Themed QR Code Phishing Campaign Exploiting Year-End Corporate Processes
21 November 2025
- Threat Type: Credential harvesting via QR code phishing
- Brand Impersonated: DocuSign, company HR departments
- Primary Vector: Compromised email accounts sending PDF attachments with embedded QR codes
Campaign Overview
The Mimecast Threat Research team has identified an active credential harvesting campaign leveraging compromised email accounts to distribute HR-themed phishing messages impersonating DocuSign and company-specific HR departments. This campaign demonstrates operational maturity through its use of geographically distributed compromised accounts, mobile device filtering, and CAPTCHA bypass techniques to evade detection.
Timely Exploitation of Year-End Business Processes
This campaign is particularly concerning due to its strategic timing and exploitation of legitimate business workflows. As organizations enter the final quarter of the year, HR departments across industries typically initiate bonus allocation, year-end performance reviews, and benefits enrollment processes. Employees expect to receive legitimate communications about compensation, making them more susceptible to HR-themed phishing lures. The threat actors have weaponized this expectation by crafting convincing messages that align with normal year-end corporate activities. The urgency implied in subject lines such as "Let's Wrap Up the Year Right – Complete Your Bonus Form!" exploits both the time-sensitive nature of year-end processes and employees' financial interest in bonus information. This psychological manipulation significantly increases the likelihood of user interaction with malicious content.
Attack Chain
The campaign operates through a multi-stage process:
1. Initial Delivery: Emails originate from compromised accounts, primarily using sender addresses associated with legitimate services and business domains
2. Social Engineering: Messages impersonate HR communications regarding bonus forms or year-end documentation
3. PDF Attachment: The email contains a PDF attachment displaying the targeted organization's logo and HR branding to establish legitimacy
4. QR Code Redirect: The PDF contains a QR code directing users to a credential harvesting portal
5. Mobile Targeting: Some variants employ filtering to ensure connections originate from mobile devices, where security controls may be less robust
6. Credential Harvesting: Users are redirected to a fake authentication page designed to capture corporate credentials
Some of the examples identified are shown below.
Once a user scans the QR code with their mobile device, they are redirected to a human verification step that adds apparent legitimacy.
Users are then asked to enter their credentials.
Technical Infrastructure
Analysis of one variant of the campaign's backend infrastructure reveals its credential collection mechanism. The phishing pages use JavaScript-based harvesting with the following characteristics:
- Multiple submission attempts: The script allows up to three failed authentication attempts before redirecting to a legitimate Microsoft Office portal, creating the illusion of a temporary service issue
- Error handling: Implements basic validation to ensure users submit credentials before proceeding
- Data exfiltration: Captured credentials are transmitted via POST request to attacker-controlled infrastructure at https://jafaclink.net/nbm/sharethepoint/point/res.php
- Evasion techniques: Some variants implement CAPTCHA challenges specifically designed to bypass automated security scanning tools
Mimecast Protection
The Mimecast Threat Research team has developed and deployed detection rules to identify and block this campaign. We continue to monitor this threat operation for tactical evolution and infrastructure changes.
Targets
Global organizations
Indicators of Compromise (IOCs)
Recommendations
User Awareness Training:
- Educate users to verify HR- and bonus-themed requests rather than scanning QR codes
- Educate users on the risks of scanning QR codes from unexpected sources, particularly in email attachments
- Train users to exercise heightened caution when accessing work-related content on mobile devices, where security indicators may be less visible
- Conduct phishing simulations incorporating QR code scenarios
Threat Hunting:
- Search email receipt logs and URL logs for technical indicators associated with these campaigns
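The hunting step above and the exfiltration endpoint listed under Technical Infrastructure can be turned into a simple triage script. The following is an added example, not Mimecast's detection rules or any code from the campaign: it matches URL-log entries against the advisory's IOC domain and scores email-receipt records on the lure vocabulary the advisory quotes, a PDF attachment, and a QR-decoded URL. The log formats, the record fields (including a `qr_urls` field that assumes the gateway has already decoded QR codes in attachments), and all sample lines are constructed for illustration.

```python
"""Triage helpers for the HR-bonus QR-code phishing campaign.

Added example; the log layouts and record fields below are assumptions,
and every sample record is constructed, not observed data.
"""
import re
from urllib.parse import urlparse

# The one exfiltration URL named in the advisory; host-based matching
# also catches other paths on the same infrastructure.
IOC_URLS = {"https://jafaclink.net/nbm/sharethepoint/point/res.php"}
IOC_DOMAINS = {urlparse(u).hostname.lower() for u in IOC_URLS}

# Lure vocabulary from the advisory's quoted subject line and themes.
LURE_PATTERN = re.compile(r"\b(bonus|wrap up the year|year[- ]end)\b", re.I)


def ioc_match(url):
    """True if the URL's host is an IOC domain or a subdomain of one.

    Suffix-matching on '.' + domain avoids false hits on look-alike hosts
    such as 'jafaclink.net.example' that merely contain the IOC string.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def score_email(record):
    """Score one email-receipt record; returns (score, reasons).

    Assumed record fields: subject, attachments (file names), qr_urls
    (URLs decoded from QR codes in attachments by the gateway).
    """
    reasons = []
    if LURE_PATTERN.search(record.get("subject", "")):
        reasons.append("hr-bonus lure subject")
    if any(a.lower().endswith(".pdf") for a in record.get("attachments", [])):
        reasons.append("pdf attachment")
    qr_urls = record.get("qr_urls", [])
    if qr_urls:
        reasons.append("qr code in attachment")
        if any(ioc_match(u) for u in qr_urls):
            reasons.append("qr url matches ioc")
    return len(reasons), reasons


def hunt_emails(records, threshold=2):
    """Return (message_id, score, reasons) for records at or above threshold."""
    hits = []
    for rec in records:
        score, reasons = score_email(rec)
        if score >= threshold:
            hits.append((rec["id"], score, reasons))
    return hits


def parse_url_log(line):
    """Parse a constructed tab-separated 'timestamp user url user_agent' line."""
    ts, user, url, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "user": user, "url": url, "user_agent": ua}


def hunt_url_log(lines):
    """Return (user, url, is_mobile) for URL-log lines hitting IOC infrastructure.

    A hit on the res.php endpoint means a credential POST likely occurred,
    so the user is a reset candidate, not just a click.
    """
    hits = []
    for line in lines:
        rec = parse_url_log(line)
        if ioc_match(rec["url"]):
            mobile = bool(re.search(r"iPhone|Android", rec["user_agent"]))
            hits.append((rec["user"], rec["url"], mobile))
    return hits


# Constructed samples: one lure, one benign PDF, one benign mail.
SAMPLE_EMAILS = [
    {"id": "m1", "subject": "Let's Wrap Up the Year Right – Complete Your Bonus Form!",
     "attachments": ["Bonus_Form.pdf"],
     "qr_urls": ["https://jafaclink.net/nbm/sharethepoint/point/res.php"]},
    {"id": "m2", "subject": "Cafeteria menu", "attachments": ["menu.pdf"], "qr_urls": []},
    {"id": "m3", "subject": "Team meeting notes", "attachments": [], "qr_urls": []},
]
SAMPLE_URL_LOG = [
    "2025-11-21T09:01:00Z\talice\thttps://jafaclink.net/nbm/sharethepoint/point/res.php\tMozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
    "2025-11-21T09:02:00Z\tbob\thttps://www.example.com/\tMozilla/5.0 (Windows NT 10.0)",
    "2025-11-21T09:03:00Z\tcarol\thttps://jafaclink.net.example/\tMozilla/5.0 (Android 14)",
]

if __name__ == "__main__":
    print(hunt_emails(SAMPLE_EMAILS))
    print(hunt_url_log(SAMPLE_URL_LOG))
```

Two caveats for real use: because the campaign filters for mobile devices, the QR-code click itself often happens off the corporate proxy, so absence of URL-log hits does not clear a recipient; and the `qr_urls` field only exists if attachment QR codes are decoded upstream, so without that capability the email side should be scored on subject and attachment alone and the PDFs pulled for manual review.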