Nothing spectacular here
Two of these attacks were empty messages containing a branded PDF.
The PDFs contained very appreciative messages:
Examples:
"We are pleased to inform you that, effective 01 January 2026, your base salary will be adjusted. This adjustment recognizes your valuable contributions to the company and reflects our commitment to maintaining fair, market-aligned compensation."
"Thank you for your hard work and continued commitment. Your dedication has not gone unnoticed, and as a reflection of your contributions, we’re pleased to acknowledge this with a salary increment. Your efforts truly make a difference, and we’re excited to move forward into a new month with fresh goals, continued teamwork, and shared success"
Sidenote: I think many HR departments could learn from the wording used.
Follow by the instructions to review this through the include QR code and to keep the message confidential.
Sidenote: Secrecy is a common technic used by attackers to increase the success rate. A review by a second pair of eyes would improve the chance to encounter a "Wait, this looks too good to be true" revelation.
The QR code was split into two images to hide it from content filters. They would need to stich the images correctly before they could detect the URL hidden in the QR code
The green bar stating that "E-mail was scanned by mail security and is believed to be clean." is also a nice psychological touch. What could possibly go wrong if the email was checked by security 😬
![Screenshot of a PDF
Green Bar: E-mail was scanned by mail security and is believed to be clean.
Please Scan the QR code to review
[Obfuscated QR Code]
Dear XXX,
We are pleased to inform you that, effective 01 January 2026, your base salary will be adjusted. This adjustment recognizes your valuable contributions to the company and reflects our commitment to maintaining fair, market-aligned compensation.
To review the details of your updated salary, please scan the QR code provided.
Confidentiality Notice: This information is strictly confidential and must not be disclosed or discussed with colleagues or external parties.
Thank you for your continued dedication and excellent work.
This notice serves as confirmation of our agreement moving forward.
We look forward to achieving new goals together with the same spirit of collaboration and commitment that has always defined our partnership.
Best regards,](https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/707/115/618/500/719/original/33f2b19970c6b2dc.png)
![An image looking like a docusign request
You have a pending document that requires your signature
ACCESS PENDING DOCUMENT
[obfuscated]
2025 Q4 payments, End of the year bonus and Employee benefit agreement.
All parties need to complete with DocuSign: Payment application & approval process.pdf
To review and electronically sign the payment document, proceed to click on "ACCESS PENDING DOCUMENT" and use the secured link to append your signature.
Powered by docusign
Do Not Share This Email
This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others.
Alternate Signing Method
Visit DocuSign.com, click 'Access Documents', and enter the security code:
312D20FE4FDA4639ADE2D47F39BD4EED4
About Docu Sign
Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- DocuSign provides a professional trusted solution for Digital Transaction Management™.
...](https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/707/295/247/585/379/original/0f7b9241461a93ce.png)
