
The MSP Security Gap
The QR code was yours. The sticker wasn’t.
The scenario:
Someone stuck a QR code on the Wi-Fi instructions in the meeting room. It looked official. The same logo. The same font.
Visitors and employees scanned it without thinking. It redirected to a credential-harvesting page that looked identical to the company’s SSO portal. 14 people entered their credentials in the first week. Nobody reported it because nobody thought twice about scanning a QR code at work.
The attack:
STAGE 1: PHYSICAL ACCESS
Attacker enters the office building during business hours (no visitor badge required in the lobby).
Places professional-looking QR code stickers over existing codes in meeting rooms and common areas.
Stickers match the company’s branding. They look intentional.
STAGE 2: CREDENTIAL HARVESTING
QR codes link to a cloned SSO login page hosted on a lookalike domain.
Page requests email and password for "Wi-Fi registration" or "guest network access."
14 employees and 3 visitors enter credentials in the first 5 days.
Credentials are captured and sent to the attacker’s server in real time.
STAGE 3: ACCOUNT COMPROMISE
Attacker tests harvested credentials against Microsoft 365.
7 of the 14 passwords work (the corporate SSO password was reused for M365).
3 accounts have no MFA enabled.
Full access to email, SharePoint, and OneDrive for those 3 accounts.
STAGE 4: DATA THEFT
Attacker downloads financial documents, client lists, and internal presentations.
Sets up forwarding rules on one executive’s mailbox.
Uses harvested contacts to launch targeted phishing against clients.
Attack discovered 3 weeks later during a physical security walkthrough.
What stopped it:
A facilities manager noticed a QR sticker that didn’t match the company’s standard print supplier. A security review confirmed the stickers were fraudulent and triggered a password reset across all affected accounts.
How to defend against it:
Audit physical QR codes in your offices quarterly
Print QR codes directly on materials, not as removable stickers
Register and whitelist approved domains for any QR code destinations
Train staff: treat QR codes with the same suspicion as email links
Enforce MFA on all accounts (the 3 compromised accounts had no MFA)
Monitor for SSO domain lookalikes registered against your brand
Implement visitor management that controls physical access to internal areas
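One way to turn the "whitelist approved domains" and "monitor for SSO lookalikes" items above into a check you can run after a walkthrough, as an added example (not code from the original article): it assumes the QR stickers have already been decoded into URLs, and every domain name and brand string below is a constructed placeholder.

```python
"""Audit decoded QR-code destinations against an allowlist and flag SSO
lookalike domains.  Added example; the domains below are constructed."""
from urllib.parse import urlsplit

# Constructed values: destinations the company actually prints on QR codes,
# and the brand strings an impostor domain would most likely reuse.
APPROVED_DOMAINS = {"sso.example-corp.com", "wifi.example-corp.com"}
BRAND_TOKENS = ("example-corp", "examplecorp")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch typo-squats such as exanple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (login.example-corp.com -> example-corp.com).
    Assumption: no multi-label public suffixes such as co.uk are in scope."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str) -> str:
    """Verdict for one decoded QR destination:
    approved  - exact allowlisted host
    unlisted  - company domain, but a host nobody registered as a QR target
    lookalike - brand name or near-miss spelling on a domain we do not own
    unknown   - unrelated domain; still needs a human look"""
    host = (urlsplit(url).hostname or "").lower()
    if host in APPROVED_DOMAINS:
        return "approved"
    approved_reg = {registrable(d) for d in APPROVED_DOMAINS}
    reg = registrable(host)
    if reg in approved_reg:
        return "unlisted"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    # Two edits is generous for short domains; tune the threshold per brand.
    if any(edit_distance(reg, a) <= 2 for a in approved_reg):
        return "lookalike"
    return "unknown"


def audit(decoded_urls):
    """Return (url, verdict) pairs, flagged ones first, for the walkthrough report."""
    rows = [(u, classify(u)) for u in decoded_urls]
    return sorted(rows, key=lambda r: r[1] == "approved")
```

Anything that comes back as "lookalike" or "unknown" is a sticker to peel off and a domain to hand to whoever handles brand-abuse takedowns.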
-
Nobody questions a QR code on a wall. That’s what made it work.
Walk through your office today. Check every QR code you see.