
Cybercriminals Use Malicious PDFs to Impersonate Microsoft, DocuSign, and Dropbox in Targeted Phishing Attacks

Cisco’s Talos security team has uncovered a surge in sophisticated phishing campaigns leveraging malicious PDF payloads to impersonate trusted brands like Microsoft, DocuSign, and Dropbox.

According to a recent update to Cisco’s brand impersonation detection engine, these attacks have expanded in scope, targeting a broader array of well-known organizations with deceptive emails designed to exploit user trust.

The PDFs, often disguised as legitimate documents, embed brand logos, QR codes, and hyperlinks to trick recipients into divulging sensitive information or engaging with attackers directly.

Sophisticated Brand Impersonation Tactics on the Rise

Talos data revealed Microsoft and DocuSign as the most frequently impersonated brands in phishing emails with PDF attachments, while NortonLifeLock, PayPal, and Geek Squad topped the list for Telephone-Oriented Attack Delivery (TOAD) scams.

A particularly alarming trend highlighted by Talos is the use of TOAD, also known as callback phishing, where victims are lured into calling adversary-controlled phone numbers listed within PDF attachments.

Unlike traditional phishing that relies on fake websites, TOAD exploits the perceived security of voice communication.

Attackers, often using Voice over Internet Protocol (VoIP) numbers for anonymity, pose as legitimate representatives to manipulate victims into sharing confidential data or installing malware.

QR Code Deception

Talos noted instances of phone number reuse across consecutive days, likely due to slower intelligence-sharing on such indicators of compromise (IOCs) and logistical benefits for scammers.

Additionally, QR code phishing has emerged as a potent vector, with malicious codes embedded in PDFs redirecting users to phishing pages often protected by CAPTCHA mechanisms.

Figure: A QR code phishing email impersonating the Microsoft brand.

These PDFs evade detection by embedding content within annotations or hidden layers, bypassing email filters that lack optical character recognition (OCR) capabilities.

Talos also identified abuse of platforms like Adobe’s e-signature service, where entire malicious PDFs impersonating brands like PayPal are uploaded and sent directly to victims.

Such tactics exploit the inherent trust in widely used tools, amplifying the attack’s effectiveness.

The phishing campaigns often rely on strategic timing, for example subject lines like “Paycheck Increment” sent during promotion seasons, and craft emails with embedded logos or hyperlinks leading to counterfeit pages that mimic services like Dropbox.

Figure: Phishing page impersonating the Dropbox download page.

The multi-layered nature of PDFs, including text, image, and structural components like annotations, allows attackers to hide malicious URLs or add irrelevant “noise” to evade spam filters.

Talos observed cases where QR codes link to legitimate pages to build trust, while annotations secretly direct to phishing sites, often obscured by URL shorteners.
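As an added illustration of the annotation trick described above (example code written for this page, not from Talos or the article), the following Python scan compares where a PDF's link annotations actually point with the URLs a reader sees in the page text, and flags targets whose host never appears visibly or that go through a URL shortener. The sample PDF bytes and the shortener list are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed sample (not a real campaign file): an uncompressed one-page PDF whose
# visible text shows one URL while the Link annotation's /URI action points elsewhere.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 64 >>
stream
BT /F1 12 Tf 72 700 Td (Sign in at https://login.example.com/) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 712]
  /A << /S /URI /URI (https://short.example/abc123) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SHORTENER_HOSTS = {"short.example", "bit.ly", "tinyurl.com", "t.co"}  # illustrative list
URI_ACTION = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)  # /URI (...) in an action dict
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
VISIBLE_URL = re.compile(rb"https?://[^\s()<>\[\]]+")

def annotation_uris(pdf: bytes) -> list[str]:
    """Targets of /URI actions: where a click on a link annotation really goes.
    Raw-object heuristic: inflate compressed object streams first, and decode QR
    images separately (the OCR gap the article describes)."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(pdf)]

def visible_urls(pdf: bytes) -> list[str]:
    """URLs written as text in content streams: what the recipient actually reads."""
    return [u.decode("latin-1") for s in STREAM.finditer(pdf)
            for u in VISIBLE_URL.findall(s.group(1))]

def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def flag_mismatches(pdf: bytes) -> list[tuple[str, list[str]]]:
    """Flag link targets hidden from the visible text or routed via a shortener."""
    shown = {host(u) for u in visible_urls(pdf)}
    findings = []
    for uri in annotation_uris(pdf):
        reasons = []
        if host(uri) not in shown:
            reasons.append("target host not shown in visible text")
        if host(uri) in SHORTENER_HOSTS:
            reasons.append("URL shortener")
        if reasons:
            findings.append((uri, reasons))
    return findings
```

A mismatch is a triage signal rather than a verdict: legitimate PDFs also use shorteners, so a flagged file should go to the sandbox or analyst queue, not straight to quarantine.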

Cisco’s ongoing efforts to enhance its detection engine aim to counter these evolving threats by expanding coverage and collecting intelligence on phone numbers as IOCs.

As cybercriminals refine their social engineering techniques, exploiting both technical vulnerabilities and human psychology, organizations and individuals must remain vigilant.

The intersection of brand impersonation, TOAD, and QR code phishing within PDF payloads underscores the need for robust email security solutions and user awareness to mitigate these pervasive and deceptive cyber threats.
