Inside the PDF Trap: QR Codes, Callback Phishing, and Brand Impersonation Unmasked


Between May and June 2025, Cisco Talos and Malwarebytes Labs observed a significant surge in the abuse of PDF files as phishing payloads, particularly in brand impersonation, QR code phishing, and callback phishing (TOAD, telephone-oriented attack delivery) campaigns. These campaigns pose a direct threat to small and medium-sized businesses, where brand trust and urgency are often exploited without rigorous vetting.

Severity Level: High

Threat Details

  • PDF Payloads: Adversaries deliver emails with PDF attachments impersonating trusted brands. These documents may include logos, QR codes, VoIP callback instructions, or embedded phishing links.
  • QR Code Phishing: Embedded QR codes within PDF attachments direct users to phishing sites. These sites often simulate login portals (e.g., Microsoft, DocuSign, Dropbox) and may include CAPTCHA protection to evade bots and scanning engines.
  • Callback Phishing (TOAD): PDFs include messages prompting the recipient to call a VoIP number under the pretense of resolving an issue (e.g., subscription confirmation or fraud alert). Once called, the attacker performs live social engineering to steal credentials or push malware.
  • Annotation Abuse in PDFs: Attackers embed malicious URLs inside invisible or hard-to-detect PDF components like text annotations, sticky notes, comments, or hidden form fields, bypassing basic static scanning.
  • Credential Theft: The phishing pages trick users into entering corporate or personal credentials.
  • Malware Deployment: In callback cases, attackers convince victims to install remote access tools or fake “security” software.
  • VoIP Numbers: Numbers such as +1-818-675-1874 are reused for multiple days to impersonate brands like Geek Squad (Best Buy), McAfee, and PayPal. They are difficult to trace because of anonymized provisioning.
  • Deception Techniques:
    • Legitimate brand logos
    • Urgent messages (“You’ve been charged”, “Payroll update”, etc.)
    • Fake HR or invoice content
    • Embedded phone numbers and QR codes
  • Regions Targeted: Global (based on wide brand usage)
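The annotation-abuse technique above hides URLs where a reader and a naive scanner do not look. As an added example (not code from the advisory or from Talos/Malwarebytes), the following Python scanner walks the raw objects of a PDF and reports URLs carried by annotations, flagging those marked Hidden via the /F flag, those with a zero-area /Rect, and those placed in sticky-note text rather than a visible link. The embedded PDF is a constructed sample; all domains in it are placeholders.

```python
import re

# Constructed sample, not a capture from the campaigns: a visible link, a hidden zero-area link, and note text carrying a URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 100 30] /A << /S /URI /URI (https://example.com/invoice) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 0 0] /F 2 /A << /S /URI /URI (http://login-portal.example/verify) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Text /Rect [5 5 25 25] /Contents (Call support or visit http://support-update.example/account) >> endobj
trailer << /Root 1 0 R >>
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)   # one indirect object at a time
ANNOT_RE = re.compile(rb"/Type\s*/Annot\b")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
FLAGS_RE = re.compile(rb"/F\s+(\d+)")                           # annotation flag word
RECT_RE = re.compile(rb"/Rect\s*\[([^\]]*)\]")
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)                 # /A << /S /URI /URI (...) >>
CONTENTS_RE = re.compile(rb"/Contents\s*\((.*?)\)", re.S)       # sticky-note / comment text
TEXT_URL_RE = re.compile(rb"https?://[^\s)]+")
HIDDEN_FLAG = 2  # bit position 2 of the annotation flags (PDF 32000-1, Table 165)

def extract_annotation_urls(pdf_bytes):
    """One record per URL found in an annotation, with the traits that keep it out of sight."""
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        obj_num, body = int(m.group(1)), m.group(2)
        if not ANNOT_RE.search(body):
            continue
        subtype = SUBTYPE_RE.search(body)
        subtype = subtype.group(1).decode() if subtype else "?"
        flags = FLAGS_RE.search(body)
        hidden = bool(int(flags.group(1)) & HIDDEN_FLAG) if flags else False
        rect = RECT_RE.search(body)
        nums = [float(x) for x in rect.group(1).split()] if rect else []
        zero_area = len(nums) == 4 and (nums[2] - nums[0]) * (nums[3] - nums[1]) == 0
        urls = [u.decode() for u in URI_RE.findall(body)]
        for text in CONTENTS_RE.findall(body):           # URLs written into note text, not link actions
            urls += [u.decode() for u in TEXT_URL_RE.findall(text)]
        for url in urls:
            findings.append({"obj": obj_num, "subtype": subtype, "hidden": hidden,
                             "zero_area": zero_area, "url": url})
    return findings

def suspicious_urls(pdf_bytes):
    """URLs the reader is not meant to notice: hidden or zero-size links, or URLs tucked into note text."""
    return [f["url"] for f in extract_annotation_urls(pdf_bytes)
            if f["hidden"] or f["zero_area"] or f["subtype"] != "Link"]
```

Real mail-gateway scanning should decompress object streams first (compressed PDFs hide these dictionaries inside FlateDecode streams), which this regex pass does not do.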

Brands Most Frequently Impersonated

| Brand | Abuse Type |
|---|---|
| Microsoft | QR phishing, annotation abuse |
| DocuSign | QR phishing |
| PayPal | TOAD + Adobe e-sign abuse |
| NortonLifeLock | TOAD |
| Geek Squad | TOAD via VoIP phone numbers |
| Adobe | Multiple abuse patterns |
| Dropbox | Landing page impersonation |

Recommendations:

  1. Educate users not to scan QR codes from unsolicited PDF emails or flyers.
  2. Warn users against calling support numbers in unsolicited messages.
  3. Incorporate OCR-based scanning of PDF attachments to detect embedded phishing text.
  4. Enforce brand impersonation detection engines for all inbound attachments.
  5. Prohibit execution of PDF attachments from unknown senders unless verified.
  6. Implement browser policies that warn or block shortened URLs or redirect chains often used in QR scams.
  7. Monitor for suspicious behavior post-PDF open (e.g., connection to unusual domains).
  8. Use DLP tools to detect misuse of document signing or document delivery platforms.

MITRE ATT&CK

| Tactic | Technique | ID | Details |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | Malicious PDF attachments sent via email that mimic invoices, HR documents, or security alerts. |
| Initial Access | Phishing via QR Code | T1566.002 | QR codes embedded in PDFs link to spoofed login portals (e.g., Microsoft, Dropbox). |
| Initial Access | Phishing via Voice Channel (Callback Phishing) | T1598.003 | Targets are encouraged to call fake support numbers, leading to attacker interaction over the phone. |
| Execution | User Execution | T1204.002 | Victims voluntarily call, scan the QR code, or interact with attachments, initiating the infection chain. |
| Persistence | Remote Access Tools (via social engineering) | T1219 | Attackers may instruct victims to install remote desktop tools under the guise of support. |
| Credential Access | Phishing for Credentials | T1556.001 | Spoofed login pages collect Microsoft, PayPal, and Dropbox credentials. |
| Credential Access | Input Capture | T1056 | Attackers impersonate tech support to directly solicit passwords or MFA codes over the phone. |
| Defense Evasion | Obfuscated Files or Information | T1027 | PDFs use blank email bodies and encoded content to avoid detection by email scanners. |
| Defense Evasion | Valid Accounts | T1078 | Stolen credentials can be used to access legitimate services, bypassing traditional defenses. |

Source:

  • https://www.malwarebytes.com/blog/news/2025/07/microsoft-paypal-docusign-and-geek-squad-faked-in-callback-phishing-scams
  • https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/
