Between May and June 2025, Cisco Talos and Malwarebytes Labs observed a significant surge in the abuse of PDF files as phishing payloads, particularly in brand impersonation, QR code phishing, and callback phishing (TOAD) campaigns. These campaigns pose a direct threat to small and medium-sized businesses, where brand trust and urgency are often exploited without rigorous vetting.
Severity Level: High
Threat Details
- PDF Payloads: Adversaries deliver emails with PDF attachments impersonating trusted brands. These documents may include logos, QR codes, VoIP callback instructions, or embedded phishing links.
- QR Code Phishing: Embedded QR codes within PDF attachments direct users to phishing sites. These sites often simulate login portals (e.g., Microsoft, DocuSign, Dropbox) and may include CAPTCHA protection to evade bots and scanning engines.
- Callback Phishing (TOAD): PDFs include messages prompting the recipient to call a VoIP number under the pretense of resolving an issue (e.g., subscription confirmation or fraud alert). Once called, the attacker performs live social engineering to steal credentials or push malware.
- Annotation Abuse in PDFs: Attackers embed malicious URLs inside invisible or hard-to-detect PDF components like text annotations, sticky notes, comments, or hidden form fields, bypassing basic static scanning.
- Credential Theft: The phishing pages trick users into entering corporate or personal credentials.
- Malware Deployment: In callback cases, attackers convince victims to install remote access tools or fake “security” software.
- VoIP Numbers: Numbers such as +1-818-675-1874 are reused for multiple days to impersonate brands like Geek Squad (Best Buy), McAfee, and PayPal. They are difficult to trace because they are provisioned anonymously.
- Deception Techniques:
  - Legitimate brand logos
  - Urgent messages (“You’ve been charged”, “Payroll update”, etc.)
  - Fake HR or invoice content
  - Embedded phone numbers and QR codes
- Regions Targeted: Global (based on wide brand usage)
Brands Most Frequently Impersonated
| Brand | Abuse Type |
| --- | --- |
| Microsoft | QR phishing, annotation abuse |
| DocuSign | QR phishing |
| PayPal | TOAD + Adobe e-sign abuse |
| NortonLifeLock | TOAD |
| Geek Squad | TOAD via VoIP phone numbers |
| Adobe | Multiple abuse patterns |
| Dropbox | Landing page impersonation |
Recommendations:
- Educate users not to scan QR codes from unsolicited PDF emails or flyers.
- Warn users against calling support numbers in unsolicited messages.
- Incorporate OCR-based scanning of PDF attachments to detect embedded phishing text.
- Enforce brand impersonation detection engines for all inbound attachments.
- Prohibit execution of PDF attachments from unknown senders unless verified.
- Implement browser policies that warn or block shortened URLs or redirect chains often used in QR scams.
- Monitor for suspicious behavior post-PDF open (e.g., connection to unusual domains).
- Use DLP tools to detect misuse of document signing or document delivery platforms.
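The annotation-abuse technique described under Threat Details (URLs tucked into sticky notes, comments or form fields) and the attachment-scanning recommendations above can be checked with a small stdlib-only Python scanner. This is an added example, not code from the advisory, Cisco Talos or Malwarebytes: the sample PDF it builds is constructed for the demonstration, the domains in it are reserved placeholder names, and the list of suspicious annotation subtypes is an assumption chosen for illustration. It goes slightly beyond the text in one respect: it also inflates FlateDecode object streams, since a dictionary packed into one is invisible to a plain string search of the file.

```python
"""Hidden-link scanner for PDF attachments (added example, stdlib only).

Heuristic, not a full PDF parser: split the file into objects, unpack
FlateDecode object streams (/Type /ObjStm) so packed dictionaries are not
missed, then report every /URI action with the annotation subtype carrying
it and any signs that the link was meant to stay invisible to the reader.
"""
import re
import zlib
from dataclasses import dataclass

# Annotation subtypes in which a URI action is unusual for a benign document
# (assumption for this example; tune to your own document population).
SUSPICIOUS_SUBTYPES = {"Text", "FreeText", "Popup", "Widget", "Highlight", "Square"}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# /URI followed by a literal string (...) or a hex string <...>
URI_RE = re.compile(rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]+)>)")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]")
FLAGS_RE = re.compile(rb"/F\s+(\d+)")


@dataclass
class Finding:
    obj_num: int
    subtype: str
    url: str
    reasons: tuple  # empty tuple = link present but nothing suspicious about it


def _objects(data: bytes):
    """Yield (object number, body) for top-level objects and for objects
    packed inside FlateDecode object streams."""
    for m in OBJ_RE.finditer(data):
        body = m.group(2)
        yield int(m.group(1)), body
        sm = STREAM_RE.search(body)
        head = body[:sm.start()] if sm else b""
        if not sm or b"/ObjStm" not in head or b"/FlateDecode" not in head:
            continue
        n, first = re.search(rb"/N\s+(\d+)", head), re.search(rb"/First\s+(\d+)", head)
        if not (n and first):
            continue
        try:
            inflated = zlib.decompress(sm.group(1))
        except zlib.error:
            continue  # corrupt or unsupported stream: skip it, do not abort the scan
        count, base = int(n.group(1)), int(first.group(1))
        header = inflated[:base].split()  # "objnum offset" pairs
        if len(header) < 2 * count:
            continue
        pairs = [(int(header[i]), int(header[i + 1])) for i in range(0, 2 * count, 2)]
        for idx, (num, off) in enumerate(pairs):
            end = pairs[idx + 1][1] if idx + 1 < len(pairs) else len(inflated) - base
            yield num, inflated[base + off:base + end]


def _decode_uri(um) -> str:
    if um.group(1) is not None:
        return um.group(1).decode("latin-1")
    try:
        return bytes.fromhex(re.sub(rb"\s", b"", um.group(2)).decode("ascii")).decode("latin-1")
    except ValueError:
        return "<undecodable hex string>"


def scan_pdf(data: bytes) -> list:
    """Return one Finding per /URI action found in an annotation or form field."""
    findings = []
    for num, body in _objects(data):
        if b"/Annot" not in body and b"/Widget" not in body:
            continue
        st = SUBTYPE_RE.search(body)
        subtype = st.group(1).decode("ascii") if st else "?"
        rect = RECT_RE.search(body)
        flags = FLAGS_RE.search(body)
        for um in URI_RE.finditer(body):
            reasons = []
            if subtype in SUSPICIOUS_SUBTYPES:
                reasons.append("uri-in-%s-annotation" % subtype.lower())
            if um.group(2) is not None:
                reasons.append("hex-encoded-uri")
            if rect:
                x0, y0, x1, y1 = (float(v) for v in rect.groups())
                if abs(x1 - x0) < 1 or abs(y1 - y0) < 1:
                    reasons.append("zero-area-rect")  # nothing for the user to see
            if flags and int(flags.group(1)) & 2:  # annotation flag bit 2 = Hidden
                reasons.append("hidden-flag")
            findings.append(Finding(num, subtype, _decode_uri(um), tuple(reasons)))
    return findings


def suspicious(findings: list) -> list:
    return [f for f in findings if f.reasons]


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real phishing document: a visible link
    annotation in plain text plus a sticky-note annotation with a zero-area
    rectangle, the Hidden flag and a hex-encoded URI, packed in an ObjStm."""
    packed = (b"<< /Type /Annot /Subtype /Text /Rect [0 0 0 0] /F 2 /A << /S /URI /URI <"
              + b"http://verify-account.invalid/login".hex().encode() + b"> >> >>")
    header = b"6 0 "  # object 6 at offset 0 within the stream
    comp = zlib.compress(header + packed)
    objstm = (b"7 0 obj << /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\n"
              b"stream\n" % (len(header), len(comp)) + comp + b"\nendstream\nendobj\n")
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R 6 0 R] >> endobj\n"
            b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
            b"/A << /S /URI /URI (https://www.example.com/invoice) >> >> endobj\n"
            + objstm + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for f in scan_pdf(build_sample_pdf()):
        print(f.obj_num, f.subtype, f.url, ", ".join(f.reasons) or "ok")
```

Run it as a script to see the constructed sample scored, or call scan_pdf() on attachment bytes at the mail gateway; any Finding with a non-empty reasons tuple is a candidate for quarantine and analyst review, while plain Link annotations with a visible rectangle are merely logged. A production scanner would additionally handle encrypted PDFs, other stream filters (LZW, ASCIIHex) and JavaScript actions, none of which this heuristic parses.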
MITRE ATT&CK
| Tactic | Technique | ID | Details |
| --- | --- | --- | --- |
| Initial Access | Spearphishing Attachment | T1566.001 | Malicious PDF attachments sent via email that mimic invoices, HR documents, or security alerts. |
| Initial Access | Phishing via QR Code | T1566.002 | QR codes embedded in PDFs link to spoofed login portals (e.g., Microsoft, Dropbox). |
| Initial Access | Phishing via Voice Channel (Callback Phishing) | T1598.003 | Targets are encouraged to call fake support numbers, leading to attacker interaction over the phone. |
| Execution | User Execution | T1204.002 | Victims voluntarily call, scan the QR code, or interact with attachments, initiating the infection chain. |
| Persistence | Remote Access Tools (via social engineering) | T1219 | Attackers may instruct victims to install remote desktop tools under the guise of support. |
| Credential Access | Phishing for Credentials | T1556.001 | Spoofed login pages collect Microsoft, PayPal, and Dropbox credentials. |
| Credential Access | Input Capture | T1056 | Attackers impersonate tech support to directly solicit passwords or MFA codes over the phone. |
| Defense Evasion | Obfuscated Files or Information | T1027 | PDFs use blank email bodies and encoded content to avoid detection by email scanners. |
| Defense Evasion | Valid Accounts | T1078 | Stolen credentials can be used to access legitimate services, bypassing traditional defenses. |
Sources:
- https://www.malwarebytes.com/blog/news/2025/07/microsoft-paypal-docusign-and-geek-squad-faked-in-callback-phishing-scams
- https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/