Hackers are increasingly leveraging PDF attachments in email-based phishing campaigns to impersonate trusted brands like Microsoft and DocuSign, as well as others such as NortonLifeLock, PayPal, and Geek Squad. The primary technique being used is known as callback phishing or Telephone-Oriented Attack Delivery (TOAD), where victims are persuaded to call phone numbers controlled by the attackers.
Key characteristics of these campaigns
• PDF Payloads: Emails contain PDF attachments that appear to be from legitimate brands. These PDFs may include branding elements from Microsoft, DocuSign, or Adobe to enhance credibility.
• Callback Phishing: The PDF often instructs the recipient to call a phone number, where threat actors then attempt to extract sensitive information or guide the victim through further malicious steps.
• QR Code Phishing: Some PDFs embed malicious QR codes—sometimes hidden within annotations, sticky notes, or form fields. Scanning these codes can lead victims to fake login pages or phishing sites that mimic services like Microsoft or Dropbox.
• Credential Harvesting: The ultimate goal is typically to steal login credentials. For example, DocuSign-themed emails may prompt users to scan a QR code or click a link, leading to a fake login page where credentials are captured.
• Brand Impersonation: Attackers exploit the trust users have in well-known brands, often mimicking legitimate communication styles and using urgent language (e.g., requesting immediate document signing) to prompt action.
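As an added defender-side example (not code from the article), the following Python triage script pulls the indicators listed above out of a PDF attachment: a phone number sitting next to urgency wording (the callback lure), link (/URI) actions, and annotation types such as sticky notes and form-field widgets that can carry a QR code image. The sample PDF bytes are constructed here for illustration; the `inflate_streams` helper decompresses FlateDecode streams so the same regexes work on real attachments whose content and annotation dictionaries are compressed.

```python
import re
import zlib
from collections import Counter

# Constructed, uncompressed PDF fragment resembling a callback-phishing lure (not a real artefact).
SAMPLE_PDF = b"""%PDF-1.4
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Length 84 >>
stream
BT /F1 12 Tf 72 700 Td (Geek Squad renewal: call 1-800-555-0199 within 24 hours) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Text /Rect [10 10 30 30] /Contents (Scan to verify) >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [10 40 100 60] /A << /S /URI /URI (https://login.example.invalid/verify) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /Rect [10 70 100 90] >> endobj
%%EOF
"""

PHONE_RE = re.compile(rb"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")  # North American numbers
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                                   # link action targets
ANNOT_RE = re.compile(rb"/Subtype\s*/(Text|FreeText|Stamp|Widget|Link)\b")   # annotation kinds
URGENCY_RE = re.compile(rb"(?i)\b(call|verify|cancel|immediately|urgent|within \d+ hours)\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HIDING_SPOTS = {"Text", "FreeText", "Stamp", "Widget"}  # annotations that can hold a QR image

def inflate_streams(pdf: bytes) -> bytes:
    """Inflate FlateDecode streams so text and annotation dictionaries inside them are searchable."""
    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not Flate-compressed (or already plain): keep as is
    return STREAM_RE.sub(_inflate, pdf)

def scan_pdf(pdf: bytes) -> dict:
    """Return callback-phishing and QR-phishing indicators found in a PDF attachment."""
    data = inflate_streams(pdf)
    phones = sorted({re.sub(rb"\D", b"", p).decode() for p in PHONE_RE.findall(data)})
    uris = [u.decode(errors="replace") for u in URI_RE.findall(data)]
    annots = dict(Counter(k.decode() for k in ANNOT_RE.findall(data)))
    urgency = sorted({w.decode().lower() for w in URGENCY_RE.findall(data)})
    flags = []
    if phones and urgency:
        flags.append("callback_number")         # TOAD lure: number plus call-to-action wording
    if uris:
        flags.append("uri_action")              # clickable link action; inspect the destination
    if HIDING_SPOTS & set(annots):
        flags.append("annotation_hiding_spot")  # sticky notes / form fields can carry QR images
    return {"phones": phones, "uris": uris, "annotations": annots, "urgency": urgency, "flags": flags}
```

Run `scan_pdf(SAMPLE_PDF)` to see the constructed lure flagged on all three counts; a PDF with no phone number, link action or inspectable annotation returns an empty `flags` list.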
Recent Trends and Tactics
Attackers are abusing legitimate services (like DocuSign) to deliver multi-stage attacks, sometimes involving several redirects that ultimately land on fake Microsoft login pages. QR codes are increasingly used to bypass email security filters and obfuscate the destination URL: because the URL is encoded in an image rather than written as link text, filters that scan and rewrite links may never see it, and the victim typically opens it on a personal phone outside corporate controls, making detection more difficult. The quality and tactics of these phishing attempts vary, but the core principle is exploiting user trust and unfamiliarity with how legitimate services actually communicate.
These campaigns are widespread and have targeted thousands of individuals and organizations, particularly focusing on Microsoft 365 users and those accustomed to receiving electronic documents for signature. The sophistication of impersonation and the use of trusted brands make these attacks particularly dangerous, as recipients may not suspect malicious intent.