Cyber criminals are increasingly using PDF attachments to impersonate major brands for phishing campaigns, according to new research from Cisco Talos.
The PDFs are used to entice victims to phone numbers purportedly belonging to brands including Microsoft, DocuSign, Dropbox, PayPal, and Adobe in what's known as Telephone-Oriented Attack Delivery (TOAD).
Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction.
The attacker then poses as a legitimate representative of the firm and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.
In a blog post detailing the campaign, Omid Mirzaei, security research lead at Cisco Talos, said this particular attack method, described as ‘callback phishing’ does not rely on traditional techniques such as using fake websites or phishing links.
It’s this, combined with the impersonation of trusted brands, that makes it a particular concern for enterprises.
"Attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization,” he explained.
“Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics."
In one example, the threat actor used the enticing subject line, 'Paycheck Increment', strategically timed for periods when promotions or merit changes were likely to occur in various organizations.
The threat actors often use Voice over Internet Protocol (VoIP) to remain anonymous, Cisco Talos warned.
"Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered how widespread these attacks are," said Mirzaei.
"Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments. Similarly, NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments."
In many cases, QR codes were used, redirecting victims to a phishing page which is often protected by some form of CAPTCHA.
In most phishing emails with PDF payloads, researchers said the entire email body is embedded in the attachment and is rendered for the victim as soon as they open the email.
This technique easily evades email filters and detection engines that rely on textual features and keywords, unless preceded by optical character recognition (OCR) analysis.
PDF threat campaign highlights importance of staff training
Javvad Malik, lead security awareness advocate at KnowBe4, said the campaign exploits people’s tendency to comply with authority figures, which highlights the importance of robust staff training and awareness.
Notably, the use of these techniques aligns with research conducted by the firm into social engineering practices in recent years. A study from the cybersecurity firm showed attackers “consistently exploit trusted platforms and brand”.
“The 2025 Phishing Threat Trends Report reveals that 62.6% of phishing attacks now use brand display impersonation to establish credibility," he said.
"What's particularly concerning is how these attacks exploit mobile device limitations, where reduced screen visibility makes scrutiny more difficult.”
Statistics published in the phishing report showed that 76.4% of attacks now employ “polymorphic features” to evade detection, Malik said, and the PDF-based impersonations represent another key tactic.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
-
AWS CEO Matt Garman just said what everyone is thinking about AI replacing software developersNews Junior developers aren’t going anywhere, according to AWS CEO Matt Garman
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malware
News Researchers say the tool is already achieving the “gold standard” in malware classification
-
Employee distraction is now your biggest cybersecurity riskNews Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update nowNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Cyber teams are struggling to keep up with a torrent of security alertsNews Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
US authorities just took down 'one of the most powerful DDoS botnets to ever exist’ with help from AWSNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
-
UK telecoms firm takes systems offline after cyber attackNews The Warlock ransomware group said it was selling a million stolen documents
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
