Hackers are using PDFs to impersonate big brands like Microsoft and PayPal in a new threat campaign

PDF concept image in a cartoon style showing a man working on a laptop downloading a PDF.

(Image credit: Getty Images)

Cyber criminals are increasingly using PDF attachments to impersonate major brands for phishing campaigns, according to new research from Cisco Talos.

The PDFs are used to entice victims to phone numbers purportedly belonging to brands including Microsoft, DocuSign, Dropbox, PayPal, and Adobe in what's known as Telephone-Oriented Attack Delivery (TOAD).

Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction.

The attacker then poses as a legitimate representative of the firm and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.

In a blog post detailing the campaign, Omid Mirzaei, security research lead at Cisco Talos, said this particular attack method, described as ‘callback phishing’ does not rely on traditional techniques such as using fake websites or phishing links.

It’s this, combined with the impersonation of trusted brands, that makes it a particular concern for enterprises.

"Attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization,” he explained.

“Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics."

In one example, the threat actor used the enticing subject line, 'Paycheck Increment', strategically timed for periods when promotions or merit changes were likely to occur in various organizations.

The threat actors often use Voice over Internet Protocol (VoIP) to remain anonymous, Cisco Talos warned.

"Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered how widespread these attacks are," said Mirzaei.

"Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments. Similarly, NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments."

In many cases, QR codes were used, redirecting victims to a phishing page which is often protected by some form of CAPTCHA.

In most phishing emails with PDF payloads, researchers said the entire email body is embedded in the attachment and is rendered for the victim as soon as they open the email.

This technique easily evades email filters and detection engines that rely on textual features and keywords, unless preceded by optical character recognition (OCR) analysis.

PDF threat campaign highlights importance of staff training

Javvad Malik, lead security awareness advocate at KnowBe4, said the campaign exploits people’s tendency to comply with authority figures, which highlights the importance of robust staff training and awareness.

Notably, the use of these techniques aligns with research conducted by the firm into social engineering practices in recent years. A study from the cybersecurity firm showed attackers “consistently exploit trusted platforms and brand”.

“The 2025 Phishing Threat Trends Report reveals that 62.6% of phishing attacks now use brand display impersonation to establish credibility," he said.

"What's particularly concerning is how these attacks exploit mobile device limitations, where reduced screen visibility makes scrutiny more difficult.”

Statistics published in the phishing report showed that 76.4% of attacks now employ “polymorphic features” to evade detection, Malik said, and the PDF-based impersonations represent another key tactic.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.