Wednesday, April 29, 2026

Phishing Attack Exploits PDFs to Impersonate Major Brands like Microsoft, DocuSign, and Dropbox

A recent spike in phishing campaigns has seen attackers exploit the PDF file format to impersonate leading brands, including Microsoft, DocuSign, and Dropbox.

According to Cisco Talos, the security research arm of Cisco, threat actors are leveraging the popularity and trust associated with these well-known companies to deceive users into divulging sensitive information or installing malicious software.

The attackers embed brand logos, names, and even entire email messages into PDF attachments to lure recipients.

In some cases, QR codes are included within these PDFs, prompting users to scan them with their smartphones, which redirects them to credential-harvesting websites often camouflaged by CAPTCHA screens.

“PDFs are perfect vessels for these attacks,” notes a Cisco Talos researcher. “They’re universally trusted and can bypass many standard email filters, especially when the payload is hidden in non-textual elements like images or QR codes.”

Telephone-Oriented Attack Delivery (TOAD) and QR Code Phishing

A particularly insidious variant of these attacks, known as Telephone-Oriented Attack Delivery (TOAD), persuades victims to call attacker-controlled numbers embedded in the PDF.

Once connected, the perpetrators impersonate customer support representatives, coaxing victims into providing their account credentials, payment details, or remote access to their devices.

Overview of a typical TOAD attack sequence.

Talos observed that these scam phone numbers are often routed through Voice over Internet Protocol (VoIP), which provides anonymity and allows numbers to be reused across multiple campaigns.

Cisco is now collecting phone numbers as Indicators of Compromise (IOCs) to bolster detection capabilities.

Additionally, Talos researchers have found evidence of adversaries abusing legitimate services such as Adobe’s e-signature platform to deliver malicious PDFs, further complicating the detection process.

Brand Impersonation Trends and Evasive Techniques

Brand impersonation remains a persistent threat, with Microsoft and DocuSign topping the list of most frequently abused brands in recent attacks.

Attackers are also employing sophisticated techniques, such as embedding phishing links within PDF annotations or comments, areas that automated scanning tools typically overlook.

Cisco’s latest update to its brand impersonation detection engine now widens coverage to recognize a broader range of brands and payload formats, including QR codes and stealthy PDF annotations.
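To show what scanning the annotation areas mentioned above involves, the following added example (not code from Cisco Talos or any Cisco product) pulls URLs out of annotation URI actions and annotation comment text, including annotations stored inside Flate-compressed streams. The sample PDF bytes, domains and function names are constructed for illustration.

```python
import re
import zlib

# Constructed sample (not from the Talos report): a Link annotation with a URI
# action in a plain object, and a Text annotation inside a Flate-compressed stream.
_PACKED = zlib.compress(
    b"<< /Type /Annot /Subtype /Text /Contents (Verify at https://login.example.test/doc) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 50]\n"
    b"   /A << /S /URI /URI (https://example.test/sign?id=1) >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + _PACKED + b"\nendstream\nendobj\n%%EOF\n")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# Literal PDF strings only; hex strings (<...>) and encrypted files are out of scope.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
CONTENTS_RE = re.compile(rb"/Contents\s*\(((?:\\.|[^\\)])*)\)")
URL_RE = re.compile(rb'https?://[^\s)>"]+', re.I)


def searchable_bytes(pdf: bytes) -> bytes:
    """Return the raw file plus every stream that inflates (covers object streams)."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj ignores the end-of-line bytes left before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, other filter); skipped
    return b"\n".join(parts)


def annotation_urls(pdf: bytes) -> list:
    """List (source, url) pairs found in URI actions and annotation text."""
    data = searchable_bytes(pdf)
    found = [("uri-action", m.group(1).decode("latin-1"))
             for m in URI_ACTION_RE.finditer(data)]
    for m in CONTENTS_RE.finditer(data):
        found += [("annotation-text", u.decode("latin-1"))
                  for u in URL_RE.findall(m.group(1))]
    return found


if __name__ == "__main__":
    for source, url in annotation_urls(SAMPLE_PDF):
        print(f"{source:16} {url}")
```

The extracted URLs can then be passed to the same reputation and brand-impersonation checks applied to links in the email body.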

Protecting against these threats requires a layered defense, including advanced email security solutions, user education on phishing red flags, and updated threat intelligence on emerging tactics such as callback phishing and PDF-based payloads.

For the latest protection strategies, Cisco recommends that organizations deploy advanced security solutions, such as its Secure Email Threat Defense platform, and educate employees about the threat posed by unexpected PDF attachments, even those appearing to come from trusted brands.
