Hackers abuse PDFs in new phishing scam
Cybersecurity researchers at Cisco Talos have uncovered a new wave of phishing campaigns where attackers are weaponising PDFs to impersonate trusted brands like Microsoft, PayPal, and DocuSign. These campaigns reflect how phishing tactics are evolving and becoming increasingly difficult to detect.
Rather than relying on suspicious links or poorly written messages, attackers now embed their malicious intent within seemingly legitimate PDF attachments. The content might look like an invoice, an HR document, or a security notice — but it is all part of the deception.
What appears to be a harmless file can instead lead to stolen credentials, malware infections, or direct contact with fake support lines designed to manipulate the victim.
Why PDFs are the perfect phishing tool
PDFs are universally accepted as safe and professional. They are used to send contracts, receipts, signatures, reports, and more. They work across devices and are trusted by individuals and businesses alike.
That level of trust makes PDFs ideal for phishing. They can contain clickable links, images, logos, and even QR codes. Some attackers use these features to hide malicious links or redirect users to fake websites. In many cases, the body of the email is empty, making it harder for email filters to detect anything suspicious. The real threat is buried inside the PDF.
Impersonating trusted brands
Between May and June 2025, cybersecurity researchers observed a surge in phishing campaigns using PDF attachments to impersonate major brands. Microsoft, DocuSign, and PayPal were among the most frequently spoofed. Other brands targeted in similar attacks include Norton, Adobe, and Geek Squad.
These campaigns use different tactics. Some PDFs contain fake invoices, while others claim to be official HR messages. A common trick is to include a QR code that leads to a phishing site designed to steal login credentials. Another variation uses a fake customer support number that connects the victim to a scammer.
The attacks are designed to look familiar and urgent. The message might mention an overdue payment, a suspicious login, or a pending document review. In every case, the goal is to get the victim to scan a code, click a link, or make a phone call.
The rise of callback phishing
Many of these attacks rely on a technique known as Telephone-Oriented Attack Delivery, also called callback phishing. Instead of using a malicious link, the attacker includes a phone number in the PDF. Victims are encouraged to call the number to resolve a fake issue or verify account activity.
Once the victim calls, they speak to a scammer who pretends to be from customer service. Using social engineering, the scammer may guide the victim to install remote access software or share sensitive information. Some attackers even use background noise, hold music, and scripts to make the call feel legitimate.
These calls are often conducted through internet-based phone services, which makes it difficult to trace the attacker’s identity or location. If you are interested in learning more about how callback phishing works, you can read our in-depth article about callback phishing here.
Hidden threats inside the document
Cybercriminals have also started to abuse PDF features like comments, annotations, and form fields. These areas can be used to hide malicious URLs that are difficult for scanners to detect. Some attackers embed two links in the same file: one that looks legitimate and one that secretly leads to a phishing site.
They may also flood the PDF with random or irrelevant text to confuse detection tools and increase the chances of bypassing security filters.
The result is a file that appears professional and safe, even to experienced users.
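A triage sketch for the two patterns described above (a callback number in the page text, and a legitimate-looking link sitting beside one hidden in a comment, annotation or form field). This is an added example, not code from Cisco Talos or Moxso; the function names, the trusted-host list and the sample PDF are assumptions constructed for illustration, and it only inspects raw objects and Flate-compressed streams.

```python
import re
import zlib
from urllib.parse import urlparse

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>]+")
ANNOT_RE = re.compile(rb"/Subtype\s*/(Link|Widget|Text|FreeText)\b")
TEXT_RE = re.compile(rb"\(([^()]*)\)\s*Tj")  # unescaped strings drawn as page text
PHONE_RE = re.compile(rb"\+?\d[\d\-\s.]{8,}\d")

def expand(pdf: bytes) -> bytes:
    """Raw bytes plus every stream body that inflates as Flate (zlib)."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # other filter or encrypted stream: not examined here
    return b"\n".join(parts)

def triage(pdf: bytes, trusted: set) -> dict:
    data = expand(pdf)
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(data)})
    hosts = {urlparse(u).hostname or "" for u in urls}
    bad = sorted(h for h in hosts
                 if not any(h == t or h.endswith("." + t) for t in trusted))
    shown = b" ".join(TEXT_RE.findall(data))
    return {
        "urls": urls,
        "untrusted_hosts": bad,
        # a trusted link present alongside an untrusted one
        "mixed_links": bool(bad) and len(bad) < len(hosts),
        "annotation_types": sorted({a.decode() for a in ANNOT_RE.findall(data)}),
        "phone_numbers": [p.decode() for p in PHONE_RE.findall(shown)],
    }

# Constructed sample: visible brand link, URL hidden in a comment annotation,
# and a callback number inside a compressed content stream.
PAGE_TEXT = b"BT /F1 12 Tf (Invoice overdue. Call +1-202-555-0143 to dispute) Tj ET"
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
    b" /A << /S /URI /URI (https://www.microsoft.com/) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 1 1]"
    b" /Contents (Sign in: https://login.example.net/hr) >> endobj\n"
    b"6 0 obj << /Filter /FlateDecode >>\nstream\n" + zlib.compress(PAGE_TEXT)
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PDF, {"microsoft.com"}))
```

QR codes are images and need a separate decoding step, so a clean result from this check says nothing about them.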
Real-world example
In one recent phishing campaign, a PDF appeared to come from Microsoft’s HR department with the subject line "Paycheck Increment." The document included a QR code that, when scanned, led to a fake Microsoft login page designed to harvest credentials. If you are unsure what credentials are or why they are valuable to attackers, you can read our blog post on credentials here.
In another example, a PDF was sent through Adobe’s document service, impersonating a DocuSign message. The file encouraged the recipient to review and sign a document, leading instead to a phishing portal.
How to stay protected
Awareness is the first line of defense. Here are a few signs that a PDF email might be part of a phishing scam:
- The email message creates urgency, fear, or confusion.
- The sender is unknown, or the email address looks suspicious.
- The email contains a PDF attachment you were not expecting.
- The PDF includes a QR code or customer service number.
If you receive a message like this, do not take action right away. Instead, verify the request through official company websites or trusted contacts.
For businesses, it is important to implement strong email filters, conduct regular phishing awareness training, and use advanced threat detection tools that can analyze PDF contents.
Final thoughts
PDFs are a trusted format, and that is exactly why attackers are abusing them. These files no longer just carry documents. In the hands of cybercriminals, they become tools of deception designed to trick people into handing over personal information, installing malware, or calling a fake support line.
Understanding how these attacks work helps prevent them. At Moxso, we believe that knowledge is just as important as technology when it comes to cybersecurity. By staying alert and informed, individuals and organizations can protect themselves from the growing threat of PDF phishing.
Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.