Hackers are using PDFs to impersonate big brands like Microsoft and PayPal in a new threat campaign
The new threat campaign highlights the importance of robust staff training, experts told ITPro


Cyber criminals are increasingly using PDF attachments to impersonate major brands for phishing campaigns, according to new research from Cisco Talos.
The PDFs are used to entice victims to phone numbers purportedly belonging to brands including Microsoft, DocuSign, Dropbox, PayPal, and Adobe in what's known as Telephone-Oriented Attack Delivery (TOAD).
Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction.
30% off Keeper Security's Business Starter and Business plans
Keeper Security is trusted and valued by thousands of businesses and millions of employees. Why not join them and protect your most important assets while taking advantage of this special offer?
The attacker then poses as a legitimate representative of the firm and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.
In a blog post detailing the campaign, Omid Mirzaei, security research lead at Cisco Talos, said this particular attack method, described as ‘callback phishing’ does not rely on traditional techniques such as using fake websites or phishing links.
It’s this, combined with the impersonation of trusted brands, that makes it a particular concern for enterprises.
"Attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization,” he explained.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics."
In one example, the threat actor used the enticing subject line, 'Paycheck Increment', strategically timed for periods when promotions or merit changes were likely to occur in various organizations.
The threat actors often use Voice over Internet Protocol (VoIP) to remain anonymous, Cisco Talos warned.
"Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered how widespread these attacks are," said Mirzaei.
"Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments. Similarly, NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments."
In many cases, QR codes were used, redirecting victims to a phishing page which is often protected by some form of CAPTCHA.
In most phishing emails with PDF payloads, researchers said the entire email body is embedded in the attachment and is rendered for the victim as soon as they open the email.
This technique easily evades email filters and detection engines that rely on textual features and keywords, unless preceded by optical character recognition (OCR) analysis.
PDF threat campaign highlights importance of staff training
Javvad Malik, lead security awareness advocate at KnowBe4, said the campaign exploits people’s tendency to comply with authority figures, which highlights the importance of robust staff training and awareness.
Notably, the use of these techniques aligns with research conducted by the firm into social engineering practices in recent years. A study from the cybersecurity firm showed attackers “consistently exploit trusted platforms and brand”.
“The 2025 Phishing Threat Trends Report reveals that 62.6% of phishing attacks now use brand display impersonation to establish credibility," he said.
"What's particularly concerning is how these attacks exploit mobile device limitations, where reduced screen visibility makes scrutiny more difficult.”
Statistics published in the phishing report showed that 76.4% of attacks now employ “polymorphic features” to evade detection, Malik said, and the PDF-based impersonations represent another key tactic.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
26 million CVs were exposed when a recruiting software firm left a misconfigured Azure container open
News TalentHook left a misconfigured Azure Blob storage container open, researchers said, leaving jobseekers open to phishing attempts
-
Rackspace just launched a new private cloud service – and it’s open source
News Rackspace OpenStack Business expands on the company's existing private cloud offerings, with a particular focus on cost efficiency and security.
-
Developers face a torrent of malware threats as malicious open source packages surge 188%
News Researchers have identified more than 16,000 malicious open source packages across popular ecosystems
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Using WinRAR? Update now to avoid falling victim to this file path flaw
News WinRAR users have been urged to update after a patch was issued for a serious vulnerability.
-
A major ransomware hosting provider just got hit US with sanctions
News Aeza Group's services were being used for ransomware, infostealers, and disinformation
-
UK firms are 'sleepwalking' into smart building cyber threats
News The convergence of operational technology and IT systems is posing serious risks for property firms.
-
5 Steps to Prioritize Based on Risk with Snyk
-
Beyond the Vulnerability Backlog: Building Risk-Based AppSec Programs
-
Why the Fastest Technology Companies choose Snyk Cheat Sheet