Cybercriminals Turn to PDFs to Impersonate Microsoft, PayPal, and DocuSign

Cybercriminals are increasingly using PDFs to impersonate trusted brands like Microsoft, PayPal, and DocuSign in phishing campaigns designed to steal credentials or deploy malware.

    PDFs have long been considered one of the safest and most professional ways to share documents—but that trust is now being weaponized. A growing wave of phishing attacks is using PDF attachments to impersonate major tech and financial brands, exploiting the universal trust placed in this file format to deceive victims.

    PDF-Based Phishing Attacks Are on the Rise

    From tax documents to job applications, PDFs are part of everyday digital communication. But their legitimacy, design flexibility, and cross-platform compatibility make them ideal vehicles for phishing. According to data from Cisco Talos, between May 5 and June 5, 2025, brand impersonation through malicious PDF attachments surged globally.

    The most impersonated brands include:

    • Microsoft
    • DocuSign
    • PayPal
    • Geek Squad
    • NortonLifeLock

    While most attacks arrived via email, many were part of TOAD (Telephone-Oriented Attack Delivery) campaigns, a growing phishing technique in which the lure carries a telephone number instead of a link, so the victim is moved onto a voice call that email security controls cannot inspect.

    How Attackers Are Abusing PDFs

    PDF phishing attacks are evolving and now use a wide variety of tricks to bypass security tools and fool recipients:

    • Fake HR Documents: One attack mimicked a Microsoft HR message with the subject “Paycheck Increment.” The attached PDF contained a QR code that led to a credential-harvesting site.
    • TOAD Phishing Tactics: Scammers send PDFs warning of billing errors or suspicious transactions and include a VoIP customer-support number the recipient is urged to call. VoIP numbers are cheap, disposable, and harder to trace, and the call puts the victim on the line with a live operator, where the social engineering is far more convincing than any written lure.
    • QR Code Lures: PDFs now commonly include malicious QR codes impersonating companies like Microsoft or Adobe. The code resolves to a phishing site disguised as a login portal, and because the victim scans it with a phone, the visit usually happens off the corporate network and outside URL filtering; the email gateway never sees a link at all.
    • Abuse of Trusted Platforms: Attackers have used legitimate services like Dropbox and Adobe’s e-signature system to send malicious PDFs, so the message arrives from a sender domain that is already trusted. Between April and May 2025, Talos analysts spotted phishing PDFs disguised as PayPal invoices sent via Adobe’s own platform.
    • Hidden Links and Annotations: Phishing links are sometimes buried in sticky-note annotations, comment fields, or form-field values rather than in the visible page text, and scanners that only extract page content or the obvious /Link actions never look there.
    • Dual-Link Strategy: Some PDFs embed two URLs, one pointing at the genuine brand site to pass a quick check and gain trust, and a second, less visible one that redirects to the malicious payload.
    • Text Obfuscation: Attackers pad PDFs with irrelevant text or whitespace so that the malicious link or phone number is a tiny fraction of the extracted content and keyword- or content-based detection misses it.
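    The annotation-hiding and dual-link tricks in the list above can be checked for directly. The following is an added example, not code from this article or from Cisco Talos: a small Python scanner that walks the objects of an uncompressed PDF, pulls URLs out of /Link URI actions, sticky-note comments (/Contents), and form-field values (/V and friends), flags annotations that carry the Hidden flag or have an effectively zero-size rectangle, and then separates the legitimate-looking brand URL from the off-brand ones. The sample PDF, its example.invalid URLs, and the allowed-domain list are constructed for the demonstration. It does not inflate object streams or FlateDecode content, so in practice you would run this logic over objects decompressed by a real parser such as pypdf or pdfminer.

```python
"""Find URLs hidden in PDF annotations (added example, not the article's or Talos's code).

Assumes uncompressed objects (no /ObjStm, no /FlateDecode); a production scanner
would decompress with a real PDF parser first and then apply the same checks.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Constructed sample: one page, three annotations, nothing compressed.
# obj 5: visible /Link to a legitimate-looking brand domain (the decoy)
# obj 6: /Text (sticky note) whose comment body carries the real link
# obj 7: 1x1 pt form /Widget whose value is a hex-encoded URL
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Length 50 >> stream
BT /F1 12 Tf 72 720 Td (Paycheck Increment) Tj ET
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 715]
   /A << /S /URI /URI (https://www.microsoft.com/en-us/) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Text /Rect [10 10 30 30] /Open false
   /Contents (Sign here: http://example.invalid/hr-portal/login) >> endobj
7 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (note) /Rect [0 0 1 1]
   /V <687474703a2f2f6578616d706c652e696e76616c69642f7061792d696e766f696365> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ANNOT_SUBTYPES = {"Link", "Text", "FreeText", "Widget", "Popup", "FileAttachment", "Highlight", "Stamp"}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
PDF_STRING = rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"          # literal (...) or hex <...>
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING)                       # the URI value of an /A << /S /URI >> action
TEXT_KEY_RE = re.compile(rb"/(Contents|V|DV|TU|RC)\s*" + PDF_STRING)  # comment bodies, field values, tooltips
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]")
FLAGS_RE = re.compile(rb"/F\s+(\d+)")                               # annotation flags; bit 2 (value 2) = Hidden
URL_RE = re.compile(r"https?://[^\s()<>\"']+", re.IGNORECASE)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f", b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_pdf_string(tok: bytes) -> str:
    """Decode a literal or hex PDF string token (octal escapes and nested parens not handled)."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        if len(digits) % 2:                      # spec: a trailing odd digit is padded with 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    return re.sub(rb"\\([nrtbf()\\])", lambda m: ESCAPES[m.group(1)], tok[1:-1]).decode("latin-1")


def is_visually_hidden(body: bytes) -> bool:
    """True if the Hidden flag is set or the annotation rectangle is effectively zero-size."""
    m = FLAGS_RE.search(body)
    if m and int(m.group(1)) & 2:
        return True
    r = RECT_RE.search(body)
    if r:
        x1, y1, x2, y2 = (float(v) for v in r.groups())
        return abs(x2 - x1) * abs(y2 - y1) < 4.0   # below 2x2 pt: invisible to the reader
    return False


def scan_annotations(pdf: bytes) -> List[Dict[str, object]]:
    """Return every URL found in annotation objects, with the key it was hiding under."""
    findings: List[Dict[str, object]] = []
    for num, gen, body in OBJ_RE.findall(pdf):
        m = SUBTYPE_RE.search(body)
        subtype = m.group(1).decode() if m else ""
        if subtype not in ANNOT_SUBTYPES:
            continue
        obj_id = f"{num.decode()} {gen.decode()}"
        hidden = is_visually_hidden(body)
        for tok in URI_RE.findall(body):
            findings.append({"object": obj_id, "subtype": subtype, "key": "/A /URI",
                             "url": decode_pdf_string(tok), "hidden": hidden})
        for key, tok in TEXT_KEY_RE.findall(body):
            for url in URL_RE.findall(decode_pdf_string(tok)):
                findings.append({"object": obj_id, "subtype": subtype, "key": "/" + key.decode(),
                                 "url": url, "hidden": hidden})
    return findings


def off_brand_urls(findings: Iterable[Dict[str, object]], allowed_domains: Iterable[str]) -> List[str]:
    """Dual-link check: keep URLs whose host is not the impersonated brand's domain or a subdomain of it."""
    allowed = [d.lower() for d in allowed_domains]
    out = []
    for f in findings:
        host = (urlparse(str(f["url"])).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in allowed):
            out.append(str(f["url"]))
    return out


if __name__ == "__main__":
    hits = scan_annotations(SAMPLE_PDF)
    for h in hits:
        print(f"obj {h['object']:>4} {h['subtype']:<7} {h['key']:<9} hidden={h['hidden']!s:<5} {h['url']}")
    print("off-brand:", off_brand_urls(hits, {"microsoft.com"}))
```

    Run against the constructed sample, the visible /Link reports the genuine microsoft.com URL, while the sticky note and the 1x1 pt form field yield the two example.invalid URLs, the latter marked hidden; the off-brand filter then returns exactly those two. QR codes are a different problem: they are images, so catching them means rendering the page and decoding the barcode, which this string-level scan does not attempt.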

    Global Scope and Persistent Threat

    The phishing campaigns originate from various regions, including the U.S. and Europe, and show no signs of slowing down. These attacks target organizations of all sizes and are increasingly effective because:

    • PDFs are often allowed through email filters
    • Users are trained to trust official-looking documents
    • The design flexibility of PDFs makes impersonation easier

    The threat is especially relevant for enterprises relying on digital invoicing, HR communication, or cloud storage platforms to share documents.

    As PDF-based phishing grows more sophisticated, businesses must remain vigilant about email hygiene, endpoint protection, and employee training, and should make sure attachment scanning looks beyond the visible page text at annotations, form fields, and embedded QR codes. Ensuring that your organization can recover quickly in the event of a successful breach is just as critical.
