That innocent PDF is now a Trojan Horse for Gmail attacks

Enterprise users know by now that they shouldn’t click on suspicious-looking links or download strange files. But what about innocuous, ever-present PDFs?

Researchers at security company Varonis have uncovered a crafty new Gmail phishing attack that not only masquerades as a PDF attachment, but automatically prompts victims to open it.

The MatrixPDF toolkit fools victims by using blurred content and overlays, and embeds JavaScript to bypass filters and fetch malicious payloads without user knowledge.

“The .pdf file type has become ubiquitous in personal and business use,” said Erik Avakian, a technical counselor at Info-Tech Research Group. “This leads to trust. People see a .pdf and assume it’s safe. It doesn’t really raise the same red flags as other attachment file types might, such as .exe or .zip.”

Why MatrixPDF works

MatrixPDF embeds fake prompts, JavaScript actions, and automatic redirecting into seemingly legitimate PDF files. Malicious actors can specify the external link the PDF directs to when victims click on a prompt, modify the document’s appearance so it appears convincing (incorporating a padlock icon or corporate logo, for example), and blur documents to conceal their content.

The Varonis researchers identified two ways attackers use MatrixPDF: In the first, they exploit Gmail’s preview function. The PDF they generate can slip past security safeguards and filters because it only contains scripts and an external link, not a standard URL hyperlink typically associated with malware.

The PDF renders normally, but document text is blurred, and users get a prompt to “Open Secure Document,” which is essentially a phishing lure. When the victim clicks the button, an external site opens in their browser. Researchers even found one example where the embedded link pointed to a download for a legitimate SSH client hosted on a public site.

The method evades Gmail’s security because malware scanning finds nothing “incriminating,” the researchers point out; malicious content is only fetched when the user actively clicks, which Gmail interprets as user-initiated and therefore not dangerous. Further, the file download occurs outside the email platform’s antivirus sandbox, so security filters can’t intervene.

The technique reveals how attackers can split an attack across an email (the delivery) and the web (the payload retrieval) to avoid detection, according to the researchers.

The second MatrixPDF method uses PDF-embedded JavaScript; the victim downloads or opens the PDF in a desktop reader (like Adobe Acrobat) or a browser-native viewer, executing the script. The PDF then automatically connects to the payload URL and fetches a file.

Typically, PDF readers display a security warning alerting users that a document is attempting to access an external resource, the researchers note. But this method configures the PDF to reach out to a short URL that seems “vaguely legitimate,” and the victim gets a pop-up permission request. When they click “allow,” the script fetches the malicious payload and initiates a download; the document is then saved to the user’s device and malware is executed.

This method is successful because the user doesn’t have to click on a link; it does, however, hinge on the user granting the document permission to reach the external URL, according to the researchers.
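Both methods described above leave structural traces in the PDF itself: an auto-run action on open paired with embedded JavaScript (method two), or a clickable link action pointing at an external URL (method one). The following triage scanner is an added example written for this article, not code from Varonis or from the MatrixPDF toolkit; it inspects raw PDF bytes for those action keys, decodes the `#xx` name escapes the PDF format allows so that a keyword match is not defeated by trivial name obfuscation, and returns a coarse gateway verdict. The sample PDF is constructed here and uses a placeholder script and an `example.invalid` URL.

```python
import re

# Action/trigger keys that characterise the two delivery patterns above:
# an auto-run script (OpenAction + JavaScript) and a click-through lure
# that opens an external site (URI, Launch, SubmitForm).
SUSPICIOUS_KEYS = {
    b"/OpenAction": "auto-run action on open",
    b"/AA": "event-triggered additional action",
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript stream",
    b"/URI": "external link action",
    b"/Launch": "launch action",
    b"/SubmitForm": "form submission to an external server",
}

def normalise_names(data: bytes) -> bytes:
    """PDF names may carry #xx hex escapes (e.g. /J#61vaScript); decode them."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Report suspicious keys, referenced URLs and a coarse verdict.
    Works on raw bytes; compressed object streams are not inflated here
    (assumption: a gateway would decompress the file first)."""
    raw = normalise_names(data)
    found = {key.decode(): why for key, why in SUSPICIOUS_KEYS.items()
             if re.search(re.escape(key) + rb"(?![A-Za-z])", raw)}
    urls = [u.decode(errors="replace")
            for u in re.findall(rb"https?://[^\s)>\]]+", raw)]
    auto_script = "/OpenAction" in found and ("/JavaScript" in found or "/JS" in found)
    external_lure = any(k in found for k in ("/URI", "/Launch", "/SubmitForm"))
    if auto_script:
        verdict = "block"       # script runs without a click: method two
    elif external_lure and ("/JavaScript" in found or urls):
        verdict = "quarantine"  # click-through lure to an external site: method one
    elif found:
        verdict = "review"
    else:
        verdict = "allow"
    return {"keys": found, "urls": urls, "verdict": verdict}

# Constructed sample (not a real MatrixPDF artefact): the catalog's /OpenAction
# points at a JavaScript action whose name is hex-escaped, and a link annotation
# carries a URI action to a placeholder domain.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /#4AavaScript /JS (app.alert\\(\"placeholder\"\\);) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/open-secure-document) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

A real gateway would inflate FlateDecode streams and walk the object graph before applying these checks; this block shows the key-level logic only.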

“Weaponized PDFs in phishing e-mails have been a longstanding pain,” said David Shipley of Beauceron Security. “What this tool does is make it dirt simple for cybercriminals to create them.”

Personal email use increases enterprise risk

Employees increasingly access personal email accounts from corporate machines; this is commonplace in hybrid and remote work environments. But given that attackers now have access to easily usable tools like MatrixPDF, experts advise enterprises to be more vigilant.

CISOs and CIOs should consider opportunities to either restrict access to personal webmail when on corporate infrastructure, or identify where it is legitimately needed, said Info-Tech’s Avakian. Personal email simply doesn’t have the same safeguards as corporate email security services.

PDFs don’t raise the same red flags as other attachment files such as .exe or .zip, he noted. “The bad guys know this and prey upon this type of psychological norm,” said Avakian. When successful, they can gain access to a network and move laterally, further escalate privileges, and plant more malware.

This new email attack vector is a “dangerous evolution of social engineering,” noted Ensar Seker, CISO at threat intel company SOCRadar.

“[It turns] the endpoint into the weakest link in the kill chain,” he said. “Once compromised, a single device can become a pivot point for lateral movement, credential theft, or initial access for ransomware deployment.”

How enterprises can arm themselves

The good(ish) news, however, according to Beauceron’s Shipley, is that, of the various types of phishes (link-based, attachment-based, and QR-code scanning), attachment-based ones tend to have a lower success rate. This is because they require additional cognitive effort and steps performed by the user, versus just clicking on a link in an e-mail.

Organizations should balance investment in email filters with security awareness training that’s done “frequently and effectively,” he noted. Ultimately, employees have to be motivated to remain vigilant.

CISOs must go beyond technical defenses and establish clear guardrails, advised SOCRadar’s Seker. This means blocking known-bad file types, deploying robust attachment sandboxing, and using endpoint detection to monitor suspicious file behavior post-delivery.

Enterprises should also enforce policies that prohibit employees from accessing personal email on corporate devices, he said. Educating employees on how these attacks work is especially important in an era where “[even] a benign-looking PDF can be the tip of a spear phishing campaign.”

Seker added: “Ultimately, layered defense must include not just zero trust for users, but zero assumption for file safety.”

Info-Tech’s Avakian agreed, saying the MatrixPDF type of attack provides a “fantastic opportunity,” particularly during Cybersecurity Awareness Month, to bake in awareness measures and training with simple visualizations and real-world “What-If” scenarios. Enterprises should also support a “Think Before You Click” culture and make it easy for employees, the first line of defense, to report suspicious emails.

Just as importantly, he advised organizations to make a point of “catching people doing this right.”

“Recognition goes a long way,” said Avakian. “By recognizing employees who spot and report phishing attempts, security leaders can incrementally improve awareness and enable a security-minded culture.”
