New phishing attack leverages PDFs and Dropbox

Even as they become ever more stealthy with AI-driven tools, threat actors are not giving up on simple, tried-and-true phishing — because it still works.

According to new research, attackers are still making mischief with PDFs, the old business standby, and are exploiting growing trust in services like Dropbox.

Forcepoint’s X-Labs team has uncovered a multi-stage phishing campaign that exploits PDF files and Dropbox storage through a layered redirection attack. After clicking on what looks like a legitimate PDF, victims are rerouted to a Dropbox logon impersonation page designed to harvest their credentials for internal access, account takeover, or other fraud.

“This is a perfect example of why phishing is still the number one way for criminals to get at organizations,” said David Shipley of Beauceron Security. “This attack works because it mimics normal business behavior.”

Anatomy of a multi-layered PDF attack

In this campaign, victims first receive a professional-sounding email that seems to be part of a normal procurement or tender process and asks them to review an attached document.

The type of wording is “commonly used in tender or procurement fraud, where urgency and legitimacy are deliberately created to encourage quick action,” wrote Forcepoint researcher Hassan Faizan.

The PDF serves as the primary malware delivery mechanism. Unbeknownst to the victim, the sender address is spoofed or associated with a compromised account. Once they click on the attachment, they are directed to a second PDF hosted on a trusted cloud service (public.blob[.]vercel-storage[.]com), which further redirects them to a fake Dropbox login page. If they take the bait, they’ll log in with their email address and password, and those credentials will be exfiltrated to attacker-controlled command and control (C2) infrastructure.
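A defender-side way to surface this kind of chain before a user ever clicks: extract the link targets embedded in an attached PDF and flag the patterns described above (a link out to public cloud object storage, a link to a second PDF, or a hostname that imitates Dropbox without belonging to it). This is an added illustration, not Forcepoint's tooling; the watch-list of storage domains, the regex-based extraction (uncompressed PDFs only), and the embedded sample PDF are constructed for this example.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed watch-list: public object-storage hosts anyone can upload to.
# The campaign above used public.blob.vercel-storage.com; the rest are examples.
WATCHED_STORAGE = ("vercel-storage.com", "blob.core.windows.net", "amazonaws.com")
# Brand name -> the domain that legitimately owns it.
IMPERSONATED_BRANDS = {"dropbox": "dropbox.com"}

# Matches /URI (...) actions in raw PDF bytes. Compressed object streams and
# escaped parentheses are out of scope for this simplified extractor.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")


def _is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI action target found in the PDF bytes, in order."""
    return [m.group("uri").decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def assess_uri(uri: str) -> List[str]:
    """Return the reasons a link in an attachment deserves review (empty = none)."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    reasons = []
    if any(_is_under(host, d) for d in WATCHED_STORAGE):
        reasons.append("link to public cloud object storage")
    for brand, owner in IMPERSONATED_BRANDS.items():
        if brand in host and not _is_under(host, owner):
            reasons.append("hostname imitates a brand it does not belong to")
    if parsed.path.lower().endswith(".pdf"):
        reasons.append("links to a second PDF (possible redirection stage)")
    return reasons


def triage_pdf(pdf_bytes: bytes) -> Dict[str, List[str]]:
    """Map each embedded link to its review reasons for a mail gateway or SOC triage."""
    return {uri: assess_uri(uri) for uri in extract_uris(pdf_bytes)}


# Constructed minimal PDF with a single link annotation (not a real sample).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://public.blob.vercel-storage.com/tender/stage2.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

A gateway rule that quarantines attachments whose links carry two or more reasons would have caught the first stage of this campaign without blocking ordinary PDFs that link to a vendor's own site.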

“The first [document] passed the email filter because it’s perfectly legitimate and links to a trusted service,” said Beauceron’s Shipley. “There’s no way to stop that without lots of negative business consequences.” The second one works because it’s not the trusted cloud service’s job to vet content hosted in it.

Emails of this type also often pass standard authentication checks such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), since they are sent from a compromised or otherwise legitimately configured account.

“The minimal and business-like content helps avoid keyword-based detection, making the message look and feel more like a routine operational request,” Faizan wrote. Thus, attackers are able to convince victims that they need to authenticate to view the documents.

This phishing campaign is interesting in that it’s multi-faceted and has been “very well thought out,” noted Erik Avakian, technical counselor at Info-Tech Research Group. And it’s effective because “nothing looks obviously wrong to the end user at any single stage. The original email is clean and gets by most filters, the first PDF opens normally and seems to be hosted on a legitimate cloud service, and the Dropbox login page looks real.

“Each step, by itself, passes the sniff test,” he said. “The danger only becomes obvious when you zoom out and look at the entire chain, and most users don’t think about chains. They think in clicks.”

Masquerading as a safe document format

But after so many warnings about this over time — why are people still so trusting of PDFs and Dropbox?

“Because, historically, they’ve actually been trained to be,” said Avakian. PDFs are routinely used in the business world and have been positioned as a safe, read-only document format for invoices, contracts, HR forms, and statements. This applies to Dropbox, too; it’s become a mainstream business tool that employees have been encouraged to use, and has been positioned so that its services “are not some sketchy file-sharing site anymore.”

“When people see a PDF or a Dropbox logo, their guard naturally drops,” said Avakian. Familiarity and the need for speed prevent them from pausing and taking a closer look. Attackers know this, and “exploit it perfectly.”

On top of this, Avakian pointed out, cloud infrastructure has become a “shield” for attackers. Security awareness has conditioned users to be wary of shady domains, but not of reputable platforms. It’s a mental model that’s outdated, and “attackers are way ahead of it.”

‘Don’t click links’ is not enough

Hackers know that many employees tend to touch payment processes and documents, noted Lionel Menchaca, content marketing and technical writing specialist at Forcepoint, so they must be trained to verify that invoices, purchase orders (POs), and contracts are coming from confirmed vendors, affiliates, and agencies.

“If they cannot verify, they should report suspicious emails to IT or security teams,” he said.

But the precautions don’t stop there, Shipley noted. Employees must develop good email-processing habits, such as taking frequent breaks; simulations can help because they allow people to break out of routine. Many email clicks (he estimates about 40%) occur when people are on autopilot and aren’t processing at a deep-thinking level; “they’re just acting on instinct.”

Avakian agreed that email security awareness training must evolve beyond “don’t click links.” Employers and leaders at all levels must understand that modern phishing is increasingly “multi-stage, cloud-hosted, brand-impersonating, and intentionally boring-looking.” PDFs are no longer “safe by default,” and cloud services are no longer “trusted by default.”

“This type of incident becomes a great example, and [an] opportunity to build more sophisticated phishing testing,” said Avakian. “The goal is not to embarrass users, but to build security minded habits as to how attacks unfold today.”

While the basics still matter, they need to be framed honestly, he said. Hover over links, but understand that cloud-hosted URLs can still be malicious; check the sender’s “from” address and domain, but recognize that compromised or look-alike domains exist; be cautious of unexpected attachments, even PDFs, especially when they lead you somewhere else; treat any login prompts as a moment to pause, “especially when they’re triggered indirectly,” Avakian advised.

“Security awareness has to grow up, just like the threats did,” he said.

Still, clicks will happen, and effective multi-layered controls limit the damage. Multi-factor authentication (MFA), conditional access, and anomaly detection are critical, and a zero-trust mindset embeds security into a culture where the “trust by default” mindset goes away, said Avakian.

“At the end of the day, PDFs and Dropbox aren’t the problem; unquestioned trust is,” he said.
