{"id":15595,"date":"2026-02-03T02:33:59","date_gmt":"2026-02-03T02:33:59","guid":{"rendered":"https:\/\/newestek.com\/?p=15595"},"modified":"2026-02-03T02:33:59","modified_gmt":"2026-02-03T02:33:59","slug":"new-phishing-attack-leverages-pdfs-and-dropbox","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15595","title":{"rendered":"New phishing attack leverages PDFs and Dropbox"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Even as they become ever more stealthy with AI-driven tools, threat actors are not giving up on simple, tried-and-true phishing \u2014 because it still works.<\/p>\n<p>According to new research, attackers are still making mischief with PDFs, the old business standby, and are exploiting growing trust in services like Dropbox.<\/p>\n<p>Forcepoint\u2019s X-Labs team has uncovered a multi-stage <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\" target=\"_blank\">phishing campaign<\/a> that exploits PDF files and Dropbox storage through a layered redirection attack. After clicking on what looks like a legitimate PDF, victims are rerouted to a Dropbox logon impersonation page designed to harvest their credentials for internal access, account takeover, or other fraud.<\/p>\n<p>\u201cThis is a perfect example of why phishing is still the number one way for criminals to get at organizations,\u201d said <a href=\"https:\/\/www.beauceronsecurity.com\/blog\/tag\/David+Shipley\" target=\"_blank\" rel=\"noreferrer noopener\">David Shipley<\/a> of Beauceron Security. 
\u201cThis attack works because it mimics normal business behavior.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"anatomy-of-a-multi-layered-pdf-attack\">Anatomy of a multi-layered PDF attack<\/h2>\n<p>In this campaign, victims first receive a professional-sounding email that seems to be part of a normal procurement or tender process and asks them to review an attached document.<\/p>\n<p>The type of wording is \u201ccommonly used in tender or procurement fraud, where urgency and legitimacy are deliberately created to encourage quick action,\u201d <a href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/dropbox-pdf-phishing-cloud-storage\" target=\"_blank\" rel=\"noreferrer noopener\">wrote Forcepoint researcher Prashant Kumar<\/a>.<\/p>\n<p>The PDF serves as the primary malware delivery mechanism. Unbeknownst to the victim, the sender address is spoofed or associated with a compromised account. Once they click on the attachment, they are directed to a second PDF hosted on a trusted cloud service (public.blob[.]vercel-storage[.]com), which further redirects them to a fake Dropbox login page. If they take the bait, they\u2019ll log in with their email address and password, and those credentials will be exfiltrated to attacker-controlled command and control (C2) infrastructure.<\/p>\n<p>\u201cThe first [document] passed the email filter because it\u2019s perfectly legitimate and links to a trusted service,\u201d said Beauceron\u2019s Shipley. 
\u201cThere\u2019s no way to stop that without lots of negative business consequences.\u201d The second one works because it\u2019s not the trusted cloud service\u2019s job to vet content hosted in it.<\/p>\n<p>These types of email also often pass standard authentication checks such as sender policy framework (SPF), DomainKeys Identified Mail (DKIM), and domain-based message authentication, reporting, and conformance (DMARC).<\/p>\n<p>\u201cThe minimal and business-like content helps avoid keyword-based detection, making the message look and feel more like a routine operational request,\u201d Kumar wrote. Thus, attackers are able to convince victims that they need to authenticate to view the documents.<\/p>\n<p>This phishing campaign is interesting in that it\u2019s multi-faceted and has been \u201cvery well thought out,\u201d noted <a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\" target=\"_blank\" rel=\"noreferrer noopener\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group. And it\u2019s effective because \u201cnothing looks obviously wrong to the end user at any single stage. The original email is clean and gets by most filters, the first PDF opens normally and seems to be hosted on a legitimate cloud service, and the Dropbox login page looks real.<\/p>\n<p>\u201cEach step, by itself, passes the sniff test,\u201d he said. \u201cThe danger only becomes obvious when you zoom out and look at the entire chain, and most users don\u2019t think about chains. They think in clicks.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"masquerading-as-a-safe-document-format\">Masquerading as a safe document format<\/h2>\n<p>But after so many warnings about this over time \u2014 why are people still so trusting of PDFs and Dropbox?<\/p>\n<p>\u201cBecause, historically, they\u2019ve actually been trained to be,\u201d said Avakian. 
PDFs are routinely used in the business world and have been positioned as a safe, read-only document format for invoices, contracts, HR forms, and statements. This applies to Dropbox, too; it\u2019s become a mainstream business tool that employees have been encouraged to use, and has been positioned so that its services \u201care not some sketchy file-sharing site anymore.\u201d<\/p>\n<p>\u201cWhen people see a PDF or a Dropbox logo, their guard naturally drops,\u201d said Avakian. Familiarity and the need for speed prevent them from pausing and taking a closer look. Attackers know this, and \u201cexploit it perfectly.\u201d<\/p>\n<p>On top of this, Avakian pointed out, cloud infrastructure has become a \u201cshield\u201d for attackers. <a href=\"https:\/\/www.csoonline.com\/article\/539730\/social-engineering-3-steps-to-identify-a-potential-phishing-email.html\" target=\"_blank\">Security awareness<\/a> has conditioned users to be wary of shady domains, but not of reputable platforms. It\u2019s a mental model that\u2019s outdated, and \u201cattackers are way ahead of it.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"dont-click-links-is-not-enough\">\u2018Don\u2019t click links\u2019 is not enough<\/h2>\n<p>Hackers know that many employees tend to touch payment processes and documents, noted <a href=\"https:\/\/www.forcepoint.com\/company\/biographies\/lionel-menchaca\" target=\"_blank\" rel=\"noreferrer noopener\">Lionel Menchaca<\/a>, content marketing and technical writing specialist at Forcepoint, so they <a href=\"https:\/\/www.csoonline.com\/article\/4071289\/what-to-consider-to-make-your-enterprise-phishing-training-effective.html\" target=\"_blank\">must be trained<\/a> to verify that invoices, purchase orders (POs), and contracts are coming from confirmed vendors, affiliates, and agencies.<\/p>\n<p>\u201cIf they cannot verify, they should report suspicious emails to IT or security teams,\u201d he said.<\/p>\n<p>But the precautions don\u2019t stop there, 
Shipley noted. Employees must develop good e-mail processing habits, such as by taking frequent breaks; simulations can help, as they allow people to break out of routine. Many email clicks (he estimates about 40%) occur when people are on autopilot and aren\u2019t processing at the deep thinking level, \u201cthey\u2019re just acting on instinct.\u201d<\/p>\n<p>Avakian agreed that email security awareness training must evolve beyond \u201cdon\u2019t click links.\u201d Employers and leaders at all levels must understand that modern phishing is increasingly \u201cmulti-stage, cloud-hosted, brand-impersonating, and intentionally boring-looking.\u201d PDFs are no longer \u201csafe by default,\u201d and cloud services are no longer \u201ctrusted by default.\u201d<\/p>\n<p>\u201cThis type of incident becomes a great example, and [an] opportunity to build more sophisticated phishing testing,\u201d said Avakian. \u201cThe goal is not to embarrass users, but to build security minded habits as to how attacks unfold today.\u201d<\/p>\n<p>While the basics still matter, they need to be framed honestly, he said. Hover over links, but understand that cloud-hosted URLs can still be malicious; check the sender\u2019s \u201cfrom\u201d address and domain, but recognize that compromised or look-alike domains exist; be cautious of unexpected attachments, even PDFs, especially when they lead you somewhere else; treat any login prompts as a moment to pause, \u201cespecially when they\u2019re triggered indirectly,\u201d Avakian advised.<\/p>\n<p>\u201cSecurity awareness has to grow up, just like the threats did,\u201d he said.<\/p>\n<p>Still, clicks will happen, and effective multi-layered controls limit the damage. 
Multi-factor authentication (MFA), conditional access, and anomaly detection are critical, and a zero-trust mindset embeds security into a culture where the \u201ctrust by default\u201d mindset goes away, said Avakian.<\/p>\n<p>\u201cAt the end of the day, PDFs and Dropbox aren\u2019t the problem; unquestioned trust is,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Even as they become ever more stealthy with AI-driven tools, threat actors are not giving up on simple, tried-and-true phishing \u2014 because it still works. According to new research, attackers are still making mischief with PDFs, the old business standby, and are exploiting growing trust in services like Dropbox. Forcepoint\u2019s X-Labs team has uncovered a multi-stage phishing campaign that exploits PDF files and Dropbox storage&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15595\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15595","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15595"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15595\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}