New Phishing Scam Exploits Trusted PDFs and Cloud Services to Steal Credentials
Cybersecurity researchers at Forcepoint have uncovered a phishing campaign that slips past traditional email filters by pairing clean-looking business emails with multi-stage deception. The attack begins with a seemingly legitimate message, often referencing a "tender" or "procurement" deal, carrying a PDF attachment that looks harmless. Unlike typical phishing attempts, the email body contains no malicious links; the PDF alone carries the first hop of the scam, so URL-focused mail filters have nothing to score.
The PDFs rely on ordinary format features rather than any exploit: an AcroForm interactive field gives the document a clickable button, and FlateDecode stream compression keeps that button's link action out of plaintext, so a scanner that only greps the raw file for URLs sees a standard document. Once the button is clicked, the victim is taken to a second file hosted on Vercel Blob storage; the hosting service is legitimate, and its reputation helps the link pass domain-reputation checks. That file in turn sends the user to a fake Dropbox login page built to mimic the real one.
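As an added illustration of why the compressed-button trick defeats naive scanning, the following Python script (written for this page, not Forcepoint's detection logic and not the campaign's real sample) constructs a minimal PDF whose AcroForm push button and its /URI action live only inside a FlateDecode-compressed object stream, then scans it two ways: a plaintext grep for link actions, and the same grep after inflating every FlateDecode stream. The lure URL, object layout and field names are assumptions chosen for the demo; the sample omits the cross-reference stream a real viewer would need, since the scanner does not use it.

```python
"""Added example: surface /URI link actions hidden inside FlateDecode streams.

The PDF below is constructed inline (not the campaign's sample) so the scan
runs offline; the scanning logic is illustrative, not Forcepoint's.
"""
import re
import zlib


def build_lure_pdf(uri: str) -> bytes:
    """Build a minimal PDF (assumption: layout chosen for illustration) whose
    AcroForm button and /URI action exist only inside a compressed object
    stream, so the URL never appears in plaintext in the file."""
    widget = (f"<< /Type /Annot /Subtype /Widget /FT /Btn /Ff 65536 /T (Open) "
              f"/Rect [100 600 300 650] /P 3 0 R "
              f"/A << /S /URI /URI ({uri}) >> >>")
    acroform = "<< /Fields [4 0 R] >>"
    # Object stream header: (object number, byte offset into the body) pairs.
    header = f"4 0 5 {len(widget) + 1} "
    packed = zlib.compress((header + widget + " " + acroform).encode("latin-1"))
    parts = [
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 5 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R] >> endobj\n",
        b"6 0 obj << /Type /ObjStm /N 2 /First %d /Length %d "
        b"/Filter /FlateDecode >>\n" % (len(header), len(packed)),
        b"stream\n" + packed + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",  # xref stream omitted on purpose
    ]
    return b"".join(parts)


# "(?<!end)" keeps the keyword inside "endstream" from starting a false match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# A /URI value may be a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")


def decode_pdf_string(literal, hexstr) -> str:
    """Decode whichever PDF string form the regex captured."""
    if literal is not None:
        return literal.decode("latin-1")
    digits = re.sub(rb"\s", b"", hexstr).decode("ascii")
    if len(digits) % 2:          # PDF pads a trailing odd digit with 0
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")


def inflate(data: bytes) -> bytes:
    """Inflate a FlateDecode stream, keeping the partial output a truncated or
    corrupt stream yields instead of discarding it (a damaged trailer is a
    cheap way to make lazy tooling give up)."""
    out = bytearray()
    d = zlib.decompressobj()
    try:
        for i in range(0, len(data), 512):
            out += d.decompress(data[i:i + 512])
        out += d.flush()
    except zlib.error:
        pass  # keep whatever was recovered before the error
    return bytes(out)


def scan_pdf(pdf: bytes) -> dict:
    """Report link actions visible in plaintext versus only after inflating
    streams, plus the AcroForm indicators that make this lure shape stand out."""
    plain = [decode_pdf_string(*m.groups()) for m in URI_RE.finditer(pdf)]
    inflated = b""
    for m in STREAM_RE.finditer(pdf):
        # The stream dictionary precedes the keyword; look back to the object start.
        head = pdf[max(0, m.start() - 300):m.start()]
        idx = head.rfind(b"obj")
        head = head[idx:] if idx >= 0 else head
        if b"/FlateDecode" in head:
            inflated += inflate(m.group(1)) + b"\n"
    hidden = [decode_pdf_string(*m.groups()) for m in URI_RE.finditer(inflated)]
    everything = pdf + inflated
    has_acroform = b"/AcroForm" in everything
    has_button = (b"/Widget" in everything
                  and re.search(rb"/FT\s*/Btn", everything) is not None)
    return {
        "plaintext_uris": plain,
        "decompressed_uris": hidden,
        "has_acroform": has_acroform,
        "has_widget_button": has_button,
        # Link actions that only exist post-inflation on a form-bearing PDF.
        "suspicious": bool(hidden) and has_acroform,
    }


if __name__ == "__main__":
    sample = build_lure_pdf("https://example.invalid/tender/doc")
    for key, value in scan_pdf(sample).items():
        print(f"{key}: {value}")
```

Run as-is and the plaintext pass reports no URLs while the inflated pass reports the lure, which is the whole point: a mail gateway that scans attachments without decoding stream filters is grepping compressed bytes. Real samples also use object streams, hex-encoded strings and deliberately damaged stream trailers, which is why the decoder tolerates both string forms and partial inflation.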
Behind the scenes, a script on the fake page harvests the entered email address and password along with the visitor's IP address, device type, and geolocation, and transmits them to a private Telegram channel controlled by the attackers. To avoid suspicion, the fake login page then shows an error message, so victims believe they simply mistyped their password and have no reason to report the incident.
Forcepoint has since updated its defenses to detect and block these files, but the campaign shows how attackers increasingly abuse trusted file formats and reputable cloud infrastructure to get past security controls. The incident underscores the risk of treating routine business documents as safe without verifying their origin.
Source: https://hackread.com/phishing-scam-emails-pdfs-steal-dropbox-logins/
Dropbox TPRM report: https://www.rankiteo.com/company/Dropbox
Vercel TPRM report: https://www.rankiteo.com/company/vercel
{
  "id": "Drover1770065567",
  "linkid": "Dropbox, vercel",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'type': 'Businesses (potentially across industries)'}],
 'attack_vector': 'Email with malicious PDF attachment',
 'data_breach': {'data_exfiltration': 'Yes (transmitted to private Telegram channel)',
                 'file_types_exposed': 'PDF (malicious lure, not victim data)',
                 'personally_identifiable_information': 'Yes (email credentials, geolocation data, device types)',
                 'sensitivity_of_data': 'High (personally identifiable information, authentication credentials)',
                 'type_of_data_compromised': ['Email credentials',
                                              'Passwords',
                                              'IP addresses',
                                              'Device types',
                                              'Geolocation data']},
 'description': 'Cybersecurity researchers at Forcepoint have uncovered a sophisticated phishing campaign that bypasses traditional email filters by leveraging clean-looking business emails and multi-stage deception. The attack begins with a seemingly legitimate message, often referencing a "tender" or "procurement" deal, containing a PDF attachment that looks harmless. The PDFs abuse legitimate features, AcroForm fields and FlateDecode stream compression, to embed a clickable button whose link action is not visible in plaintext, tricking users into interacting with what appears to be a standard document. Once clicked, the victim is redirected to a second file hosted on Vercel Blob storage, which then directs users to a fake Dropbox login page. A script harvests email credentials, passwords, IP addresses, device types, and geolocation data, transmitting the stolen information to a private Telegram channel controlled by the attackers.',
 'impact': {'data_compromised': 'Email credentials, passwords, IP addresses, device types, geolocation data',
            'identity_theft_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Malicious PDF attachment in email'},
 'investigation_status': 'Ongoing (Forcepoint has updated defenses)',
 'lessons_learned': 'Attackers are increasingly abusing trusted formats (PDFs) and cloud infrastructure (Vercel Blob storage) to bypass security measures. Routine business documents should not be assumed safe without verifying their origin.',
 'motivation': 'Credential theft, data exfiltration',
 'post_incident_analysis': {'corrective_actions': 'Forcepoint updated defenses to detect and block these files. Organizations should enhance email filtering, user education, and monitoring for cloud service abuse.',
                            'root_causes': 'Abuse of legitimate PDF features (AcroForm fields, FlateDecode-compressed streams) to hide the link action, and of a legitimate cloud service (Vercel Blob storage) to host the redirector and evade reputation-based blocking.'},
 'recommendations': 'Enhance email filtering to decode PDF stream filters and inspect form actions rather than only the raw bytes, educate users on verifying document origins, monitor for abuse of legitimate cloud services, and implement multi-factor authentication (preferably phishing-resistant methods) to limit what a stolen password is worth.',
 'references': [{'source': 'Forcepoint'}],
 'response': {'containment_measures': 'Forcepoint updated defenses to detect and block these files',
              'third_party_assistance': 'Forcepoint (cybersecurity researchers)'},
 'title': 'New Phishing Scam Exploits Trusted PDFs and Cloud Services to Steal Credentials',
 'type': 'Phishing',
 'vulnerability_exploited': 'None (no software vulnerability); abuse of legitimate PDF features (AcroForm fields, FlateDecode-compressed streams) and of legitimate cloud hosting (Vercel Blob storage)'}