PDFs: Portable documents, or perfect deliveries for phish?
- Cisco recently developed and released an update to its brand impersonation detection engine for emails. This update expands detection coverage to a wider range of brands impersonated through PDF payloads (i.e., attachments).
- A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique known as Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing.
- Talos observed that these threat actors often use Voice over Internet Protocol (VoIP) to remain anonymous. These phone numbers are sometimes reused on consecutive days. Additionally, Talos has identified instances of Adobe platform abuse to deliver PDF attachments to victims in TOAD emails.
- Talos plans to collect and gather intelligence around phone numbers as an additional indicator of compromise (IOC).
- Talos provides new insights into the use of QR codes and PDF annotations in email threats that impersonate legitimate brands through PDF payloads.
Brand impersonation via PDF payload
The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most operating systems. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation.
Brand impersonation is a social engineering technique that exploits the popularity of well-known brands to persuade email recipients to disclose sensitive information. As discussed in our previous blog, adversaries can deliver brand logos and names to victims using multiple types of payloads. One of the most common methods of delivering brand logos and names is through PDF payloads (or attachments).
In some cases, the entire email, including a brand’s logo, is embedded within a PDF attachment. Figure 1 displays an example of a QR code phishing email that impersonates the Microsoft Corporation brand. The threat actor used an enticing subject line, “Paycheck Increment,” timed strategically during periods when promotions or merit changes are likely to occur in various organizations.

In other cases, the company’s logo is included in a separate image or PDF attachment and is displayed to the victim as soon as they open the email. Below is an example of a QR code phishing email that impersonates both the Microsoft and Adobe Inc. brands. Figure 2 shows the Adobe logo attached to an email as an image file.

A brand’s logo may not always be present in every brand impersonation attempt. For example, the following phishing email, which impersonates the Adobe brand, does not include any logos.

When the victim clicks on the “View the Attached online here” hyperlink, they are redirected to a phishing page impersonating a Dropbox, Inc. webpage.


Telephone-oriented attack delivery (TOAD)
A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique: telephone-oriented attack delivery (TOAD), also known as callback phishing.
Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction. Once the victim calls, the attacker poses as a legitimate representative and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.

Phishing typically involves sending emails or messages with malicious links or attachments that direct the victim to a counterfeit website. Callback phishing, however, does not rely on fake websites or phishing links. Instead, attackers use direct voice communication to exploit the victim’s trust in phone calls and the perception that phone communication is a secure way to interact with an organization. Additionally, the live interaction during a phone call enables attackers to manipulate the victim’s emotions and responses by employing social engineering tactics. Callback phishing is, therefore, a social engineering technique rather than a traditional email threat.
Most phone numbers found in email threats leveraging this social engineering technique are Voice over Internet Protocol (VoIP) numbers, as it is significantly harder to trace a VoIP number back to a specific individual or physical location compared to a traditional phone number. Below is an example of a TOAD attack that impersonates the McAfee LLC brand.

Talos has observed that phone numbers are sometimes reused on consecutive days. This could happen for multiple reasons. First, intelligence about phone numbers is collected and distributed at a slower pace compared to other artifacts like URLs and files. In most cases, phone numbers observed in emails by cybersecurity companies are not shared with third-party reputation services, or vice versa. As a result, these phone numbers often remain under the radar for several days. Second, the reuse of phone numbers provides logistical advantages for scam call centers. It enables consistent contact for multi-stage social engineering attacks, scheduling callbacks, and maintaining a credible “brand” presence with victims. Lastly, phone numbers may be reused to minimize costs, particularly if the VoIP service is not free. The plot below illustrates a case where the number +1-818-675-1874 was used in TOAD emails impersonating Best Buy’s Geek Squad brand for four consecutive days.
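As an added example (not Talos's own tooling) of treating callback numbers as an indicator, the script below normalizes the different ways a TOAD number appears after text extraction and flags numbers reused on consecutive days, the pattern described above. The number is the one cited in this post; the observation dates and message texts are constructed.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed observations: (date seen, text extracted from a TOAD PDF attachment).
# The number is the one quoted in the post; the dates and wording are made up, and
# the varying formats are how one number typically surfaces after text extraction.
OBSERVATIONS = [
    (date(2025, 5, 12), "Geek Squad renewal charged $399.99. To cancel call +1-818-675-1874 now"),
    (date(2025, 5, 13), "Questions? Reach our billing desk at (818) 675-1874 within 24 hours"),
    (date(2025, 5, 14), "Call 818.675.1874 to dispute this invoice"),
    (date(2025, 5, 15), "Support line: 1 818 675 1874"),
    (date(2025, 5, 15), "Invoice 4471-2290 dated 05/14/2025"),  # digits, but not a phone number
]

# NANP numbers (area code and exchange start with 2-9), optional +1 / 1 prefix,
# common separators; the lookbehind keeps matches out of longer digit runs.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?[2-9]\d{2}\)?[\s.-]?[2-9]\d{2}[\s.-]?\d{4}\b")

def normalize(raw: str) -> str:
    """Collapse any NANP formatting to E.164 (+1NXXNXXXXXX) so the same number
    matches across emails regardless of how the attacker wrote it."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits

def extract_numbers(text: str) -> list:
    """All candidate callback numbers in a piece of extracted text, normalized."""
    return [normalize(m.group()) for m in PHONE_RE.finditer(text)]

def reuse_streaks(observations, min_days: int = 2) -> dict:
    """Map each number to its longest run of consecutive observation days,
    keeping only numbers seen on at least min_days consecutive days."""
    days_seen = defaultdict(set)
    for day, text in observations:
        for num in extract_numbers(text):
            days_seen[num].add(day)
    streaks = {}
    for num, days in days_seen.items():
        ordered = sorted(days)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev == timedelta(days=1) else 1
            best = max(best, run)
        if best >= min_days:
            streaks[num] = best
    return streaks

if __name__ == "__main__":
    print(reuse_streaks(OBSERVATIONS))  # {'+18186751874': 4}
```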

Talos has also observed several cases of e-signature service abuse on the Adobe platform between April and May 2025. Figure 8 shows an example email that impersonates the PayPal brand. In this case, the entire PDF file (i.e., the body of the email) was uploaded to Adobe and sent directly to the victim through the e-signature service.


QR codes in PDF payloads
Adversaries extensively use QR codes alongside brand impersonation phishing emails, a tactic known as QR code phishing. As seen in Figures 10 – 12, attackers exploit the legitimacy of popular brands to convince users to scan the QR code, ultimately redirecting them to a phishing page, which is often protected by some form of CAPTCHA.



In most QR code phishing emails with PDF payloads, the entire email body is embedded in the attachment and is rendered for the victim as soon as they open the email. This technique easily evades email filters and detection engines that rely on textual features and keywords, unless preceded by optical character recognition (OCR) analysis. However, OCR is an error-prone process and increases computational costs.
Annotations in PDF payloads
Although the PDF format is an open standard, its structure is not straightforward to understand (this book provides an excellent explanation). PDFs can contain both visible and hidden information within their three main components: the text layer, the image layer and the internal structure (e.g., comments and annotations). This flexibility allows certain elements within a PDF to make it appear legitimate, helping it evade spam filters and detection systems.
To make QR code phishing emails more evasive, attackers often exploit otherwise legitimate PDF annotations. For example, a phishing URL might be embedded in a text annotation, sticky note, comment, or form field within a PDF attachment. Alternatively, attackers may add irrelevant text (or “noise”) to bypass detection systems.
Figures 13 and 14 demonstrate how multiple URLs can be embedded in a PDF attachment using annotations. In this case, the QR code may link to a legitimate web page to build the recipient’s trust, while the embedded annotation points to the actual phishing page. To further obscure the attack, attackers may use shortened URLs, making it harder for users to verify the link’s legitimacy before clicking.
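An added example, not part of this post or Cisco's detection engine, of the triage check this section implies: scan a PDF's annotation and form-field dictionaries for URLs that are not the visible link target. The PDF is constructed and stored uncompressed; real attachments often keep annotations inside compressed object streams, which have to be inflated (or read through a PDF library) before a byte-level scan like this one sees them.

```python
import re

# Constructed sample (not a real phishing attachment; no object streams, so a raw
# byte scan sees every object): a visible /Link annotation, a sticky-note (/Text)
# annotation carrying a second URL in its /Contents, and a text form field
# (/Widget) whose value is a third, shortened-looking URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://www.example.com/help) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 1 1] /Contents (See https://verify-account.example.net/login \\(urgent\\)) >> endobj
6 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (ref) /V (https://short.example/abc) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ANNOT_SUBTYPES = {b"Link", b"Text", b"FreeText", b"Widget", b"Popup", b"FileAttachment",
                  b"Highlight", b"Square", b"Circle", b"Stamp", b"Ink", b"Redact"}
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
# Literal strings under the keys where a URL can hide: link action target,
# annotation text, form-field value, rich-text contents.
STR_RE = re.compile(rb"/(URI|Contents|V|RC)\s*\(((?:\\.|[^\\)])*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>'\"]+")

def unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes for ( ) and backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", s)

def annotation_urls(pdf: bytes) -> list:
    """(object number, subtype, dictionary key, url) for every URL in an annotation object."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sub = SUBTYPE_RE.search(body)
        if not sub or sub.group(1) not in ANNOT_SUBTYPES:
            continue  # fonts, images and other non-annotation objects
        for key, raw in STR_RE.findall(body):
            for url in URL_RE.findall(unescape(raw)):
                hits.append((num, sub.group(1).decode(), key.decode(), url.decode()))
    return hits

def hidden_urls(pdf: bytes) -> list:
    """URLs that are not the target of a clickable /Link action, i.e. ones the reader never sees."""
    return [h for h in annotation_urls(pdf) if (h[1], h[2]) != ("Link", "URI")]

if __name__ == "__main__":
    for hit in annotation_urls(SAMPLE_PDF):
        print(hit)
```

In triage, the hidden hits are the ones to compare against the QR code's decoded target and the visible link: a mismatch is the pattern Figures 13 and 14 describe.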


Trends of brand impersonation via PDF payloads
Brand impersonation remains a prevalent social engineering tactic in phishing attacks, with Talos frequently observing PDF payloads delivering brand names or logos in recent months.
Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered how widespread these attacks are. The plot in Figure 15, reflecting the period between May 5 and June 5, 2025, highlights the most impersonated brands detected in emails with PDF attachments. Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments. Similarly, NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments.

The map in Figure 16 indicates where brand impersonation attempts using PDF attachments originated for the above brands, both locally and internationally, during this time period.

Protection against brand impersonation
Brand impersonation is one of the most popular social engineering techniques, and it is continuously being used by attackers in different types of email threats. Therefore, a brand impersonation detection engine plays a pivotal role in defending against cyber attacks.
Cisco Talos relies on a wide range of systems to detect this type of threat and protect our customers, from rule-based engines to advanced machine learning-based systems. Learn more about Cisco Secure Email Threat Defense’s brand impersonation detection engine here.