As cyber threats continue to evolve, attackers are exploiting even the most trusted file formats for nefarious purposes. In its latest research, Cisco Talos Intelligence Group highlights how PDF files are increasingly being used as delivery mechanisms for brand impersonation and callback phishing campaigns.
The findings stem from recent enhancements to Cisco’s brand impersonation detection engine within its Secure Email Threat Defense platform, which improved detection of malicious PDFs attached to phishing emails, especially those leveraging Telephone-Oriented Attack Delivery (TOAD) tactics.
PDF Payloads
PDFs (Portable Document Format), long considered a safe and universal means of digital communication, are widely used across organizations due to their platform-agnostic nature and consistent formatting. But this same ubiquity has made them a favorite weapon for attackers.
Cisco Talos observed an uptick in phishing emails containing PDF attachments impersonating well-known brands and often including corporate logos or familiar layouts embedded within the PDF to give a sense of legitimacy.
In many cases, victims are lured into clicking links within the PDF that lead to fake login pages or, increasingly, prompted to call a phone number listed inside the document—a method that avoids traditional link-based detection altogether.
TOAD: Callback Phishing Goes Mainstream
TOAD, or Telephone-Oriented Attack Delivery, differs from conventional phishing in that it doesn’t rely on fraudulent websites. Instead, it prompts victims to call adversary-controlled phone numbers, often using VoIP lines to maintain anonymity. Once connected, attackers impersonate customer service representatives and manipulate victims into sharing sensitive information or installing malware.
Abuse of Adobe and QR Code Tactics
The research also uncovered abuse of Adobe’s e-signature platform, where entire phishing PDFs were uploaded and distributed to victims under the guise of legitimate Adobe documents.
In parallel, QR code phishing is becoming more sophisticated. Attackers embed QR codes within PDFs, often hiding phishing URLs inside PDF annotations, such as sticky notes or form fields. These attacks are especially effective because they bypass traditional email filters, unless Optical Character Recognition (OCR) or advanced parsing is used—tools that are both error-prone and resource-intensive.
Cisco Talos’ detection data reveals that the brands most frequently impersonated via PDF payloads include Microsoft, DocuSign, PayPal, NortonLifeLock, and Geek Squad.
These impersonations often align with promotional or financial themes (e.g., “Paycheck Increment”), exploiting corporate cycles and user expectations to improve click-through and call rates.
Telemetry data showed that PDF phishing attacks originated from a broad range of IP addresses, indicating a globally distributed threat infrastructure leveraging cloud services and anonymization tools to mask their activities and maintain persistence.
To combat this growing threat, Cisco has bolstered its brand impersonation detection engine with enhanced coverage for PDF-based phishing, helping identify malicious indicators embedded in documents, including logos, phone numbers, annotations, and QR codes.
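As an added illustration of the annotation and form-field hiding described in the QR code section and of the indicator types listed above, the following small scanner (example code, not Cisco's engine or any Talos tooling) walks the objects of an uncompressed PDF and reports URLs and phone numbers found in annotation /Contents strings, form-field /V values and /URI actions. The embedded PDF, its domain and its phone number are constructed; it assumes uncompressed objects, so real documents would need a full PDF parser (e.g. pypdf) and a QR decoder for image-borne codes.

```python
import re

# Constructed sample (not a real campaign artifact): a minimal, uncompressed PDF with
# a sticky-note annotation hiding a URL in /Contents, a text form field carrying a
# callback number, and a link annotation with a /URI action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Text /Contents (Verify your account at https://example-invoice.test/login) >> endobj
5 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (support) /V (Call 1-800-555-0199 to cancel) >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-invoice.test/qr) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
# Literal strings under the keys where phishing text and links are commonly stashed.
STR_RE = re.compile(rb"/(Contents|V|URI)\s*\((.*?)(?<!\\)\)", re.S)
URL_RE = re.compile(r"https?://[^\s)]+")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")


def scan_pdf(data: bytes) -> list[dict]:
    """Return one finding per URL or phone number in annotation / form-field strings."""
    findings = []
    for m in OBJ_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(2)
        if b"/Annot" not in body and b"/FT" not in body:
            continue  # only annotation and form-field objects are of interest here
        sub = SUBTYPE_RE.search(body)
        subtype = sub.group(1).decode() if sub else "?"
        for key, raw in STR_RE.findall(body):
            text = raw.decode("latin-1")
            for url in URL_RE.findall(text):
                # A URL inside a sticky note or form field is invisible to a plain link scan.
                kind = "link_url" if subtype == "Link" else "hidden_url"
                findings.append({"obj": objnum, "subtype": subtype, "key": key.decode(),
                                 "kind": kind, "value": url})
            for phone in PHONE_RE.findall(text):
                findings.append({"obj": objnum, "subtype": subtype, "key": key.decode(),
                                 "kind": "callback_number", "value": phone})
    return findings


def verdict(findings: list[dict]) -> str:
    """Rough triage: a callback number or a hidden URL is the TOAD / QR-phishing signal."""
    kinds = {f["kind"] for f in findings}
    if "callback_number" in kinds or "hidden_url" in kinds:
        return "suspicious"
    return "clean" if not findings else "review"


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f)
    print(verdict(scan_pdf(SAMPLE_PDF)))
```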
The weaponization of PDFs in phishing campaigns underscores the adaptability of cybercriminals and the need for continuous innovation in threat detection. As techniques like TOAD and QR phishing gain traction, defenders must look beyond traditional indicators and embrace context-aware, content-based analysis to stay ahead.