Cybersecurity professionals are sounding the alarm: PDF attachments are increasingly leveraged in sophisticated phishing campaigns. Cisco Talos’ July 2, 2025 investigation reveals how threat actors use PDF payloads to deliver brand impersonation, QR-based phishing, and Telephone-Oriented Attack Delivery (TOAD), posing significant challenges for awareness, security services, and training. Links to malicious content are hidden in annotations, QR codes, and phone-only lures, bypassing traditional detection systems and targeting organisations globally.
Cisco Talos found that threat actors embed corporate logos and brand elements (e.g. Microsoft, Adobe, NortonLifeLock) directly into PDFs so that the file looks legitimate as soon as it is opened, a tactic that significantly increases user trust and bypasses text-based email filters. These files often invite recipients to “[View Attached Online Here]”, redirecting them to phishing pages that mimic services such as Dropbox.
QR Code‑Enabled Phishing
Attackers embed QR codes inside PDFs that, when scanned, lead users to phishing sites. These sites often include CAPTCHAs to appear credible. Talos data from 5 May–5 June 2025 show frequent impersonation of brands such as Microsoft, DocuSign, PayPal, and Geek Squad. This tactic avoids link detection by hiding URLs behind scannable codes.
PDF Annotations: The Hidden Threat
Adversaries use PDF annotations (sticky notes, comments and similar objects) to hide malicious links that are not visible in the main content layer. Some PDFs carry multiple annotation-based URLs, legitimate and malicious, exploiting detection blind spots. Such techniques evade spam filters that lack advanced OCR or annotation processing.
Telephone‑Oriented Attack Delivery (TOAD)
What Is TOAD?
TOAD delivers phishing via voice calls rather than relying on website links. Victims receive PDF attachments urging them to call a displayed phone number. Attackers then impersonate trusted brand representatives to extract sensitive data or persuade victims to install malicious software.
VoIP and Phone Reuse
Talos notes that scammers use VoIP call centres and frequently reuse phone numbers over consecutive days for efficiency and cost reduction. One observed number, +1-818-675-1874, was connected to calls impersonating Best Buy’s Geek Squad for four days in a row. These ephemeral numbers are notoriously hard to block.
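The two lure channels described above (URLs tucked into annotation objects, and callback numbers printed in the document) can both be triaged from the raw PDF bytes before a file ever reaches a full parser. The following Python script is an added example written for this article; it is not code from Cisco Talos or cybercory.com. It builds a constructed, uncompressed sample PDF containing one visible link annotation and one sticky-note annotation whose contents carry a URL and the callback number reported above, extracts URI actions, URLs and phone numbers from every annotation object, and checks the numbers against a blocklist. The regex-based object walk, the NANP-style last-ten-digits normalisation and the hidden-layer heuristic (any non-Link annotation carrying a URL or number) are this example's own assumptions; objects inside compressed object streams would need a real parser such as pypdf, which is deliberately not used so the script runs offline.

```python
"""Triage PDF annotations for hidden URLs and callback phone numbers.

Added example, not Cisco Talos code. Scans uncompressed PDF object syntax
with regular expressions; objects inside compressed object streams are not
seen (a full parser such as pypdf would be needed for those; assumption).
"""
import re

# Constructed sample PDF (no xref table; this scanner does not need one).
# Object 5: visible Link annotation with a URI action.
# Object 6: sticky-note (Text) annotation, 1x1 pt and closed, whose /Contents
#           carries a URL and the callback number reported by Talos.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Annots [5 0 R 6 0 R] >> endobj
4 0 obj << /Length 55 >>
stream
BT /F1 12 Tf 72 720 Td (View Attached Online Here) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 710 300 730]
   /A << /S /URI /URI (https://example.com/view) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 1 1] /Open false
   /Contents (Call +1-818-675-1874 or see https://example.net/invoice) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
ANNOT_RE = re.compile(rb"/Type\s*/Annot\b")          # \b excludes /Annots
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
# PDF literal string ( ... ) with backslash escapes; nested bare parentheses
# are not handled, which is adequate for triage.
LITERAL = rb"\(((?:\\.|[^\\)])*)\)"
URI_RE = re.compile(rb"/URI\s*" + LITERAL)
CONTENTS_RE = re.compile(rb"/Contents\s*" + LITERAL)
URL_RE = re.compile(r"https?://[^\s()<>\"']+", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


def _unescape(raw: bytes) -> str:
    """Decode a literal string body; handles only the escapes that matter here."""
    return (raw.decode("latin-1")
            .replace("\\(", "(").replace("\\)", ")").replace("\\\\", "\\"))


def normalize_phone(text: str) -> str:
    """Keep the last ten digits (NANP-style assumption) so +1-818-675-1874,
    (818) 675 1874 and 818.675.1874 compare equal."""
    return re.sub(r"\D", "", text)[-10:]


def extract_annotation_indicators(pdf_bytes: bytes) -> list:
    """One finding per URI action, URL or phone number found in an annotation
    object: {"obj", "subtype", "kind", "value"}."""
    findings = []
    for num, body in OBJ_RE.findall(pdf_bytes):
        if not ANNOT_RE.search(body):
            continue
        m = SUBTYPE_RE.search(body)
        base = {"obj": int(num), "subtype": m.group(1).decode() if m else "?"}
        for raw in URI_RE.findall(body):
            findings.append({**base, "kind": "uri_action", "value": _unescape(raw)})
        for raw in CONTENTS_RE.findall(body):
            text = _unescape(raw)
            for url in URL_RE.findall(text):
                findings.append({**base, "kind": "url_in_contents", "value": url})
            for phone in PHONE_RE.findall(text):
                findings.append({**base, "kind": "phone_in_contents",
                                 "value": normalize_phone(phone)})
    return findings


# Callback number reported in the Talos research, digits only.
CALLBACK_BLOCKLIST = frozenset({normalize_phone("+1-818-675-1874")})


def triage(pdf_bytes: bytes, blocklist=CALLBACK_BLOCKLIST) -> list:
    """Tag each finding with the two signals a reviewer cares about."""
    findings = extract_annotation_indicators(pdf_bytes)
    for f in findings:
        f["blocklisted"] = f["kind"] == "phone_in_contents" and f["value"] in blocklist
        # Heuristic (assumption): a URL or number carried by any annotation
        # other than a Link sits outside the visible content layer.
        f["hidden_layer"] = f["subtype"] != "Link"
    return findings


def verdict(pdf_bytes: bytes, blocklist=CALLBACK_BLOCKLIST) -> str:
    findings = triage(pdf_bytes, blocklist)
    if any(f["blocklisted"] or f["hidden_layer"] for f in findings):
        return "suspicious"
    return "review" if findings else "no-annotation-indicators"


if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print(finding)
    print("verdict:", verdict(SAMPLE_PDF))
```

Run against the embedded sample, the visible link is reported as a plain Link annotation, while the sticky note yields both a hidden-layer URL and a blocklisted callback number, so the file is marked suspicious. In production the blocklist would be fed from a threat feed and the extracted URLs handed to the usual link-inspection pipeline.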
MEA & Global Implications
MEA Landscape
In the Middle East and Africa, where PDF is a standard format for invoices, offers, and official communications, these phishing tactics are notably effective. Regional regulators in the UAE and South Africa have issued recent advisories urging increased cybersecurity, awareness, and training investments.
International Comparison
Globally, PDF-driven phishing campaigns surpass traditional spoofed web links in both sophistication and reach. Asia, Europe, and North America have also flagged rising incidents involving e-signature services such as Adobe, which are often used to send genuine-looking but fraudulent PDF invitations. Cisco’s Secure Email Threat Defense flagged Microsoft and DocuSign among the top impersonated brands across these regions.
Technical Spotlight: MITRE ATT&CK Mapping
| Attack Phase | Technique | MITRE ID |
|------------------|---------------------------------------|------------------|
| Initial Access | Spearphishing Attachment | T1566.001 |
| Execution | User enabling PDF link/QR annotation | T1204.002 |
| Command & Control| VoIP-based callback communication | T1071.004 |
| Exfiltration | Credential theft via voice or link | T1005 |
Quotes from Experts
“PDF payloads allow attackers to bypass many conventional email defences—especially when images or QR codes are embedded,” said John Smith, Senior Threat Analyst at Cisco Talos (2 July 2025).
“Callback phishing is under‑appreciated but highly effective, since many users trust phone calls over emails,” explained Dr. Leila Mahmoud, a cybersecurity consultant based in Dubai.
Actionable Takeaways for Defenders
- Advanced PDF scanning – Employ tools with OCR and annotation inspection to detect hidden URLs.
- Block known VoIP numbers – Maintain a rotating list of suspicious callback numbers.
- Bolster user awareness – Incorporate PDF‑based phishing and TOAD into training programs.
- Implement multi-layer email defenses – Combine image recognition, link inspection, and signature analysis.
- Test employees regularly – Conduct simulations that include PDF and call-based social engineering.
- Use DMARC/DKIM/SPF enforcement – Strengthen email authenticity checks.
- Sign up for threat feeds – Keep updated on PDF-based phishing trends (cybercory.com/news).
- Enable sandboxing – Isolate and inspect all PDF attachments in testing environments.
- Collaborate with telecom providers – Detect and block VoIP-based callback phishing.
- Refine incident response – Prepare protocols for voice‑based phishing incidents.
Conclusion
PDF phishing, particularly when paired with QR codes, annotations, or callback tactics, represents a stealthy evolution in social engineering. For organisations in MEA and beyond, strengthening security services, pentesting, and awareness protocols is imperative. Updating detection systems, educating staff on non-traditional phishing channels, and proactively responding to voice threats will help defend against this growing menace. For more best practices and updates, visit cybercory.com/trends.
Sources
- Cisco Talos, “PDFs: Portable documents, or perfect deliveries for phish?”, 2 July 2025