Phishers exploit PDFs impersonating PayPal, DocuSign, and Microsoft


Everyone trusts PDFs – and that’s exactly why cybercriminals are so obsessed with them.

The portable document format, more commonly known as PDF, is distributed millions of times daily. Tax documents, resumes, invoices, digital brochures, and almost any other piece of information are sent by email as PDF attachments.

PDFs are simple, cross-platform, and universally trusted. They can contain images, clickable links, and official-looking logos. This makes them perfect for attackers who want to blend in, which is exactly why hackers are obsessed with them right now.

The topmost brands impersonated in emails with PDF attachments. Source: Cisco Talos

Over the last few months, cybersecurity analysts have seen a sharp spike in phishing attacks delivered via PDF files. These PDFs are designed to mimic legitimate communication from tech giants and service providers to trick victims into giving away credentials or downloading malware.

According to insights from Cisco Talos, between May 5th and June 5th, 2025, brand impersonation using PDF attachments surged. The most impersonated brands are Microsoft and DocuSign, while NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in telephone-oriented attack delivery (TOAD) emails with PDF attachments.

The phishing campaigns are global, with many originating from IP addresses based in the US and Europe.

The originating IP addresses of brand impersonation attempts using PDF attachments. Source: Cisco Talos

How do attackers exploit PDFs?

One recent attack impersonated Microsoft using a bait subject line like “Paycheck Increment,” timed strategically during periods when promotions or merit changes are likely to occur in various organizations.

The PDF looked like a standard HR document, just believable enough to get a victim to scan the QR code that redirected them to a credential-stealing site. Dropbox is also often used as a platform to distribute malicious PDFs.

A QR code phishing email impersonating the Microsoft brand. Source: Cisco Talos

Then there are TOAD attacks. These phishing PDFs don’t want the victim to simply click a link – they phish them via telephone call. Scammers often drop messages about billing errors, suspicious activity, or subscription renewals and include a “customer support” number.

Most phone numbers used in these email scams are Voice over Internet Protocol (VoIP) numbers, which are much harder to trace back to a real person or physical location than standard phone lines.

Scammers are also abusing legit platforms like Adobe’s e-signature service. Between April and May 2025, Talos spotted PDFs sent through Adobe’s system, impersonating brands like PayPal.

A QR code phishing email impersonating the Microsoft and Adobe brands. Source: Cisco Talos

PDFs are also a great container for QR code phishing, which is currently having a major moment. These codes often impersonate companies like Microsoft or Adobe.

Then there’s another dangerous tactic of abusing annotations in PDF files. PDFs can hide links in places like comments, sticky notes, or form fields. All these areas are ignored by many scanners.

Attackers also flood files with irrelevant text to confuse detection engines. In some cases, they embed two URLs: one that looks clean (to build trust) and a hidden one that takes you to the real phishing page.
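For defenders triaging attachments, the sketch below is an added example (not from Cisco Talos or the original article) that pulls every link target out of a PDF's annotations, including those inside compressed object streams, and separates targets under the claimed brand's domains from everything else. The sample bytes, the `phish.example` host and the function names are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# Literal-string /URI targets only; hex-string (<...>) URIs are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

def inflate_streams(pdf: bytes):
    """Yield the inflated body of every Flate stream; object streams can hold annotations."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, other filter, encrypted)

def extract_uris(pdf: bytes) -> list:
    """Return each distinct /URI action target in plain or Flate-compressed objects."""
    found = []
    for blob in [pdf, *inflate_streams(pdf)]:
        for m in URI_RE.finditer(blob):
            uri = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found

def triage(pdf: bytes, expected_domains) -> dict:
    """Split link targets into those under the claimed brand's domains and the rest."""
    report = {"expected": [], "unexpected": []}
    for uri in extract_uris(pdf):
        try:
            host = (urlsplit(uri).hostname or "").lower()
        except ValueError:
            host = ""  # malformed netloc: treat as unexpected
        ok = any(host == d or host.endswith("." + d) for d in expected_domains)
        report["expected" if ok else "unexpected"].append(uri)
    return report

# Constructed sample, not a real lure: a visible Link annotation to the brand's site
# plus a sticky-note (/Text) annotation with its own URI inside a compressed object stream.
_NOTE = (b"<< /Type /Annot /Subtype /Text /Contents (note) "
         b"/A << /S /URI /URI (https://login.phish.example/verify) >> >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://www.microsoft.com/) >> >> endobj\n"
    b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /N 1 /First 4 >>\nstream\n"
    + zlib.compress(b"3 0 " + _NOTE) + b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage(SAMPLE_PDF, ["microsoft.com"]))
```

A non-empty `unexpected` list next to a brand-domain link is the two-URL pattern described above and is worth escalating; encrypted PDFs and non-Flate filters need a full PDF parser.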

vilius Ernestas Naprys Paulina Okunyte Gintaras Radauskas