Cybercriminals are harvesting credentials with a sophisticated phishing campaign that imitates standard business procedures. Victims receive a polished email that looks like a tender or procurement request, asking them to review an attached purchase order and log in with their work credentials.

The tactic builds the urgency and trust typical of business fraud while slipping past email filters. The lure is delivered as a PDF attachment rather than as a direct malicious link, and its professional, concise content helps it evade SPF, DKIM, and DMARC checks. To blend the message into regular operations, attackers frequently spoof sender addresses or take control of legitimate accounts.

Methods for PDF Attachments That Avoid Link Detection

Opening the PDF reveals compressed streams (/FlateDecode) and /AcroForm objects that embed clickable elements without obvious red flags.

Hovering over the text "View specification online Here:" reveals a hidden link to a cloud-hosted PDF at hxxps://nte2srryro7jecki.public.blob.vercel-storage.com/ProductLists.pdf.

Figure: Delivery of phishing emails (Source: Forcepoint)

This abuses Vercel's trusted public.blob.vercel-storage.com infrastructure, since users implicitly trust well-known cloud platforms. The secondary PDF then redirects to the fraudulent website hxxps://tovz.life/bid-doc2026.php/?ai=xd.

With a convincing login page, this newly registered domain impersonates Dropbox and tricks users into entering their credentials under the pretense of document access. Because Dropbox is so familiar, the victim's guard is lowered and the deception becomes credential theft. Once the credentials are entered, JavaScript on the fake page takes over.

The script reads the email address and password from the form fields (#email, #password), validates the email with a simple regex (there is no real password check), and gathers additional information: the public IP address via api64.ipify.org and geolocation (city, region, country, ISP) from ipapi.co.

Figure: PDF staging (Source: Forcepoint)

It then bundles the device information, IP address, timestamp, and credentials into a message and posts it to a Telegram bot at hxxps://api.telegram.org/bot6141034733:AAH-FLm9XyFjiV6F7jq6UHBXcVZTq7rZbP0/sendMessage using a hardcoded token and chat ID. This exfiltrates the stolen data for later account takeover or lateral movement.

Because success is hardcoded to false, the page always shows "Invalid email or password" after a 5-second delay, mimicking a failed login and allaying suspicion. This multi-stage chain thrives because PDFs are essential to business and are rarely scanned in depth.

The cloud hop sidesteps reputation-based blocking, and the brand impersonation seals the trap. The chain begins with a trusted-looking email and progresses through layers of evasion to impact.

Safety and Signs of Compromise

Forcepoint protects users at each critical point: classifying the dropper PDF, flagging the redirect URL, blocking the lure email and PDF by hash, and neutralizing the C2 calls.

Stay alert: scrutinize procurement emails that carry attachments, hover over links before clicking, and compare domains against the official ones.

Figure: Routine for retrieving passwords and emails (Source: Forcepoint)

Use tools that unpack PDFs and inspect cloud redirects, train employees to recognize brand impersonation, and enable multi-factor authentication (MFA) everywhere.
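The "unpack PDFs and inspect cloud redirects" advice, and the /FlateDecode link-hiding described earlier, can be turned into a small triage script. This is an added example, not Forcepoint's tooling or anything from the campaign: it inflates Flate-compressed streams, lists every URL with where it was found, and flags links to a public cloud storage host that serve a further PDF (the cloud hop). The sample PDF, the constructed-bucket subdomain and the example.invalid link are constructed for the demo; only the public.blob.vercel-storage.com suffix comes from the article.

```python
import re
import zlib
from urllib.parse import urlparse

# Direct /Length value followed by the stream keyword; indirect lengths ("5 0 R") are skipped here.
STREAM_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s+R)[^>]*>>\s*stream\r?\n")
URL_RE = re.compile(rb"https?://[^\s)<>]+")
# Public storage suffixes worth a second look when they host a further PDF (as Vercel did above).
CLOUD_STORAGE_SUFFIXES = (".public.blob.vercel-storage.com",)


def extract_urls(pdf_bytes: bytes) -> dict[str, str]:
    """Map each URL to 'plain' (visible in the raw file) or 'inflated'
    (found only after decompressing a /FlateDecode stream)."""
    urls: dict[str, str] = {}
    for m in URL_RE.finditer(pdf_bytes):
        urls.setdefault(m.group(0).decode("latin-1"), "plain")
    for m in STREAM_RE.finditer(pdf_bytes):
        data = pdf_bytes[m.end():m.end() + int(m.group(1))]
        try:
            inflated = zlib.decompress(data)
        except zlib.error:
            continue  # not Flate-encoded (or damaged): nothing more to see
        for m2 in URL_RE.finditer(inflated):
            urls.setdefault(m2.group(0).decode("latin-1"), "inflated")
    return urls


def triage(pdf_bytes: bytes) -> list[str]:
    """Flag links hidden in compressed streams and cloud-hosted PDF 'hops'."""
    findings = []
    for url, where in extract_urls(pdf_bytes).items():
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if where == "inflated":
            findings.append(f"hidden link in compressed stream: {url}")
        if host.endswith(CLOUD_STORAGE_SUFFIXES) and parsed.path.lower().endswith(".pdf"):
            findings.append(f"cloud-hosted PDF hop: {url}")
    return findings


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (no xref table, not a real lure): one visible link
    annotation plus one hidden inside a FlateDecode stream."""
    hidden = (b"<< /Type /Annot /Subtype /Link /Rect [72 72 300 100] /A << /S /URI "
              b"/URI (https://constructed-bucket.public.blob.vercel-storage.com/ProductLists.pdf) >> >>\n") * 4
    packed = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://example.invalid/visible-link) >> >> endobj\n"
            b"2 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + packed + b"\nendstream endobj\n%%EOF\n")
```

Run `triage(open("suspect.pdf", "rb").read())` on a real attachment; the plain/inflated split is what separates a link a mail gateway can see from one it cannot.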

IOC Details

Subject: e-Tender (Your acceptance is required for the Operating Unit's Standard PO)
Lure PDF Name: 2026_PO_I0I_Jan_25_LGXZ.pdf
Lure PDF SHA1: 56ba0c54f9f02c182a46461dc448868fc663901c
Secondary PDF Name: ProductLists.pdf
Secondary PDF SHA1: 88e542b163d1de6dedbbc85b1035a2b2d3b88bb8
Dropper URL: hxxps://nte2srryro7jecki.public.blob.vercel-storage.com/ProductLists.pdf
Redirect URL: hxxps://tovz.life/bid-doc2026.php/?ai=xd
C2 URL: hxxps://api.telegram.org/bot6141034733:AAH-FLm9XyFjiV6F7jq6UHBXcVZTq7rZbP0/sendMessage

Report sightings to your security team and block these IOCs immediately. This campaign shows how attackers chain trusted vectors (email, PDFs, the cloud, and well-known brands) to gain a covert advantage.