A new phishing campaign uses a multistage lure to trick employees at targeted companies into handing over their Dropbox logins. Data security vendor Forcepoint released research on Monday on the email-based social engineering campaign, which it observed in the wild. The pattern usually runs like this: the threat actor emails the target, asking them to open a linked PDF so they can review a fake "request order."
The PDF contains a link to a convincing but phony Dropbox phishing website. The target is instructed to use their work email address to log in and review the "order," with the assurance that the email sender will receive a response as soon as they do.
The phishing site harvests the target's Dropbox credentials and location data, then returns an "incorrect username/password" message. One feature that sets this campaign apart is that there is no traditional malware anywhere in the chain, not in the email, the PDF, or the phishing site. The end goal is purely credential theft.
That might reasonably prompt a "So what?", but this and other details add up to an unexpectedly well-constructed scheme, and one worth knowing about if the emails can get past security checks and into employee inboxes.
## What Makes This Fake Dropbox Phishing Campaign So Effective

The email lure's attachment contains a brief message and a link inviting the target to view the full PDF. Clicking the link opens a blurry PDF, hosted on a reputable cloud service, that resembles some sort of order form or invoice, overlaid with a hyperlink reading "Your PDF is ready" that tells the user to "click here." That second link leads to the phony Dropbox login.
The lure looks simple and professional, and it doesn't contain any malware.
It also comes from an internal email address (either spoofed or compromised), which makes the request look routine while passing email authentication checks (including, as the blog post points out, SPF, DKIM, and DMARC). The first PDF link, which sends users to that second pre-phish document, is hosted on Vercel, a legitimate cloud hosting provider, so the URL carries that platform's domain. That too fosters trust.
To mimic an authentic login, the site has a built-in five-second delay before telling the user that their email address or password is incorrect. The captured credentials, user system information, and location data are sent to an attacker-controlled Telegram bot.
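The chain described above leaves two traces a defender can look for in web-proxy telemetry: a browser visiting a host that borrows the Dropbox name but is not Dropbox-owned, and a web page posting to the Telegram Bot API (paths of the form /bot<id>:<secret>/<method>), which a corporate workstation has little reason to do. The following is an added example written for this article, not Forcepoint's code or indicators; the log lines, the vercel.app and .example host names, and the bot token are constructed, and the Dropbox domain allowlist is an assumption you should replace with your own.

```python
import re
from urllib.parse import urlparse

# Constructed sample web-proxy log (not real telemetry): one request per line,
# whitespace-separated fields: src_ip method url referer ("-" if none).
# Hosts are made up for illustration, except dropbox.com and api.telegram.org;
# the bot token is fake.
SAMPLE_PROXY_LOG = """\
10.0.4.21 GET https://www.dropbox.com/login -
10.0.4.21 GET https://order-review-7f3a.vercel.app/request-order.pdf -
10.0.4.21 GET https://dropbox-secure-login.example/login https://order-review-7f3a.vercel.app/request-order.pdf
10.0.4.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/sendMessage https://dropbox-secure-login.example/login
10.0.4.37 GET https://www.dropbox.com/home -
"""

# Telegram Bot API paths have the form /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/[A-Za-z]+$")

# Domains Dropbox itself serves from (assumption for this example; maintain your own allowlist).
DROPBOX_DOMAINS = {"dropbox.com", "dropboxusercontent.com"}


def parse_line(line):
    """Split one log line into (src_ip, method, url, referer); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src_ip, method, url, referer = parts
    return src_ip, method, url, (None if referer == "-" else referer)


def is_dropbox_lookalike(host):
    """True when the host name trades on the Dropbox brand but is not Dropbox-owned."""
    host = host.lower()
    if "dropbox" not in host:
        return False
    return not any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def is_telegram_bot_call_from_webpage(url, referer):
    """A request to the Bot API carrying a referer was issued by a web page, not a Telegram client."""
    u = urlparse(url)
    return (u.hostname == "api.telegram.org"
            and TELEGRAM_BOT_PATH.match(u.path) is not None
            and referer is not None)


def find_suspicious(log_text):
    """Return (src_ip, reason, url) for every request matching one of the two rules."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src_ip, method, url, referer = parsed
        host = urlparse(url).hostname or ""
        if is_dropbox_lookalike(host):
            hits.append((src_ip, "dropbox_lookalike_host", url))
        if is_telegram_bot_call_from_webpage(url, referer):
            hits.append((src_ip, "telegram_bot_exfil", url))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_PROXY_LOG):
        print(*hit)
```

Run against the sample log, this flags the lookalike login host and the credential post to Telegram from the same workstation; correlating the two on source IP, with the vercel.app PDF as the referer in between, reproduces the whole chain from one user's traffic. The lookalike rule is deliberately strict about the suffix match so that a host such as dropbox.com.evil.example is still caught.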
Those credentials allow "further misuse such as account takeover, internal access or additional follow-on fraud," Prashant Kumar, a security researcher at Forcepoint X-Labs, writes in the blog post. Dark Reading reached out to Forcepoint for more details.

## Strategies for Organizations to Safeguard Themselves

Forcepoint's blog post lists indicators of compromise, in addition to noting that its own products protect against this campaign.
Many standard phishing best practices apply here. Don't open a PDF attachment unless you can be certain it came from a reliable source. When you receive a suspicious email or an untrusted attachment, get secondary confirmation out of band (such as via a phone call) from the person who sent it, or from a relevant decision-maker within the organization, before opening it.
If you receive an urgent call to action, such as being told to log in to a website with your business credentials, take a moment to evaluate the request critically.