Cybercriminals have launched a phishing campaign that poses as Dropbox in order to trick users into divulging their login credentials. The attack circumvents content scanners and email security checks using a multi-stage method.
The threat actors build a deception chain that, by abusing trusted cloud platforms and innocuous-looking PDF files, directs victims to a phony login page intended to steal their credentials. The attack begins with a business email that looks authentic and is tied to procurement procedures. These emails include a PDF attachment and ask recipients to review request orders by logging in with their credentials. What makes this campaign effective is that the email body contains no malicious links, so it can pass authentication checks such as SPF, DKIM, and DMARC without raising red flags.
When the victim opens the PDF attachment, an embedded link takes them to a second PDF stored on Vercel Blob storage, a reputable cloud infrastructure service.

Staging PDF (Source: Forcepoint)

This staging layer takes advantage of users' trust in well-known platforms. Forcepoint analysts found that the PDF uses techniques such as AcroForm objects and FlateDecode compression to conceal its clickable elements while appearing innocuous to scanning tools.
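The following triage script is an added example, not Forcepoint's tooling or anything from the campaign: it inflates the FlateDecode streams of a PDF so that a /URI link and /AcroForm dictionary hidden inside compressed objects become visible to a simple scan. The sample PDF and its URL are constructed placeholders, not indicators from the actual attack.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose link annotation and AcroForm
# dictionary live only inside a FlateDecode stream, mimicking the staging
# document described above. The URL is a placeholder, not a real indicator.
_INNER = (
    b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
    b"/A << /S /URI /URI (https://example-blob.vercel-storage.invalid/stage2.pdf) >> >> "
    b"<< /AcroForm << /Fields [] >> >>"
)
_DEFLATED = zlib.compress(_INNER)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

# \bstream avoids matching the tail of "endstream"; re.S lets . span newlines.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def inflate_streams(pdf: bytes) -> list:
    """Inflate every zlib (FlateDecode) stream; streams using other filters are skipped."""
    inflated = []
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib-compressed (or a different filter); nothing to reveal here
    return inflated


def triage_pdf(pdf: bytes) -> dict:
    """Report the indicators the article attributes to the staging PDF."""
    streams = inflate_streams(pdf)
    text = b"\n".join([pdf] + streams)  # raw bytes plus everything we inflated
    uris = [u.decode("latin-1") for u in URI_RE.findall(text)]
    return {
        "inflated_streams": len(streams),
        "has_acroform": b"/AcroForm" in text,
        "uris": uris,
        # Links that surface only after inflating are invisible to a scanner
        # that greps the file as-is.
        "hidden_uris": [u for u in uris if u.encode("latin-1") not in pdf],
    }


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

Real-world PDFs may chain filters or use object streams and cross-reference streams, so treat this as a first-pass triage step rather than a full parser.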
After that, victims are redirected by the cloud-hosted document to a phony website that mimics Dropbox and has a recognizable login interface. The phony page imitates the real Dropbox layout to trick users into entering login information in order to access critical files.
Attack using social engineering (Source: Forcepoint)

As soon as victims enter their email address and password, the data is instantly recorded and sent to the attackers via Telegram's infrastructure.

The Mechanism of Credential Theft

The phony Dropbox page contains hidden JavaScript code that carries out a number of nefarious tasks. When the victim inputs their credentials, the script verifies the email format and gathers the password without requiring a minimum length.
After that, it uses external APIs to obtain the victim's IP address and geolocation information, such as city, region, country, and internet service provider. Using a hardcoded bot token and chat ID, all of this gathered information is bundled into a message and sent to a Telegram bot.
To trick victims into thinking they simply typed their credentials incorrectly, while the attackers already have the stolen data, the script mimics a login process with a five-second delay before displaying an error message.