Hackers Use Malicious PDFs to Impersonate Microsoft, DocuSign & More via “Callback Phishing”

Hackers have stepped up a new phishing method that uses malicious PDF attachments to impersonate well-known companies like Microsoft and DocuSign. These fake PDFs encourage recipients to call phone numbers controlled by the attackers, pretending to be customer support representatives. This technique, called callback phishing or Telephone-Oriented Attack Delivery (TOAD), is becoming increasingly common.

During a recent one-month period, security researchers noticed a sharp increase in these campaigns. Attackers send emails with PDF files that often include QR codes or links disguised with annotations to direct victims to fake login pages or fraudulent websites mimicking trusted services. When users open the PDF, they are urged to call a provided phone number for assistance.

Once on the call, the attackers pose as legitimate support staff. Using Voice over IP (VoIP) technology, spoofed caller IDs, and professional scripts complete with hold music, they build trust and manipulate victims. Their aim is to steal sensitive credentials or convince users to install malicious software like banking trojans or remote access tools.

This approach exploits the natural trust people place in phone calls from recognized brands. Live interaction allows attackers to use psychological tactics, exploiting emotions and vulnerabilities. Past warnings from law enforcement agencies have highlighted how cybercriminal groups use similar callback scams to gain network access and install malware.

Adding to the threat’s sophistication, attackers have begun exploiting features in popular email platforms to spoof internal communications. This makes phishing emails appear more legitimate and helps bypass traditional email security filters.

To protect yourself, it’s important to be cautious with unexpected PDF attachments, especially those claiming to offer urgent help or support. Avoid calling phone numbers included in emails or PDFs and instead use official contact information. Never scan QR codes from unknown sources, and carefully verify email sender addresses beyond just their display names. Enabling multi-factor authentication and keeping antivirus or endpoint security software up to date are also crucial defenses against these attacks.
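The sender check and PDF caution described above can be automated as a mail-triage heuristic. The following is an added example, not code from the original article: the `BRAND_DOMAINS` allow-list, the finding labels and the sample message are all constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed allow-list of brand -> legitimate sending domains; maintain your own.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com",),
    "docusign": ("docusign.com", "docusign.net"),
}

def triage(raw: bytes) -> list[str]:
    """Return heuristic findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    hdr = msg["From"]
    sender = hdr.addresses[0] if hdr and hdr.addresses else None
    if sender:
        # Compare the brand claimed in the display name with the real domain.
        name, domain = sender.display_name.lower(), sender.domain.lower()
        for brand, domains in BRAND_DOMAINS.items():
            ok = any(domain == d or domain.endswith("." + d) for d in domains)
            if brand in name and not ok:
                findings.append(f"display-name-mismatch:{brand}")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        findings.append("pdf-attachment")
        data = part.get_payload(decode=True) or b""
        # Raw byte scan only sees uncompressed objects; a PDF parser is
        # needed for object streams, and text extraction for phone numbers.
        if b"/URI" in data:
            findings.append("pdf-link-annotation")
    return findings

def build_sample() -> bytes:
    """Constructed sample: brand display name, unrelated domain, PDF with a link."""
    m = EmailMessage()
    m["From"] = '"Microsoft Support" <billing@example.net>'
    m["To"] = "user@example.org"
    m["Subject"] = "Subscription renewal"
    m.set_content("Your invoice is attached.")
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (https://example.net/login) >> >> endobj\n")
    m.add_attachment(pdf, maintype="application", subtype="pdf",
                     filename="invoice.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Findings are signals for review or quarantine rather than verdicts, since legitimate mail can also carry PDFs with links.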