Remember when the biggest worry about PDFs was whether they’d format correctly when you printed them? Unfortunately, those days are long gone. Cybercriminals are weaponizing one of the most trusted file formats in business, turning innocent-looking PDFs into phishing weapons.
Research from Cisco Talos reveals a troubling trend: attackers are increasingly using PDF attachments to impersonate trusted brands like Microsoft, DocuSign, PayPal, and Geek Squad in what’s known as Telephone-Oriented Attack Delivery (TOAD) or callback phishing campaigns.
Unlike traditional phishing that tries to steal credentials through malicious links, these attacks take a different approach: they convince you to pick up the phone.
What Makes PDF Phishing So Effective?
The brilliance (and danger) of PDF-based phishing lies in its psychological manipulation. PDFs feel safe. They’re everywhere in business communication, from invoices to contracts to official notices. When you see a PDF attachment from what appears to be Microsoft or your antivirus provider, your guard naturally drops.
These attacks lean on brand impersonation, one of the most popular social engineering techniques, and threat actors often use Voice over Internet Protocol (VoIP) numbers to remain anonymous. The PDF is crafted to trigger urgency and fear, often claiming your account is compromised, your subscription is about to renew, or immediate action is required.
The Anatomy of a Modern PDF Phishing Attack
Here’s how these campaigns typically unfold:
Step 1: The Delivery
You receive an email with a PDF attachment that looks like it’s from a company you know and trust. The branding is spot-on, the language feels authentic, and the sense of urgency is carefully calibrated.
Step 2: The Hook
The PDF contains alarming information: “Your Microsoft 365 account has been compromised” or “Your GeekSquad subscription will auto-renew for $299.99.” But instead of asking you to click a link, it provides a phone number to call “immediately.”
Step 3: The Conversation
When you call, you’re connected to someone who sounds professional and knowledgeable. They know just enough about the brand they’re impersonating to seem legitimate. This live interaction enables attackers to manipulate the victim’s emotions and responses by employing social engineering tactics.
Step 4: The Payload
During the call, the attacker guides you to download remote access software like TeamViewer or AnyDesk “to fix the problem.” Once they have access to your computer, they can steal credentials, install malware, or even initiate financial transfers.

The Most Targeted Brands
Analysis of phishing emails with PDF attachments between May and June 2025 revealed Microsoft and DocuSign as the most impersonated brands overall, while NortonLifeLock, PayPal, and Geek Squad were among the most impersonated in TOAD emails specifically. These brands are attractive targets because:
- They have massive user bases
- They regularly send legitimate security notifications
- Users expect to receive urgent communications from them
- They offer services that people are willing to pay to protect
QR Codes: The New Frontier
The latest evolution in PDF phishing involves QR codes embedded within the documents. These codes might be hidden in PDF annotations, sticky notes, or form fields, making them harder for automated security systems to detect. One recent example involved a phishing email that resembled a voicemail notification and included a PDF attachment containing a QR code directing recipients to a Microsoft 365 credentials harvesting page.
QR codes are particularly dangerous because they bypass many traditional security measures. When you scan a code with your phone, you’re often not on your corporate network or protected by the same security tools that might catch a malicious link in an email.
The Microsoft 365 Direct Send Problem
Recent campaigns have found a new feature to abuse: Microsoft 365’s Direct Send, which has been used to target more than 70 organizations since May 2025 and allows attackers to spoof internal users and deliver phishing emails without compromising an account. Because the messages appear to come from inside the victim’s organization, their apparent legitimacy increases significantly.

Protecting Your Organization
The rise of PDF-based callback phishing requires a multi-layered defense strategy:
Email Security
Implement advanced email filtering that can analyze PDF contents, not just scan for known malicious attachments. Look for solutions that can detect brand impersonation and suspicious callback numbers within documents.
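As an added example (not code from Cisco Talos or Admin By Request), the heuristic below shows what “analyzing PDF contents” can mean in practice: it pulls strings from an uncompressed PDF’s page text and from annotation entries (the sticky notes and form fields the QR-code section mentions) and flags the co-occurrence of a callback number, an impersonated brand and urgency wording. The two PDF documents, brand list and scoring thresholds are constructed for illustration; QR decoding and decompression of real streams are out of scope.

```python
import re

# Constructed sample (not a real capture): minimal uncompressed PDF with a page, a content
# stream and a sticky-note (/Text) annotation; xref table and stream lengths are omitted.
LURE_PDF = b"""%PDF-1.4
3 0 obj << /Type /Page /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << >> stream
BT /F1 12 Tf 72 700 Td (Your Microsoft 365 account has been compromised.) Tj
0 -20 Td (Call immediately: 1-800-555-0199) Tj ET
endstream endobj
5 0 obj << /Type /Annot /Subtype /Text /Rect [50 50 70 70]
   /Contents (Support line 800-555-0142 - act now) >> endobj
%%EOF"""

BENIGN_PDF = b"""%PDF-1.4
4 0 obj << >> stream
BT /F1 12 Tf 72 700 Td (Thank you for your order. Total: 42.00 USD) Tj ET
endstream endobj
%%EOF"""  # constructed benign document for comparison

BRANDS = ("microsoft", "docusign", "paypal", "geek squad", "geeksquad", "norton")
URGENCY = ("compromised", "immediately", "act now", "auto-renew", "suspended")
PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")
LITERAL = r"\(((?:[^()\\]|\\.)*)\)"  # one PDF literal string, escapes allowed

def extract_strings(pdf: bytes) -> list:
    """Collect text drawn with Tj plus annotation /Contents strings (sticky notes,
    free text, form fields). Real filters must inflate FlateDecode streams first."""
    text = pdf.decode("latin-1")
    shown = re.findall(LITERAL + r"\s*Tj", text)
    annots = re.findall(r"/Contents\s*" + LITERAL, text)
    return shown + annots

def assess_pdf(pdf: bytes) -> dict:
    """Flag documents where a phone number, an impersonated brand and urgency wording
    co-occur; text tucked into annotations or form fields is an extra indicator."""
    strings = extract_strings(pdf)
    joined = " ".join(strings).lower()
    phones = sorted({m.group(0) for s in strings for m in PHONE_RE.finditer(s)})
    brands = [b for b in BRANDS if b in joined]
    urgency = [u for u in URGENCY if u in joined]
    annots = len(re.findall(rb"/Subtype\s*/(?:Text|FreeText|Widget)\b", pdf))
    score = 2 * bool(phones) + bool(brands) + bool(urgency) + bool(annots)
    verdict = "callback-lure" if score >= 4 else "review" if score >= 2 else "clean"
    return {"phones": phones, "brands": brands, "urgency": urgency,
            "annotations": annots, "score": score, "verdict": verdict}

if __name__ == "__main__":
    for name, doc in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        print(name, assess_pdf(doc))
```

A production filter would feed the extracted numbers to a reputation lookup and treat a number that matches none of the vendor’s published contacts as the strongest signal.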
User Education
Train your team to be skeptical of urgent communications, especially those requesting phone calls. Establish clear policies about when legitimate vendors might call and how they would authenticate themselves.
Access Controls
This is where robust privilege management becomes critical. Even if an attacker tricks someone into calling them, proper access controls can limit the damage. Admin By Request’s EPM solution ensures that even if malware gets onto a system, it can’t automatically gain administrative privileges to cause widespread damage.
Verification Procedures
Establish out-of-band verification procedures. If someone calls claiming to be from Microsoft, hang up and call Microsoft directly using a number you find independently (not one provided in the email or by the caller).
The Bottom Line
PDF-based callback phishing represents a concerning development in social engineering attacks. By combining the trusted nature of PDF documents with the psychological pressure of live phone interaction, attackers are finding new ways to bypass both technical defenses and human intuition.
Remember: legitimate companies don’t operate with the urgency that these scammers try to create. If something feels too urgent, too alarming, or too convenient, it probably is. When in doubt, verify through official channels, and never let anyone you don’t know access your computer remotely.