Identity, Decentralized identity and verifiable credentials, Ransomware, Email security, Phishing

PDF phishing attack leads to stolen Dropbox credentials

(Credit: monticellllo – stock.adobe.com)

(Credit: monticellllo – stock.adobe.com)

A recently uncovered phishing campaign uses PDF attachments to redirect victims to fake Dropbox login pages, Forcepoint reported Monday.

The attack begins with procurement-themed emails that do not contain any links but instead include a PDF attachment, making them more likely to bypass link-scanning email security systems.

The PDF attachment uses an AcroForm object to incorporate a link, which directs to a public[,]blob[.]vercel-storage[.]com URL. By hosting the next stage of the attack on trusted cloud infrastructure, such as Vercel Blob, the attacker further ensures security systems will not detect the attachment’s malicious nature, Forcepoint stated.

The Vercel Blob URL directs to another PDF with another link labeled “DOWNLOAD FILE HERE.” This link directs to the final phishing website, hosted on the domain tovz[.]life.

The phishing site is designed to impersonate a Dropbox login page, luring the victim to log in to view the procurement-related document.

Related reading:

JavaScript embedded in the page exfiltrates the provided email and password, along with other victim details such as IP address, location and device, to a Telegram bot using a hardcoded bot token and chat ID, Forcepoint found.

The external APIs api64[.]ipify[.]org and ipapi[.]co are used to capture the user’s IP address and estimated geolocation. After the user submits their Dropbox details, the page displays an “Invalid email or password” message after a 5-second delay.

Forcepoint emphasized that the use of links embedded in PDF attachments rather than email bodies and the hosting of a second “staging” PDF file on a legitimate cloud service make it likely that such an attack would bypass standard email security filters.

These stealth tactics necessitate greater employee vigilance when encountering links contained in PDF attachments and blocking specific indicators of compromise (IoCs) such as blocking outbound requests to the tovz[.]life domain.

IBM X-Force’s 2025 Threat Intelligence Index found that PDFs were the most common file type attached to malicious emails in 2024, making up more than 45% of malicious attachments.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Access MatrixBiometricsChallenge-Handshake Authentication Protocol (CHAP)Digital CertificateEavesdroppingEmail SpoofingInternet Message Access Protocol (IMAP)Post Office Protocol, Version 3 (POP3)SpamStore-and-Forward

You can skip this ad in 5 seconds