Current Cyber Threats

Fake Dropbox Phishing Campaign via PDF and Cloud Storage

Summary:
X-Labs recently uncovered a multi-stage credential-phishing campaign designed to evade email and content scanning by using harmless-looking PDF files and layered redirection. The attack begins with a procurement-themed business email that contains no malicious links in the message body and instead delivers a PDF attachment as the primary lure. The PDF uses AcroForm objects and compressed streams to embed a clickable element that redirects the victim to a second PDF hosted on legitimate cloud infrastructure (Vercel Blob), exploiting implicit trust in well-known platforms. This second PDF then directs the victim to a newly registered website impersonating Dropbox, which prompts the victim to authenticate in order to view the document. If credentials are entered, client-side JavaScript collects the victim’s email and password and transmits them to the attacker’s Telegram, enabling account takeover and potential lateral movement.

Security Officer Comments:
Attackers continue to impersonate known brands and services like Dropbox to trick unsuspecting end users into giving up credentials or downloading malicious executables. On top of that, actors are adapting their tactics to bypass traditional email defenses. Delivering the lure as a PDF removes the need for clickable URLs in the email body, which prevents secure email gateways from extracting and reputation-checking a link at delivery time. PDFs also allow links to be embedded in ways that are harder to analyze statically. In this campaign, the attackers used AcroForm objects and compressed streams to hide the clickable element; because many scanners do not fully parse interactive PDF objects, the malicious link is less likely to be detected during scanning.

Suggested Corrections:
  • Harden email defenses beyond basic filtering by inspecting PDF attachments and embedded links, and enforcing SPF, DKIM, and DMARC to reduce spoofed and look-alike emails.
  • Enforce MFA on all cloud and enterprise services, prioritizing phishing-resistant methods and conditional access policies that block risky sign-ins.
  • Increase user awareness by training employees to be suspicious of unsolicited PDFs and document-based login requests, even when they appear to come from trusted entities.
  • Monitor for abnormal login behavior and rapidly disable, reset, and audit accounts suspected of credential compromise.
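As a defender-side illustration of the evasion described in the Security Officer Comments and of the first correction above (inspecting PDF attachments and embedded links), the following Python is an added example, not code from the X-Labs or Forcepoint write-up. It builds a constructed sample PDF whose only link is the /URI action of an AcroForm widget stored inside a FlateDecode-compressed object stream, then scans the file the way a content filter should: once over the plain bytes, and once over every stream after decoding. The function names (build_sample_pdf, scan_pdf, verdict) and the URL blob.example.invalid are assumptions made for this example.

```python
import re
import zlib

# What the scanner looks for: a PDF /URI action, and the body of any stream
# object (stream bodies may be FlateDecode-compressed and hide the action).
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def build_sample_pdf(url: str, hide: bool = True) -> bytes:
    """Constructed sample, not the campaign's file: a one-page PDF whose only
    link is the /URI action of an AcroForm push-button widget (object 5).
    With hide=True the widget lives inside a FlateDecode-compressed object
    stream, so the URL never appears as plain text anywhere in the file."""
    widget = (b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (open) "
              b"/Rect [100 100 300 140] /A << /S /URI /URI (" + url.encode() + b") >> >>")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>",
    ]
    if hide:
        header = b"5 0 "                        # "objnum offset" pair required by /ObjStm
        data = zlib.compress(header + widget)
        objects.append(b"<< /Type /ObjStm /N 1 /First %d /Filter /FlateDecode /Length %d >>\n"
                       b"stream\n" % (len(header), len(data)) + data + b"\nendstream")
    else:
        objects += [b"null", widget]            # object 4 unused, widget is object 5 in clear
    out = bytearray(b"%PDF-1.5\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    # Classic xref table, deliberately minimal: a fully conformant PDF 1.5 file
    # would need a cross-reference stream to locate the compressed object 5.
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, startxref))
    return bytes(out)


def scan_pdf(pdf: bytes) -> dict:
    """Report URIs visible in the plain bytes, URIs that only surface after
    decoding stream objects, and whether the file carries an AcroForm
    (interactive fields that many scanners do not parse)."""
    visible = {m.decode("latin-1") for m in URI_RE.findall(pdf)}
    hidden = set()
    for body in STREAM_RE.findall(pdf):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass                                # not Flate-compressed: scan the raw bytes
        hidden |= {m.decode("latin-1") for m in URI_RE.findall(body)}
    return {
        "has_acroform": b"/AcroForm" in pdf,
        "visible_uris": sorted(visible),
        "hidden_uris": sorted(hidden - visible),
    }


def verdict(report: dict) -> str:
    """Triage rule: a link that only appears after decoding, attached to an
    interactive form, matches the evasion technique used in the campaign."""
    if report["hidden_uris"] and report["has_acroform"]:
        return "suspicious: link hidden in compressed interactive object"
    if report["hidden_uris"] or report["visible_uris"]:
        return "review: external link present"
    return "clean: no external links"


if __name__ == "__main__":
    # Constructed second-stage URL; the real campaign used Vercel Blob hosting.
    sample = build_sample_pdf("https://blob.example.invalid/second-stage.pdf")
    report = scan_pdf(sample)
    print(report)
    print(verdict(report))
```

The regex pass is a triage heuristic, not a PDF parser: it only decodes Flate streams and ignores other filters, cross-reference streams and encrypted files. For production inspection, feed attachments to a real parser (pdfminer.six or peepdf, for instance) and treat a link that the raw-byte scan misses but the decoded scan finds as the signal worth alerting on.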

Link(s):
https://www.forcepoint.com/blog/x-labs/dropbox-pdf-phishing-cloud-storage