Phishers Are Turning PDFs and Trusted Cloud Services Into a Credential Theft Assembly Line

Security teams have spent years tuning their defenses to catch malicious links and suspicious attachments. Attackers have responded by removing the obvious signals altogether.


Forcepoint X-Labs researchers have uncovered a phishing campaign that relies on a quiet, multi-stage chain built from tools most enterprises implicitly trust: PDFs, mainstream cloud storage, and a familiar SaaS login brand. There is no malware payload, no overtly malicious URL in the email body, and no obvious red flags until the final step, when credentials are already gone.


The attack begins with a professional email that looks like routine procurement correspondence. It references a request order or tender document and asks the recipient to review an attached PDF. There are no links embedded in the message itself, which helps the email pass common authentication and filtering controls. To both users and automated scanners, it looks like another ordinary business transaction.


The PDF attachment is the real entry point. Instead of containing malware, it includes interactive elements embedded using standard PDF features that are rarely blocked outright. Clicking what appears to be a harmless “view online” prompt sends the victim to a second PDF hosted on legitimate cloud infrastructure. By staging content on well-known platforms, the attackers exploit the reputational trust that security tools often extend to popular services.
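Because the email body carries no link, the attachment is the first place a defender can see the chain begin. The following Python triage script is an added example and not part of the Forcepoint research or the article; it scans the raw bytes of a PDF for the standard action types the campaign abuses (/URI link annotations, plus /JavaScript, /Launch and auto-triggered /OpenAction or /AA entries) and flags any link whose target is itself a remotely hosted PDF. The embedded sample PDF and its hostname are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF: one page carrying a /Link annotation whose /URI action
# points at a second PDF on an external host. Hostname and filename are placeholders,
# not indicators from any real campaign.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 640]
   /A << /S /URI /URI (https://files.example-cloud.test/share/Request_Order_2291.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (literal string) inside an action dictionary; handles escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Action subtypes worth reporting; /S names the action type in a PDF action dict.
ACTION_RE = re.compile(rb"/S\s*/(URI|JavaScript|Launch|SubmitForm|GoToR)\b")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in uncompressed objects."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the common PDF literal-string escapes.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Summarise interactive features and produce human-readable findings."""
    uris = extract_uris(pdf_bytes)
    actions = sorted({a.decode() for a in ACTION_RE.findall(pdf_bytes)})
    findings = []
    if b"/OpenAction" in pdf_bytes or b"/AA" in pdf_bytes:
        findings.append("auto-triggered action (/OpenAction or /AA)")
    if b"/JavaScript" in pdf_bytes or b"/JS" in pdf_bytes:
        findings.append("embedded JavaScript")
    if "Launch" in actions:
        findings.append("/Launch action (executes an external program)")
    for u in uris:
        p = urlparse(u)
        if p.scheme not in ("http", "https"):
            findings.append(f"non-web URI scheme: {p.scheme or '(none)'}")
        elif p.path.lower().endswith(".pdf"):
            # The document hands the reader off to another hosted document:
            # exactly the staging step described in the article.
            findings.append(f"link to remotely hosted PDF on {p.hostname}")
    return {"uris": uris, "actions": actions, "findings": findings}


def is_suspicious(pdf_bytes: bytes) -> bool:
    return bool(triage_pdf(pdf_bytes)["findings"])


if __name__ == "__main__":
    for line in triage_pdf(SAMPLE_PDF)["findings"]:
        print("FINDING:", line)
```

The byte-level scan only sees objects stored uncompressed; PDFs that pack their annotation dictionaries into FlateDecode object streams need to be inflated first (or parsed with a proper library) before these patterns are applied. The value of the check is that it reports on the document's behaviour rather than on the reputation of the host it links to, which is the signal this campaign relies on defenders trusting.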


From there, the victim is redirected again, this time to a convincingly branded login page impersonating Dropbox. For users accustomed to being asked to authenticate before accessing shared documents, the request does not seem unusual. The deception is subtle enough that many never realize they have left a legitimate workflow.


Behind the scenes, the fake login page is doing more than collecting an email address and password. The page runs JavaScript that gathers additional context, including the victim’s IP address, geographic location, and device information. That data is packaged together and sent directly to a Telegram bot controlled by the attackers.


Telegram has increasingly become a favorite destination for stolen data. It is easy to automate, fast to deploy, and often overlooked by traditional command-and-control detection logic. In this case, credentials and system details are transmitted almost instantly after submission, without requiring any additional infrastructure.
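The exfiltration path described in the two paragraphs above is unusually visible on the network: the Telegram Bot API lives at a single host, api.telegram.org, and every call carries the bot token in the URL path (/bot<token>/<method>). An end-user workstation has little reason to call that API from a browser session. The detector below is an added example, not code from the article or from Forcepoint; it runs over constructed web-proxy log lines, raises an alert for any Bot API call, grades data-carrying methods such as sendMessage and sendDocument as high severity, and masks the token so the alert itself does not retain the secret. Log format, IP addresses, hostnames and the token are all made up.

```python
import re
from dataclasses import dataclass

# Constructed proxy log: timestamp, client IP, HTTP method, URL, status.
# The .test/.invalid hostnames and the bot token are placeholders, not real IoCs.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.20.30.40 GET https://files.example-cloud.test/share/Request_Order_2291.pdf 200
2024-05-02T09:14:21Z 10.20.30.40 GET https://login-page.example.invalid/auth.html 200
2024-05-02T09:14:48Z 10.20.30.40 POST https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/sendMessage 200
2024-05-02T09:15:10Z 10.20.30.41 GET https://web.telegram.org/a/ 200
2024-05-02T09:16:00Z 10.20.30.42 GET https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/getMe 200
"""

# Bot API shape: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot([^/\s]+)/([A-Za-z]+)")
# Methods that push content out of the network; others (getMe, getUpdates) are still odd
# from a workstation but do not by themselves carry data.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


@dataclass
class Alert:
    ts: str
    client: str
    api_method: str
    severity: str
    token_hint: str


def mask_token(token: str) -> str:
    """Keep the numeric bot id and three characters of the secret for correlation."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:3]}***" if secret else "***"


def detect_telegram_bot_exfil(log_text: str) -> list[Alert]:
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the pipeline
        ts, client, http_method, url, _status = parts[:5]
        m = BOT_API_RE.match(url)
        if not m:
            continue  # ordinary Telegram client traffic (web.telegram.org) does not match
        token, api_method = m.groups()
        severity = "high" if api_method in EXFIL_METHODS else "medium"
        alerts.append(Alert(ts, client, api_method, severity, mask_token(token)))
    return alerts


if __name__ == "__main__":
    for a in detect_telegram_bot_exfil(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.client} -> Bot API {a.api_method} (token {a.token_hint})")
```

In the sample the first client fetches a hosted PDF, lands on a login page on a non-Dropbox host, and within a minute posts to sendMessage; a SOC rule that joins the Bot API alert with the preceding visit to an unfamiliar login page from the same client reproduces the full sequence the article describes. Organizations that run legitimate Telegram bot integrations should allowlist those service accounts by source address rather than suppressing the rule.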


To maintain the illusion, the page then simulates a login attempt. After a short delay, it displays an error message claiming the credentials were invalid. The failure is intentional and hardcoded, ensuring the victim does not successfully log in and remains unaware that anything has been compromised. Many users simply assume they mistyped their password and move on, giving attackers a clean exit.


What makes this campaign effective is not a novel exploit, but careful choreography. Each step on its own looks benign. PDFs are a standard business format. Cloud storage links are routine. Dropbox logins are familiar. Together, they form a chain that slips past defenses designed to spot single, obvious indicators of compromise.


For defenders, the campaign highlights a growing blind spot. Security controls that rely heavily on reputation, file type trust, and static link analysis struggle when attackers stay entirely within the boundaries of legitimate platforms. There is no malicious attachment to detonate and no suspicious domain to blacklist early in the chain.


The broader risk extends beyond individual account compromise. Once attackers obtain valid credentials, they can move laterally, access internal systems, and launch follow-on fraud that appears to come from trusted users. What starts as a single phishing email can quietly escalate into a much larger incident.


As phishing continues to evolve, campaigns like this underscore a difficult reality for organizations. Trust signals that once made the internet usable are now being systematically weaponized. The challenge is no longer just blocking bad content, but recognizing when familiar workflows themselves have been turned into the attack surface.
