
Hackers Are Weaponizing PDFs to Impersonate Microsoft, DocuSign, and More: How Callback Phishing Campaigns Are Evolving

Imagine opening your inbox and spotting an urgent email from Microsoft or DocuSign. You trust these brands, so you open the attached PDF and—before you know it—you’re on the phone with “support,” unknowingly handing over sensitive information to a scammer. Sound far-fetched? Unfortunately, this exact scenario is playing out in inboxes around the globe right now.

Welcome to the world of PDF-based callback phishing, a rapidly evolving cyber threat that blends fake branding, clever PDFs, and social engineering to compromise even the most vigilant professionals. If you’re wondering how hackers are weaponizing PDFs and what you can do to stay safe, you’re in the right place.

Let’s pull back the curtain on these sophisticated phishing campaigns, explore the latest tactics, and arm you with actionable tips to protect yourself and your organization.


The Rise of PDF-Based Brand Impersonation in Phishing Attacks

Phishing isn’t new. But attackers are getting bolder, smarter, and far more convincing. Their latest weapon of choice? The humble PDF file—often branded with the logos and “look” of trusted giants like Microsoft, DocuSign, NortonLifeLock, PayPal, and Geek Squad.

Why PDFs?

PDFs fly under the radar for several reasons:

  • Trust Factor: PDFs are ubiquitous in business. People are used to receiving them and rarely suspect foul play.
  • Bypass Email Filters: A PDF that carries no link and no executable, only a phone number to call, gives URL reputation checks and attachment sandboxes nothing to score, so it passes gateways that would catch a malicious link or binary.
  • Brand Camouflage: Attackers can easily insert logos, colors, and layouts that mimic legitimate correspondence.

But here’s where things get even trickier: hackers aren’t just luring you to click a malicious link—they’re convincing you to call them.


What Is Callback Phishing (TOAD) and Why Is It So Effective?

You may have heard terms like callback phishing, Telephone-Oriented Attack Delivery (TOAD), or even vishing (voice phishing). All of these describe a devious twist on traditional phishing:

  1. The Setup: You get an email with a PDF attachment branded as Microsoft, DocuSign, or another trusted service. It warns of an urgent problem—maybe a suspicious login or a pending account action.
  2. The Hook: Instead of a clickable link, the PDF instructs you to call a phone number to resolve the issue.
  3. The Sting: When you call, you reach a convincing “support agent”—actually a scammer using call center tactics, hold music, and even spoofed caller IDs.
  4. The Scam: The “agent” tricks you into revealing personal info, access credentials, or even installing remote access software or malware.

Let me explain why this works so well:

  • People believe phone calls are safer than email links.
  • Real-time conversation enables manipulation. Skilled scammers can pressure or comfort you as needed, using your reactions to steer the conversation.
  • Brand trust is leveraged ruthlessly. The logos and workflow seem authentic, eroding skepticism.

According to Cisco Talos's latest research, callback phishing via PDFs surged between May and June 2025, with Microsoft and DocuSign the most frequently impersonated brands. Read more about TOAD from Cisco Talos.


How Attackers Use PDF Attachments for Social Engineering

Attackers aren’t just slapping a logo on a PDF and hoping for the best. They’re getting creative:

  • Embedded QR Codes: PDFs sport QR codes that, when scanned, link to fake Microsoft or Dropbox login pages.
  • Hidden URLs: Using PDF annotations, sticky notes, or form fields, attackers embed phishing URLs that appear innocuous.
  • Spoofed Messaging: PDFs mimic account alerts, billing statements, or voicemail notifications, ramping up urgency.

Example:
On June 17, 2025, researchers spotted a phishing email disguised as a voicemail alert with an attached PDF. The PDF’s QR code led directly to a fake Microsoft 365 login page, primed to steal credentials.
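The annotation and text tricks described above can be checked before anyone opens the file. The scanner below is an added example written for this article, not tooling from Cisco Talos or the original post: it inflates FlateDecode streams, lists the /URI targets of link annotations, flags risky /S actions (Launch, JavaScript, form submission), and pairs phone numbers with "call" wording in the page text. The sample PDF it builds is constructed for the demonstration, as are the domain login.example.net and the 555 number; a real attachment may use filters or object streams the scanner cannot read, which it counts and reports rather than ignoring.

```python
"""Triage a PDF attachment for callback-phishing indicators without rendering it.

Added example, not from the original article or from Cisco Talos. Only
FlateDecode streams are inflated; other filters are counted as unreadable so a
clean verdict is never claimed for content the scanner could not see.
"""
import re
import zlib
from dataclasses import dataclass, field

# An object dictionary (one level of nesting allowed) followed by its stream body.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")          # link annotation target
ACTION_RE = re.compile(rb"/S\s*/(Launch|JavaScript|SubmitForm|GoToR)\b")  # active content
TEXT_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")            # literal strings drawn as text
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_WORDS_RE = re.compile(r"\b(call|phone|dial|helpline|hotline)\b", re.I)


@dataclass
class PdfReport:
    uris: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)
    mentions_call: bool = False
    unreadable_streams: int = 0

    def indicators(self) -> list:
        """Reasons to hold the attachment for review (empty list means none found)."""
        out = []
        if self.actions:
            out.append("active-content: " + ", ".join(self.actions))
        if self.uris:
            out.append("links: " + ", ".join(self.uris))
        if self.phone_numbers and self.mentions_call:
            out.append("callback-number: " + ", ".join(self.phone_numbers))
        if self.unreadable_streams:
            out.append(f"unreadable-streams: {self.unreadable_streams}")
        return out


def _views(data: bytes, report: PdfReport) -> list:
    """The raw file plus every stream body the scanner can read in the clear."""
    views = [data]
    for dict_bytes, body in STREAM_RE.findall(data):
        if b"/FlateDecode" in dict_bytes:
            try:
                views.append(zlib.decompress(body))
            except zlib.error:
                report.unreadable_streams += 1
        elif b"/Filter" in dict_bytes:
            report.unreadable_streams += 1      # other encodings are not inspected
        else:
            views.append(body)
    return views


def scan_pdf(data: bytes) -> PdfReport:
    report = PdfReport()
    text_parts = []
    for view in _views(data, report):
        report.uris += [u.decode("latin-1") for u in URI_RE.findall(view)]
        report.actions += [a.decode("ascii") for a in ACTION_RE.findall(view)]
        text_parts += [t.decode("latin-1") for t in TEXT_RE.findall(view)]
    text = " ".join(text_parts)
    report.uris = sorted(set(report.uris))
    report.actions = sorted(set(report.actions))
    report.phone_numbers = sorted({m.group(0) for m in PHONE_RE.finditer(text)})
    report.mentions_call = bool(CALL_WORDS_RE.search(text))
    return report


def build_sample_pdf(text: str, uri: str = "", compress: bool = True) -> bytes:
    """Constructed one-page lure (not a real artifact): number in the text, optional link."""
    content = f"BT /F1 14 Tf 72 700 Td ({text}) Tj ET".encode("latin-1")
    filt = b""
    if compress:
        content, filt = zlib.compress(content), b" /Filter /FlateDecode"
    annots = b" /Annots [5 0 R]" if uri else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R" + annots + b" >>",
        b"<< /Length %d%s >>\nstream\n" % (len(content), filt) + content + b"\nendstream",
    ]
    if uri:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 690 400 720] "
                    b"/A << /S /URI /URI (" + uri.encode("ascii") + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    lure = build_sample_pdf("A charge of $349.99 will post today. To cancel, call 1-800-555-0199.",
                            uri="https://login.example.net/verify")
    for line in scan_pdf(lure).indicators():
        print(line)
```

Run as a script it prints the link target and the callback number found in the constructed lure. In a mail pipeline, anything in `indicators()` is a reason to quarantine for human review; the absence of indicators is only meaningful when `unreadable_streams` is zero.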

The “Callback” Angle

Here’s why callback phishing is so insidious:

  • Scripts and call center tactics: Attackers read from detailed scripts, play hold music, and use organizational jargon.
  • VoIP and anonymity: Calls go to Voice over Internet Protocol (VoIP) numbers that are cheap to obtain, hard to trace, and typically reused for only a few days before the attackers rotate them.
  • Multi-stage attacks: One phone call can lead to malware installation (like banking trojans or remote access programs) or even financial fraud.

Microsoft 365 Direct Send: Why Internal Spoofing Is a Game-Changer

A newer twist is the abuse of Microsoft 365's Direct Send feature, which exists so that on-premises devices and applications (printers, scanners, line-of-business apps) can relay mail to a tenant's own users without authenticating. Instead of compromising accounts, attackers spoof internal addresses and push phishing messages straight through that path. Here's how it works:

  • Predictable Patterns: Every tenant's smart host follows the same naming scheme, <tenant_name>.mail.protection.outlook.com, so an attacker who knows the domain knows where to connect. Any host can then submit a message with an internal From address for an internal recipient.
  • Bypassing Security: Because the message enters as if it came from inside the organization, it is often subject to weaker transport rules and less scrutiny than external mail, even though SPF and DMARC checks on it typically fail.
  • Lower Effort, Higher Impact: No account takeover needed, just abuse of a legitimate mail-relay feature.

This method has targeted over 70 organizations since May 2025, according to Varonis. Learn more about Direct Send attacks.
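Because Direct Send messages are accepted without authentication, their headers usually carry the evidence: an internal From domain alongside spf=fail or dmarc=fail, and a connecting IP that belongs to nobody in the organization. The triage below is an added example, not code from Varonis or the original article. It assumes the tenant owns contoso.com, that only 203.0.113.0/24 is allowed to relay, and that headers follow the Exchange Online Authentication-Results and Received conventions; both sample messages are constructed for the demonstration.

```python
"""Flag inbound Microsoft 365 mail that looks like Direct Send spoofing.

Added example, not from the original article or from Varonis. The tell is an
internal sender domain whose SPF/DMARC results fail and whose connecting IP is
not one of the organisation's own relays. ORG_DOMAINS and ORG_RELAY_NETS are
assumptions standing in for a real tenant; the samples are constructed.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

ORG_DOMAINS = {"contoso.com"}                               # assumption: the tenant's domains
ORG_RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumption: devices allowed to relay

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.I)
SENDER_IP_RE = re.compile(r"sender IP is (\d{1,3}(?:\.\d{1,3}){3})")
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)", re.I)


def _flat(value) -> str:
    """Unfold a header value into one line of single spaces."""
    return " ".join(str(value).split())


def auth_results(msg) -> dict:
    """Collapse every Authentication-Results header into {method: result}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(_flat(hdr)):
            results.setdefault(method.lower(), result.lower())
    return results


def connecting_ip(msg) -> Optional[str]:
    """IP that handed the message to the tenant edge (the smart host)."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = SENDER_IP_RE.search(_flat(hdr))
        if m:
            return m.group(1)
    for hdr in msg.get_all("Received", []):       # fallback: the hop received by the smart host
        m = RECEIVED_RE.search(_flat(hdr))
        if m and m.group(2).lower().endswith(".mail.protection.outlook.com"):
            return m.group(1)
    return None


def assess_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(_flat(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = auth_results(msg)
    ip = connecting_ip(msg)
    findings = []
    if from_domain in ORG_DOMAINS:
        if auth.get("spf") != "pass":
            findings.append(f"internal From domain {from_domain} with spf={auth.get('spf', 'none')}")
        if auth.get("dmarc", "pass") != "pass":
            findings.append(f"dmarc={auth['dmarc']} for header.from={from_domain}")
        if ip is None:
            findings.append("connecting IP could not be determined")
        elif not any(ipaddress.ip_address(ip) in net for net in ORG_RELAY_NETS):
            findings.append(f"connecting IP {ip} is outside the known relay ranges")
    if from_domain not in ORG_DOMAINS:
        verdict = "external-sender"
    elif findings:
        verdict = "direct-send-spoof-suspected"
    else:
        verdict = "ok"
    return {"from_domain": from_domain, "connecting_ip": ip, "auth": auth,
            "findings": findings, "verdict": verdict}


# Constructed samples (not captured traffic). Headers are on single lines for clarity.
SPOOFED_SAMPLE = """\
Received: from mail.attacker.example (198.51.100.23) by contoso-com.mail.protection.outlook.com (10.2.3.4) with Microsoft SMTP Server id 15.20.8000.0
Authentication-Results: spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com; compauth=fail reason=000
From: IT Helpdesk <helpdesk@contoso.com>
To: alice@contoso.com
Subject: Voicemail: 1 new message
Content-Type: text/plain

Open the attached PDF and call the number shown to retrieve your message.
"""

LEGIT_SAMPLE = """\
Received: from mfp-lobby.corp.contoso.com (203.0.113.10) by contoso-com.mail.protection.outlook.com (10.2.3.4) with Microsoft SMTP Server id 15.20.8000.0
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=pass action=none header.from=contoso.com; compauth=pass reason=109
From: Lobby Scanner <scanner@contoso.com>
To: alice@contoso.com
Subject: Scanned document
Content-Type: text/plain

Attached: scan_0042.pdf
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = assess_message(sample)
        print(label, result["verdict"], result["findings"])
```

Run as a script it prints a verdict for each sample. In practice, feed it the raw message from a quarantine export or transport-rule hook, and treat "direct-send-spoof-suspected" as a trigger to hold the message; if a real relay keeps tripping it, the fix is to add that relay to SPF and to ORG_RELAY_NETS, not to loosen the rule.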

Why does this matter?
Because it’s not just about getting phished; it’s about attackers living off the land—abusing legitimate infrastructure to maximize trust and minimize detection.


The Expanding Attack Surface: Beyond Credential Theft

Today’s PDF-based phishing campaigns aren’t just after your login details. The attack surface has grown dramatically:

  • Remote Access Software: Victims are duped into installing tools like AnyDesk or TeamViewer, giving attackers persistent control over devices.
  • Fake Payment Portals: Some campaigns impersonate billing departments, tricking users into “resolving” fake invoices and handing over credit card information.
  • Malware Deployment: PDFs can lead victims to download banking trojans, ransomware, or information-stealing malware.

Real-World Example:
The Luna Moth group, flagged by the FBI in May 2025, posed as IT personnel in callback phishing attacks to breach corporate networks. FBI Public Service Announcements offer additional details.


How AI and LLMs Are Changing the Phishing Game

Artificial Intelligence isn’t just a tool for defenders—it’s now in the attacker’s arsenal. Here’s how:

AI Chatbots and Phishing

A recent Netcraft study found that when users asked large language models (LLMs) for login URLs to major brands, the AI sometimes provided unregistered or unrelated domains. Nearly a third of these incorrect results were inactive or available for registration—prime territory for hackers to scoop up and weaponize.

Why this is dangerous:
  • Users could be directed to fake, attacker-controlled sites simply by trusting an AI chatbot's answer.

AI-Poisoning and Supply Chain Attacks

  • Fake APIs on GitHub: Attackers published malicious APIs and promoted them across blogs, forums, and multiple fake GitHub accounts, hoping AI coding assistants would recommend them.
  • SEO Poisoning: By injecting reputable (.gov, .edu) sites with malicious JavaScript or HTML via illicit hacklink marketplaces, scammers try to manipulate search engines into ranking phishing domains higher.

In essence, attackers are gaming both AI and search algorithms to expand their reach—with very little effort.


How to Recognize and Defend Against PDF-Based Callback Phishing

Now that you know the threat is real and evolving, let’s focus on practical defense. Here’s what to look for and how to stay one step ahead:

Red Flags in PDF-Based Phishing Campaigns

  • Unexpected PDFs from known brands: Especially those referencing urgent account activity.
  • Requests to call a phone number: Legitimate companies rarely resolve security issues exclusively via phone, especially from unsolicited emails.
  • Poor grammar or formatting: Many—but not all—phishing emails contain subtle errors.
  • QR codes or suspicious links: Be wary of scanning codes or clicking annotated URLs in PDFs.
  • Emails from internal addresses that don’t match previous correspondence: Be especially alert to unexpected messages from your own organization.

Key Defensive Strategies

Here’s how organizations and individuals can boost their defenses:

1. Security Awareness Training

  • Regularly educate employees on the latest phishing tactics, including PDF and callback-based attacks.
  • Run phishing simulations to test and reinforce good habits.

2. Email and Attachment Scanning

  • Deploy advanced email security solutions that scan PDFs for embedded links, annotations, and QR codes.
  • Implement tools capable of detecting brand impersonation at the gateway.

3. Multi-Factor Authentication (MFA)

  • Require MFA for all critical systems, making it much harder for attackers to compromise accounts—even if credentials are leaked.

4. Strong Incident Response Playbooks

  • Prepare scripts and escalation procedures for suspected phishing incidents—especially those involving phone callbacks or requests for remote access.

5. Monitor and Block VoIP Numbers

  • Collect and update threat intelligence on VoIP numbers abused in callback scams.
  • Implement call screening and verification for inbound support calls.

6. Harden and Monitor Internal Mail Infrastructure

  • Keep Microsoft 365 and other systems up to date. If no device or application in your environment relies on Direct Send, turn on Exchange Online's Reject Direct Send setting so that unauthenticated mail claiming an internal sender is refused at the edge.
  • Publish a strict SPF record and a DMARC policy of reject, and make sure mail that appears internal is not exempted from those checks by transport rules or allow lists.
  • Monitor for signs of Direct Send abuse: messages from internal addresses that fail SPF or DMARC, arrive from external IPs, or carry unexpected PDF attachments, as well as anomalous traffic to unusual domains.

What Companies and IT Leaders Can Do Now

Defending against this new wave of phishing requires a blend of people, process, and technology. Here’s what CISOs and IT leaders should prioritize:

  • Invest in phishing-resistant authentication methods (like FIDO2 security keys).
  • Deploy AI-driven email security solutions that can spot brand impersonation in attachments and messages.
  • Collaborate with threat intelligence providers to stay ahead of emerging tactics, especially as attackers weaponize AI and SEO.
  • Communicate proactively with users—remind them that your organization will never ask for credentials or remote access over unsolicited phone calls or emails.

Quick Reference: PDF Callback Phishing at a Glance

  • Attack Vector: Email with branded PDF attachment (Microsoft, DocuSign, etc.)
  • Payload: Embedded phone number, QR code, or annotated phishing link.
  • Tactics: Brand impersonation, urgency, real-time manipulation via phone.
  • Targets: Individuals, businesses, and entire organizations (often via Microsoft 365).
  • Goals: Credential theft, remote access, financial fraud, persistent network access.
  • Emerging Trends: Use of AI/LLMs to direct users to malicious domains, SEO poisoning, GitHub supply chain attacks.

Frequently Asked Questions (FAQ)

How can I tell if a PDF attachment is a phishing attempt?

Look for red flags like:

  • Unexpected attachments from known brands or your own organization
  • Urgent requests to call a phone number or scan a QR code
  • Inconsistent sender addresses or odd formatting

When in doubt, verify with the company directly; never use the contact details in the suspicious message.

What is Telephone-Oriented Attack Delivery (TOAD)?

TOAD, or callback phishing, is when attackers use emails (often with PDFs) to persuade victims to call adversary-controlled phone numbers. The scammer then manipulates the victim over the phone to steal data or install malware.

Are QR codes in emails and PDFs safe?

Not always. Attackers often embed QR codes in phishing emails or PDFs to direct users to fake login pages. Only scan QR codes from sources you trust, and verify URLs carefully.

How does Microsoft 365 Direct Send phishing work?

Attackers abuse the Direct Send feature in M365, which accepts unauthenticated mail for a tenant's own users through its smart host, to send messages with spoofed internal From addresses, making phishing look like it's coming from inside your company. Such mail typically fails SPF and DMARC, but it can still slip past controls that trust internal senders or that exempt internal-looking mail from scrutiny.

What should I do if I’ve called a scammer’s number or shared information?

Immediately disconnect, report the incident to your IT/security team, change any compromised credentials, and monitor accounts for suspicious activity. If you installed remote software, disconnect from the internet and seek expert help.

How are AI and LLMs making phishing worse?

AI tools can sometimes suggest incorrect or unregistered login URLs, which attackers can register and weaponize. Attackers are also seeding the web with fake APIs, promotional content, and SEO-poisoned pages in the hope that AI coding assistants and search engines recommend them, making it easier to spread and scale attacks.

Where can I learn more about defending against phishing?

Check resources like Cybersecurity & Infrastructure Security Agency (CISA), FBI Internet Crime Complaint Center, and The Hacker News for updates and best practices.


The Bottom Line: Stay Skeptical, Stay Secure

The evolution of PDF-based callback phishing shows just how adaptable—and dangerous—cybercriminals have become. By blending brand impersonation, manipulated PDFs, social engineering, and even AI-powered subterfuge, they’re setting ever-more convincing traps.

Here’s the key takeaway:
Never trust an unsolicited attachment or urgent request—no matter how authentic it looks. Always verify through official channels, and empower your teams to do the same. When in doubt, pause and ask for help.

Staying informed is your best defense. Subscribe for more insights, or dive deeper into our latest cybersecurity guides to keep one step ahead of the next wave of phishing attacks.

