Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
Briefly

Phishing campaigns that impersonate popular brands are increasingly common, misleading victims into calling attacker-controlled phone numbers. This tactic, known as Telephone-Oriented Attack Delivery (TOAD), has been observed in emails with PDF attachments. The analysis indicated that Microsoft and Docusign are primarily targeted, along with other brands like NortonLifeLock and PayPal. Attackers utilize urgency and mimic real support processes to extract sensitive information during phone calls. Furthermore, these emails often use QR codes and embedded URLs in PDF annotations to enhance their credibility and lure victims effectively.
Cybersecurity researchers revealed that a significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, employing a technique known as Telephone-Oriented Attack Delivery (TOAD). This form of callback phishing allows attackers to manipulate victims into revealing sensitive information or installing malware under the guise of legitimate customer support.
An analysis from May 5 to June 5, 2025, showed Microsoft and Docusign are the most impersonated brands, closely followed by NortonLifeLock, PayPal, and Geek Squad. This highlights how attackers exploit the trust associated with these well-known brands to launch effective phishing attacks.
Read at The Hacker News
[
|
]