Security researchers have uncovered a multi-stage phishing campaign that demonstrates how threat actors are bypassing traditional email security by abusing trusted platforms and widely used business file formats.
The attack, described in a new advisory published by Forcepoint on Monday, begins with a professional-looking procurement or tender-related email sent to business users. The message is designed to be intentionally minimal and contains no embedded links, relying instead on a PDF attachment.
This approach allows the email to pass common authentication checks such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF), while avoiding keyword-based detection.
Once opened, the PDF does not feature malicious code. Instead, it relies on interactive PDF elements to redirect the recipient to a second document hosted on legitimate cloud infrastructure.
From Trusted Documents to Credential Theft
The cloud-hosted document then redirects the victim to a fraudulent website impersonating Dropbox. The page closely mimics a legitimate Dropbox login screen and claims that authentication is required to view shared business documents. Because Dropbox is commonly used in corporate environments, the request appears routine to many users.
When credentials are entered, client-side scripts capture the email address and password, along with contextual data such as IP address, approximate location, date, time, and device information. This data is collected using publicly accessible Application Programming Interfaces (APIs) and then transmitted to attacker-controlled infrastructure using the Telegram messaging platform.
To maintain credibility with the user, the phishing page simulates a real login attempt by pausing briefly before displaying an error message.
Whatever credentials the victim enters, the page reports that the login failed. This may discourage users from reporting the incident promptly, while the attackers retain the captured data.
According to Forcepoint, this campaign illustrates a wider trend in how phishing attacks are evolving. By avoiding malware delivery and relying on trusted services, attackers reduce technical indicators of compromise and increase the likelihood of user interaction.
For defenders, this underscores the importance of inspecting document behavior, not just attachments and links, and reinforcing user awareness around unexpected authentication requests, even when they appear to come from familiar platforms.
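As an added defender-side example (not code from the Forcepoint advisory or this article), the script below performs the kind of document-behaviour check the paragraph above calls for: it statically surfaces the outbound URIs, action types and automatic triggers in a PDF, so a document that carries no executable payload but redirects the reader elsewhere still gets flagged. The sample PDF and its URL are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not the campaign's PDF): a minimal uncompressed one-page
# document whose only payload is a Link annotation with a /URI open action,
# the kind of "no code, just a click-through" element the article describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 300 100]
   /A << /S /URI /URI (https://files.example-cloud.invalid/share/tender.docx) >> >>
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI entries carry the target as a literal string; allow backslash-escaped ')'.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Action types that make a reader do something when the element is activated.
ACTION_RE = re.compile(rb"/S\s*/(URI|JavaScript|Launch|SubmitForm|GoToR|ImportData)\b")
# Triggers that fire without an explicit click (document open, page/field events).
TRIGGER_RE = re.compile(rb"/(OpenAction|AA)\b")


def triage_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes: list outbound URIs (and their hosts),
    action types and automatic triggers. Only uncompressed objects are visible
    here; FlateDecode streams and /ObjStm containers must be inflated first."""
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]
    hosts = sorted({urlsplit(u).hostname or "" for u in uris})
    actions = sorted({a.decode() for a in ACTION_RE.findall(data)})
    triggers = sorted({t.decode() for t in TRIGGER_RE.findall(data)})
    verdict = "review" if (uris or actions or triggers) else "clean"
    return {"uris": uris, "hosts": hosts, "actions": actions,
            "triggers": triggers, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

In a mail gateway pipeline the extracted hosts would be compared against the organisation's approved file-sharing domains, and any document with a `review` verdict routed to a sandbox that follows the link chain rather than being delivered on the strength of passing SPF, DKIM and DMARC.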