
Threat Actors Leverage Malicious PDFs to Impersonate Microsoft, DocuSign, and Dropbox in Phishing Attacks


Cisco has released a significant update to its brand impersonation detection engine, primarily targeting malicious emails that deliver phishing payloads through PDF attachments.

This enhancement is designed to improve detection accuracy by expanding coverage across a broader spectrum of impersonated brands, notably those distributed via PDF payloads, including widely recognized names such as Microsoft, DocuSign, Dropbox, Adobe, PayPal, McAfee, and Best Buy’s Geek Squad.

PDF attachments have become a preferred vector for social engineering campaigns, primarily due to their universal compatibility and portability.

Threat actors exploit these files to embed brand logos, names, QR codes, and hyperlinks, elements intended to deceive recipients into believing the communication is legitimate.

Cisco Talos researchers have observed a surge in sophisticated phishing emails where attackers use enticing subject lines like “Paycheck Increment,” timed to coincide with organizational promotion cycles, to increase the likelihood of user engagement.

In many cases, the entire deceptive message, complete with graphics and clickable links, is contained within the PDF, allowing it to potentially evade traditional content-based email filters.

Abuse of VoIP Technologies

A notable evolution in these attacks is the widespread adoption of Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing.

Rather than relying solely on malicious hyperlinks, PDFs now frequently urge victims to call adversary-controlled phone numbers to resolve fabricated issues or confirm phony transactions.

Once contact is established, attackers, often shielding their identities through Voice over Internet Protocol (VoIP) services, impersonate legitimate representatives to extract sensitive information or manipulate victims into installing malicious software.

Talos has noted that VoIP numbers are often reused across multiple campaigns due to the relative anonymity and cost-effectiveness they provide, as well as the slower propagation of phone number intelligence across the security community.

Additionally, Talos has documented abuse of legitimate platforms such as Adobe’s e-signature service, where malicious actors upload phishing PDFs and send them directly to victims under the guise of document signing requests from trusted brands like PayPal.

These tactics increase the perceived legitimacy of the communication, further undermining recipient defenses.

QR Codes and PDF Annotations

To sidestep both users’ suspicion and automated detection mechanisms, threat actors are increasingly turning to QR code phishing.

A QR code phishing email impersonating the Microsoft brand.

These QR codes, often embedded within branded PDFs, redirect targets to phishing sites. Such sites commonly employ CAPTCHA challenges to further obscure their true intent.

This technique is particularly challenging for detection engines reliant on textual analysis, as the QR code’s content requires optical character recognition (OCR) to decode, a process that is both resource-intensive and prone to errors.

Moreover, attackers are utilizing PDF annotations, comments, and form fields to conceal phishing URLs, sometimes embedding multiple links within a single file.

For instance, a QR code may lead to a seemingly innocuous website, while an embedded annotation redirects to the actual phishing page.

The inclusion of shortened URLs and irrelevant “noise” text further complicates detection and user verification.

According to Cisco Secure Email Threat Defense, campaigns between May 5 and June 5, 2025, reveal Microsoft and DocuSign as the most frequently impersonated brands in PDF-based phishing emails, followed by services such as Dropbox, NortonLifeLock, PayPal, and Geek Squad.

Phishing page impersonating Dropbox download page

Attackers’ exploitation of the PDF format’s complexity and flexibility, together with social engineering techniques like TOAD and QR code phishing, has enabled sustained, widespread phishing operations that circumvent traditional security controls.

As these campaigns continue to adapt, security teams are urged to adopt comprehensive detection strategies that scrutinize not only email text, but also attachment content and associated indicators such as phone numbers, QR codes, and PDF metadata.
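The annotation and callback-number tactics described above, and the attachment-level scrutiny this paragraph calls for, can be illustrated with a small triage script. This is an added example, not code from Cisco Talos or the article: it scans a constructed, uncompressed sample PDF for /URI link actions hidden in annotations, flags shortener domains (the shortener list is an assumption), extracts phone numbers from the page text, and notes when a file carries more than one link. Real attachments usually use FlateDecode streams and object streams, so a production check would feed a proper PDF parser rather than regexes over raw bytes.

```python
import re

# Constructed sample (not from the Talos report): a one-page uncompressed PDF with a
# brand lure and a callback number in the page text, plus two link annotations,
# one pointing at the real brand site and one at a URL shortener.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R 6 0 R] >> endobj
4 0 obj << /Length 92 >>
stream
BT /F1 12 Tf 72 700 Td (Dropbox: your file is waiting. Call 1-800-555-0199 to verify.) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 300 700] /A << /S /URI /URI (https://www.dropbox.com/) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] /A << /S /URI /URI (https://bit.ly/3xAmPl3) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed shortener list; extend from your own threat intel.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)      # /URI action targets (no escaped parens handled)
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj")              # literal strings shown with the Tj operator
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")      # loose phone-number shape

def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found in annotation or form-field dictionaries."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]

def extract_phone_numbers(pdf: bytes) -> list[str]:
    """Pull phone-number-like strings out of uncompressed text-showing operators."""
    text = " ".join(m.group(1).decode("latin-1") for m in TEXT_RE.finditer(pdf))
    return [p.strip() for p in PHONE_RE.findall(text)]

def host_of(uri: str) -> str:
    """Lower-cased host part of a URI, or '' if it has no scheme."""
    return uri.split("/")[2].lower() if "//" in uri else ""

def triage(pdf: bytes) -> dict:
    """Summarise link and callback indicators worth a closer look."""
    uris = extract_uris(pdf)
    return {
        "uris": uris,
        "shortener_uris": [u for u in uris if host_of(u) in SHORTENERS],
        "phone_numbers": extract_phone_numbers(pdf),
        "multiple_links": len(uris) > 1,   # benign decoy + hidden phishing link pattern
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

QR codes are deliberately out of scope here: decoding them needs an image pipeline, which is exactly why the article notes they are costly for text-based engines.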

The imperative for organizations is clear: vigilance and layered defenses remain critical as adversaries refine their methods for brand impersonation and user deception.
