Hackers Exploit PDFs to Impersonate Microsoft, DocuSign, and Others in Callback Phishing Schemes

Cybersecurity experts have raised alarms about phishing campaigns that mimic well-known brands, deceiving victims into calling phone numbers managed by cybercriminals. According to Cisco Talos researcher Omid Mirzaei, “A notable percentage of email threats featuring PDF payloads persuade victims to dial adversary-controlled numbers, showcasing a prevalent social engineering tactic referred to as Telephone-Oriented Attack Delivery (TOAD) or callback phishing.” An analysis of phishing emails with PDF attachments from May 5 to June 5, 2025, found that Microsoft and DocuSign were the most frequently impersonated brands. Other notable targets in TOAD emails included NortonLifeLock, PayPal, and Geek Squad. This surge in activity forms part of broader phishing efforts that leverage the trust associated with popular brands to provoke harmful actions. Typically, these messages include PDF attachments…

Hackers Target Users with PDF-Based Callback Phishing Impersonating Microsoft and DocuSign

July 2, 2025

Recent findings from cybersecurity experts highlight an alarming trend in phishing attacks that exploit the trust associated with reputable brands such as Microsoft and DocuSign. These campaigns leverage PDF attachments to manipulate unsuspecting victims into calling phone numbers controlled by malicious actors. Termed Telephone-Oriented Attack Delivery (TOAD) or callback phishing, this technique is gaining traction among cybercriminals as they seek to bypass traditional email security measures.

A comprehensive analysis conducted by Cisco Talos between May 5 and June 5, 2025, revealed that the overwhelming majority of phishing emails featuring PDF payloads are designed to dupe recipients into initiating phone calls to adversary-operated numbers. The report indicates that Microsoft and DocuSign emerged as the most frequently impersonated brands, a testament to their widespread recognition and the trust they command among users. Other notable targets included NortonLifeLock, PayPal, and Geek Squad, further illustrating the deceptive tactics employed in TOAD campaigns.

These phishing emails typically contain cleverly crafted messages and PDF attachments that aim to seem legitimate, thereby exploiting the victims’ familiarity with the brands. The objective is straightforward: to manipulate individuals into divulging sensitive information or following harmful instructions under the guise of recognized institutions.

By leveraging social engineering techniques, such as impersonation of trusted brands, these phishing attacks effectively exploit established consumer trust to initiate malicious activities. The potential repercussions for affected organizations and individuals can be severe, ranging from financial losses to the compromising of sensitive personal data.

From a cybersecurity perspective, this type of campaign underscores the importance of understanding the tactics outlined in the MITRE ATT&CK framework. Adversaries are likely employing multiple tactics for initial access, such as phishing and social engineering, to lure victims into engaging with their malicious infrastructure. Once contact is established, further techniques may include credential dumping or data exfiltration, facilitating ongoing exploitation and persistence within targeted environments.

Protective measures against such attacks necessitate heightened awareness and education among employees about the risks associated with unsolicited communications. Organizations should prioritize training programs that focus on recognizing the signs of phishing attempts and the importance of verifying the authenticity of communication before taking action.

In conclusion, as phishing tactics continue to evolve, so must the strategies employed by businesses to safeguard against these threats. Staying informed about current threat landscapes and understanding the methodologies of cyber attackers is crucial for fostering a resilient cybersecurity posture.

Source link

Related Posts

TA829 and UNK_GreenSec Collaborate on Strategies and Infrastructure in Ongoing Malware Campaigns

July 01, 2025
Cyber Espionage / Vulnerability

Cybersecurity experts have identified striking tactical parallels between the threat actors behind the RomCom RAT and a group observed deploying a loader named TransferLoader. Enterprise security firm Proofpoint is tracking this activity back to a group recognized as UNK_GreenSec, alongside the RomCom RAT actors, referred to as TA829. This group is also known by multiple aliases, including CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu. According to Proofpoint’s findings, UNK_GreenSec emerged during their investigation of TA829, with notable similarities in infrastructure, delivery tactics, landing pages, and email lure themes. TA829 stands out in the threat landscape for its capacity to engage in both espionage and financially motivated attacks. This hybrid group, aligned with Russia, has been linked to the exploitation of zero-day vulnerabilities in Mozilla software.

Critical Flaw in Anthropic’s MCP Poses Remote Exploitation Risk for Developer Systems

July 01, 2025
Vulnerability / AI Security

Cybersecurity experts have identified a severe security flaw in Anthropic’s Model Context Protocol (MCP) Inspector project, potentially enabling remote code execution (RCE) and granting attackers total access to affected systems. Identified as CVE-2025-49596, this vulnerability boasts a CVSS score of 9.4 out of 10, indicating a critical risk level. “This represents one of the first significant RCE vulnerabilities within Anthropic’s MCP framework, opening the door to a new wave of browser-based attacks targeting AI development tools,” stated Avi Lumelsky from Oligo Security in a recent report. “With the ability to execute code on a developer’s machine, attackers can compromise sensitive data, install malware, and navigate through networks—posing serious threats to AI teams, open-source initiatives, and enterprises utilizing MCP.” Introduced by Anthropic in November 2024, MCP is an open protocol aimed at standardizing large language model (LLM) applications…

Severe Cisco Vulnerability in Unified CM Allows Root Access via Hard-Coded Credentials

July 3, 2025
Vulnerability / Network Security

Cisco has issued patches to fix a critical security flaw in Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). This vulnerability could enable an attacker to access susceptible devices with root privileges, achieving a CVSS score of 10.0 under the identifier CVE-2025-20309. In an advisory released on Wednesday, Cisco noted that “this vulnerability arises from the use of static user credentials for the root account, which are meant for development use only.” An attacker could exploit this flaw to log into an affected system and execute arbitrary commands as a root user. Hard-coded credentials often stem from testing or temporary fixes during development, but they should never be present in live environments.

Chinese Hackers Exploit Ivanti CSA Zero-Days to Target French Government and Telecoms

On July 3, 2025, France’s cybersecurity agency disclosed that multiple sectors—including government, telecommunications, media, finance, and transport—were affected by a cyber campaign led by a Chinese hacking group. This group exploited several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, identified in early September 2024, has been linked to an intrusion set known as Houken, which reportedly shares characteristics with the threat cluster tracked by Google Mandiant as UNC5174 (also referred to as Uteus or Uetus). According to the French National Agency for the Security of Information Systems (ANSSI), “Houken’s operators use both zero-day vulnerabilities and sophisticated rootkits, alongside a variety of open-source tools primarily developed by Chinese-speaking programmers.” The attack infrastructure utilized by Houken features a mix of components, including commercial VPNs and other tools.