
Fake PDFs used to steal Dropbox credentials in phishing campaign


A multistage email scheme guides recipients from a routine-looking document prompt to a counterfeit Dropbox login page that captures credentials.


What happened

Dark Reading reported that researchers observed an email-based social engineering campaign that sends targets a PDF-themed “request order” prompt, then uses links inside the lure to route victims to a convincing fake Dropbox login page. The flow relies on a first click that opens a blurry PDF hosted on a legitimate cloud service, followed by a second click that lands on the phishing site, where victims are urged to sign in with work email credentials to view the supposed document. Attackers collect Dropbox usernames and passwords along with location and system data, then show an “incorrect username or password” message after a short delay to mimic normal login behavior.


Going deeper

Malware-free credential theft campaigns focus on tricking users rather than delivering malicious files. Many inbox defenses are designed to stop harmful attachments or known exploit patterns, so emails that contain only links or routine requests often pass through without issue. Authentication checks such as SPF, DKIM, and DMARC confirm only that a message was sent from infrastructure approved for its sending domain, not that its content is safe, so a fraudulent message that passes them can appear trustworthy, especially when it looks internal.

Researchers noted that the campaign also relied on infrastructure that blends into everyday business activity, including cloud-hosted documents and a brief delay before the fake login page appears, which reduces suspicion. Once credentials are captured, attackers can move beyond a single account into shared folders, connected applications, and other systems that reuse the same passwords.


What was said

Hassan Faizan, a senior security researcher, told Dark Reading that clean PDFs are more likely to pass through email security controls and reach recipients. “A clean PDF is much more likely to get through email security and reach the victim. Malware often triggers alarms, blocks delivery, or causes attachments to be quarantined. Focusing on credential theft instead of malware increases the chances that the email is delivered, opened, and trusted.” He added, “In short, they chose reliability over complexity.”


In the know

Hackread reports that the phishing setup is built to quietly move stolen credentials off the page without alerting the victim. “The script is designed to capture user credentials,” the report explains, before sending them to a “hardcoded” Telegram bot controlled by the attackers. Instead of confirming a login or redirecting users, the fake site always returns an error message.

The message is intentional. It makes the interaction feel like a routine login mistake. While the victim assumes nothing happened, the credentials have already been captured and sent to a private Telegram channel controlled by the attackers.


The bottom line

IBM X-Force’s 2025 Threat Intelligence Index found that PDFs were the most common file type attached to malicious emails in 2024, accounting for more than 45% of malicious attachments. Attackers continue to rely on formats people see every day, which lowers suspicion and increases the chance of interaction.

Paubox’s 2025 mid-year email breach data helps explain why these campaigns keep working. In the first half of 2025, 107 email-related breaches were recorded, putting the year on pace to match or exceed 2024. The data shows a steady focus on credential harvesting rather than loud malware campaigns. In healthcare environments, email connects staff to shared files, SaaS tools, and internal systems, so one stolen login can spread access well beyond a single inbox and into systems tied to patient care.


FAQs

What makes PDF-based lures hard to spot in corporate environments?

PDF workflows are common for invoices, purchase orders, and administrative approvals, so a document review request can feel routine, especially when the message appears to come from an internal account and contains no obvious malicious attachment indicators.


How can organizations reduce the chance that harvested credentials get reused elsewhere?

Single sign-on with strong access policies can limit password reuse, and conditional access rules can add friction when logins occur from unusual locations, devices, or risk signals, which helps contain damage if one set of credentials is captured.


What does phishing-resistant MFA mean, and why does it matter here?

Phishing-resistant multi-factor authentication refers to methods that are designed to prevent attackers from successfully using stolen credentials, including approaches such as FIDO-based authentication that bind sign-ins to cryptographic proof rather than codes that can be replayed.


Which detection signals tend to matter for malware-free SaaS credential theft?

Security teams often get better mileage from identity and audit telemetry than from endpoint malware alerts, including unusual sign-in patterns, impossible travel indicators, new device enrollments, changes to forwarding or sharing settings, and new OAuth app grants that extend access without repeated logins.
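As an added example (not code from the article or from the reports it cites), the following Python detector applies two of the signals above to constructed audit events: impossible travel between consecutive sign-ins, and a new OAuth grant shortly after a suspicious login. The event format, coordinates, and the 900 km/h plausibility threshold are assumptions.

```python
import math
from datetime import datetime

# Constructed sample audit events, not real telemetry: each record mimics an
# identity/SaaS audit entry with user, UTC timestamp, source geolocation and action.
EVENTS = [
    {"user": "alice@example.com", "ts": "2025-06-02T08:05:00", "lat": 40.71, "lon": -74.01, "action": "login"},
    {"user": "alice@example.com", "ts": "2025-06-02T08:40:00", "lat": 52.37, "lon": 4.90, "action": "login"},
    {"user": "alice@example.com", "ts": "2025-06-02T08:42:00", "lat": 52.37, "lon": 4.90, "action": "oauth_grant"},
    {"user": "bob@example.com", "ts": "2025-06-02T09:00:00", "lat": 41.88, "lon": -87.63, "action": "login"},
    {"user": "bob@example.com", "ts": "2025-06-02T17:30:00", "lat": 40.71, "lon": -74.01, "action": "login"},
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner speed
HIGH_RISK_ACTIONS = {"oauth_grant", "sharing_change", "forwarding_rule"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def flag_events(events):
    """Return (user, reason) alerts. Impossible travel: consecutive logins for one
    user whose implied speed exceeds MAX_PLAUSIBLE_KMH. High-risk actions (OAuth
    grant, sharing or forwarding change) are escalated when the user already has a
    flagged login, and marked for review otherwise."""
    alerts, last_login, suspicious = [], {}, set()
    for e in sorted(events, key=lambda x: x["ts"]):
        t, u = datetime.fromisoformat(e["ts"]), e["user"]
        if e["action"] == "login":
            prev = last_login.get(u)
            if prev:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (t - prev["t"]).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append((u, f"impossible travel: {km:.0f} km in {hours * 60:.0f} min"))
                    suspicious.add(u)
            last_login[u] = {"lat": e["lat"], "lon": e["lon"], "t": t}
        elif e["action"] in HIGH_RISK_ACTIONS:
            severity = "high" if u in suspicious else "review"
            alerts.append((u, f"{severity}: {e['action']} after login"))
    return alerts

if __name__ == "__main__":
    for user, reason in flag_events(EVENTS):
        print(user, reason)
```

Bob's Chicago-to-New York sign-ins are hours apart and stay below the threshold, while Alice's New York-to-Amsterdam pair 35 minutes apart is flagged and her subsequent OAuth grant is escalated.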


What should incident response include when SaaS credentials may be compromised?

Containment typically includes forcing password resets, revoking active sessions and tokens, reviewing recent sign-ins and file access logs, checking for new sharing links or third-party app connections, and confirming whether any regulated data could have been accessed, so notification and regulatory steps can be assessed.
