Hackers pose as Microsoft, DocuSign in callback phishing on healthcare
Lusanda Molefe July 03, 2025

Cybercriminals are leveraging PDFs to impersonate major brands, including Microsoft, DocuSign, PayPal, and Norton LifeLock, in sophisticated callback phishing campaigns that trick victims into calling attacker-controlled phone numbers.
What happened
Cisco Talos researchers discovered a surge in what they call Telephone-Oriented Attack Delivery (TOAD) campaigns between May 5 and June 5, 2025, with Microsoft and DocuSign being the most frequently impersonated brands in phishing emails containing PDF attachments. Unlike traditional phishing that uses malicious links or fake websites, these attacks persuade victims to initiate phone contact with scammers posing as legitimate customer service representatives.
The campaigns predominantly originated from the United States and Europe, with additional activity scattered across South America, Asia, and Africa. Attackers have been using Voice over Internet Protocol (VoIP) numbers to remain anonymous and harder to trace, with some numbers being reused for up to four consecutive days to maintain credibility and enable multi-stage attacks.
Going deeper
The attack methodology is subtle because it exploits multiple layers of trust. Victims receive emails with PDF attachments that appear to come from trusted brands, often with blank email bodies to evade text-based phishing detection. When opened, these PDFs render content that looks like legitimate correspondence, complete with company logos and urgent messages about transactions, security issues, or service renewals.
One example involved fake McAfee transaction receipts charging for services the victim never ordered, while another impersonated PayPal with bogus transaction notifications. Adobe's PDF service was also abused to send documents that appeared to require signatures but contained callback numbers for "assistance." In each case, the PDF included a customer service number that victims were encouraged to call to resolve the supposed issue.
Once victims call these numbers, attackers posing as customer representatives use advanced social engineering tactics to manipulate emotions and extract sensitive information or convince targets to install remote access software. The live interaction lets scammers adapt their approach in real time, making these attacks more effective than traditional phishing emails.
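As an added example (not from the Talos report or this article), here is a defender-side scoring heuristic for the traits described above: a PDF attachment, a blank email body, an impersonated brand, urgency language and a callback phone number in the PDF text. The function name, weights and sample messages are my own assumptions, and PDF text extraction is assumed to happen upstream in a separate tool.

```python
import re
from typing import List, Tuple

# Brands the Talos report names as most often impersonated in these PDFs.
IMPERSONATED_BRANDS = ("microsoft", "docusign", "paypal", "norton", "mcafee", "adobe")
# Pressure language typical of fake renewal and transaction notices.
URGENCY_TERMS = ("charged", "renew", "transaction", "unauthorized", "suspended", "within 24 hours")
# North American phone formats such as (800) 555-0199 or 800-555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

def score_toad_email(body: str, attachments: List[Tuple[str, str]]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one message; attachments are (filename, extracted text)
    pairs, with PDF text extraction assumed to be done upstream by a separate tool."""
    score, reasons = 0, []
    pdfs = [(n, t) for n, t in attachments if n.lower().endswith(".pdf")]
    if not pdfs:
        return score, reasons          # the campaign relies on a PDF attachment
    if not body.strip():
        score += 2                     # blank body: nothing for text filters to inspect
        reasons.append("blank body with PDF attachment")
    for name, text in pdfs:
        low = text.lower()
        brands = [b for b in IMPERSONATED_BRANDS if b in low]
        phones = PHONE_RE.findall(text)
        urgency = [u for u in URGENCY_TERMS if u in low]
        if brands:
            score += 1
            reasons.append(f"{name}: impersonated brand {brands}")
        if phones:
            score += 1
            reasons.append(f"{name}: phone number(s) {phones}")
        if urgency:
            score += 1
            reasons.append(f"{name}: urgency terms {urgency}")
        if brands and phones and urgency:
            score += 3                 # the core callback-phishing signature
            reasons.append(f"{name}: brand, urgency and callback number together")
    return score, reasons

# Constructed samples, not real messages; 555-01xx numbers are reserved for fiction.
TOAD_SAMPLE = ("", [("Invoice_MS365.pdf",
    "Microsoft 365 Subscription Renewal\nYour card was charged $399.99 for renewal.\n"
    "If you did not authorize this transaction, call billing at (800) 555-0199 within 24 hours.")])
BENIGN_SAMPLE = ("Hi all, Thursday's agenda is attached.",
    [("agenda.pdf", "Team meeting agenda: 1. Budget review 2. Hiring update")])
```

The score is meant to feed a mail-gateway rule (quarantine above a threshold, flag for review below it), not to replace a verdict from the security team.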
Why it matters
Healthcare organizations face risk from these campaigns for several reasons. Medical facilities routinely receive legitimate communications from software vendors like Microsoft and document management services like DocuSign, making staff more likely to trust such messages. The healthcare sector's reliance on various technology vendors for electronic health records, billing systems, and administrative tools creates numerous opportunities for brand impersonation.
Furthermore, healthcare workers operating under time pressure may be more susceptible to urgent-sounding requests about system access or billing issues. If successful, these attacks could lead to unauthorized access to protected health information (PHI), installation of ransomware, or compromise of critical medical systems. The use of phone-based social engineering also bypasses many email security tools that healthcare organizations have invested in, creating a security gap.
What they're saying
Omid Mirzaei, security research lead at Cisco Talos, emphasized the psychological advantage of callback phishing: "Attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization. Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics."
The FBI warned in May 2025 about similar attacks by the Luna Moth group targeting organizations by posing as IT department personnel, highlighting the growing prevalence of this attack vector.
FAQs
What is callback phishing or TOAD?
Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing, is a social engineering attack where victims are tricked into calling a phone number controlled by attackers. Unlike vishing where attackers call victims, in TOAD attacks the victim initiates contact, making them more trusting and vulnerable to manipulation.
How is this different from traditional phishing?
Traditional phishing uses malicious links or attachments to steal credentials or install malware directly. Callback phishing adds an extra step where victims must call a phone number, allowing attackers to use live conversation and emotional manipulation to achieve their goals, whether that's stealing information or convincing victims to install remote access software.
Why are PDFs effective for these attacks?
PDFs can bypass many email security filters because the malicious content is embedded in the attachment rather than the email body. They also appear more legitimate and official than plain text emails, and can be designed to render immediately when an email is opened, making them look like normal email content to unsuspecting users.