Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

New techniques making phishing attacks harder to detect

Written by Farah Amod | November 13, 2025

Email-based phishing campaigns are changing with multi-layered tactics that outsmart traditional filters and trick users into handing over credentials.

 

What happened

According to Cyber Security News, phishing attacks are growing more advanced, as threat actors combine old methods with new delivery mechanisms to bypass both automated security systems and human defenses. In particular, attackers are now leveraging PDF attachments, rather than embedded email links, to deliver phishing payloads, marking a major shift in phishing strategy this year.

One standout tactic is the use of QR codes inside PDF files. These codes are often scanned by users on mobile devices, which typically lack the same protective software as desktops. Analysts have flagged a surge in these PDF-based phishing campaigns, which now sometimes include encryption or password protection to avoid detection.

 

Going deeper

QR code PDFs are just one tactic. Researchers are also reporting a resurgence in calendar-based phishing, where attackers insert malicious links inside calendar event descriptions rather than the email itself. Since calendar apps often send automatic notifications, these can bypass traditional email scans.
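One way a mail pipeline could inspect the calendar part itself, as an added example (not code from Paubox or Cyber Security News): it pulls URLs out of an iCalendar event's text fields after undoing RFC 5545 line folding and escapes, which can otherwise split a link across lines. The sample invite, the `example.test` hostnames and all function names are constructed for illustration.

```python
import re

# Constructed sample invite, not taken from any real campaign.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-1@example.test\r\n"
    "SUMMARY:Quarterly benefits review\r\n"
    "DESCRIPTION:Please confirm\\, then sign in at https://portal.exa\r\n"
    " mple.test/login?id=42 before the meeting.\\nThanks\r\n"
    "LOCATION;LANGUAGE=en:https://meet.example.test/room\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT"}

def unfold(ics):
    """Undo RFC 5545 folding: a line break plus one space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def split_property(line):
    """Split 'NAME;params:value' at the first colon outside a quoted parameter."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return None, ""

def unescape(value):
    """Decode RFC 5545 TEXT escapes: \\n or \\N is a newline, \\, \\; \\\\ are literals."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def extract_event_urls(ics):
    """Return (property, url) pairs from the text fields of every VEVENT."""
    found, in_event = [], False
    for line in unfold(ics):
        name, value = split_property(line)
        if name in ("BEGIN", "END") and value.upper() == "VEVENT":
            in_event = name == "BEGIN"
        elif in_event and name in TEXT_PROPS:
            found += [(name, url) for url in URL_RE.findall(unescape(value))]
    return found

if __name__ == "__main__":
    for prop, url in extract_event_urls(SAMPLE_ICS):
        print(prop, url)
```

Running the same URL pattern over the raw, still-folded text returns only the truncated `https://portal.exa`, so the extracted links should be fed to the same reputation checks applied to links in the message body.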

More concerning is the rise in infrastructure designed specifically to fool detection systems. Some phishing pages now include CAPTCHA chains to block automated scans, or mimic live authentication systems by interacting directly with real APIs. These phishing sites can relay user credentials in real time, return actual error messages, and even prompt for multi-factor authentication (MFA) codes, tricking users into revealing both passwords and one-time passwords (OTPs).

Login pages used in these campaigns often perfectly imitate well-known cloud services, with branding, folder layouts, and other visuals replicated down to the pixel. Once compromised, attackers can access user accounts with little to no immediate warning.

 

What was said

Cyber Security News reported that these attacks are psychologically engineered to appear legitimate. By mimicking security measures, such as requiring a password to open a file or presenting CAPTCHA challenges, threat actors increase the likelihood that users will trust and engage with malicious content.

They recommend reinforcing employee awareness through security training and upgrading to enterprise-grade email filters that can adapt to changing tactics.

 

The big picture

Phishing has evolved into the leading cause of healthcare data breaches, accounting for over 70% of incidents according to Paubox’s 2025 SMB Email Security Report. Attackers have moved well beyond suspicious links and obvious typos, now using layered tactics like QR codes hidden in PDFs, fake calendar invites, and CAPTCHA-protected phishing pages to slip past both filters and human judgment. Each new trick builds on the same principle: make the experience feel normal, secure, and familiar enough that users let their guard down.

Paubox recommends Inbound Email Security as a smarter way to defend against these changing tactics. Its generative AI studies tone, sender behavior, and message intent to flag communication that looks legitimate but doesn’t fit normal patterns. That behavioral insight helps organizations stop sophisticated phishing emails before they reach users, no matter how authentic they appear.

 

FAQs

Why are mobile devices more vulnerable to QR code phishing?

Mobile devices often lack the same endpoint protection and filtering tools used on corporate desktops, making them easier targets when users scan QR codes from phishing PDFs.

 

How do attackers benefit from using CAPTCHA in phishing sites?

CAPTCHAs can block automated security bots from scanning malicious content while still allowing human users to pass through and unknowingly share credentials.

 

What makes calendar-based phishing effective in business environments?

Calendar invites may appear routine and trigger notification systems that bypass email filters. Users are also less likely to question links in calendar alerts than in standard emails.

 

How do real-time phishing sites bypass MFA?

They intercept credentials and immediately pass them to the legitimate service, prompting real MFA challenges. Users who enter their codes help the attacker log in successfully before the session expires.

 

What can organizations do beyond email filtering to reduce risk?

In addition to upgrading filtering systems, organizations should deploy real-time URL rewriting, train users to identify unusual behavior (like file password prompts), and restrict QR code scanning on unmanaged devices.