Cyber attackers constantly seek new ways to trick users into granting access to their accounts, and once a method proves effective it is quickly reused at scale. Over the past few weeks we have seen a growing number of campaigns that use links to legitimately hosted PDFs to disguise the malicious link actually sent to targeted users.

What does the attack look like?

A user receives an email containing a link to a document that has supposedly been shared with them, usually with a request to approve or review it. Recently we have observed these as both DocuSign and Adobe PDF sharing links.

The link opens a PDF that is viewable in the browser. Because the PDF is hosted on adobe[.]com, a legitimate domain with a good reputation, it appears to be a normal shared document, complete with the usual Adobe viewer functionality and whatever branding the attacker has added to make it look official.

This PDF often contains a button, link, or other hyperlinked item designed to attract the user’s attention and look official.

Clicking it takes the user to a secondary link. Because that URL only exists inside the PDF and never appeared in the email itself, it is not seen by the link scanning or URL rewriting applied to the email, so any email protection in place is bypassed.

This secondary link might download malicious content, direct the user to a phishing page, or carry out other harmful activity. So far we have seen unidentified executables that run immediately in the background, and phishing pages.
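The point of the chain above is that the email filter only ever sees the link to the document-hosting service; the real destination is a URI action inside the PDF. The following is an added example (not code from the original post) of how a sandbox or mail-security pipeline can close that gap: pull the sharing links out of the email, then extract the URI actions from the fetched PDF and flag any that leave the hosting service's domain. The list of sharing hosts, the sample email and the minimal PDF are constructed for this example, and the PDF parser is a deliberately simple regex over an uncompressed PDF.

```python
import re
from urllib.parse import urlparse

# Hosts of the document-sharing services seen in the lures. Assumed list for
# this example (the post names Adobe-hosted PDFs and DocuSign); extend as needed.
SHARING_HOSTS = ("adobe.com", "docusign.com", "docusign.net")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Matches a PDF /URI action value in either literal-string form (...) or
# hex-string form <...>. Simplified: it does not decode object streams or
# compressed content, so run it on a decompressed PDF.
PDF_URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)


def base_domain(host):
    """Registrable domain, simplified to the last two labels (enough for .com/.net)."""
    return ".".join(host.lower().split(".")[-2:])


def sharing_links(email_body):
    """Return links in an email body that point at a known document-sharing host."""
    found = []
    for url in URL_RE.findall(email_body):
        host = urlparse(url).hostname or ""
        if base_domain(host) in SHARING_HOSTS:
            found.append(url)
    return found


def pdf_uris(pdf_bytes):
    """Extract every URI action target from raw PDF bytes."""
    uris = []
    for m in PDF_URI_RE.finditer(pdf_bytes):
        if m.group("lit") is not None:
            # Undo PDF literal-string escapes such as \( \) and \\ (simplified).
            raw = re.sub(rb"\\(.)", rb"\1", m.group("lit"))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
            if len(hexdigits) % 2:  # PDF allows the final hex digit to be omitted
                hexdigits += "0"
            raw = bytes.fromhex(hexdigits)
        uris.append(raw.decode("latin-1"))
    return uris


def suspicious_redirects(pdf_bytes, hosting_url):
    """Return URI targets in the PDF whose domain differs from the host that served it.

    The email filter only ever saw hosting_url; any link in the PDF that leaves that
    domain is the 'secondary link' that the email scan never inspected. Targets with
    no host at all (mailto:, javascript:, file:) are flagged too.
    """
    hosting = base_domain(urlparse(hosting_url).hostname or "")
    flagged = []
    for uri in pdf_uris(pdf_bytes):
        target = urlparse(uri).hostname or ""
        if not target or base_domain(target) != hosting:
            flagged.append(uri)
    return flagged


# Constructed sample email: the lure links only to the sharing service.
SAMPLE_EMAIL = """Hi, please review and approve the agreement shared with you:
https://acrobat.adobe.com/id/urn:aaid:sc:EU:0000-example
Thanks, Accounts team"""

# Constructed minimal PDF with three link annotations: one back to the hosting
# service, one literal string with escaped parentheses, one hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 650]
   /A << /S /URI /URI (https://acrobat.adobe.com/help) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 500 300 550]
   /A << /S /URI /URI (https://review-portal.example/login\\(secure\\)) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [100 400 300 450]
   /A << /S /URI /URI <68747470733a2f2f64726f702e6578616d706c65> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for link in sharing_links(SAMPLE_EMAIL):
        print("sharing link in email:", link)
        for uri in suspicious_redirects(SAMPLE_PDF, link):
            print("  secondary link never seen by the mail filter:", uri)
```

In practice the PDF bytes come from fetching the sharing link in a sandbox; the domain comparison is what matters, since a PDF that only links back to the hosting service is not the pattern described above.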

Alternative attack methods

Another method we have observed starts with a download link that provides the user with a 'pdf.url' file. A '.url' file is a Windows Internet Shortcut that opens its target in the default browser when double-clicked, and Windows hides the .url extension, so a file named 'invoice.pdf.url' is displayed as 'invoice.pdf'. The file may be inside a ZIP or another form of archive to evade antivirus detection. Opening the shortcut then leads to a PDF page similar to the one described above.

Why is this successful?

The malicious link is unlikely to be detected by standard email protection, because the email itself only contains a link to a legitimate document-hosting service; the malicious URL is embedded in the hosted PDF, which the email filter never inspects.

These emails have been traced back to compromised client accounts, which lets the attacker send from a trusted contact. This can bypass filters if the sender has been marked as a trusted partner or explicitly allowed, and it also deceives the targeted user, who may have had legitimate contact with this client or sender in the past.

The entire attack chain only requires a few clicks and blends seamlessly into normal day-to-day activities.

When the file is wrapped in an archive, it becomes harder for traditional antivirus to scan: content nested several archives deep may exceed a scanner's depth limit, and a password-protected archive cannot be inspected at all, so the '.url' file inside is never examined.
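Both the 'pdf.url' delivery described under alternative attack methods and the archive-scanning problem above come down to the same check: walk the archive, including nested archives, and look at what is actually inside. The following is an added example (not from the original post or any vendor product) of that check in Python: it parses Windows Internet Shortcut files for their URL= target, flags double extensions such as 'Invoice.pdf.url', recurses into nested ZIPs up to a depth limit, and reports encrypted entries it cannot open rather than silently skipping them. The sample archive is constructed in memory; the depth limit is an assumed value.

```python
import io
import zipfile

MAX_DEPTH = 3  # assumed limit: nested archives deeper than this are reported, not opened


def parse_internet_shortcut(data):
    """Return the URL= value from a Windows .url (InternetShortcut) file, or None."""
    text = data.decode("utf-8", errors="replace")
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def scan_archive(data, depth=0, path=""):
    """Walk a ZIP and any ZIPs nested inside it.

    Returns a list of (entry path, finding kind, detail) tuples.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{path}/{info.filename}" if path else info.filename
            lower = info.filename.lower()
            if info.flag_bits & 0x1:
                # Encrypted entry: a scanner without the password sees nothing.
                findings.append((name, "encrypted-entry", None))
                continue
            if lower.endswith(".url"):
                url = parse_internet_shortcut(zf.read(info))
                stem = lower.rsplit("/", 1)[-1][:-len(".url")]
                # 'Invoice.pdf.url' shows as 'Invoice.pdf' in Explorer.
                kind = "internet-shortcut-double-extension" if "." in stem else "internet-shortcut"
                findings.append((name, kind, url))
            elif lower.endswith(".zip"):
                if depth + 1 >= MAX_DEPTH:
                    findings.append((name, "nested-archive-not-opened", None))
                else:
                    findings.extend(scan_archive(zf.read(info), depth + 1, name))
    return findings


def build_sample():
    """Constructed sample: an outer ZIP holding a nested ZIP that holds 'Invoice.pdf.url'."""
    shortcut = (
        "[InternetShortcut]\r\n"
        "URL=https://acrobat.adobe.com/id/urn:example-lure\r\n"
        "IconIndex=0\r\n"
    )
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.pdf.url", shortcut)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Documents.zip", inner.getvalue())
        z.writestr("readme.txt", "Please open the attached invoice.")
    return outer.getvalue()


if __name__ == "__main__":
    for entry, kind, detail in scan_archive(build_sample()):
        print(f"{entry}: {kind} {detail or ''}")
```

The URL extracted from the shortcut can then be fed to the same sharing-link and PDF checks used for emailed links, since the post describes the shortcut leading to an identical hosted PDF.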

Recommendations

We recommend user training and encouraging greater vigilance against schemes that lead users away from email, in particular unexpected document-sharing notifications that ask for approval or review. Similar schemes have been observed via LinkedIn messaging and business web chat services.

We also recommend application whitelisting (for example AppLocker or Windows Defender Application Control on Windows), which would prevent unknown executables from running even if a user is tricked into downloading one.