Introduction
A massive phishing campaign is exploiting users' trust in PDF documents and legitimate cloud services to harvest Dropbox credentials, security researchers warned this week. The multi-stage attack uses procurement-themed emails with PDF attachments that redirect victims through trusted cloud infrastructure before landing on convincing fake login pages—making it nearly impossible for traditional email filters to detect.
What Happened?
The attack begins with professional-looking emails requesting that recipients review procurement documents or place orders. These emails contain no suspicious links in the body—instead, they include PDF attachments that appear legitimate. The PDF uses embedded AcroForm objects to hide clickable links, a technique that helps evade standard email security scanning.
When recipients open the PDF and click the embedded link, they enter the second stage: redirection to a second PDF hosted on Vercel Blob, a trusted cloud storage platform. This intermediary step borrows the reputation of cloud infrastructure: security systems that typically trust such platforms are less likely to flag the redirect.
In the third stage, the second PDF contains a link labeled "DOWNLOAD FILE HERE," sending victims to a fake Dropbox login page hosted at tovz[.]life. This phishing site mimics the Dropbox interface and design, prompting victims to enter their business email credentials to access the fraudulent procurement document.
After victims enter their credentials, the site simulates a real login attempt with a five-second delay and displays a fake error message. Meanwhile, attackers collect stolen credentials and location data, then exfiltrate them via Telegram bots. This grants attackers the ability to take over accounts, access company files, or commit further fraud.
The Impact
This attack succeeds precisely because nothing appears obviously wrong at any single stage. The original email passes standard authentication checks like SPF, DKIM, and DMARC. The PDF opens normally, and the second-stage document is hosted on a legitimate cloud service. The Dropbox login page looks authentic. Each step passes what security experts call "the sniff test"—only when viewing the entire attack chain does the danger become apparent.
"When people see a PDF or a Dropbox logo, their guard naturally drops," explained Erik Avakian, technical counselor at Info-Tech Research Group. "Familiarity and the need for speed prevent them from pausing and taking a closer look. Attackers exploit it perfectly."
The campaign's sophistication lies in its abuse of trusted infrastructure. Cloud platforms have become a "shield" for attackers, according to Avakian. Security awareness has conditioned users to scrutinize suspicious domains, but not reputable platforms—creating a mental model that's dangerously outdated.
Stolen Dropbox credentials enable multiple attack scenarios: account takeover, unauthorized access to sensitive company files, lateral movement within corporate environments, and credential-stuffing attacks when victims reuse passwords across platforms. Organizations using Dropbox for business-critical documents face particularly severe exposure.
The attack's malware-free nature makes it harder to detect and prosecute. Traditional security tools focus heavily on identifying malicious code, but this campaign relies entirely on social engineering and credential theft—requiring different detection approaches.
How to Avoid This
Security experts urge organizations to take proactive measures now: implement multiple defensive layers to counter this emerging threat and protect user credentials from compromise.
Employee Training: Move beyond basic "don't click suspicious links" awareness. Employees must understand that modern phishing is multi-stage, cloud-hosted, and deliberately designed to look routine. Security training should include examples of how legitimate-appearing PDFs can initiate attack chains, even when hosted on trusted platforms.
Verify Authentication Requests: Treat any login prompt as a moment to pause and verify. Before entering credentials, confirm you initiated the action. Check URL spelling carefully—phishing domains often use slight misspellings or unexpected top-level domains. When in doubt, navigate directly to the service rather than clicking through links.
Enhanced Email Security: Deploy AI-powered email security solutions capable of analyzing PDF contents, following embedded links, and detecting suspicious redirection patterns. Traditional filters that only scan email bodies and obvious link domains will miss attacks that hide their payloads in attachments.
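The attachment-inspection capability this paragraph asks for, and the AcroForm-hidden link described under "What Happened?", can be prototyped with little code. The following Python script is an added example, not code from the article or from any vendor it mentions. It builds two constructed minimal PDFs that carry an AcroForm button widget with a URI action, one stored as a plain object and one packed into a FlateDecode object stream, then extracts every URI target and compares the hostnames against an allow list. The hostnames and allow-list entries are placeholders, and the regex-based approach is an assumption that suffices for uncompressed objects and Flate streams; it is not a full PDF parser.

```python
"""Scan a PDF for URI actions, including ones hidden in AcroForm widgets or compressed
object streams. Added example with constructed PDFs; regex-based, not a full PDF parser."""
import re
import zlib
from urllib.parse import urlsplit

# The annotation at the heart of the lure: a form-field widget whose action is a URI.
# The hostname is a constructed placeholder, not an indicator from the campaign.
WIDGET = (b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (review) /Rect [100 600 400 650]"
          b" /A << /S /URI /URI (https://blob.example.invalid/procurement-2.pdf) >> >>")


def _skeleton(version: bytes, extra_object: bytes) -> bytes:
    """Constructed minimal PDF: catalog with /AcroForm, one page, plus one more object."""
    return (b"%PDF-" + version + b"\n"
            + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >>\nendobj\n"
            + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            + b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>\nendobj\n"
            + extra_object
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Variant 1: the widget stored as a plain, uncompressed object (easy to grep).
SAMPLE_PDF = _skeleton(b"1.4", b"4 0 obj\n" + WIDGET + b"\nendobj\n")

# Variant 2: the same widget packed into a FlateDecode object stream. The bytes "/URI"
# never appear in the file as written, so a scanner that only greps raw bytes misses it.
_objstm_body = b"4 0 " + WIDGET          # object-stream header "objnum offset", then the object
_deflated = zlib.compress(_objstm_body)
COMPRESSED_PDF = _skeleton(
    b"1.5",
    b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_deflated)).encode() + b" >>\nstream\n" + _deflated + b"\nendstream\nendobj\n")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# "/URI" followed by a literal (...) or hex <...> string. In "/S /URI /URI (...)" only the
# second token is followed by a string, so the action type name itself does not match.
URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")


def _pdf_string(tok: bytes) -> str:
    """Decode a PDF literal or hex string token into text (latin-1 is enough for URLs)."""
    if tok.startswith(b"<"):
        h = re.sub(rb"\s", b"", tok[1:-1])
        if len(h) % 2:                       # PDF allows an odd digit count; pad with 0
            h += b"0"
        return bytes.fromhex(h.decode("ascii")).decode("latin-1")
    return re.sub(rb"\\([()\\])", rb"\1", tok[1:-1]).decode("latin-1")   # undo \( \) \\


def _scan(chunk: bytes, obj_num, has_acroform: bool) -> list:
    return [{"object": obj_num,
             "uri": _pdf_string(m.group(1)),
             "widget": b"/Widget" in chunk,      # form-field widget rather than a plain /Link annot
             "hex_encoded": m.group(1).startswith(b"<"),
             "acroform": has_acroform}
            for m in URI_RE.finditer(chunk)]


def find_uri_actions(pdf: bytes, inflate: bool = True) -> list:
    """List every URI action target; with inflate=True, Flate streams are decompressed and scanned too.
    Objects found inside a stream are reported with object=None."""
    has_acroform = b"/AcroForm" in pdf        # assumption: the catalog itself is not compressed
    found = []
    for m in OBJ_RE.finditer(pdf):
        found += _scan(m.group(2), int(m.group(1)), has_acroform)
    if inflate:
        for s in STREAM_RE.finditer(pdf):
            try:
                found += _scan(zlib.decompress(s.group(1)), None, has_acroform)
            except zlib.error:
                continue                      # not a Flate stream (or damaged): ignore it
    return found


def unexpected_hosts(pdf: bytes, allowed_hosts: frozenset) -> list:
    """Hostnames a click in this PDF would lead to that are not on the allow list."""
    hosts = {(urlsplit(f["uri"]).hostname or "").lower() for f in find_uri_actions(pdf)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)


if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PDF), ("objstm", COMPRESSED_PDF)):
        print(name, "raw bytes only:", [f["uri"] for f in find_uri_actions(doc, inflate=False)])
        print(name, "with inflation:", [f["uri"] for f in find_uri_actions(doc)])
        print(name, "unexpected hosts:", unexpected_hosts(doc, frozenset({"www.dropbox.com"})))
```

Run directly, the script shows that a raw-bytes grep finds the link only in the uncompressed variant, while inflating streams finds it in both. A production filter would hand the unexpected hosts to the same reputation, sandbox and blocklist checks it already applies to URLs in the message body, and would follow the link to catch the second-stage redirect the article describes.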
Block Suspicious Indicators: Security teams should maintain blocklists of known malicious domains and monitor for connections to suspicious infrastructure. In this campaign, blocking outbound requests to tovz[.]life would prevent credential submission.
Monitor for Compromise: Implement continuous monitoring for unusual authentication patterns—such as logins from unexpected locations, access during off-hours, or multiple failed attempts. Capturing user IP addresses and geolocation during authentication helps identify compromised credentials being used from an attacker's infrastructure.
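As an added illustration of the monitoring described above (not code from the article), the following Python script evaluates three of the named signals over a constructed set of authentication events: a successful login from a country the user has never logged in from before, a login outside business hours, and a burst of failed attempts followed by a success. The event format, the 08:00 to 18:59 UTC business window, the three-failure threshold and the ten-minute window are all assumptions chosen for the example.

```python
"""Flag suspicious successful logins in an authentication event stream.
Added example with constructed data; thresholds and the business-hours window are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events (not real logs): two normal logins for j.doe, then a burst of failures
# and a success from a new country in the middle of the night, plus a first login for a.lee.
EVENTS = [
    {"ts": "2024-05-06T09:02:11Z", "user": "j.doe@example.invalid", "result": "success", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2024-05-07T08:45:30Z", "user": "j.doe@example.invalid", "result": "success", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2024-05-08T02:10:05Z", "user": "j.doe@example.invalid", "result": "failure", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2024-05-08T02:10:40Z", "user": "j.doe@example.invalid", "result": "failure", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2024-05-08T02:11:15Z", "user": "j.doe@example.invalid", "result": "failure", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2024-05-08T02:12:02Z", "user": "j.doe@example.invalid", "result": "success", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2024-05-08T10:30:00Z", "user": "a.lee@example.invalid", "result": "success", "ip": "192.0.2.44", "country": "US"},
]

BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 UTC is the organisation's normal window
BURST_THRESHOLD = 3             # assumption: this many failures ...
BURST_WINDOW_S = 600            # ... within ten minutes before a success is suspicious


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _alert(rule: str, ev: dict, detail: str) -> dict:
    return {"rule": rule, "user": ev["user"], "ts": ev["ts"], "ip": ev["ip"], "detail": detail}


def detect(events) -> list:
    """Return one alert per (rule, successful login) that trips it, in event order."""
    alerts = []
    seen_countries = defaultdict(set)      # per-user baseline learned from earlier successes
    pending_failures = defaultdict(list)   # per-user failure timestamps since the last success
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 "Z" timestamps sort lexically
        user, ts = ev["user"], parse_ts(ev["ts"])
        if ev["result"] != "success":
            pending_failures[user].append(ts)
            continue
        # Rule 1: several failures shortly before this success (guessing, then a hit)
        recent = [t for t in pending_failures[user] if (ts - t).total_seconds() <= BURST_WINDOW_S]
        if len(recent) >= BURST_THRESHOLD:
            alerts.append(_alert("failure_burst_then_success", ev,
                                 f"{len(recent)} failures within {BURST_WINDOW_S}s"))
        pending_failures[user].clear()
        # Rule 2: success outside the business window
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(_alert("off_hours_login", ev, f"hour {ts.hour:02d}:00 UTC"))
        # Rule 3: success from a country absent from the user's baseline (skip if no baseline yet)
        baseline = seen_countries[user]
        if baseline and ev["country"] not in baseline:
            alerts.append(_alert("new_country", ev, f"{ev['country']} not in {sorted(baseline)}"))
        baseline.add(ev["country"])
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['ts']} {a['user']} {a['rule']}: {a['detail']}")
```

On the sample data only the 02:12 login trips the rules, and it trips all three at once; a.lee's first-ever login produces nothing because there is no baseline to compare against. In practice the geolocation and IP fields come from the identity provider's sign-in logs, and the three rules would be weighted rather than treated as independent alerts, since a single new-country login by a travelling employee is far less telling than a new country combined with a failure burst.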
Multi-Factor Authentication: While not foolproof, MFA adds an additional barrier even if credentials are stolen. However, organizations should be aware that sophisticated attackers increasingly bypass MFA using techniques such as adversary-in-the-middle attacks.
Employees must take initiative—if a procurement-themed email with a PDF attachment requests authentication, they should immediately report it to the IT or security teams. Acting quickly can prevent account compromise and protect your organization from severe consequences.
Security professionals should urgently develop sophisticated phishing simulations that match real-world tactics, so employees recognize nuanced, multi-stage phishing attacks before damaging breaches can occur.