Cybersecurity researchers are warning about a new wave of phishing attacks that use PDF attachments and Voice over Internet Protocol (VoIP) numbers to trick targets into calling phone numbers operated by threat actors.
A recent analysis of phishing emails with PDF attachments found that Microsoft and Docusign are the most impersonated brands, while NortonLifeLock, PayPal, and Geek Squad are among the most impersonated brands in Telephone-Oriented Attack Delivery (TOAD) emails. The attacks typically incorporate legitimate brand names like Adobe to scan malicious QR codes or click on links that redirect users to phishing pages posing as services.
The attackers masquerade as a legitimate customer representative during phone calls, tricking victims into disclosing sensitive information or installing malware on their devices. Most TOAD campaigns rely on the illusion of urgency and use scripted call center tactics, hold music, and spoofed caller IDs to convincingly imitate real support workflows.
Threat actors are using VoIP numbers to remain anonymous and make it harder to trace. Some numbers are reused consecutively for as many as four days, allowing attackers to pull off multi-stage social engineering attacks using the same number.
In recent months, phishing campaigns have capitalized on a legitimate feature in Microsoft 365 called Direct Send to spoof internal users and deliver phishing emails without compromising an account. The novel method has been employed to target over 70 organizations since May 2025.
Additionally, attackers are using artificial intelligence (AI) chatbots to create phishing pages at scale. They are also publishing fake APIs on GitHub to route transactions to an attacker-controlled wallet.
The developments mark a new twist in brand impersonation and phishing attacks, where cybercriminals are looking to game AI-powered tools by surfacing malicious URLs as responses to queries.
Source: https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html