Phishers unleash simple but effective social engineering techniques using PDF attachments

The Gmail phishing attack is reportedly so effective that it tricks even technical users, but it may be just the tip of the iceberg. We’re seeing similarly simple but clever social engineering tactics using PDF attachments.

These deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the heightened phishing activity that we have come to expect every year during the holiday season has not subsided.

Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where you are then asked to divulge sensitive information.

At Microsoft Malware Protection Center, we continuously monitor the threat landscape for threats such as these PDF files that arrive via email and execute their payload from the web. We do this, not only so we can create security solutions for the latest threats, but also so we understand cybercriminal’s newest schemes and warn customers.

Awareness is an effective weapon against social engineering. We’re sharing some examples of these PDF attachments, including one that spoofs Microsoft Office, so you are armed with knowledge that you can use to detect these social engineering attacks.

Example 1: You received a document that Adobe Reader can’t display because it’s a protected Excel file, so you need to enter your email credentials

Attachment file type: PDF
Filename: Quote.pdf
Info stolen: Email credentials
Windows Defender detection: Trojan:Win32/Pdfphish.BU

One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity.


When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel”. But it’s actually a link to a website.


Clicking the link opens your browser and brings you to a website, where the social engineering attack continues with a message that the document is protected because it is confidential, and therefore you need to sign in with your email credentials.


If you’re using Microsoft Edge, Microsoft SmartScreen will block this website, stopping the phishing attack.


However. if you’re using a browser that does not block the website and you click OK, you are led to the phishing site, which asks you to enter your email address and password. The website is designed to appear like you are opening an Excel file. The website goes to great lengths to mimic Microsoft Excel Online, but what you see in the site is not an Excel file, but just an image.


If you fall for this social engineering trick and enter your details, you are redirected to the site below, which says you entered your details incorrectly. But at this point, the attackers will have your email credentials. Once they have access to your email, the attackers can launch further phishing attacks against your contacts, or gain access to your social networking, online banking, or online gaming accounts.


Example 2: You received a PDF file from Dropbox and need to log in using your email credentials

Attachment file type: PDF
Filename: ScannedbyXerox.pdf
Info stolen: Gmail, Outlook, AOL, Yahoo!, Office 365 credentials
Windows Defender detection: PWS:HTML/Misfhing.B

Another example of these PDF attachments put on pretense that you need to sign in to online storage provider Dropbox to access your document. Just like the first example, this PDF document does not have malicious code, but contains a link to “View .PDF online”.


Clicking the link takes you to a fake Dropbox login page that gives you options to sign in using your Google, Outlook, AOL, Yahoo!, Office 365 or other email credentials.


Microsoft Edge users are protected from this threat. Using Microsoft SmartScreen, it stops this phishing attack from loading or serving further offending pages.

On the phishing page, options are tailored to look like a legitimate email sign in page. For example, clicking the Office 365 option brings up a window that may look authentic to an untrained eye.


It’s the same level of customization for the other options. For example, for the Google option, the window first asks you to choose whether you’d like to sign in using your organizational or individual account. This step is not present in the actual Google sign in process, but this may be done to help the attackers identify business-related account credentials. It then brings up the sign in page.



If you enter your details, an actual PDF document (hosted in Google Drive, not Dropbox) is opened in a window.


As part of the social engineering tactic, this is done so you don’t immediately suspect you were phished. By this time, the attackers will have your credentials. This last step can buy them more time to use your credentials before you realize you need to change your password.

Other examples: Enter your email credentials to access or download your file

We have seen other examples of PDF files being distributed via email and exhibiting the same characteristics. Just like the first two cases, these PDF files don’t contain malicious code, apart from a link to a phishing site. All of them carry the message that you need to enter your email credentials so that you can view or download the document. All of these attachments are detected as variants of Trojan:Win32/Pdfphish.

pdf-example-3 pdf-example-4 pdf-example-5 pdf-example-6 pdf-example-8 pdf-example-7

How to stay safe from phishing attacks

As we saw from these examples, social engineering attacks are designed to take advantage of possible lapses in decision-making. Awareness is key; that is why we’re making these cybercriminal tactics known.

Don’t open attachments or click links in suspicious emails. Even if the emails came from someone you know, if you are not expecting the email, be wary about opening the attachment, because spam and phishing emails may spoof the sender.

In these times, when we’re seeing heightened phishing attacks with improved social engineering techniques, a little bit of paranoia doesn’t hurt. For instance, question why Adobe Reader is trying to open an Excel file. Ask why Dropbox is requiring you to enter your email credentials, not your Dropbox account credentials.

For more information, download and read this Microsoft e-book on preventing social engineering attacks, especially in enterprise environments.

Using a secure platform like Windows 10 will let you take advantage of security features that can help identify and stop phishing attacks:

  • Microsoft Edge is a secure browser that can block phishing sites and other malicious websites using Microsoft SmartScreen
  • Windows Defender can detect and block malicious PDF attachments and other malicious code
  • Office 365 has built in content security features that can block spam and phishing emails


Alden Pornasdoro


Comments (7)

  1. Tom says:

    Why do the screen shots referring to Microsoft Edge show Internet Explorer instead? Is Microsoft not running Windows 10 internally?

    1. Sam says:

      I would assume that since Microsoft Edge browser would prevent them from entering, They were using another browser to show people what the actual sites looked like. Taking screen shots is a lot easier than recreating all of the code needed to appear to be phishing site..

  2. Douglas plumley says:

    We have EOP/ATP, neither caught this exact attack unfortunately…

  3. Suzanne Weiss says:

    I am receiving approximately 2 phishing emails daily. They always claim to be from Apple. I changed my email password to see if that would protect me, but they keep coming. Is it going to be necessary to close my Hotmail account and open a new account? Thank you in advance for your help.

  4. Dennis Lloyd says:

    I believe I have become a victim of a phishing exercise – email said to be from my cousin but had a pfd attached which I opened showing an advert from a travel company ( called Sajad):realised quickly this was not from my cousin so closed the pfd and deleted the mail. No information given but does this make me safe? Or what else should I do now?

    1. John says:

      I came across this site while checking a couple of suspicious emails I’ve recently received – after reading this (and many other articles), I’m convinced I’ve been targeted by an increasing number of phishing scams similar to those outlined in the article. To respond to Dennis’ question – first let me say that I am no internet security expert, but am relatively IT-savvy, though I too was close to being fooled by some of these attacks – they had been carefully “tailored” to my business to seem plausible, though there were still some inconsistencies and tell-tale signs which set the alarm bells off.

      As to what to do – a few general points:

      1) If you’ve opened a suspicious pdf file, there is a risk that it was infected with malware, so it is worth (a) ensuring your anti-virus software is up to date and (2) running a system scan to see if anything is flagged up

      2) Wrt the suspicious attachment – did you at any time enter your email address and or any password or other personal info? If so, it may be worth resetting your email password

      3) While I know it is an absolute pain, it is worth ensuring that passwords on critical sites (e-mail, banking or any sort of account through which you purchase like Amazon, social media accounts) have different passwords. Furthermore, I would encourage against allowing a browser to save passwords (or, indeed, storing them on your computer) – they can be easy to access once a computer is compromised. Also, do not save any password information within your email account – again, if your email is compromised, it is likely to be searched for any password or other critical info which in turn can be targeted & compromised

      4) Where possible, set up important accounts with “2 Factor” authentication. I use this on my google account – it means that if anyone does get hold of my password, they still cannot access my account without also entering a 6 digit code which is sent to my mobile each time I try accessing from a different device.

      5) Finally – be on your guard generally. In recent years, these sorts of attack have been getting both more frequent and more subtle & plausible. If you weren’t expecting an email, view it with some suspicion. Check that everything – names, email addresses, URLs, general quality of the spelling/grammar are consistent and as you would expect. Be suspicious of generic gmail/hotmail/yahoo etc addresses; be suspicious if the person does not give any other ways to verify/contact them.

      All that said, on a positive note – we received a suspicious looking enquiry for bathroom equipment from the Falkland Islands. Suspicious at first, we ignored it, but when the gent got back in touch, we contacted Falkland House in London, managed to ascertain the enquiry was genuine and ended up with a nice little export order to the South Atlantic! And we so nearly deleted that one as well…

  5. lourdes lopes dacunha says:

    I ned big help ,mi english ,veri poor ,all staff in mi computador is new for mi ,i like mi facebook i enjoy mi family,this time i in chock i find all this staff in mi favor toy (computador) ?????????????? thank’s help-me LOURDES LOPES DACUNHA.!

Skip to main content