Why are hackers sending PDFs that look like Microsoft or DocuSign emails asking me to call a phone number?

Cybercriminals are now using PDF attachments in phishing emails that impersonate trusted brands like Microsoft, DocuSign, PayPal, and NortonLifeLock to trick users into calling fake support numbers. This growing attack, called Telephone-Oriented Attack Delivery (TOAD) or callback phishing, persuades victims to dial a VoIP number where attackers act like customer support agents. They steal credentials, install malware, or gain remote access. These PDFs often include QR codes, fake annotations, or use real brand logos, making them hard to detect. Users should avoid interacting with unknown PDFs, scanning suspicious QR codes, or calling unfamiliar numbers mentioned in email attachments.

What’s Going On?

Between May and June 2025, cybersecurity researchers at Cisco Talos discovered a wave of phishing emails that use malicious PDF attachments to impersonate trusted brands like Microsoft, DocuSign, NortonLifeLock, PayPal, and Geek Squad. These PDFs prompt victims to call fake support phone numbers—a rising trend called Telephone‑Oriented Attack Delivery (TOAD) or callback phishing.

How the Scam Works

Impersonation Through PDFs

The emails often contain a blank body; the PDF itself displays official logos, urgent messages (e.g., “Paycheck Increment” notice), QR codes, or sticky-note annotations. These tactics bypass email filters due to the content being hidden inside the attachment.

Callback Phishing (TOAD)

When users open the PDF, they’re encouraged to call a number—often a VoIP line—to resolve a fictional problem. Attackers on the call then pretend to be official reps, using scripted dialogue, hold music, and caller ID spoofing to gain trust. They may steal passwords, install malware, or set up remote access on the victim's device.

Why This Scam Is Dangerous

Live Interaction Boosts Trust

Unlike regular phishing links, this scam uses real-time human interaction, making it easier to manipulate victims emotionally.

PDF & QR Code Evasion

Embedding the malicious content inside PDFs and QR codes makes detection harder, because many email scanners neither inspect the contents of attachments nor apply OCR to the images inside them.
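The kind of attachment inspection that would catch these lures, shown as an added example (not code from the original article or from Cisco Talos): it scans a PDF's raw objects for sticky-note annotations, link targets, phone numbers and embedded images (the spots where a QR code lives), inflating any FlateDecode streams first. The PDF below is a constructed sample built to resemble the lure; the phone number and URL in it are placeholders.

```python
import re
import zlib

# Constructed sample PDF (not a real lure): a sticky-note annotation carrying a
# "support" number, a URI action where a QR code would point, and an image XObject.
# Written uncompressed for readability; real lures usually Flate-compress streams.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] /Resources << /XObject << /Im1 6 0 R >> >> /Contents 7 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Text /Contents (Action required: call support at 1-555-010-2299) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/login) >> >> endobj
6 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Length 0 >> stream
endstream endobj
7 0 obj << /Length 60 >> stream
BT /F1 18 Tf 72 700 Td (Microsoft Paycheck Increment Notice) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# North American phone-number shapes; extend for other regions as needed.
PHONE_RE = re.compile(rb"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def _inflate_streams(data):
    """Append the decompressed content of FlateDecode streams so their text is scannable too."""
    out = [data]
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)endstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # corrupt or differently encoded stream; nothing more to read here
    return b"\n".join(out)

def triage_pdf(data):
    """Return the lure indicators found: sticky notes, link targets, phone numbers, image count."""
    blob = _inflate_streams(data)
    return {
        "sticky_notes": re.findall(rb"/Subtype\s*/Text\b[^>]*?/Contents\s*\((.*?)\)", blob, re.S),
        "uris": re.findall(rb"/URI\s*\((.*?)\)", blob),
        "phone_numbers": PHONE_RE.findall(blob),
        "images": len(re.findall(rb"/Subtype\s*/Image\b", blob)),  # candidates for QR decoding / OCR
    }

def is_callback_lure(data):
    """Heuristic: a phone number next to a sticky note, link or image is worth quarantining for review."""
    r = triage_pdf(data)
    return bool(r["phone_numbers"]) and (bool(r["sticky_notes"]) or bool(r["uris"]) or r["images"] > 0)
```

Images that the scan reports still need a QR decoder or OCR pass to recover the text they carry; this block only tells you where to look.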

Anonymity with VoIP

Attackers use recycled VoIP numbers to stay anonymous and maintain the illusion of legitimacy over multiple days.

Spoofing Internal Mails

Attackers exploit Microsoft 365 Direct Send to spoof internal addresses and bypass email filters, making these phishing messages more convincing.
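A mail-flow check for this abuse, as an added example that is not part of the original article: a message whose From address is one of your own domains but which arrived with no passing SPF or DKIM result is the signature Direct Send relaying leaves behind. The two messages and the domain list are constructed samples; the Authentication-Results header shape follows what Exchange Online stamps on inbound mail.

```python
import email
import re
from email import policy

# Domains this organization owns (constructed value; use your own).
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample: an unauthenticated message claiming an internal sender,
# the shape produced when an outsider relays straight to the tenant's smart host.
SPOOFED_MSG = """\
Authentication-Results: example-com.mail.protection.outlook.com; spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=example.com; dkim=none (message not signed); dmarc=fail action=oreject header.from=example.com
From: IT Support <helpdesk@example.com>
To: user@example.com
Subject: Paycheck Increment notice (PDF attached)

(blank body, PDF attachment omitted)
"""

# Constructed sample: a message from the same sender that passed authentication.
LEGIT_MSG = """\
Authentication-Results: example-com.mail.protection.outlook.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: IT Support <helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance

Body
"""

def _auth_result(header_value, method):
    """Return the result token (pass/fail/none/...) for one method in Authentication-Results."""
    m = re.search(rf"\b{method}=(\w+)", header_value or "")
    return m.group(1).lower() if m else "none"

def is_direct_send_spoof(raw_message):
    """Flag a message that claims one of our domains in From yet passed neither SPF nor DKIM."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain not in INTERNAL_DOMAINS:
        return False  # external sender: ordinary anti-spoofing controls apply
    auth = msg["Authentication-Results"]
    # Direct Send relays arrive unauthenticated: SPF not passing and no DKIM signature.
    return _auth_result(auth, "spf") != "pass" and _auth_result(auth, "dkim") != "pass"
```

A transport rule that quarantines messages this check flags, together with a DMARC policy of reject, closes the gap the table row below describes.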

Scam Techniques vs. Impact & Easy Fixes

| Scam Feature | Why It's Dangerous | How to Protect Yourself |
|---|---|---|
| PDF attachments | Bypass text filters, mimic brand identity | Disable auto-open; preview before launching |
| QR codes | Hidden malicious links | Avoid scanning with phone; hover to check URL |
| VoIP callback numbers | Hard to trace, seem professional | Don’t call unverified numbers; confirm via official support site |
| Phone social engineering | Live manipulation increases success | Verify caller credentials; ask for details via official channels |
| M365 Direct Send spoofing | Bypasses normal anti-spam protections | Use strict DMARC, DKIM, SPF and internal filtering |

Simple Steps to Stay Safe

  • Never open PDFs from unknown or suspicious emails.

  • Avoid calling phone numbers inside unsolicited PDFs—confirm via official websites.

  • Don’t scan QR codes in unexpected attachments.

  • Use email security filters that analyze attachments and VoIP call metadata.

  • Train staff to recognize callback phishing and verify requests independently before responding.

Conclusion

This emerging phishing method, callback phishing via malicious PDFs, is gaining traction because it blends technical evasion with psychological manipulation. Attackers weaponize urgency, brand familiarity, and human trust to trick victims into calling and self-compromising. Keeping your defenses strong means being aware, cautious, and always verifying—especially when communication moves from screen to phone.

FAQs

What is a callback phishing attack (TOAD)?

Callback phishing is a scam where users are tricked into calling a fake support number mentioned in an email or PDF, where attackers impersonate real companies.

Why are hackers using PDFs for phishing in 2025?

PDFs help bypass email security filters and appear legitimate, making it easier to trick users into interacting with the content.

Which companies are commonly impersonated in these phishing campaigns?

Popular brands include Microsoft, DocuSign, NortonLifeLock, PayPal, and Geek Squad.

What happens when someone calls the number in a phishing PDF?

Attackers pretend to be customer support agents and may try to steal personal info, credentials, or install malware.

How are QR codes used in phishing PDFs?

The PDF may contain a QR code linking to a fake login page or malicious website.

Are these phishing PDFs detectable by antivirus?

Many are not, especially if they use annotations or embedded QR codes instead of direct links.

What is the goal of callback phishing?

To gain trust through voice communication and extract sensitive data or access.

Is Microsoft 365 involved in this phishing attack?

Yes, attackers are exploiting Microsoft 365’s Direct Send feature to spoof internal emails.

What is PDF annotation abuse?

It’s when attackers hide malicious links in sticky notes or comments inside PDFs.

How can I identify a phishing PDF?

Look for urgent messages, support numbers, QR codes, and brand impersonation.

What makes these scams so effective?

They mix technical bypassing (like using PDFs) with human manipulation over the phone.

Are VoIP numbers traceable?

Not easily—attackers use them to stay anonymous and reuse them for several days.

What devices are targeted in these scams?

Both mobile and desktop users, with a focus on Android malware and remote access installs.

What is Direct Send in Microsoft 365?

It’s a feature that allows internal delivery of emails without authentication, which attackers exploit.

How do these scams differ from normal phishing?

They combine email, voice calls, and real-time social engineering instead of just links or fake websites.

What is the FBI’s stance on TOAD attacks?

The FBI has warned about callback phishing as a growing threat since May 2025.

How do these attackers sound so convincing?

They use call center scripts, hold music, and spoofed caller IDs to mimic real support teams.

Are there any visual signs in the email or PDF?

Yes, often official-looking logos, fake payment notices, or voicemail alerts are used.

What is the risk of scanning QR codes in unknown PDFs?

You might be redirected to a phishing site or malware payload.

Is this the same as a tech support scam?

It’s similar but starts via PDF email instead of pop-ups or browser redirects.

Can company emails be spoofed in these attacks?

Yes, attackers spoof internal email addresses using predictable smart host names.

What should I do if I called a number from a suspicious PDF?

Disconnect the call, do not share info, and run a full malware scan.

What tools help stop these scams?

Email filters, QR scanners, endpoint protection, and PDF analysis tools.

Is brand impersonation common in phishing?

Yes, it's one of the most widely used techniques to gain user trust.

Can these scams target organizations too?

Absolutely—especially IT staff and finance departments.

How do attackers create convincing GitHub scams?

They publish fake code, tutorials, and use bot accounts to promote them for AI indexing.

Why are AI tools involved in phishing now?

Cybercriminals try to game LLMs to suggest malicious URLs when users ask for login links.

What is Hacklink and how does it help phishing?

It’s a black market that lets attackers inject links into compromised .gov or .edu sites to boost fake page rankings.

Can phishing campaigns manipulate search engine results?

Yes, through injected code and backlinks from high-trust domains.

How can I report these scams?

Report to your email provider, CERT, or national cybersecurity agencies.