Phishing attacks have evolved from simple “click here” links to complex, multi-stage puzzles designed to baffle security scanners. A new report from the X-Labs team uncovers a sophisticated campaign that leverages trusted cloud infrastructure and a chain of PDF documents to steal credentials, ultimately using a Telegram bot as a drop point for stolen data.
The campaign is a masterclass in evasion, exploiting the implicit trust users place in file attachments and familiar cloud services. By avoiding malicious links in the initial email, the attackers bypass traditional filters, landing their bait directly in the inbox.
The attack begins with a standard business email disguised as a procurement or tender request. The message urges the recipient to review an attached request order, creating a sense of urgency.
Crucially, the email itself is technically clean. “The email body itself contains no malicious links. Instead, this attack relies on a PDF attachment as the primary delivery mechanism,” the report explains.
Because there is no suspicious URL to flag, the email sails through defenses. “Emails like this are particularly effective because they often pass standard email authentication checks such as SPF, DKIM and DMARC.”
When the victim opens the attachment, they aren’t immediately infected. Instead, they are presented with a link that directs them to another PDF. This second document isn’t hosted on a shady domain; it lives on Vercel Blob, a legitimate cloud storage service used by developers.
“The malicious chain relies on seemingly legitimate cloud infrastructure, such as Vercel Blob storage, to host a PDF that ultimately redirects victims to a Dropbox-impersonation page,” the report warns.
By hosting their redirection point on a high-reputation domain, the attackers ensure their traffic looks benign to network monitors. “By using legitimate cloud infrastructure, the attackers reduce suspicion, bypassing many automated security checks that rely on reputation and known-bad indicators.”
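The PDF-to-cloud hop described above can be checked at the mail gateway without rendering the document, because a clickable link in a PDF is stored as a `/URI` action in a link annotation. The following Python is an added illustration, not code from the X-Labs report or its authors: it pulls every `/URI` target out of raw PDF bytes (both literal and hex-encoded PDF strings) and flags targets that point at developer cloud storage or that name a brand on a host the brand does not own. The sample PDF is hand-constructed, the host watchlist is an assumed starting point (the `vercel-storage.com` suffix is assumed from Vercel Blob's public URL format, not taken from the report), and the parser handles only plain, unencrypted objects, not compressed object streams.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, hand-written PDF carrying three link annotations.
# It is NOT the campaign's document; it only exercises the parser below.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://store-id.public.blob.vercel-storage.com/request-order.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://files-share.example.net/dropbox/login) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI <68747470733a2f2f7777772e6578616d706c652e636f6d2f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI value is a PDF string: either a literal "( ... )" with backslash escapes
# or a hexadecimal "< ... >". The "/S /URI" key that precedes it has no string
# after it, so the regex skips it and lands on the real target.
_URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")


def _decode_pdf_string(token: bytes) -> str:
    if token.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", token[1:-1])
        if len(hexdigits) % 2:  # PDF spec: an odd trailing digit is padded with 0
            hexdigits += b"0"
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    body = token[1:-1]
    # Resolve the escapes that matter for URLs: \( \) and \\ ; others are left as-is.
    body = re.sub(rb"\\([()\\])", rb"\1", body)
    return body.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the raw PDF bytes, in file order."""
    return [_decode_pdf_string(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


# Assumed watchlist of developer/file-hosting domains that get abused as
# reputation-laundering hops. Constructed starting point, extend from your own telemetry.
CLOUD_STORAGE_SUFFIXES = ("vercel-storage.com",)
# Brands whose login pages get impersonated, mapped to the domain they actually own.
BRAND_DOMAINS = {"dropbox": "dropbox.com"}


def _host_matches(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def triage_pdf_links(pdf_bytes: bytes) -> list[dict]:
    """Classify each extracted link; 'reasons' is empty for links with no finding."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        reasons = []
        if any(_host_matches(host, s) for s in CLOUD_STORAGE_SUFFIXES):
            reasons.append("link to cloud storage host (possible redirect hop)")
        for brand, legit in BRAND_DOMAINS.items():
            if brand in uri.lower() and not _host_matches(host, legit):
                reasons.append(f"'{brand}' in URL but host is not {legit} (lookalike)")
        findings.append({"uri": uri, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_pdf_links(SAMPLE_PDF):
        status = "FLAG" if f["reasons"] else "ok  "
        print(f"{status} {f['uri']}  {'; '.join(f['reasons'])}")
```

Run it on a real attachment with `triage_pdf_links(open(path, "rb").read())`. A single link to a cloud-storage host is not proof of anything, which is why the function returns reasons rather than a verdict; the useful signal in this campaign is the combination: an unsolicited procurement PDF whose only link is a cloud-hosted second PDF.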
The final destination is a fake Dropbox login page designed to harvest credentials. Once the user enters their email and password, the trap snaps shut.
“Once the victim enters login details, credentials get harvested. These stolen credentials are then exfiltrated to attacker-controlled command-and-control infrastructure,” the X-Labs team notes.
Interestingly, the attackers use a Telegram bot to collect the loot. The malicious script captures not just the password, but also system and location information, transmitting it all to a Telegram channel while the user is shown a fake “Login successful” alert followed by a simulated failure.
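The Telegram drop point is the one part of this chain that leaves a clean network signature: a browser script posting to Telegram's Bot API, whose documented URL form is `https://api.telegram.org/bot<token>/<method>`, with the phishing page as the referer. The Python below is an added example (not code from the X-Labs report) that runs a detection over a constructed proxy-log excerpt, flags Bot API calls, redacts the bot token so the alert can be shared, and reconstructs the preceding requests from the same client so the PDF-to-cloud-to-fake-page sequence is visible in the alert. The log format (`timestamp src_ip method url referer`) and every URL in it are constructed for the example.

```python
import re

# Constructed proxy log excerpt (not from the report). Format, one request per line:
#   timestamp src_ip method url referer   ("-" when no referer was sent)
SAMPLE_LOG = """\
2024-01-01T09:12:01Z 10.0.0.15 GET https://store-id.public.blob.vercel-storage.com/request-order.pdf -
2024-01-01T09:12:30Z 10.0.0.15 GET https://files-share.example.net/dropbox/login https://store-id.public.blob.vercel-storage.com/request-order.pdf
2024-01-01T09:13:02Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendMessage https://files-share.example.net/dropbox/login
2024-01-01T09:13:03Z 10.0.0.15 GET https://geo-lookup.example.org/json https://files-share.example.net/dropbox/login
2024-01-01T09:15:44Z 10.0.0.22 GET https://www.example.com/ -
"""

_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Telegram Bot API: /bot<numeric id>:<secret>/<method>. The secret is the part
# that must never be copied into a ticket or a SIEM note, hence the redaction.
_BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url, referer = m.groups()
        events.append({"timestamp": ts, "src_ip": src, "method": method,
                       "url": url, "referer": None if referer == "-" else referer})
    return events


def detect_telegram_exfil(text: str) -> list[dict]:
    """One alert per Bot API request, with the client's earlier requests attached."""
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        m = _BOT_API_RE.match(ev["url"])
        if not m:
            continue
        bot_id, _secret, api_method = m.groups()
        # Everything this client fetched before the exfil call: the chain that led here.
        preceding = [e["url"] for e in events[:i] if e["src_ip"] == ev["src_ip"]]
        alerts.append({
            "timestamp": ev["timestamp"],
            "src_ip": ev["src_ip"],
            "bot_id": bot_id,
            "api_method": api_method,
            "redacted_url": f"https://api.telegram.org/bot{bot_id}:<redacted>/{api_method}",
            "referer": ev["referer"],
            "preceding_urls": preceding,
            # A browser page as referer means a web script, not a legitimate bot host, made the call.
            "browser_origin": ev["referer"] is not None,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_telegram_exfil(SAMPLE_LOG):
        print(f"{a['timestamp']} {a['src_ip']} -> {a['redacted_url']} (referer {a['referer']})")
        for url in a["preceding_urls"]:
            print(f"    earlier: {url}")
```

In an environment with no sanctioned Telegram bots, any hit from `detect_telegram_exfil` is worth a credential reset for the user behind `src_ip`; where bots are sanctioned, `browser_origin` separates a server-side integration from a script running inside a login page. The bot id survives redaction on purpose: it is what you pivot on to find other victims of the same kit.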
This multi-layered approach (PDF to cloud to fake page) demonstrates how attackers are increasingly “living off the land,” using the very tools businesses rely on to breach their defenses.