Lately, cybersecurity experts have detected a new wave of rather clever online scams. These are phishing campaigns that impersonate well-known brands such as Microsoft, DocuSign, PayPal, NortonLifeLock, and Geek Squad. But the most curious (and concerning) part is that instead of stealing your information through a form, they prompt you to make a phone call.
Yes, you read that right: cybercriminals are using PDF files to convince people to call numbers they control, posing as the customer service department of a well-known company. This technique is known as callback phishing, or TOAD (Telephone-Oriented Attack Delivery).
It all starts with an email that, at first glance, looks legitimate. It might appear to come from a brand like Microsoft, for example, and it includes a PDF attachment. When you open it, you see a message that says something like: “There’s an issue with your account” or “You’ve been charged for something you didn’t recognize,” and it gives you a phone number to call to resolve it.
Most people, upon seeing a recognizable brand and an urgent message, fall for the trap without suspecting a thing.
When you call, someone answers as if they work in the company’s tech support. They have prepared scripts, hold music, and even caller IDs that mimic real ones. It all seems very professional. But in reality, they’re trying to get you to reveal sensitive information (such as passwords or credit card numbers) or even install malicious software on your computer.
PDF files are ideal for this type of scam for several reasons:
They look professional, so they inspire trust.
They can be opened on almost any device without raising suspicion.
Within the PDF, attackers can insert links, buttons, QR codes, and even interactive fields to redirect you to fake sites or include a phone number as a contact point.
Between May 5 and June 5, 2025, hundreds of these emails were analyzed, and the data is clear: Microsoft and DocuSign are among the most commonly impersonated brands. An increase in emails with fake logos and messages from Adobe, Dropbox, and other well-known platforms has also been observed.
One of the most creative techniques being used involves embedding QR codes inside the PDF. These codes, which seem harmless, are designed for you to scan with your phone. And that’s where the trouble begins: in many cases, they redirect you to a fake page that mimics the website of Microsoft, Google, or another service, where you're asked to log in.
Even worse, some PDF files use features like annotations, sticky notes, or form fields to hide malicious links that activate as soon as you click anywhere in the document. At first glance, everything looks normal, but they’re carefully designed to trick you without you realizing it.
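One way a mail gateway or analyst script could surface the "click anywhere" trick described above is to look for link annotations whose rectangle covers most of the page. This is an added example, not code from the article or from any vendor it names; it assumes the PDF objects are stored uncompressed, and the sample bytes, the placeholder URIs, the function name `find_oversized_links` and the 50% threshold are all constructed for illustration.

```python
import re

# Constructed sample: uncompressed one-page PDF fragment with two link
# annotations. URIs are placeholders on the reserved .invalid TLD.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Page /MediaBox [0 0 612 792] /Annots [2 0 R 3 0 R] >> endobj
2 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (https://login.example.invalid/verify) >> >> endobj
3 0 obj << /Type /Annot /Subtype /Link /Rect [72 40 200 60]
  /A << /S /URI /URI (https://www.example.invalid/help) >> >> endobj
"""

NUM = rb"(-?\d+(?:\.\d+)?)"
BOX = rb"\[\s*" + rb"\s+".join([NUM] * 4) + rb"\s*\]"
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
MEDIABOX_RE = re.compile(rb"/MediaBox\s*" + BOX)
RECT_RE = re.compile(rb"/Rect\s*" + BOX)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)


def _area(match):
    """Area of a PDF rectangle [x0 y0 x1 y1] captured by BOX."""
    x0, y0, x1, y1 = (float(v.decode("ascii")) for v in match.groups())
    return abs(x1 - x0) * abs(y1 - y0)


def find_oversized_links(pdf_bytes, threshold=0.5):
    """Return [(uri, coverage)] for URI links covering > threshold of the page."""
    page = MEDIABOX_RE.search(pdf_bytes)
    # Simplification: the first /MediaBox is used for every page; US Letter if absent.
    page_area = _area(page) if page else 612.0 * 792.0
    hits = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        body = obj.group(1)
        rect, uri = RECT_RE.search(body), URI_RE.search(body)
        if not (LINK_RE.search(body) and rect and uri and page_area):
            continue
        coverage = _area(rect) / page_area
        if coverage > threshold:
            hits.append((uri.group(1).decode("latin-1"), round(coverage, 2)))
    return hits


if __name__ == "__main__":
    for uri, coverage in find_oversized_links(SAMPLE_PDF):
        print(f"link covers {coverage:.0%} of the page -> {uri}")
```

PDFs that keep their annotations inside compressed object streams need to be decompressed with a PDF library before a scan like this sees them.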
One reason these phishing campaigns are so effective is that they play on urgency and trust. When you see a charge you don’t recognize or a warning that your account will be suspended, your natural reaction is to act quickly. And if the message appears to come from a well-known company, it’s very easy to fall into the trap.
Moreover, by having you make the call, attackers bypass many automated security filters. Antivirus software, spam filters, and other tools don’t detect anything suspicious in a PDF that simply contains a phone number.
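Because there is no link or malware for a filter to catch, detection has to key on the combination the campaign relies on: a brand name, a billing or account lure, and a phone number. The sketch below is an added example (not the article's or any vendor's code) that runs over text already extracted from an email body or PDF; the lure phrases, the sample messages, the North American number format and the `known_numbers` allowlist parameter are assumptions made for illustration.

```python
import re

# Brand names taken from the article; lure phrases and sample messages below
# are constructed for this example.
BRANDS = ("microsoft", "docusign", "paypal", "nortonlifelock", "geek squad",
          "adobe", "dropbox")
LURE_RE = re.compile(
    r"issue with your account|charged|invoice|renewal|subscription|"
    r"suspended|unauthori[sz]ed|refund", re.I)
# North American style numbers only (assumption for the example).
PHONE_RE = re.compile(
    r"(?<![\d.])(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://|www\.", re.I)

LURE_TEXT = ("Microsoft Billing: You've been charged $389.99 for a renewal. "
             "If you did not authorize this, call +1 (202) 555-0143 today.")
BENIGN_TEXT = ("Your Microsoft invoice is ready. "
               "View it at https://www.example.invalid/billing")


def normalize_phone(raw):
    """Reduce a matched number to its last 10 digits for comparison."""
    return re.sub(r"\D", "", raw)[-10:]


def assess_callback_lure(text, known_numbers=frozenset()):
    """Flag text that pairs a brand and a billing/account lure with a phone
    number that is not on the caller-supplied list of verified numbers."""
    lowered = text.lower()
    brands = [b for b in BRANDS if b in lowered]
    lures = sorted({m.group(0).lower() for m in LURE_RE.finditer(text)})
    phones = sorted({normalize_phone(m.group(0))
                     for m in PHONE_RE.finditer(text)})
    unverified = [p for p in phones if p not in known_numbers]
    return {
        "brands": brands,
        "lures": lures,
        "unverified_phones": unverified,
        "has_url": bool(URL_RE.search(text)),
        "callback_lure": bool(brands and lures and unverified),
    }


if __name__ == "__main__":
    for label, text in (("lure", LURE_TEXT), ("benign", BENIGN_TEXT)):
        print(label, assess_callback_lure(text))
```

A hit is a reason to quarantine or banner the message for review rather than proof of fraud, since legitimate invoices also carry support numbers.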
And during the call, the scammers are convincing. They have prepared answers for everything, use professional language, and even put you on hold with corporate-style music to make it feel like you're talking to a legitimate company.
Cisco Talos explains that most cybercriminals use internet-based phone numbers (VoIP) to remain anonymous and make it much harder to trace them. Interestingly, they sometimes use the same number for several days in a row, which allows them to call the same person back and continue the scam in different stages—as if it were a real support or customer service process. This way, they can carry out more elaborate attacks, gain the victim’s trust, and advance step-by-step without raising suspicion.
According to security experts, brand impersonation remains one of the most commonly used strategies in malicious emails—and that’s no coincidence. People tend to trust emails when they see names like Microsoft, Adobe, or even their own email provider.
That’s why many security solutions are beginning to include intelligent systems to detect this type of impersonation, as they can make all the difference in stopping an attack before any harm is done.
And speaking of Microsoft… in recent months, some hackers have discovered a very clever way to abuse a legitimate Microsoft 365 feature called "Direct Send." Using it, they can send phishing emails that appear to come from within the company, without needing to steal credentials or take over an account. This trick has already been used against more than 70 organizations since May 2025, according to data from Varonis.
What’s most concerning is that these emails use addresses that look legitimate, such as those ending in *.mail.protection.outlook.com, which causes many security systems to fail to flag them as suspicious. As a result, the messages go unnoticed and land directly in users’ inboxes.
[Figure: Example of a phishing email from the campaign (Source: Varonis)]
Attackers continue to refine their tactics, now using everything from PDF files to legitimate Microsoft 365 features to launch increasingly convincing phishing campaigns. These methods are effective because they exploit trust and urgency—not just technology.
That’s why, in addition to staying alert and thinking twice before clicking or calling an unknown number, it’s crucial to have tools that detect these threats before they reach the user. Solutions like TecnetProtect, which integrates Acronis technology, can help identify advanced phishing emails and impersonation attacks, protecting users and businesses in real time through features such as:
Real-time behavior analysis
Brand spoofing detection
Intelligent scanning of links and attachments
Protection against malicious emails with no files or links
Prevention of BEC attacks and email fraud
Thanks to this proactive approach, TecnetProtect stops attacks before they reach the user’s inbox—even if they’re brand-new threats. Because in cybersecurity, the best defense is to stay one step ahead.