Dear Potential Victim,

This is an example of a new type of phishing attack, where the attacker sends you an email with a PDF attachment, neither of which contain overly suspicious wording, broken English, or links to Russian websites. Often times, they’re sent using compromised user accounts from perfectly legitimate email providers, such as Office 365 or Gmail, and therefore, are undetected by anti-spam systems.  Since there is no malware attached, or suspicious links in the body of the email, they’re delivered directly to your Inbox.

However, when you ignore the #1 rule of email security (don’t open attachments or click on links from senders you don’t know), you may become a victim of this attack.  That’s because they’re going to craft a simple yet intriguing email, enticing you to “click the icon below.” Sometimes, it will be a familiar attack, such as a letter from UPS indicating you have a delivery.  They’re simply using a different delivery mechanism in hopes of bypassing your anti-spam controls, catching you with your guard down. Or it could be a “Secure Email Notification”, indicating that you’ve received an encrypted email and must click the icon below to access it.  If they’ve taken their time to craft the attack, the PDF will look legitimate, possibly including your name, company letterhead, a document ID, date/time stamps, etc.   They could even include the image of a popular website security seal, to further the legitimacy, which of course, if you clicked on it, you would be taken to the same malware infested site.

The objective of this type of attack, is to bypass the existing anti-spam controls you have in place, since we’ve been trained to look for suspicious links in the body of emails. But the end result is the same, you’re most likely being redirected to a site containing malware or to a page which will further entice you to supply personal information.

The challenge with detecting this type of attack, is that the email is often times “technically” legitimate. There is nothing suspicious in the body, nor is the attachment suspicious in nature. It’s up to you, the recipient, to employ the Security Awareness and Training you’ve received, and realize you shouldn’t open or click the links within.

But what happens if you do click the link? Here’s the answer everyone loves, it depends. If you’re using a Mac and the PDF opens in the default Viewer application, Windows 10 and the PDF opens in Edge, or either operating system using Chrome as the browser, there will be no security prompts (the answer I’m sure you wanted to hear). If you click the image above to access your encrypted email, or the Norton Secured icon in the footer, you’ll simply be taken to the website embedded into the PDF (please feel free to test using this PDF).

However, if you’re using Adobe, you’ll have two additional chances to realize it’s phishing before you’re taken to the site. The first is a technique which is often applicable in emails, where you simply leave your mouse pointer over the link (or image in this case), and the address will be displayed.

But if you do happen to click that one, there is an Adobe Security Warning, which clearly displays the site you’re being taken to. So, you have one final chance to Cancel.


Threats continue to emerge daily, so it’s up to you, as our last line of defense, to always be on guard, especially when it comes to email, attachments, and clicking links. For more information, or for free end user security training information, please visit our website’s education section.

Brian Shrift

Leave a Comment

You must be logged in to post a comment.