Brand impersonation is nothing new. But Cisco Talos says it’s showing up in increasingly creative forms—especially within PDF attachments.
A recent update to Cisco’s intelligence brand impersonation detection engine now expands its reach. It picks up a broader array of email threats where trusted brand names arrive not in plain text, but tucked inside PDF payloads. Some even come armed with QR codes or clickable annotations. Others skip links altogether and simply urge the victim to call a phone number.
It’s a subtle twist on an old scam. And it’s working.
Callback Phishing Via PDF
This isn’t your average phishing campaign. Many of these PDFs carry what Talos calls Telephone-Oriented Attack Delivery, or TOAD. The document prompts the recipient to dial a number, often VoIP, frequently reused, and controlled by the attacker. Once on the line, the victim is met with a convincing voice, posing as someone from Geek Squad, PayPal, or another familiar name.
There’s no malicious link to click. Just a phone call. And that makes it harder to detect using traditional defenses.
The live interaction allows the attacker to manipulate emotions and responses in real time, Talos researchers explain. It’s phishing without the hook: no spoofed login pages or fake CAPTCHAs required.
Still, those are in play too. Some emails combine tactics: impersonating Microsoft, Adobe, or DocuSign via embedded logos, QR codes, and layered payloads that bypass keyword-based spam filters.
The Versatility of PDFs
It’s the versatility of PDFs that makes them such an effective delivery method. Their structure allows for multiple layers of content, such as text, images, annotations, and even hidden URLs. Attackers are using every inch of that real estate.
One PDF may show a familiar company logo. Another hides a shortened URL in a sticky note or form field. Some mimic official documents, uploaded and sent through Adobe’s e-signature service to add a sheen of legitimacy. And because PDFs render on open, trusted platforms like Adobe Reader, most recipients don’t think twice before opening them.
QR codes are another favorite. They blend naturally into documents and, once scanned, redirect the user to phishing pages, often protected by CAPTCHA screens to appear more secure and delay detection.
Talos has even tracked phishing emails with multiple embedded links. A visible QR code leads to a benign page, while an annotation hides the real threat. It’s sleight-of-hand, built into the file.
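The two patterns described above (a brand name plus a callback number with no link at all, and a link carried in an annotation that the visible text never mentions) can be checked for mechanically. The following is an added example, not code from Talos or Cisco; the watch lists, the sample PDF fragments, and the phone number are constructed for illustration, and it assumes uncompressed PDF content (compressed streams would need inflating first).

```python
import re
from urllib.parse import urlparse

# Assumed watch lists: brand names are those the article cites; shorteners are illustrative.
BRANDS = ("microsoft", "docusign", "adobe", "paypal", "geek squad", "nortonlifelock")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

PDF_STRING = rb"\(((?:\\.|[^\\()])*)\)"               # literal PDF string: ( ... )
URI_ACTION = re.compile(rb"/URI\s*" + PDF_STRING)      # link target of a URI action
SHOWN_TEXT = re.compile(PDF_STRING + rb"\s*Tj")        # text the reader actually sees
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def triage_pdf(raw: bytes) -> dict:
    """Heuristic triage of uncompressed PDF bytes for the lures described above."""
    uris = [u.decode("latin-1") for u in URI_ACTION.findall(raw)]
    text = " ".join(t.decode("latin-1") for t in SHOWN_TEXT.findall(raw))
    lowered = text.lower()
    hosts = {u: (urlparse(u).hostname or "") for u in uris}
    report = {
        "brands": [b for b in BRANDS if b in lowered],
        "phones": PHONE.findall(text),
        # A link whose host never appears in the visible text is hidden from the reader.
        "hidden_uris": [u for u, h in hosts.items() if h and h not in lowered],
        "shortened_uris": [u for u, h in hosts.items() if h in SHORTENERS],
    }
    if report["brands"] and report["phones"] and not uris:
        report["verdict"] = "callback-phishing (TOAD) candidate"
    elif report["hidden_uris"] or report["shortened_uris"]:
        report["verdict"] = "link hidden in annotation"
    else:
        report["verdict"] = "no indicator"
    return report

# Constructed sample fragments (not real campaign files).
TOAD_PDF = b"BT /F1 12 Tf (PayPal billing notice) Tj (Call +1-202-555-0143 to cancel) Tj ET"
LINK_PDF = b"""BT (DocuSign: review at docs.example.com) Tj ET
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docs.example.com/view) >> >>
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://bit.ly/constructed) >> >>"""

if __name__ == "__main__":
    for name, sample in (("toad", TOAD_PDF), ("link", LINK_PDF)):
        print(name, triage_pdf(sample))
```

Text drawn with TJ arrays, text inside images, and QR codes are outside what this sketch reads; those need a full PDF parser plus image decoding.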
Brands Under Fire
Cisco’s data paints a clear picture: between May 5 and June 5, Microsoft and DocuSign were the most spoofed brands in phishing emails with PDF attachments. For TOAD-style attacks, the names NortonLifeLock, PayPal, and Geek Squad top the list.
In one case, Talos found a VoIP number, +1-818-675-1874, used in TOAD scams for four days straight. The repeat usage isn’t random. It allows malefactors to set appointments, follow up with targets, and keep a consistent brand persona. It’s also cheaper.
These operations aren’t localized. An IP map of recent attacks shows sources across multiple regions, pointing to distributed infrastructure and possibly global scam call centers.
Exploiting Psychological Tendencies
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, says: “By impersonating trusted government agencies with well-crafted PDFs, criminals are exploiting our psychological tendency to comply with authority figures. This aligns with KnowBe4 Threat Labs’ research showing how attackers consistently exploit trusted platforms and brands. The 2025 Phishing Threat Trends Report reveals that 62.6% of phishing attacks now use brand display impersonation to establish credibility.”
What’s particularly concerning is how these attacks exploit mobile device limitations, where reduced screen visibility makes scrutiny more difficult, Malik adds. “KnowBe4’s data shows that 76.4% of phishing attacks now employ polymorphic features to evade detection, and these PDF-based government impersonations represent another tactic.”
A Resurgence of TOADs
Lucy Finlay, Director, Secure Behaviour and Analytics, at Redflags from ThinkCyber, adds that TOADs are nothing new, but their recent resurgence has been notable. “This evolution is accelerated by the use of AI to identify legitimate login URLs of well-known brands that are vulnerable to takeover and imitation. Pair this with the fact that ‘attackers imitate real support workflows,’ and the usual emotional manipulation is present; it’s extremely hard for the victim to use traditionally taught security awareness techniques to detect the scam.”
She says this is why security training needs to be integrated into daily workflows, and nudging at the point of risk is an effective way to do this. “For example, if the victim receives an email from an address that looks extremely plausible as a known brand, and contains a malicious link or attachment, a nudge on these elements to urge caution may be enough to stop the victim from going on to respond to the attempt.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.