PDF, Call, Virus: New Type of Attack That Even Antivirus Software Can't Prevent

ExcalibuR

Each instruction sounds convincing until the victim faces the consequences.


Phone-based fraud schemes that masquerade as support from popular brands are rapidly gaining ground among cybercriminals. Cisco Talos researchers report that attackers are increasingly using an approach called TOAD (Telephone-Oriented Attack Delivery), also known as callback phishing, in which the phishing interaction is moved from the mailbox to the phone. In these attacks the victim is induced to call the criminals, who pose as employees of well-known companies.


According to an analysis of emails with malicious PDF attachments carried out from May 5 to June 5, 2025, the brands most often impersonated in such campaigns were Microsoft and DocuSign. NortonLifeLock, PayPal, and Geek Squad were also heavily used. The criminals count on the trust users place in these names to get victims to take the next step.


The phishing emails often carry PDF documents bearing the logos of popular companies such as Adobe or Microsoft, and these PDFs contain QR codes. Scanning them takes the user to a fake Microsoft login page or to another phishing site that mimics a service such as Dropbox. In some cases the links to malicious sites are hidden inside the PDF in annotations, such as sticky notes or comments, rather than in the visible page content; this placement can slip past security scanners that only examine the visible text and link objects, and at the same time makes the email look more credible.
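As an added example that is not part of the original article or of Cisco Talos's tooling, the following Python script shows what a scanner has to look at to catch the annotation trick described above: it walks a PDF's annotation objects and pulls URLs out of /Link actions and out of the comment text of sticky-note (/Text) annotations, including URIs written as hex strings. The PDF it analyzes is constructed inline for the demonstration; the example.invalid hosts are placeholders, not real phishing sites.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample (not a real malicious file): a minimal, uncompressed PDF with one
# page and three annotations. Object 4 is a sticky-note (/Text) annotation whose comment
# text carries a URL, object 5 is a /Link annotation with a /URI action, and object 6 is
# the same action with the URL written as a PDF hex string, which a naive "grep for
# http" check would miss. example.invalid is a reserved placeholder domain.
HEX_URI = b"https://example.invalid/pay".hex().encode("ascii")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R 5 0 R 6 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Text /Rect [10 10 30 30] "
    b"/Contents (Charge disputed? Call +1-555-0100 or visit "
    b"https://example.invalid/verify to cancel) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 200 120] "
    b"/A << /S /URI /URI (https://login.example.invalid/microsoft) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [100 140 200 160] "
    b"/A << /S /URI /URI <" + HEX_URI + b"> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
ANNOT_RE = re.compile(rb"/Type\s*/Annot\b")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
# Action types that can send the reader somewhere or run something.
ACTION_RE = re.compile(rb"/S\s*/(URI|JavaScript|Launch|GoToR|SubmitForm)\b")
URL_RE = re.compile(rb'https?://[^\s()<>"]+')


@dataclass
class AnnotFinding:
    obj_num: int
    subtype: str
    action: str | None
    urls: list[str]


def _pdf_string(body: bytes, key: bytes) -> bytes | None:
    """Value of /key as raw bytes, accepting a literal (...) string without nested
    parentheses or a hex <...> string (odd-length hex gets a trailing 0, per spec)."""
    m = re.search(rb"/" + key + rb"\s*\(([^()]*)\)", body)
    if m:
        return m.group(1)
    m = re.search(rb"/" + key + rb"\s*<([0-9A-Fa-f\s]*)>", body)
    if m:
        h = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        return bytes.fromhex(h + "0" if len(h) % 2 else h)
    return None


def find_annotation_urls(pdf: bytes) -> list[AnnotFinding]:
    """Scan every uncompressed indirect object that is an annotation and collect the
    URLs in its /URI action and in its comment text (/Contents, rich-text /RC)."""
    findings: list[AnnotFinding] = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if not ANNOT_RE.search(body):
            continue
        sub = SUBTYPE_RE.search(body)
        act = ACTION_RE.search(body)
        urls: set[str] = set()
        uri = _pdf_string(body, b"URI")
        if uri:
            urls.add(uri.decode("latin-1"))
        for key in (b"Contents", b"RC"):
            text = _pdf_string(body, key)
            if text:
                urls.update(u.decode("latin-1") for u in URL_RE.findall(text))
        if urls or act:
            findings.append(AnnotFinding(
                obj_num=int(m.group(1)),
                subtype=sub.group(1).decode("ascii") if sub else "?",
                action=act.group(1).decode("ascii") if act else None,
                urls=sorted(urls),
            ))
    return findings


if __name__ == "__main__":
    for f in find_annotation_urls(SAMPLE_PDF):
        print(f"obj {f.obj_num}: /{f.subtype} annotation, action={f.action}, urls={f.urls}")
```

Two caveats for real samples: most PDFs seen in the wild keep their objects in compressed object streams and often point an annotation's /A at a separate indirect object, so normalize first (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`) or use a full parser such as pypdf rather than raw regexes; and the QR codes themselves are image XObjects that need a barcode decoder (zbar, for instance) before the URL they encode can be run through the same allow/deny logic.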


What distinguishes TOAD attacks is that the criminals prompt the victim to call the phone number provided in the email, supposedly to confirm a transaction or resolve an issue. During the call, the fraudster, pretending to be a support agent, convinces the victim to disclose confidential information or install malicious software on their device.


The effectiveness of such attacks depends largely on their preparation: criminals use scripts, simulate real call center operations, include background hold music, and even spoof phone numbers to make them look legitimate. Often, anonymous VoIP services are used, and the phone numbers remain active for several days, allowing the criminals to run multi-step deception schemes.


As noted by Cisco Talos specialists, such schemes are commonly used to install banking trojans on Android devices and to gain remote access to victims' computers. For the latter, the caller talks the victim into installing legitimate remote-access tools such as AnyDesk or TeamViewer, which then give the criminals full control of the machine.


In May 2025, the FBI officially warned about such attacks organized by the Luna Moth group, which specializes in financial extortion. Members of this group impersonate IT department employees of companies to gain access to their networks.


Another threat comes from abuse of the Direct Send feature in Microsoft 365. Direct Send lets devices and applications deliver mail to a tenant's smart host without authenticating, and criminals use it to send phishing emails that appear to come from the company's own employees, without compromising any real account. Because the smart host name follows a predictable pattern (tenant-name.mail.protection.outlook.com) and the host accepts unauthenticated connections from any Internet address, an attacker who knows the target's domain can submit messages with an internal sender address straight to it; the mail then looks like internal traffic and slips past checks aimed at external senders. Since May 2025, more than 70 organizations have been targeted with this method.
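A detection heuristic for the Direct Send abuse described above, written as an added example for this page rather than taken from the article, from Microsoft, or from any vendor: it inspects the headers of a received message and flags mail whose From address uses one of the tenant's own domains while neither SPF nor DKIM passed and the submission either came in anonymously or from an IP outside the organization's known relays. The two messages it runs on are constructed for the demonstration, with contoso.com as a hypothetical tenant domain, 198.51.100.0/24 as a hypothetical on-premises relay range, and documentation addresses throughout; the header shapes follow what Exchange Online stamps on inbound mail, but every value is invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email import message_from_bytes
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Hypothetical tenant configuration (assumptions for the example).
ACCEPTED_DOMAINS = {"contoso.com"}
TRUSTED_RELAY_NETS = [ip_network("198.51.100.0/24")]  # devices allowed to use Direct Send

# Constructed message 1: an attacker's VPS (203.0.113.7) submits a spoofed "voicemail"
# lure straight to the tenant's smart host. Values are invented.
SPOOFED_MSG = b"""Received: from vps.example.net (203.0.113.7) by
 contoso-com.mail.protection.outlook.com (10.13.1.5) with Microsoft SMTP Server;
 Tue, 17 Jun 2025 09:12:44 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com; compauth=fail reason=000
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Voicemail Service" <voicemail@contoso.com>
To: alice@contoso.com
Subject: New voicemail message (0:42)

You have a new voicemail. Scan the attached QR code to listen.
"""

# Constructed message 2: a scanner on the trusted relay range; SPF passes.
LEGIT_MSG = b"""Received: from relay.contoso.com (198.51.100.10) by
 contoso-com.mail.protection.outlook.com (10.13.1.5) with Microsoft SMTP Server;
 Tue, 17 Jun 2025 09:15:02 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.10)
 smtp.mailfrom=contoso.com; dkim=none header.d=none;
 dmarc=pass action=none header.from=contoso.com; compauth=pass reason=109
From: "Printer" <scanner@contoso.com>
To: alice@contoso.com
Subject: Scanned document

Attached.
"""

FROM_IP_RE = re.compile(r"^from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")


@dataclass
class Verdict:
    suspicious: bool
    from_domain: str
    connecting_ip: str | None
    reasons: list[str] = field(default_factory=list)


def _norm(value) -> str:
    """Collapse header folding so the regexes see a single line."""
    return " ".join(str(value).split())


def connecting_ip(msg) -> str | None:
    """IP that handed the message to the tenant's MX: the 'from' of the Received
    hop written by *.mail.protection.outlook.com."""
    for rcvd in msg.get_all("Received", []):
        line = _norm(rcvd)
        if ".mail.protection.outlook.com" in line:
            m = FROM_IP_RE.match(line)
            if m:
                return m.group(1)
    return None


def assess_direct_send(raw: bytes) -> Verdict:
    msg = message_from_bytes(raw)
    _, addr = parseaddr(_norm(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    ip = connecting_ip(msg)
    if domain not in ACCEPTED_DOMAINS:
        return Verdict(False, domain, ip, ["From domain is external; not a Direct Send spoof"])

    auth = dict(AUTH_RE.findall(_norm(msg.get("Authentication-Results", ""))))
    unauthenticated = auth.get("spf") != "pass" and auth.get("dkim") != "pass"
    anonymous = _norm(msg.get("X-MS-Exchange-Organization-AuthAs", "")).lower() == "anonymous"
    untrusted_ip = ip is not None and not any(ip_address(ip) in net for net in TRUSTED_RELAY_NETS)

    reasons = []
    if unauthenticated:
        reasons.append(f"internal From domain but spf={auth.get('spf', 'none')} dkim={auth.get('dkim', 'none')}")
    if anonymous:
        reasons.append("smart host accepted the submission as Anonymous")
    if untrusted_ip:
        reasons.append(f"submitted from {ip}, outside the trusted relay ranges")
    # Unauthenticated mail in our own name from an anonymous or unknown source is the Direct Send pattern.
    return Verdict(unauthenticated and (anonymous or untrusted_ip), domain, ip, reasons)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        v = assess_direct_send(raw)
        print(f"{label}: suspicious={v.suspicious} ip={v.connecting_ip} reasons={v.reasons}")
```

A heuristic like this is only as good as the relay allowlist and belongs in a mail-flow rule or SIEM query rather than serving as the sole control. The structural fix is on the tenant side: Exchange Online offers an organization-wide Reject Direct Send setting (`Set-OrganizationConfig -RejectDirectSend $true`) that refuses unauthenticated submissions in the tenant's own name, and publishing a strict SPF record (`-all`) with a DMARC policy of `p=reject` for your domains means spoofed mail of this kind fails authentication outright instead of merely looking odd.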


These attacks resemble classic phone fraud, tech support scams, and business email compromise (BEC), but differ in the communication channels they use and in their goal of maintaining a persistent foothold in the victim's systems. Besides stealing login credentials, the criminals redirect victims to fake payment portals or pose as finance department staff to obtain bank card details.


In one incident on June 17, 2025, victims received an email styled as a voicemail notification and carrying a PDF with a QR code that led to a fake Microsoft 365 login page. As the researchers explain, attacks via Direct Send are less visible to standard security systems, which makes the technique particularly attractive to criminals.


Cisco Talos stresses that detecting brand impersonation is one of the key strategies for defending against such threats, given the enduring popularity of this form of social engineering among cybercriminals.