Hackers Use PDF Attachments in Clean Emails to Steal Dropbox Login Credentials

Cybercriminals have developed a clever new phishing campaign designed to steal Dropbox login credentials by using seemingly innocent emails and PDF attachments to bypass traditional security filters.

Researchers at cybersecurity firm Forcepoint recently uncovered this multi-stage phishing attack, which deliberately avoids typical red flags that would trigger spam filters or antivirus software. Instead of embedding harmful links directly in the email, attackers rely on a professional-looking message and a PDF attachment to hook unsuspecting victims and ultimately harvest their credentials.

How the Scam Works

The attack begins with an email that appears completely legitimate — often framed as a routine business message about a procurement request or contract. The message contains no suspicious links or obvious malware, which helps it slip through many automated scanning tools that flag dangerous content.

Inside the email is a PDF file, typically named to look like a standard business document. This PDF uses technical features such as interactive forms to hide clickable text inside what appears to be a normal document. When the recipient clicks on the embedded link, it doesn’t trigger an immediate warning — instead, it directs them to a second PDF hosted on a trusted cloud service like Vercel Blob storage.

By leveraging legitimate cloud storage infrastructure as an intermediate step, the attackers are able to evade many security systems that rely on reputation or known-malicious signatures to block phishing content.
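A defender-side triage sketch for the kind of attachment described above (an added example, not code from Forcepoint's research or from this article): it lists the link actions in a PDF, including ones tucked inside compressed streams, and notes whether the file carries a form. The watched host suffix, the review heuristic and the sample PDF are assumptions constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlparse

# Assumption: host suffixes of file-hosting services to review; tune for your mail flow.
WATCHED_SUFFIXES = (".blob.vercel-storage.com",)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def expand_streams(pdf: bytes) -> bytes:
    """Raw bytes plus every stream that inflates, since link actions can sit in compressed objects."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, other filter); skip it
    return b"\n".join(parts)

def _host(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""

def triage_pdf(pdf: bytes) -> dict:
    """Collect URI actions and form usage so an analyst can decide whether to sandbox the file."""
    data = expand_streams(pdf)
    urls = sorted({re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
                   for m in URI_RE.finditer(data)})  # undoes simple \( \) \\ escapes only
    watched = sorted({h for h in map(_host, urls) if h.endswith(WATCHED_SUFFIXES)})
    has_form = b"/AcroForm" in data
    # Heuristic (assumption): a form-bearing PDF with outbound links, or any watched host.
    return {"urls": urls, "has_acroform": has_form, "watched_hosts": watched,
            "review": bool(watched) or (has_form and bool(urls))}

def build_sample() -> bytes:
    """Constructed test PDF fragment: AcroForm in the catalog, link action inside a Flate stream."""
    hidden = zlib.compress(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://store-example.public.blob.vercel-storage.com/doc.pdf) >> >>")
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /AcroForm << /Fields [] >> >> endobj\n"
            b"2 0 obj << /Filter /FlateDecode /Length " + str(len(hidden)).encode()
            + b" >>\nstream\n" + hidden + b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(build_sample()))
```

A result with `review` set is a cue to open the file in a sandbox and inspect the destination, not a verdict; plenty of legitimate PDFs contain forms and links.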

The Fake Login Trap

Once the victim clicks through the cloud-hosted content, they are redirected to a fake Dropbox login page that is designed to look exactly like the real thing. Here, unaware users may enter their email and password, believing they are signing into a trusted service. In reality, their credentials are immediately captured by the attackers.

Rather than showing anything that would alert the victim, the fake page often displays a generic error message after submission, creating the impression that the login attempt simply failed. Meanwhile, the stolen login details are sent to the attackers via a remote channel, such as a Telegram bot controlled by the cybercriminals.

Why This Phishing Scam Is Effective

This strategy works so well for several reasons:

  • Clean initial emails: Because there are no malicious links or files detectable at the email stage, standard defenses may not block the message.
  • Trusted file format: PDFs are among the most commonly exchanged document types in business communications, meaning recipients are far less likely to treat them with suspicion.
  • Legitimate cloud hosting: Using well-known cloud services for hosting intermediate content makes URLs look more credible and reduces automated blocking.
  • Familiar brand trust: Dropbox is a widely used platform, and fake login pages that mirror its interface can deceive even cautious users.

How You Can Stay Safe

Protecting yourself from sophisticated phishing campaigns like this requires attention to how you interact with emails and files:

  • Think twice before clicking on unexpected attachments, even if they appear professional.
  • Verify the sender’s address and compare it with official domains you know to be legitimate.
  • Always check the URL of login pages — don’t enter credentials unless you are sure you are on the genuine service’s site.
  • If in doubt, contact the sender through a separate channel to confirm they actually sent the document.

Dropbox and other online services also provide guidance on identifying phishing attempts and reporting suspicious messages if you receive them.