Phishing Scam Uses Clean Emails and PDFs to Steal Dropbox Logins

HackRead • February 2, 2026

Companies Mentioned

  • Dropbox (DBX)
  • Forcepoint (WBSN)
  • Vercel
  • Telegram
  • X‑Labs
Why It Matters

The attack demonstrates how cybercriminals leverage reputable cloud services and trusted document formats to steal corporate credentials, raising the threat level for SaaS platforms and enterprise email security.

Key Takeaways

  • Clean procurement emails hide malicious PDF buttons
  • PDF exploits AcroForms and FlateDecode for hidden links
  • Second-stage file hosted on Vercel bypasses filters
  • Fake Dropbox page captures credentials, sends to Telegram
  • Forcepoint updates filters; users must verify login requests

Pulse Analysis

Phishing attacks have evolved beyond obvious malicious links, now exploiting the inherent trust users place in business documents and reputable cloud providers. By embedding hidden AcroForm buttons within seemingly innocuous PDFs, attackers can silently redirect recipients to a secondary payload hosted on Vercel Blob, a legitimate serverless storage service. This approach sidesteps traditional email gateways and URL reputation tools, which often flag only overtly suspicious domains, allowing the campaign to reach a broader audience of unsuspecting professionals.

The technical choreography of the scam is noteworthy. The initial PDF leverages FlateDecode compression to conceal interactive elements, while the Vercel‑hosted file serves a polished replica of Dropbox’s login interface. When credentials are entered, a lightweight script harvests email, password, IP address, and device metadata before transmitting the data to a hard‑coded Telegram bot. This exfiltration channel is difficult to detect because Telegram traffic is encrypted and commonly allowed through corporate firewalls, further complicating incident response efforts.

Mitigation requires a layered strategy. Security teams should enforce strict PDF inspection policies, enable sandboxing for document attachments, and monitor outbound traffic to known messaging platforms like Telegram. End‑users must be trained to verify any unexpected login request, especially when it originates from a document rather than a direct link. For SaaS providers such as Dropbox, reinforcing anti‑phishing cues and offering two‑factor authentication can reduce the payoff of credential‑theft campaigns, while continuous threat‑intel sharing helps organizations stay ahead of novel abuse of trusted cloud services.
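
The PDF inspection step recommended above, sketched as an added example (not code from HackRead or Forcepoint): it inflates FlateDecode streams and reports URI actions that only become visible after decompression, alongside AcroForm and widget markers. The sample document, the `example.invalid` URL and the `suspicious` heuristic are constructed assumptions.

```python
import re
import zlib

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
FORM_MARKERS = (b"/AcroForm", b"/Widget", b"/Btn")


def inflate_streams(data: bytes) -> bytes:
    """Inflate every stream that decodes as zlib (FlateDecode); skip the rest."""
    out = []
    for raw in STREAM_RE.findall(data):
        try:
            # decompressobj ignores the end-of-line bytes before "endstream"
            out.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            continue  # image data, another filter, or an encrypted stream
    return b"\n".join(out)


def find_uris(blob: bytes) -> list:
    return sorted({u.decode("latin-1") for u in URI_RE.findall(blob)})


def inspect_pdf(data: bytes) -> dict:
    """Report URI actions and form markers, split by where they were found."""
    plain = STREAM_RE.sub(b"", data)   # what a scanner sees without decoding
    hidden = inflate_streams(data)     # what appears only after inflating
    markers = sorted(m.decode() for m in FORM_MARKERS if m in plain + hidden)
    hidden_uris = find_uris(hidden)
    return {
        "visible_uris": find_uris(plain),
        "hidden_uris": hidden_uris,
        "form_markers": markers,
        # Assumed triage rule: compressed-only link plus form objects.
        "suspicious": bool(hidden_uris) and bool(markers),
    }


def build_sample() -> bytes:
    """Constructed sample: a button widget whose URI action is Flate-compressed."""
    annot = (b"<< /Type /Annot /Subtype /Widget /FT /Btn "
             b"/A << /S /URI /URI (https://files.example.invalid/order.pdf) >> >>")
    body = zlib.compress(annot)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")
```

Compressed object streams are normal in modern PDFs, so a hit here is a reason to route the attachment to a sandbox and check where the extracted URL leads, not a verdict by itself.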
