New Password-Stealing Phishing Campaign Targets Corporate Dropbox Credentials


A multi-stage phishing campaign is using a sneaky technique to evade detection by security tools and harvest corporate credentials for well-known cloud storage services, researchers have warned.

Forcepoint X-Labs issued an alert about the ongoing campaign on February 2. The attack chain combines phishing emails that claim to concern urgent business, PDF attachments, hidden malicious links and a spoofed login page to steal credentials for Dropbox accounts.

The campaign begins with phishing emails which appear to be related to procurement requests or business purchases.

The messages are brief but convincingly professional, often tailored to appear to come from an organization or contact the target would expect to hear from, and they ask the user to open a PDF attachment for more information.

Forcepoint noted that the succinct nature of the emails gives content-based filters little to flag, and that the messages pass email authentication checks such as SPF, DKIM and DMARC. Those checks only establish that a message came from the domain it claims to; they say nothing about whether the body or attachment is malicious. Meanwhile the implied urgency of the request is designed to pressure the recipient into following the instructions.

If the user opens the PDF, they are asked to follow an embedded link to help with the request. The link is embedded through AcroForm, PDF's interactive-form mechanism, rather than as an ordinary hyperlink, so URL extractors that only inspect link annotations or the visible text can miss it.
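To make the AcroForm point concrete, here is an added triage script (not Forcepoint's tooling) that contrasts a naive URL extractor, which only inspects /Subtype /Link annotations, with one that also walks form-field actions. The PDF it scans is constructed inline for the example; its URLs (example.com and example.net) are placeholders, not indicators from the campaign, and the hex-encoded destination in object 5 is an assumed obfuscation, not something the article documents.

```python
"""Triage a PDF for clickable URLs, including ones hidden in AcroForm form fields.

Added illustration for this article, not Forcepoint's tooling. The sample PDF below
is constructed for the example; its URLs are placeholders, not campaign indicators.
"""
import re

# Uncompressed "N G obj ... endobj" bodies; real samples usually need decompressing first.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)

# Constructed sample: a harmless /Link annotation (object 4) and an AcroForm push-button
# (object 5) whose /A action carries the real destination as a hex-encoded string.
HIDDEN_URL = "https://example.net/review"  # placeholder, assumed for the example
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    b" /A << /S /URI /URI (https://example.com/policy) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (Open) /Rect [72 600 300 640]"
    b" /A << /S /URI /URI <" + HIDDEN_URL.encode().hex().encode() + b"> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def decode_literal(raw: bytes) -> str:
    """Decode a PDF literal string body: \\n-style escapes and \\ddd octal codes."""
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:  # not a backslash
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break
        e = raw[i]
        if e in b"01234567":  # up to three octal digits
            j = i
            while j < len(raw) and j < i + 3 and raw[j] in b"01234567":
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
        else:
            out.append(simple.get(e, e))
            i += 1
    return out.decode("latin-1")


def uri_strings(obj: bytes):
    """Yield every /URI value in an object body, whether (literal) or <hex>."""
    for m in re.finditer(rb"/URI\s*", obj):
        pos = m.end()
        if obj[pos:pos + 1] == b"(":
            depth, i = 0, pos
            while i < len(obj):
                c = obj[i:i + 1]
                if c == b"\\":
                    i += 2  # skip the escaped character
                    continue
                if c == b"(":
                    depth += 1
                elif c == b")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            yield decode_literal(obj[pos + 1:i])
        elif obj[pos:pos + 1] == b"<":
            end = obj.index(b">", pos)
            digits = re.sub(rb"\s", b"", obj[pos + 1:end])
            if len(digits) % 2:
                digits += b"0"  # PDF pads an odd trailing digit with 0
            yield bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def link_annotation_uris(pdf: bytes) -> list:
    """Naive scanner: only /Subtype /Link annotations, the way many URL extractors work."""
    found = []
    for _, body in OBJ_RE.findall(pdf):
        if re.search(rb"/Subtype\s*/Link\b", body):
            found.extend(uri_strings(body))
    return found


def all_action_uris(pdf: bytes) -> list:
    """Thorough scanner: every object carrying a /S /URI action, tagged with its carrier."""
    found = []
    for _, body in OBJ_RE.findall(pdf):
        if not re.search(rb"/S\s*/URI\b", body):
            continue
        if re.search(rb"/Subtype\s*/Widget\b", body) or re.search(rb"/FT\s*/", body):
            kind = "acroform-field"
        elif re.search(rb"/Subtype\s*/Link\b", body):
            kind = "link-annotation"
        else:
            kind = "other"
        found.extend((kind, uri) for uri in uri_strings(body))
    return found


if __name__ == "__main__":
    print("link annotations only:", link_annotation_uris(SAMPLE_PDF))
    print("all URI actions:      ", all_action_uris(SAMPLE_PDF))
```

The naive scanner reports only the benign example.com link; the thorough one also surfaces the example.net destination carried by the button's /A action. Two caveats for real samples: most PDFs compress their objects into Flate streams or object streams, so run them through something like `qpdf --qdf --object-streams=disable in.pdf out.pdf` before this kind of byte-level triage, and actions other than /URI (for instance /Launch or /JavaScript) deserve the same treatment.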

According to the researchers, this link directs the target to a page hosted on what Forcepoint describes as a ‘Trusted Cloud Storage’ platform, which in turn serves a fake but convincing Dropbox login page.

“By using legitimate cloud infrastructure, the attackers reduce suspicion, bypassing many automated security checks that rely on reputation and known-bad indicators in the process,” said Prashant Kumar, senior researcher at Forcepoint.

If the user enters their login credentials, the username and password are sent to a Telegram channel operated by the attackers. With valid credentials, the attackers can log in to the account and potentially use that initial access as a foothold for further attacks.

“These stolen credentials are exfiltrated to attacker-controlled command-and-control infrastructure, enabling further misuse such as account takeover, internal access or additional follow-on fraud,” said Kumar.

Credential theft and identity-based attacks surged during 2025 as cybercriminals sought covert access to enterprise accounts and networks. Sometimes the end goal is data theft itself, but these intrusions can also be the opening stage of more destructive campaigns, including ransomware attacks.
