Cybersecurity researchers are calling attention to phishing campaigns that impersonate popular brands and trick targets into calling phone numbers operated by threat actors.
"A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique known as Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing," Cisco Talos researcher Omid Mirzaei said in a report shared with The Hacker News.
An analysis of phishing emails with PDF attachments between May 5 and June 5, 2025, has revealed Microsoft and Docusign to be the most impersonated brands. NortonLifeLock, PayPal, and Geek Squad are among the most impersonated brands in TOAD emails with PDF attachments.
The activity is part of wider phishing attacks that exploit the trust people place in popular brands to initiate malicious actions. These messages typically carry PDF attachments dressed in the branding of legitimate companies like Adobe and Microsoft, and urge recipients either to scan malicious QR codes that point to fake Microsoft login pages or to click links that redirect to phishing pages posing as services like Dropbox.
QR code phishing emails with PDF payloads have also been found to leverage PDF annotations to embed the URLs within a sticky note, comment, or form fields within a PDF attachment, while linking the QR codes to an authentic web page to give the impression that the messages are trustworthy.
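Because the QR code itself can point at a genuine page while the real phishing URL sits in a sticky note, comment or form field, a gateway that only decodes the QR image misses it. The following is an added example, not Cisco Talos's tooling: it walks a PDF's annotation objects and pulls out every URL, then reports those whose host is not on an allow-list. The PDF is constructed inline; only uncompressed objects and plain FlateDecode streams are searched, and PDF string escapes and hex strings are not decoded, so a production scanner would use a real PDF parser for those cases.

```python
"""Extract URLs from PDF annotations (Link /URI actions, sticky-note
/Contents, form-field /V) so they can be checked alongside the QR code.
Added example with a constructed PDF; not the original article's code."""
import re
import zlib
from urllib.parse import urlparse

# Constructed sample: the Link annotation behind the QR code points at a
# legitimate site, while a sticky note (/Text) and a form field (/Widget)
# carry the attacker's URLs in free text.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]
  /A << /S /URI /URI (https://www.microsoft.com/) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 10 10]
  /Contents (Verify your account: http://login-m365-verify.example/auth) >> endobj
6 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (note)
  /V (Call +1-800-000-0000 or visit https://docusign-review.example/doc) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
ANNOT_RE = re.compile(rb"/Type\s*/Annot(?![A-Za-z])")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream so annotation
    dictionaries packed into object streams are searched as well."""
    extra = []
    for m in STREAM_RE.finditer(pdf):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data, font, etc.)
    return pdf + b"\n".join(extra)


def annotation_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (annotation subtype, url) for every URL inside an annotation
    object, whether it is a /URI action or free text in a note or field."""
    found = []
    for m in OBJ_RE.finditer(inflate_streams(pdf)):
        body = m.group(1)
        if not ANNOT_RE.search(body):
            continue
        st = SUBTYPE_RE.search(body)
        subtype = st.group(1).decode() if st else "?"
        for u in URL_RE.finditer(body):
            found.append((subtype, u.group(0).decode("latin-1").rstrip(".")))
    return found


def off_brand_urls(pdf: bytes, trusted_hosts: set[str]) -> list[tuple[str, str]]:
    """URLs whose host is not allow-listed. The Link behind the QR code
    passes; the note and the form field are the ones worth blocking on."""
    return [(s, u) for s, u in annotation_urls(pdf)
            if urlparse(u).hostname not in trusted_hosts]


if __name__ == "__main__":
    for subtype, url in off_brand_urls(SAMPLE_PDF, {"www.microsoft.com"}):
        print(f"{subtype:7} {url}")
```

The point of the allow-list split is the one the article makes: a verdict based on the QR code's own link alone would clear this attachment.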
In TOAD-based attacks, victims are coaxed into calling a phone number in a purported attempt to resolve an issue or confirm a transaction. During the phone call, the attacker masquerades as a legitimate customer representative and tricks the victim into either disclosing sensitive information or installing malware on their devices.
Most TOAD campaigns rely on the illusion of urgency, but their effectiveness often hinges on how convincingly attackers imitate real support workflows – using scripted call center tactics, hold music, and even spoofed caller IDs.
This technique has been a popular method among threat actors to install banking trojans on Android devices and remote access programs on victim machines to gain persistent access. In May 2025, the U.S. Federal Bureau of Investigation (FBI) warned of such attacks perpetrated by a financially motivated group called Luna Moth to breach target networks by posing as IT department personnel.
"Attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization," Mirzaei said. "Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics."
Cisco Talos said most threat actors use Voice over Internet Protocol (VoIP) numbers to remain anonymous and make it harder to trace, with some numbers reused consecutively for as many as four days, allowing the attackers to pull off multi-stage social engineering attacks using the same number.
"Brand impersonation is one of the most popular social engineering techniques, and it is continuously being used by attackers in different types of email threats," the company said. "Therefore, a brand impersonation detection engine plays a pivotal role in defending against cyber attacks."
In recent months, phishing campaigns have also capitalized on a legitimate feature in Microsoft 365 (M365) called Direct Send to spoof internal users and deliver phishing emails without compromising an account. The method has been employed to target more than 70 organizations since May 2025, per Varonis.
These spoofed messages not only appear to originate from inside the victim organization, they also take advantage of the fact that a tenant's smart host address follows a predictable pattern ("<tenant_name>.mail.protection.outlook.com"), so an attacker can hand the phishing emails to it directly without authenticating.
The TOAD tactic shares similarities with vishing, tech support scams, and business email compromise (BEC), but differs in delivery vector and persistence. While some attackers push victims to download remote access software like AnyDesk or TeamViewer, others route them through fake payment portals or impersonate billing departments to harvest credit card information, broadening the attack surface beyond credential theft alone.
In one phishing email sent on June 17, 2025, the message body resembled a voicemail notification and included a PDF attachment that contained a QR code directing the recipients to a Microsoft 365 credentials harvesting page.
"In many of their initial access attempts, the threat actor utilized M365 Direct Send functionality to target an individual organization with phishing messages that were subject to less scrutiny compared to standard inbound email," security researcher Tom Barnea said. "This simplicity makes Direct Send an attractive and low-effort vector for phishing campaigns."
The disclosure comes as new research from Netcraft found that, when large language models (LLMs) were asked where to log in to 50 different brands across sectors like finance, retail, tech, and utilities, they sometimes answered with hostnames that were not owned by the brands at all.
"Two-thirds of the time, the model returned the correct URL," the company said. "But in the remaining third, the results broke down like this: nearly 30% of the domains were unregistered, parked, or otherwise inactive, leaving them open to takeover. Another 5% pointed users to completely unrelated businesses."
This means users could be sent to a fake website simply by asking an artificial intelligence (AI) chatbot where to sign in, opening the door to brand impersonation and phishing once threat actors register or otherwise take control of these unregistered or unrelated domains.
With threat actors already using AI-powered tools to create phishing pages at scale, the latest development marks a new twist where cybercriminals are looking to game an LLM's response by surfacing malicious URLs as responses to queries.
Netcraft said it has also observed attempts to poison AI coding assistants like Cursor by publishing fake APIs to GitHub that harbor functionality to route transactions on the Solana blockchain to an attacker-controlled wallet.
"The attacker didn't just publish the code," security researcher Bilaal Rashid said. "They launched blog tutorials, forum Q&As, and dozens of GitHub repos to promote it. Multiple fake GitHub accounts shared a project called Moonshot-Volume-Bot, seeded across accounts with rich bios, profile images, social media accounts and credible coding activity. These weren't throwaway accounts – they were crafted to be indexed by AI training pipelines."
The developments also follow concerted efforts by threat actors to inject reputable websites (e.g., .gov or .edu domains) with JavaScript or HTML designed to push phishing sites up in search results. This is facilitated by an illicit marketplace called Hacklink.
The service "enables cybercriminals to purchase access to thousands of compromised websites and inject malicious code designed to manipulate search engine algorithms," security researcher Andrew Sebborn said. "Scammers use Hacklink control panels to insert links to phishing or illicit websites into the source code of legitimate but compromised domains."
These outbound links are associated with specific keywords so that the hacked websites are served in search results when users search for relevant terms. To make matters worse, the actors can alter the text that appears in the search result to match their needs without having to take control of the site in question, impacting brand integrity and user trust.
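Injected links of this kind are meant to be read by crawlers, not visitors, so they are usually hidden with inline CSS and carry commercial keyword anchor text unrelated to the host site. The following is an added example, not Netcraft's tooling, of the check a site owner or scanner can run over a page's HTML: collect every anchor that points off-site and flag the ones sitting inside hidden markup. The page is constructed, and the hidden-style markers are the common ones rather than an exhaustive list (a script that injects links at render time would need the page to be rendered first).

```python
"""Find outbound links on a page and flag those hidden with inline CSS,
the footprint of SEO-poisoning injections. Added example, constructed page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_MARKERS = ("display:none", "visibility:hidden", "font-size:0",
                  "opacity:0", "left:-9999px", "text-indent:-9999px")
# Elements that never get an end tag; must not be pushed on the tag stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}

# Constructed example.gov page: normal navigation plus a block of keyword
# anchors to unrelated domains pushed off-screen by absolute positioning.
SAMPLE_PAGE = """<!doctype html><html><head><title>City of Example</title>
<meta charset="utf-8"></head><body>
<nav><a href="/services">Services</a> <a href="https://portal.example.gov/pay">Pay a bill</a>
<a href="https://www.usa.gov/">USA.gov</a></nav>
<div style="position:absolute; left:-9999px">
  <a href="http://casino-bonus-today.example.net/">online casino bonus</a>
  <a href="http://cheap-meds-rx.example.org/buy">buy cheap meds online</a>
</div>
<p>Council meets Tuesdays.<br>Agenda <a href="https://fonts.googleapis.com/css">style</a></p>
</body></html>"""


class OutboundLinks(HTMLParser):
    """Collect <a href> elements whose host is not the page's own (or a
    subdomain of it), with anchor text and whether an ancestor hides them."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.links: list[dict] = []
        self._stack: list[bool] = []   # one 'hidden' flag per open element
        self._hidden_depth = 0
        self._open: dict | None = None  # the <a> currently being collected

    def _is_hidden(self, attrs: dict) -> bool:
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "hidden" in attrs or any(m in style for m in HIDDEN_MARKERS)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = self._is_hidden(a)
        if tag not in VOID:
            self._stack.append(hidden)
            if hidden:
                self._hidden_depth += 1
        if tag == "a" and a.get("href"):
            host = (urlparse(a["href"]).hostname or "").lower()
            if host and host != self.page_host and not host.endswith("." + self.page_host):
                self._open = {"href": a["href"], "host": host,
                              "hidden": self._hidden_depth > 0, "text": []}

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack and self._stack.pop():
            self._hidden_depth -= 1
        if tag == "a" and self._open is not None:
            self._open["text"] = " ".join("".join(self._open["text"]).split())
            self.links.append(self._open)
            self._open = None

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"].append(data)


def outbound_links(html: str, page_host: str) -> list[dict]:
    p = OutboundLinks(page_host)
    p.feed(html)
    p.close()
    return p.links


def suspicious_links(html: str, page_host: str) -> list[dict]:
    """Hidden outbound links: a legitimate page has little reason to link
    to another domain and then make sure no visitor can see the link."""
    return [l for l in outbound_links(html, page_host) if l["hidden"]]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_PAGE, "example.gov"):
        print(f'hidden outbound: "{link["text"]}" -> {link["href"]}')
```

Outbound links that are visible (the USA.gov and font links here) are reported but not flagged; the keyword text of the hidden ones is what a scanner would then compare against the terms the site legitimately ranks for.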