Warning - New way of bypassing Email security filters?

Frank the Insurance guy

    Just received an email, with a PDF attachment.

    The email is made to look like they are looking for a quotation, and the details are in the attached PDF.

    There is nothing wrong with the PDF itself... however, it is password protected. Putting in the password opens up the PDF, and then it is a PDF document with a LINK to click on with a "PDF logo" to click on (the sort of thing you used to see within the body of emails when scammers were trying to get you to click on it)!

    I called the sender and they know nothing about it!

    Just a warning to others - is there a lot of this happening? The first I have come across!
     

    fisicx

    This one has been around for a while. I get payment advice attachments. Email address is usually spoofed.

    Top tip. Never, ever open unexpected email attachments. Just opening a PDF can infect your network.
     

    fisicx

    Apparently I ordered 200 pumps from China and they now want payment....

    And my domains are all going to expire tomorrow unless I renew with some weird sounding registrar.

    Two examples from today.
     

    alamest

    I’ve had a few of these lately as well, and it does look like scammers are using PDFs to slip past normal filters. The files often look completely clean, but inside there’s usually a link or QR code to a fake login page (Microsoft seems to be a common target). I’ve also seen a couple with hidden scripting that only triggers in certain PDF readers, which makes them even harder to spot.

    My rule now is simple: if we weren’t expecting an invoice, it gets deleted without opening. Even replying confirms the email address is active. Seems to be a growing issue, so definitely one to keep an eye on.
     

    Jasminka

    Yes, seeing a lot more of this lately. Password-protected PDFs are a common trick to bypass email scanners, and the actual payload is usually the link inside, not the PDF itself.


    We’ve seen similar ones posing as RFQs, invoices or payment advice, often with spoofed sender addresses. Best practice is exactly as said above: don’t open unexpected attachments and verify out of band with the sender. Blocking password-protected attachments at the gateway helped reduce these for us.
     
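One way to implement the gateway-side check for password-protected PDF attachments mentioned in the thread, as an added example that is not part of the original posts. The sample message, addresses and filenames are constructed, and the `/Encrypt` byte scan is a heuristic assumption (it can miss obfuscated names and can false-positive), so treat a hit as a reason to quarantine for review.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# An encrypted PDF carries an /Encrypt key in its trailer (or cross-reference
# stream dictionary). That dictionary is stored in the clear, so a scanner can
# see the key without knowing the password.
ENCRYPT_KEY = re.compile(rb"/Encrypt(?![A-Za-z])")

def is_encrypted_pdf(data: bytes) -> bool:
    """Heuristic: PDF header near the start of the file plus an /Encrypt key."""
    if b"%PDF-" not in data[:1024]:
        return False
    return ENCRYPT_KEY.search(data) is not None

def encrypted_pdf_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of message parts that look like encrypted PDFs.

    Parts are judged by content, not by declared MIME type or extension,
    because both are chosen by the sender.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if is_encrypted_pdf(payload):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

def build_sample() -> bytes:
    """Constructed sample: one plain PDF and one with /Encrypt in its trailer."""
    plain = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    locked = plain.replace(b"/Root 1 0 R", b"/Root 1 0 R /Encrypt 2 0 R")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "quotes@example.com"
    msg["Subject"] = "Request for quotation"
    msg.set_content("Details are in the attached PDF.")
    msg.add_attachment(plain, maintype="application", subtype="pdf",
                       filename="brochure.pdf")
    # Declared as generic binary to show the check ignores the MIME type.
    msg.add_attachment(locked, maintype="application", subtype="octet-stream",
                       filename="RFQ.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(encrypted_pdf_attachments(build_sample()))
```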
