Growing Threat: Brand Impersonation and Callback Phishing in PDF Email Campaigns

Cybersecurity experts are sounding the alarm over a rise in phishing attacks that impersonate trusted brands to deceive victims into calling fake customer service lines—a tactic known as Telephone-Oriented Attack Delivery (TOAD) or callback phishing.

What Is TOAD?

TOAD campaigns lure victims via phishing emails, often containing PDF attachments, prompting recipients to call a phone number operated by cybercriminals. During the call, attackers impersonate customer support agents, guiding victims to disclose sensitive data or install remote access tools on their devices.

Key Findings

A new report from Cisco Talos analyzed phishing emails between May 5 and June 5, 2025, highlighting that Microsoft and DocuSign were the most spoofed brands. Other common impersonations included PayPal, NortonLifeLock, and Geek Squad.

These PDF-based attacks typically:

• Display fake service issues or invoice disputes.

• Embed malicious links via QR codes or annotations in the PDF.

• Direct users to phishing websites impersonating login portals like Microsoft 365.

In TOAD scenarios, the attackers exploit human trust in phone communication, using emotional manipulation and scripted dialogue to execute their schemes. Most attackers utilize VoIP numbers, which are difficult to trace, sometimes reusing the same number for days across multiple victims.

M365 and QR Code Exploits

In parallel, phishing actors have increasingly abused Microsoft 365’s Direct Send feature. This tactic allows emails to appear as though they come from internal corporate addresses, bypassing traditional authentication checks.

These messages may:

• Mimic voicemail alerts or business communications.

• Include QR codes leading to credential harvesting pages.

Security firm Varonis reported that over 70 organizations have been targeted using this method since May 2025.

AI’s Role in Phishing and Misinformation

Phishing threats are evolving with artificial intelligence (AI) integration:

• A study by Netcraft found that LLMs (Large Language Models) occasionally suggest incorrect or unregistered login URLs—many of which can be hijacked.

• Cybercriminals have also published malicious fake APIs on GitHub and promoted them through blog tutorials and social media to poison AI training datasets and influence code assistant outputs.

Search Engine Poisoning and SEO Abuse

To increase visibility, cybercriminals are leveraging services like Hacklink, which lets them insert malicious links into the code of compromised .gov or .edu websites. These links manipulate search rankings, making phishing pages appear legitimate and prominently in results.

How to Protect Yourself

• Verify sender details on suspicious emails.

• Do not call phone numbers listed in unsolicited messages.

• Use 2FA and password managers to enhance account security.

• Update your software and antivirus tools regularly.

• Employ brand impersonation detection engines if managing email infrastructure.

As phishing attacks grow more sophisticated, combining brand trust, QR codes, AI, and phone-based deception, staying informed and vigilant remains the first line of defense.