Fake Dropbox Phishing Campaign Targets Users, Steals Login Credentials


X-Labs researchers have identified a phishing campaign that uses a multi-stage approach to bypass email filtering and content-scanning systems. The attack combines trusted platforms, a benign file format and layered redirection to harvest user credentials.

The attack chain begins with a professionally crafted phishing email carrying a PDF attachment. That PDF links to a second PDF hosted on legitimate cloud infrastructure, Vercel Blob storage, which in turn leads the victim to a counterfeit Dropbox login page built to capture credentials.

The email is procurement-themed and looks legitimate and routine. It references a purchase order review and asks the recipient to sign in with their business email credentials, creating the sense of urgency typical of tender or procurement fraud.

Notably, the email body contains no links at all; the PDF attachment is the sole delivery mechanism.

This matters because URL-reputation and link-rewriting controls that inspect links in the message body have nothing to act on: the first URL appears one layer down, inside the attachment. Sender authentication (SPF, DKIM and DMARC) is not what decides this either way. Those checks validate the sending domain, not the message content, so an attachment-only email passes or fails them exactly as a link-laden one would, and a passing result says nothing about the safety of the attachment.

The minimal, business-like wording also avoids keyword-based detection, so the message reads as routine operational communication rather than a threat.

PDF Evasion Techniques

Analysis of the malicious PDF shows that its objects are held in FlateDecode-compressed streams and that the clickable element is implemented as an AcroForm (interactive form) object rather than as visible page content.

Compression hides the link target from scanners that only search the raw file for URL strings, and AcroForm widgets let the attacker attach a URI action to a clickable region while keeping the visible content minimal. The result is a PDF that appears benign to security tools that do not decompress its streams and walk the object tree.

Contents of the lure PDF (Source: X-Labs).

The PDF contains a seemingly innocent link labelled "View specification online Here:" that points to a file hosted on Vercel Blob storage, under the platform's own public.blob.vercel-storage.com domain.

Because that hostname belongs to a legitimate, widely used platform, domain-reputation checks rate it as clean and the victim sees a plausible address rather than an obviously attacker-registered domain.
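The evasion described above can be reproduced and checked offline. The following is an added example, not code from the article or from X-Labs: it builds a constructed PDF whose only link is an AcroForm widget with a /URI action stored inside a FlateDecode-compressed object stream, shows that a raw string search for URLs finds nothing, and then inflates the streams to recover the action. The URL and object layout are placeholders and assumptions, not the campaign's real files.

```python
"""Added example (not from the article or X-Labs): a triage helper that
shows why a FlateDecode-compressed PDF with an AcroForm link defeats a raw
string scan, and how inflating the streams recovers the /URI action.
The PDF bytes are constructed here; the URL is a placeholder, not the
campaign's real Vercel Blob address."""
import re
import zlib

SAMPLE_URL = "https://example.invalid/ProductLists.pdf"   # placeholder, not the real URL


def build_sample_pdf(url: str) -> bytes:
    """Minimal PDF 1.5 skeleton (xref omitted, so not renderable) whose only
    link is a widget annotation with a /URI action. The annotation object is
    stored inside an object stream (/Type /ObjStm) compressed with
    FlateDecode, which is how non-stream dictionaries get hidden from grep."""
    widget = (b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (view) "
              b"/Rect [72 700 300 720] /A << /S /URI /URI ("
              + url.encode("ascii") + b") >> >>")
    offsets = b"5 0 "                       # ObjStm header: "<objnum> <offset>" pairs
    body = zlib.compress(offsets + widget)
    objstm = (b"4 0 obj\n<< /Type /ObjStm /N 1 /First %d /Length %d "
              b"/Filter /FlateDecode >>\nstream\n" % (len(offsets), len(body))
              + body + b"\nendstream\nendobj\n")
    catalog = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
               b"/AcroForm << /Fields [5 0 R] >> >>\nendobj\n")
    pages = b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    page = (b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [5 0 R] >>\nendobj\n")
    return b"%PDF-1.5\n" + catalog + pages + page + objstm + b"%%EOF\n"


# "stream ... endstream" bodies; \b keeps "endstream" from matching as a start.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# /URI values are literal strings (...) or hex strings <...>. Escaped or nested
# parentheses inside a literal string are not handled by this simple pattern.
URI_RE = re.compile(rb"/URI\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")
HTTP_RE = re.compile(rb"https?://[^\s<>()]+")


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Decoded body of every stream; non-zlib or corrupt streams are
    returned as-is so a scanner still sees whatever is readable."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)
    return bodies


def _decode_uri(m) -> str:
    literal, hexstr = m.group(1), m.group(2)
    if literal is not None:
        return literal.decode("latin-1")
    return bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode("ascii")).decode("latin-1")


def find_uri_actions(pdf: bytes) -> list[str]:
    """URIs in plain objects plus those only visible after inflating streams."""
    uris = [_decode_uri(m) for m in URI_RE.finditer(pdf)]
    for body in inflate_streams(pdf):
        uris.extend(_decode_uri(m) for m in URI_RE.finditer(body))
    return uris


def naive_url_grep(pdf: bytes) -> list[str]:
    """What a string-based scanner sees if it does not decompress streams."""
    return [u.decode("latin-1") for u in HTTP_RE.findall(pdf)]


def has_acroform(pdf: bytes) -> bool:
    """Interactive-form dictionary present, in the clear or inside a stream."""
    return b"/AcroForm" in pdf or any(b"/AcroForm" in b for b in inflate_streams(pdf))


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URL)
    print("naive grep :", naive_url_grep(pdf))     # empty: the URL is inside a compressed stream
    print("AcroForm   :", has_acroform(pdf))
    print("URI actions:", find_uri_actions(pdf))
```

The same inflate-then-search pass is what a mail gateway needs to apply to attachments; a tool such as pdf-parser.py or peepdf does this properly for real files, including object streams and other filters this sketch ignores.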

The cloud-hosted PDF in turn sends the victim on to a fraudulent website impersonating Dropbox. The fake login interface prompts the user to enter credentials under the pretense of accessing the shared documents.

The attacker-controlled domain, tovz[.]life, has no affiliation with Dropbox; it simply mimics the familiar Dropbox interface so that the victim logs in without noticing the unrelated hostname.

Social engineering attack (Source: X-Labs).

When the victim submits the form, JavaScript embedded in the fake page captures the credentials and enriches them with system and location details obtained by querying external IP-geolocation APIs.

The stolen data (email, password, IP address, geolocation and timestamp) is sent to an attacker-controlled Telegram bot through the Bot API's sendMessage endpoint. Because the script runs in the victim's browser, the exfiltration leaves the network as an ordinary outbound HTTPS request from the workstation to api.telegram.org.

The script then displays a fake login-failure message, which encourages the victim to try again, potentially with alternative credentials, each of which is captured the same way.

Exfiltration and Impact

All harvested credentials reach attacker infrastructure over Telegram, enabling account takeover, lateral movement within compromised networks and potential follow-on fraud.
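The exfiltration path gives defenders a concrete thing to look for. The following is an added example, not from the article or X-Labs: a small detector run over constructed web-proxy log lines that flags calls from user endpoints to api.telegram.org/bot<token>/<method>, separates message-sending methods from informational ones, and redacts the token so the finding can be copied into a ticket. The log format ("timestamp client method url status"), the addresses and the bot token are all invented for the demo.

```python
"""Added example (not from the article): flag Telegram Bot API exfiltration
in web-proxy logs. Phishing kits like the one described post harvested
credentials straight from the victim's browser to
api.telegram.org/bot<token>/sendMessage, so the call shows up as ordinary
outbound HTTPS from the workstation. The log lines and token are constructed
for this demo; the "timestamp client method url status" layout is an
assumed, simplified proxy format."""
import re
from dataclasses import dataclass

# Bot tokens look like "<numeric bot id>:<secret>"; the secret is normally
# 35 characters of [A-Za-z0-9_-]. The path segment after the token is the
# API method being called.
TG_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>[A-Za-z]+)"
)
# Methods a kit uses to deliver data to the operator; getMe/getUpdates are
# still worth recording but are not themselves exfiltration.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendMediaGroup"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2026-01-25T09:13:58Z 10.0.4.17 GET https://phish.example/bid-doc.php 200
2026-01-25T09:14:02Z 10.0.4.17 POST https://api.telegram.org/bot1234567890:AAFakeTokenForTheDemo0000000000000a/sendMessage 200
2026-01-25T09:20:11Z 10.0.4.23 GET https://web.telegram.org/a/ 200
2026-01-25T09:21:40Z 10.0.4.31 GET https://api.telegram.org/bot1234567890:AAFakeTokenForTheDemo0000000000000a/getMe 200
"""


@dataclass
class Finding:
    timestamp: str
    client: str
    bot_id: str
    method: str
    severity: str           # "exfil" for message-sending calls, else "info"
    token_fingerprint: str  # redacted: enough to correlate, not enough to reuse


def redact(bot_id: str, secret: str) -> str:
    """Keep the bot id (needed to correlate across hosts and to report the
    bot) but never copy the full secret into tickets or SIEM fields."""
    return f"bot{bot_id}:{secret[:3]}...{secret[-3:]}"


def scan(log_text: str) -> list[Finding]:
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _http_method, url = parts[:4]
        m = TG_BOT_RE.search(url)
        if m is None:
            continue   # ordinary Telegram web/client traffic is not matched
        severity = "exfil" if m["method"] in EXFIL_METHODS else "info"
        findings.append(Finding(ts, client, m["bot_id"], m["method"],
                                severity, redact(m["bot_id"], m["secret"])))
    return findings


def exfil_clients(log_text: str) -> list[str]:
    """Hosts that sent data to a bot: candidates for credential reset and
    browser-history review."""
    return sorted({f.client for f in scan(log_text) if f.severity == "exfil"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print("clients to triage:", exfil_clients(SAMPLE_LOG))
```

One caveat: without TLS inspection a proxy only sees the hostname api.telegram.org, not the path carrying the token and method. In that case alert on the hostname alone from endpoints with no business need for the Bot API, and recover the full URL from browser history or endpoint telemetry on the flagged host.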

This multi-stage approach succeeds because each layer, from the trusted PDF format to legitimate cloud storage to familiar Dropbox branding, lends the next one legitimacy, and no single layer carries an obvious indicator on its own.

Organizations should filter or detonate PDF attachments from untrusted senders (inspecting decompressed streams for URI actions, not just the raw file), enforce multi-factor authentication to limit the impact of stolen passwords (phishing-resistant methods such as FIDO2/WebAuthn are preferable, since the fake failure message is designed to harvest repeated password attempts), alert on or block outbound traffic to api.telegram.org from endpoints with no business use for the Bot API, and train users to verify login prompts and sender authenticity, in particular a Dropbox-branded login served from an unrelated domain.

IOCs

Email subject: e-Tender (Operating Unit – Standard P.O requires your acceptance)

Lure PDF attachment
Name: 2026_PO_I0I_Jan_25_LGXZ.pdf
SHA1: 56ba0c54f9f02c182a46461dc448868fc663901c

Secondary PDF (hosted on Vercel Blob storage)
Name: ProductLists.pdf
SHA1: 88e542b163d1de6dedbbc85b1035a2b2d3b88bb8

Dropper URL: hxxps[://]nte2srryro7jecki[.]public[.]blob[.]vercel-storage[.]com/ProductLists[.]pdf

Redirected URL (fake Dropbox login): hxxps[://]tovz[.]life/bid-doc2026[.]php/?ai=xd

C2 (Telegram Bot API): hxxps[://]api[.]telegram[.]org/bot6141034733:AAH-FLm9XyFjiV6F7jq6UHBXcVZTq7rZbP0/sendMessage



