Watch Out for Weaponized PDF Purchase Orders Containing Hidden Malicious Scripts

By Priya, CyberPress

A recent phishing campaign disguised as a purchase order PDF is targeting business users with well-crafted lures designed to harvest corporate credentials and system data.

The malicious file, titled “NEW Purchase Order #52177236.pdf”, was first flagged after Malwarebytes blocked access to a suspicious link embedded within the document.

Malicious PDF Targets Business Emails
The PDF appeared to contain a purchase order with a button labeled “View Document”, adding a sense of legitimacy. However, hovering over the button revealed a long, deceptive URL hosted on a subdomain of ionoscloud.com, a domain that belongs to a legitimate European cloud service provider.

Attackers are increasingly abusing reputable infrastructure such as IONOS Cloud, AWS, and Azure because domains from trusted providers are less likely to be automatically blocked by security software.
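A triage check for the lure described above, as an added example that is not from the article or from Malwarebytes: it extracts link targets from a PDF attachment and flags those hosted under shared cloud-hosting domains, where the parent domain's reputation should not be trusted on its own. The suffix list and the sample PDF fragment are constructed assumptions; only ionoscloud.com comes from the article.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumed list: domains whose subdomains serve tenant-controlled content, so the
# parent's reputation says nothing about the page. Only ionoscloud.com is from the article.
SHARED_HOSTING_SUFFIXES = ("ionoscloud.com", "amazonaws.com", "windows.net")

URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # literal-string form only
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def pdf_link_targets(data: bytes) -> list[str]:
    """Return every /URI action target, including those inside Flate streams."""
    chunks = [data]
    for m in STREAM.finditer(data):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream is not Flate data (image, font, encrypted); skip it
    urls = []
    for chunk in chunks:
        for m in URI_ACTION.finditer(chunk):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
            urls.append(raw.decode("latin-1"))
    return urls


def flag_links(data: bytes) -> list[tuple[str, str]]:
    """Pair each link hosted under a shared-hosting suffix with the reason."""
    findings = []
    for url in pdf_link_targets(data):
        host = (urlsplit(url).hostname or "").lower()
        for suffix in SHARED_HOSTING_SUFFIXES:
            if host == suffix or host.endswith("." + suffix):
                findings.append((url, f"tenant content on {suffix}"))
    return findings


# Constructed PDF fragment: one plain link annotation, one inside a compressed stream.
SAMPLE = (
    b"%PDF-1.7\n4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [100 100 300 140]\n"
    b"/A << /S /URI /URI (https://bucket.example.ionoscloud.com/view?id=1) >> >>\nendobj\n"
    b"5 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /URI /URI (https://vendor.example.org/po\\(1\\).pdf) >>")
    + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for url, reason in flag_links(SAMPLE):
        print(f"REVIEW {url}  ({reason})")
```

A flagged link is a prompt for closer review (sandboxed fetch, sender verification), not a verdict, since legitimate vendors also host documents on these providers.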

When the victim clicks the button, the link redirects to a fake PDF viewer hosted on a compromised website, which pre-fills the recipient’s email address in a login form. The page prompts users to log in with a “business email login,” tricking them into providing corporate credentials.

This broad prompt is meant to capture credentials that could unlock valuable enterprise accounts, such as Microsoft Outlook, Google Workspace, VPNs, or file-sharing systems.
