Phishing remains one of the most persistent and effective methods for cybercriminals to infiltrate organizations and defraud individuals. Among the myriad forms this threat takes, a particularly insidious campaign involves the use of fraudulent purchase order (PO) PDFs. This tactic leverages the trust associated with business transactions and familiar document formats to trick recipients into compromising their security. Malwarebytes has provided a detailed look into such a campaign, shedding light on its intricate workings.
This specific purchase order PDF phishing campaign relies heavily on social engineering, preying on the urgency and routine associated with procurement processes. Attackers craft seemingly legitimate emails that appear to originate from known suppliers or internal departments. These emails typically contain an attached PDF file, purporting to be a purchase order, an invoice, or a related document critical for business operations. The file names are often designed to evoke a sense of legitimacy, such as “PO_###_companyname.pdf” or “Invoice_###_PaymentDue.pdf.”
The deceptive nature of these PDFs is central to the attack. Unlike attachments that carry an executable or a document exploit, these PDFs are typically inert: their only active element is one or more link annotations (PDF URI actions) that send the reader to an attacker-controlled site, which is why they pass scanners that look only for embedded executables or exploit code, and why a useful filter has to extract and evaluate the link targets themselves. The redirection is dressed up as a request to verify order details, log in to a supplier portal, or download an encrypted version of the document.
The goal of these malicious links is predominantly credential theft. When a user clicks on the embedded link, they are directed to a phishing page meticulously designed to mimic a legitimate login portal for services like Microsoft 365, Google Workspace, or various enterprise resource planning (ERP) systems. By entering their login credentials on these fake pages, victims inadvertently hand over their usernames and passwords directly to the attackers. These stolen credentials can then be used to access sensitive company data, launch further internal phishing attacks, or initiate financial fraud.
Beyond credential theft, some PDF phishing campaigns also attempt to install malware. That is less common when the lure is a plain link, but a compromised account is a natural staging point: the attacker can send the next payload from a trusted internal mailbox. The success of these campaigns hinges on several factors: a convincing email, the familiarity of the PDF format, and the time pressure on busy staff, who may open such a document without scrutinizing its origin.
Malwarebytes’ analysis of this campaign emphasizes vigilance and robust email security. Organizations must educate employees about the subtle signs of phishing, even when an email appears to come from a trusted source or carries a familiar attachment: a sender address that does not match the claimed supplier, a generic greeting, urgent language, and an attachment nobody was expecting. On the technical side, mail filters that extract and evaluate links inside attachments, PDFs included, and secure web gateways that block known phishing sites are critical layers of defense; a link whose host does not belong to the supplier the email names, or that points at a bare IP address or a lookalike domain, should be treated as suspect regardless of how the document looks.
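The two points above, that a link-only PDF carries its payload in URI actions rather than in executable content, and that a filter has to pull those links out of the attachment, can be checked with a small static triage script. What follows is an added example written for this page, not Malwarebytes' tooling or anything recovered from the campaign: it scans a PDF's raw bytes and every stream that inflates with FlateDecode for /URI actions (so annotations packed into PDF 1.5 object streams are not missed), decodes the PDF literal-string syntax properly, and flags any link whose host is not the supplier domain the email claims. The sample PDFs it builds, the supplier domain acme-supplies.example, and the lookalike and IP-literal URLs inside them are constructed for the demonstration.

```python
"""Static link triage for a purchase-order PDF attachment.

Added example for this page (not Malwarebytes' tooling). The PDF samples,
supplier domain and URLs below are constructed for the demonstration.
"""
import re
import zlib
from urllib.parse import urlsplit

# '/URI (' opens the literal string holding a link target; '/S /Launch' etc.
# mark actions that execute or exfiltrate instead of merely opening a URL.
URI_KEY_RE = re.compile(rb"/URI\s*\(")
ACTIVE_RE = re.compile(rb"/S\s*/(Launch|JavaScript|SubmitForm|GoToR)\b")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def read_literal(data: bytes, start: int) -> tuple[str, int]:
    """Decode the PDF literal string whose '(' is at data[start].
    Handles backslash escapes, \\ddd octal escapes and balanced unescaped
    parentheses; returns (text, index just past the closing parenthesis)."""
    depth, out, i = 1, bytearray(), start + 1
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            octal = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
            else:
                nxt = data[i + 1:i + 2]
                out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
                i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1"), i + 1
        out += c
        i += 1
    return out.decode("latin-1"), i  # unterminated string: return what we have


def segments(pdf: bytes):
    """Yield the raw file, then every stream body that fully inflates with zlib,
    so objects packed into PDF 1.5 object streams are scanned as well.
    /Length is ignored on purpose: malformed files often misstate it."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        d = zlib.decompressobj()
        try:
            inflated = d.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, encrypted): skip
        if d.eof:
            yield inflated


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI action target, in file order."""
    return [read_literal(seg, m.end() - 1)[0]
            for seg in segments(pdf) for m in URI_KEY_RE.finditer(seg)]


def naive_uris(pdf: bytes) -> list[str]:
    """The grep most people write first; kept only for comparison."""
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\(([^)]*)\)", pdf)]


def active_content(pdf: bytes) -> list[str]:
    """Action types that run code or submit data rather than open a URL."""
    return sorted({m.group(1).decode() for seg in segments(pdf)
                   for m in ACTIVE_RE.finditer(seg)})


def triage(pdf: bytes, supplier_domains: set[str]) -> dict:
    """Flag links whose host is not (a subdomain of) a claimed supplier domain.
    urlsplit().hostname strips userinfo, so the classic
    'https://portal.acme-supplies.example@198.51.100.23/' resolves to the IP."""
    def trusted(url: str) -> bool:
        host = (urlsplit(url).hostname or "").lower()
        return any(host == d or host.endswith("." + d) for d in supplier_domains)

    uris = extract_uris(pdf)
    return {"uris": uris,
            "suspicious": [u for u in uris if not trusted(u)],
            "active_content": active_content(pdf)}


def build_sample(hide_in_objstm: bool) -> bytes:
    """Constructed one-page PDF with three link annotations mimicking the
    campaign: a real supplier link, a lookalike host, a userinfo trick.
    No xref table: viewers rebuild it, and a scanner must not rely on it."""
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           b"/Annots [4 0 R 5 0 R 6 0 R] >>",
    }
    links = [  # constructed sample targets, not real campaign URLs
        b"https://portal.acme-supplies.example/orders/4471",
        b"https://login.microsoftonline.com.secure-po-view.example/verify?po=(4471)",
        b"https://portal.acme-supplies.example@198.51.100.23/login",
    ]
    for n, url in enumerate(links, start=4):
        objs[n] = (b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
                   b"/A << /S /URI /URI (" + url + b") >> >>")
    if hide_in_objstm:
        # Pack the annotations into a FlateDecode object stream (PDF 1.5):
        # a raw grep for '/URI' sees nothing, while the viewer sees the links.
        offsets, body = b"", b""
        for n in (4, 5, 6):
            offsets += b"%d %d " % (n, len(body))
            body += objs.pop(n) + b"\n"
        payload = zlib.compress(offsets + body)
        objs[7] = (b"<< /Type /ObjStm /N 3 /First %d /Length %d /Filter /FlateDecode >>"
                   b"\nstream\n" % (len(offsets), len(payload)) + payload + b"\nendstream")
    out = b"%PDF-1.5\n"
    for n in sorted(objs):
        out += b"%d 0 obj\n" % n + objs[n] + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for hidden in (False, True):
        print("object stream:", hidden,
              triage(build_sample(hidden), {"acme-supplies.example"}))
```

Run as-is, the script reports the same two suspicious links for both variants: the lookalike host and the userinfo-disguised IP address, while the supplier's own portal link is accepted. The naive grep included for comparison truncates the lookalike URL at the first closing parenthesis and returns nothing at all for the object-stream variant, which is the kind of gap an attachment filter that only string-matches the file will have. Active content comes back empty, matching the campaign's reliance on plain links rather than embedded JavaScript or launch actions.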
This purchase order PDF phishing campaign serves as a stark reminder that cybercriminals continuously refine their methods. By leveraging common business workflows and document types, they aim to bypass initial security checks and exploit human trust. A combination of technological defenses and continuous employee education is essential to defend against such pervasive and evolving threats.
Source: https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign