MailGuard May 29, 2025 10:24:31 AM 6 MIN READ

PDF Phishing via Dropbox: A Persistent Threat in Trusted Clothing

Dropbox continues to be a popular weapon for cybercriminals because of its reputation and widespread use in business environments. A growing wave of phishing attacks leverages compromised Dropbox accounts to distribute PDFs embedded with malicious links. Because the share notifications are sent by Dropbox itself, they pass SPF/DKIM checks and deliver their payloads under the guise of legitimate document sharing.

In 2020, MailGuard first detected large-scale phishing and malware distribution campaigns leveraging compromised Dropbox accounts to send seemingly legitimate emails with links to PDF attachments.

Those PDFs, hosted on Dropbox, contained embedded URLs pointing to credential-harvesting and malware sites.

Despite initial takedowns, this tactic re-emerged in late 2024, and many leading security providers still fail to block these messages because they originate from Dropbox’s own infrastructure and link to benign-looking PDF files hosted on Dropbox.

How it Works

Cybercriminals phish or brute-force their way into Dropbox accounts, often those used for business document sharing. Using the compromised account’s share feature (through the web app or the Dropbox API), attackers have Dropbox itself send the notification emails, complete with genuine dropbox.com links and branding.

  • Legitimate Sender Infrastructure: The notification emails are generated by Dropbox’s own mail servers from genuine @dropbox.com addresses, so they pass SPF, DKIM and DMARC checks and clear trusted-sender filters. An OAuth access token for the compromised account lets the attacker drive the sharing API (which sends the notification) without touching the password again. Email authentication proves only that Dropbox sent the message, not that the account’s rightful owner shared the file.
  • PDF Trojan Horse: The message body links to a PDF on Dropbox (e.g., an “Invoice” or “Proposal”). The PDF needs no exploit; its payload is a /Link annotation with a /URI action pointing to a shortened URL (bit.ly, tinyurl) that forwards to a phishing portal or a drive-by download. Some samples add PDF JavaScript in an /OpenAction (app.launchURL and similar) so the external link is opened as soon as the document is, in readers that allow it; most modern readers warn on or block that automatic launch.
  • Defence Evasion: Static URL-based detectors skip dropbox.com and dropboxusercontent.com links, and sandboxing solutions often whitelist known cloud-storage endpoints. The URL that matters is inside the PDF, one hop removed from anything that appears in the email, so a filter that does not fetch and parse the PDF never sees it.
  • Persistent Reappearance: After peak activity in mid-2020, the same technique resurfaced in organizations’ inboxes during Q4 2024, demonstrating that many email defences still let Dropbox-hosted attachments through.
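As an added example (not code from MailGuard or from this article), here is a small stand-alone scanner that does what a filter needs to do with a Dropbox-hosted PDF before the link inside it reaches a user: it pulls every /URI action and /JS string out of the file, inflates FlateDecode streams so objects hidden in compressed object streams are not missed, checks whether the /OpenAction runs JavaScript, and flags shortener and non-Dropbox destinations. The two sample PDFs, their URLs, and the shortener and trusted-host lists are constructed for illustration.

```python
# Added example (not MailGuard's code): static triage of a PDF for /Link
# annotations with /URI actions, /JS strings and an /OpenAction that fires
# JavaScript. The sample PDFs and URLs below are constructed; the shortener
# and trusted-host lists are illustrative assumptions. Standard library only.
import re
import zlib
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}          # assumed list
DROPBOX_HOSTS = {"www.dropbox.com", "dropbox.com", "dl.dropboxusercontent.com"}

# Constructed sample 1, uncompressed so the objects are readable: a /Link
# annotation pointing at a shortener, and an /OpenAction running app.launchURL.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://bit.ly/invoice-2025) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("https://tinyurl.com/quote-approval", true);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the same annotation inside a FlateDecode stream, as an
# object stream (/ObjStm) in a real file carries it, so grepping the raw bytes
# for "bit.ly" finds nothing.
_ANNOT = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://bit.ly/invoice-2025) >> >>"
_PACKED = zlib.compress(_ANNOT)
SAMPLE_PDF_COMPRESSED = (b"%PDF-1.7\n6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                         + str(len(_PACKED)).encode() + b" >>\nstream\n" + _PACKED
                         + b"\nendstream\nendobj\n%%EOF\n")


def _literal_strings(data: bytes, key: bytes) -> list[str]:
    """Literal string after each `key (`, honouring balanced parentheses and
    backslash escapes (escaped byte kept verbatim). Hex strings <...> are skipped."""
    out = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i]
            if c == 0x5C:                         # backslash: keep the next byte as-is
                buf += data[i + 1:i + 2]
                i += 2
                continue
            if c == 0x28:                         # (
                depth += 1
            elif c == 0x29:                       # )
                depth -= 1
                if depth == 0:
                    break
            buf.append(c)
            i += 1
        out.append(bytes(buf).decode("latin-1"))
    return out


def _inflate_streams(data: bytes) -> list[bytes]:
    """Inflate every FlateDecode stream so objects hidden in object streams are
    visible. decompressobj stops at the end of the zlib data, so /Length is not
    needed; anything that fails to inflate is skipped."""
    out = []
    for m in re.finditer(rb"/FlateDecode.*?>>\s*stream\r?\n", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(data[m.end():]))
        except zlib.error:
            pass
    return out


def _openaction_runs_js(data: bytes) -> bool:
    """True if the catalog's /OpenAction is, or references, a JavaScript action."""
    m = re.search(rb"/OpenAction\s*(?:(\d+)\s+\d+\s+R|<<(.{0,400}?)>>)", data, re.S)
    if not m:
        return False
    if m.group(1):                                # "N 0 R": look up object N
        obj = re.search(rb"(?<!\d)" + m.group(1) + rb"\s+\d+\s+obj(.*?)endobj", data, re.S)
        return bool(obj) and b"/JavaScript" in obj.group(1)
    return b"/JavaScript" in m.group(2)           # inline action dictionary


def scan_pdf(pdf: bytes) -> dict:
    """Extract URIs and JavaScript from a PDF and classify what they point at."""
    data = pdf + b"\n" + b"\n".join(_inflate_streams(pdf))
    urls = _literal_strings(data, b"/URI")
    scripts = _literal_strings(data, b"/JS")
    for js in scripts:                            # URLs launched from script, e.g. app.launchURL
        urls += re.findall(r"https?://[^\s\"')]+", js)
    findings = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortener", u))
        elif host not in DROPBOX_HOSTS:
            findings.append(("external_link", u))
    if scripts:
        findings.append(("javascript", f"{len(scripts)} script string(s)"))
    if _openaction_runs_js(data):
        findings.append(("auto_launch", "/OpenAction executes JavaScript on open"))
    return {"urls": urls, "findings": findings, "verdict": "suspicious" if findings else "clean"}
```

scan_pdf(SAMPLE_PDF) returns a suspicious verdict carrying both shortener links, the JavaScript finding and the auto-launch finding; scan_pdf(SAMPLE_PDF_COMPRESSED) still recovers the bit.ly link even though a grep of the raw bytes would not. The parser is deliberately minimal: it ignores hex strings and /JS entries that reference a stream object rather than a literal, and it treats every non-Dropbox host as external, so tune DROPBOX_HOSTS and SHORTENERS before putting it in a pipeline.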

“Our forensic analyses show these PDFs use multi-stage redirect chains, often via URL shorteners, before landing on malware payloads. Each stage is designed to evade both static and dynamic scanning engines.”

— Prathik Chandrashekar, Head of Engineering, MailGuard
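The redirect chains described above can be unwound without ever rendering the landing page. The following is an added example, not MailGuard’s tooling: follow_chain() issues one HEAD request per hop, refuses to auto-follow, records every intermediate host, and stops on a loop or after a hop limit. The demo swaps in a constructed hop table with made-up hostnames (.example is an RFC 2606 reserved domain, so nothing resolves) in place of the network; the shortener list is an assumption.

```python
# Added example (not MailGuard's code): unwind a shortener redirect chain hop by
# hop without following it in a browser. fetch_location() is the only part that
# touches the network; follow_chain() accepts any fetch function, and the offline
# demo below uses a constructed table whose hostnames and paths are made up.
import http.client
from urllib.parse import urljoin, urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}   # assumed list
MAX_HOPS = 10


def fetch_location(url: str, timeout: float = 5.0):
    """HEAD `url` once, without auto-following redirects, and return the absolute
    target of its Location header, or None if the response is not a redirect."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        loc = resp.getheader("Location")
        return urljoin(url, loc) if 300 <= resp.status < 400 and loc else None
    finally:
        conn.close()


def follow_chain(start: str, fetch=fetch_location, max_hops: int = MAX_HOPS) -> dict:
    """Record every hop from `start` to its final landing URL. Stops on a loop
    or when max_hops is exceeded so a hostile chain cannot spin the analyser."""
    chain, seen = [start], {start}
    status = "resolved"
    while True:
        nxt = fetch(chain[-1])
        if nxt is None:                       # not a redirect: this is the landing URL
            break
        chain.append(nxt)
        if nxt in seen:
            status = "loop"
            break
        seen.add(nxt)
        if len(chain) - 1 > max_hops:
            status = "too_many_hops"
            break
    hosts = [urlparse(u).hostname or "" for u in chain]
    return {"chain": chain, "final": chain[-1], "hops": len(chain) - 1,
            "shorteners": [h for h in hosts if h in SHORTENERS], "status": status}


# Constructed chain for offline use (RFC 2606 reserved names): a shortener, a
# second shortener, then a fake Office 365 sign-in page.
CONSTRUCTED_HOPS = {
    "https://bit.ly/invoice-2025": "https://tinyurl.com/quote-approval",
    "https://tinyurl.com/quote-approval": "https://login-microsoft.example/common/oauth2?state=1",
}


def demo() -> dict:
    """Run the unwinder against the constructed table instead of the network."""
    return follow_chain("https://bit.ly/invoice-2025", fetch=CONSTRUCTED_HOPS.get)


if __name__ == "__main__":
    print(demo())
```

Against a live URL, follow_chain(url) uses fetch_location() and each hop is a single HEAD request. Some shorteners answer HEAD with a 405 or serve an interstitial page instead of a redirect, so a chain that stops early at a shortener host is a signal to retry with GET from a sandboxed host, never from the analyst’s workstation.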

Key Points for Partners


  • These campaigns spoof invoices or proposals via Dropbox-hosted PDFs, often sent from real @dropbox.com addresses.
  • PDFs act as Trojan horses, hiding credential-harvesting links or JavaScript-based malware redirection.
  • Static email security tools struggle to detect these threats because the mail comes from Dropbox’s high-reputation IPs with valid SPF, DKIM and DMARC, and the malicious URL sits inside the PDF rather than in the message itself.


Here’s What It Looks Like

This example leverages Dropbox branding and its file transfer mechanism to harvest the credentials of unsuspecting users. The initial email masquerades as a purchase order, inviting users to click the ‘View Transfer’ button to learn more.

[Screenshot: Dropbox - 4]

Here’s another example impersonating a Dropbox file-sharing email, with a better-formed message inviting the user to view another ‘Purchase Order’.

[Screenshot: Dropbox - 3]

This one has a simple subject line of ‘Request - Quote details’, aiming to pique the recipient’s curiosity. Carrying Dropbox brand elements, the email links to a ‘Quote-Plan Details and Approval’ PDF document.

[Screenshot: Dropbox - 1]

In this example, clicking the ‘View Transfer’ button leads users to a phishing page impersonating Adobe that aims to steal the user’s email address and password.

[Screenshot: Dropbox - 2]

And in this example, the user is taken to a phishing page impersonating an Office 365 sign-in. By entering their email address and password, the user hands the criminals their Office 365 credentials.

[Screenshot: Dropbox - 5]

Advice to Share with Clients

If users aren’t expecting a document, they shouldn’t open it, especially one arriving from a file-sharing platform. Dropbox links should always be treated with scrutiny unless the sender is personally verified, and verified out of band (a phone call or a known-good chat channel, not a reply to the email). A share notification sent by Dropbox proves only that someone with access to that Dropbox account shared the file; it does not prove the account’s owner did. Clients who use Dropbox themselves should also enable multi-factor authentication on those accounts, because this campaign starts with a phished or brute-forced account.


“Credential exfiltration through Dropbox-hosted PDFs is particularly insidious: By exploiting OAuth-authenticated SMTP and Dropbox’s share-link API, adversaries weaponize high-reputation infrastructure to deliver PDF payloads that embed stealthy phishing and malware redirects, undermining traditional email-authentication and sandbox defences.”

— Anwar Ibrahim, CTO, MailGuard


Want to learn more or arm your team with the latest insights?

Reach out to your MailGuard Partner Manager today or contact expert@mailguard.com.au.

Your expertise, combined with MailGuard’s leading-edge technologies, gives your clients a decisive advantage.

🚀 Let’s build the future of cyber resilience together.


Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their cyber resilience so that threats never land in inboxes in the first place. With a staggering 94% of malware attacks delivered by email, email is an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a specialist cloud email solution like MailGuard.

For a few dollars per staff member per month, businesses are protected by MailGuard's specialist zero-day email security. Special Ops for when speed matters! Our real-time zero-day email threat detection amplifies your clients’ intelligence, knowledge, security and defence.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.


Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993
