Forcepoint researchers uncovered a phishing campaign that uses PDF attachments and trusted cloud infrastructure to harvest Dropbox credentials while evading email security controls. The multi-stage attack chain exploits legitimate services including Vercel blob storage and Telegram bots for exfiltration.
Campaign overview
| Attribute | Details |
|---|---|
| Discovery | Forcepoint X-Labs |
| Target | Dropbox credentials |
| Delivery | PDF attachments via email |
| Hosting | Vercel blob storage |
| Exfiltration | Telegram bot API |
| Data collected | Email, password, IP, geolocation, device info |
Attack chain overview
Email → PDF attachment → Vercel-hosted PDF → Redirect PDF → Fake Dropbox login → Telegram exfiltration
The attack is designed so that no single stage appears malicious, defeating traditional security controls that analyze components in isolation.
Stage-by-stage breakdown
Stage 1: Clean email
Victims receive procurement-themed emails with subjects like:
- “PO #[number] - Urgent Review Required”
- “Invoice Attached - Please Confirm”
- “Document for Your Review”
- “Tender Submission Request”
- “Contract Amendment - Signature Required”
The emails contain no links—only a PDF attachment. This bypasses URL scanning and link reputation checks in email security gateways.
| Email characteristic | Security bypass |
|---|---|
| No embedded URLs | URL scanners find nothing |
| No malware payload | Sandbox analysis passes |
| Legitimate-looking sender | SPF/DKIM may pass |
| Business-relevant subject | User opens without suspicion |
Stage 2: PDF on trusted hosting
The PDF uses an AcroForm object to link to a file hosted on:
public.blob.vercel-storage.com
Vercel’s blob storage is a legitimate service used by thousands of developers. Security tools that check domain reputation see a trusted Microsoft-owned infrastructure provider, not a known malicious host.
| PDF technique | Purpose |
|---|---|
| FlateDecode compression | Obscures content from basic scanners |
| AcroForm objects | Embeds clickable elements |
| No JavaScript | Avoids JS-based detection |
| Clean metadata | No obvious attacker artifacts |
Stage 3: Second redirect
The Vercel-hosted file is another PDF with a prominent “DOWNLOAD FILE HERE” button. This additional redirect:
- Adds another layer of separation from the original email
- Makes the victim an active participant (clicking download)
- Creates a sense of legitimate document retrieval
- Frustrates security tools that analyze single hops
Stage 4: Credential harvesting
The final destination is a convincing Dropbox login page clone. Key features:
| Element | Purpose |
|---|---|
| Pixel-perfect Dropbox UI | Visual legitimacy |
| Pre-filled email field | Uses victim’s email from earlier redirect |
| 5-second delay after submission | Makes “incorrect password” error believable |
| “Try again” prompt | Encourages second credential entry |
| Browser fingerprinting | Collects device metadata |
| SSL certificate | Shows padlock for false trust |
The 5-second delay is particularly effective—it mimics the time a real authentication system would take to validate credentials, making the subsequent “incorrect password” error seem authentic.
Stage 5: Exfiltration via Telegram
Harvested credentials and system metadata are sent to an attacker-controlled Telegram bot. Using Telegram provides:
| Advantage | Explanation |
|---|---|
| Encrypted communication | Hard to intercept in transit |
| Instant notification | Attackers receive credentials immediately |
| Difficult-to-block infrastructure | Telegram is a legitimate business tool |
| No traditional C2 server | No infrastructure to take down |
| Anonymous bot creation | Low attribution risk |
| Reliable delivery | Enterprise-grade uptime |
Data collected
The phishing page harvests extensive information beyond just credentials:
| Data type | Collection method |
|---|---|
| Email address | Form input |
| Password | Form input (often twice) |
| IP address | Server-side logging |
| City/country | IP geolocation |
| Device type | User-agent parsing |
| Browser | User-agent parsing |
| Screen resolution | JavaScript |
| Timezone | JavaScript |
| Referrer chain | HTTP headers |
This metadata enables attackers to:
- Prioritize high-value targets
- Craft follow-up attacks using victim context
- Identify corporate vs. personal accounts
- Time account takeover attempts appropriately
Technical indicators
Vercel blob storage patterns:
public.blob.vercel-storage.com/[random-string]
Phishing page characteristics:
- Dropbox branding with subtle URL differences
- Form POST to non-Dropbox domain
- JavaScript delay before error display
- Browser fingerprinting scripts
- Missing standard Dropbox footer elements
Telegram exfiltration pattern:
api.telegram.org/bot[token]/sendMessage
Why it’s effective
| Traditional Defense | Why It Fails |
|---|---|
| Email link scanning | No links in email—only attachment |
| Attachment sandboxing | PDF contains no malware, just a link |
| URL reputation | Vercel is a trusted service |
| Domain blocklisting | Phishing pages use fresh domains |
| User awareness | Multi-step process builds false confidence |
| Safe links rewriting | No links to rewrite in original email |
“A clean PDF is much more likely to get through email security and reach the victim. Malware often triggers alarms, blocks delivery or causes attachments to be quarantined. By avoiding malware and focusing only on credentials theft, the attackers increase the chances that the email is delivered, opened and trusted.” — Hassan Faizan, Senior Security Researcher, Forcepoint
Abuse of legitimate services
The campaign highlights a broader trend: adversaries weaponizing trusted cloud infrastructure to evade detection.
| Service | Legitimate Use | Attacker Abuse |
|---|---|---|
| Vercel blob storage | Developer file hosting | Phishing redirect hosting |
| Telegram bots | Automation, notifications | Credential exfiltration |
| Cloud storage URLs | Document sharing | Lure delivery |
| CDN providers | Content delivery | Malware hosting |
| Form services | Survey collection | Credential harvesting |
Security tools that allowlist major cloud providers inadvertently provide cover for these attacks.
Detection opportunities
Email layer
| Indicator | Detection logic |
|---|---|
| PDF with AcroForm to blob storage | Flag external links to cloud storage |
| Procurement themes from unfamiliar senders | Sender reputation + content analysis |
| Mismatched sender domains and display names | SPF/DMARC alignment checks |
| PDF-only attachments in financial contexts | Behavioral analysis |
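The email-layer row above ("flag external links to cloud storage") and the Stage 2 table (FlateDecode obscures content; AcroForm and link objects carry the URL) together describe a check that is easy to get wrong: a scanner that only greps the raw file sees nothing when the link object sits inside a compressed stream. The Python below is an added example written for this page, not Forcepoint's tooling and not the campaign's PDF. It hand-builds a constructed sample PDF whose /URI action lives in a FlateDecode object stream, then inflates every stream before looking for /URI targets and flags any that point at the blob-storage host named in the report. The sample URL path, the helper names and the host list are assumptions.

```python
import re
import zlib
from urllib.parse import urlparse

# Hosting domain named in the report; extend with any blob/CDN host you do not
# expect to see linked from inbound PDFs (assumption: a single-entry list here).
CLOUD_BLOB_HOSTS = {"public.blob.vercel-storage.com"}

# /URI (literal-string) action targets. Escaped parentheses inside the literal
# are not handled by this simple pattern.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
# Bodies of stream objects; the lookbehind stops "endstream" from opening a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(?P<body>.*?)endstream", re.DOTALL)


def build_sample_pdf() -> bytes:
    """Constructed sample, not the campaign's file: a tiny PDF whose link
    annotation (a /URI action to a blob-storage URL) sits inside a FlateDecode
    object stream, so the URL never appears in the raw bytes."""
    annot = (b"5 0 << /Type /Annot /Subtype /Link /Rect [50 50 300 100] "
             b"/A << /S /URI /URI (https://public.blob.vercel-storage.com/EXAMPLE-random-string.pdf) >> >>")
    body = zlib.compress(annot)
    return (
        b"%PDF-1.5\n"
        + b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] >> >> endobj\n"
        + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        + b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
        + b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
        + b"%%EOF\n"
    )


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Inflate every stream that decompresses as zlib/FlateDecode; skip the rest."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the trailing newline before "endstream".
            out.append(zlib.decompressobj().decompress(m.group("body")))
        except zlib.error:
            continue
    return out


def naive_uris(pdf: bytes) -> list[str]:
    """What a scanner that only greps the raw file sees."""
    return sorted({m.group("uri").decode("latin-1") for m in URI_RE.finditer(pdf)})


def extract_uris(pdf: bytes) -> list[str]:
    """Raw bytes plus every inflated stream."""
    found = set(naive_uris(pdf))
    for blob in inflate_streams(pdf):
        found.update(m.group("uri").decode("latin-1") for m in URI_RE.finditer(blob))
    return sorted(found)


def has_acroform(pdf: bytes) -> bool:
    """Interactive-form dictionary present (where the report says the link lives)."""
    return b"/AcroForm" in pdf


def external_cloud_links(uris: list[str]) -> list[str]:
    """Links whose host is a blob-storage domain: hold for review."""
    return [u for u in uris if (urlparse(u).hostname or "").lower() in CLOUD_BLOB_HOSTS]


def assess(pdf: bytes) -> dict:
    uris = extract_uris(pdf)
    flagged = external_cloud_links(uris)
    return {"acroform": has_acroform(pdf), "uris": uris, "flagged": flagged,
            "verdict": "review" if flagged else "pass"}


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw grep finds:", naive_uris(sample))          # nothing: link is compressed
    print("after inflating streams:", assess(sample))     # verdict: review
```

The point of the two passes is the contrast: `naive_uris` returns nothing for the sample, `assess` returns the blob-storage link and a "review" verdict. In a gateway you would run the same inflate-then-scan logic over object streams, XObjects and annotation dictionaries rather than the whole file, and treat a "no JavaScript, no payload" PDF that still carries an external cloud link as the signal it is.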
Network layer
| Indicator | Detection logic |
|---|---|
| Connections to public.blob.vercel-storage.com followed by credential entry | Correlation analysis |
| Traffic to Telegram API endpoints from non-Telegram applications | Application identification |
| Multiple redirects ending at Dropbox-branded pages not on dropbox.com | URL chain analysis |
| POST requests to non-Dropbox domains with credential-like payloads | DLP inspection |
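The "Technical indicators" section and the network-layer table above describe correlation over a URL chain: a fetch from public.blob.vercel-storage.com, then a POST to a Dropbox-branded host that is not dropbox.com, then a sendMessage call to api.telegram.org/bot[token]/... from something that is not a Telegram client. The Python below is an added example for this page, not Forcepoint's detection content; it runs those three rules over a constructed proxy log and raises one alert per client whose events line up inside a ten-minute window. The log lines, the lookalike host dropbox-share-docs.example, the bot-token placeholder and the window length are all assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (not from the report): "timestamp client method url user_agent".
# dropbox-share-docs.example is a hypothetical lookalike; the bot token is a placeholder.
SAMPLE_LOG = """\
2025-01-01T09:00:01 10.0.0.5 GET https://public.blob.vercel-storage.com/EXAMPLE-random-string.pdf Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-01-01T09:00:40 10.0.0.5 GET https://dropbox-share-docs.example/login Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-01-01T09:01:10 10.0.0.5 POST https://dropbox-share-docs.example/login Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-01-01T09:01:11 10.0.0.5 POST https://api.telegram.org/bot123456:EXAMPLE-TOKEN/sendMessage Mozilla/5.0 (Windows NT 10.0) Chrome/120
2025-01-01T09:05:00 10.0.0.7 GET https://www.dropbox.com/login Mozilla/5.0 (Macintosh) Safari/605
2025-01-01T09:06:00 10.0.0.7 POST https://www.dropbox.com/login Mozilla/5.0 (Macintosh) Safari/605
2025-01-01T10:00:00 10.0.0.9 GET https://public.blob.vercel-storage.com/EXAMPLE-app-asset.png Mozilla/5.0 (X11) Firefox/121
"""

BLOB_HOSTS = {"public.blob.vercel-storage.com"}
TELEGRAM_BOT_PATH = re.compile(r"^/bot[^/]+/sendMessage$")   # pattern named in the report


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "url": url, "ua": ua})
    return events


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_blob_fetch(ev: dict) -> bool:
    return host_of(ev["url"]) in BLOB_HOSTS


def is_lookalike_post(ev: dict) -> bool:
    """POST to a host that carries Dropbox branding but is not dropbox.com."""
    h = host_of(ev["url"])
    genuine = h == "dropbox.com" or h.endswith(".dropbox.com")
    return ev["method"] == "POST" and "dropbox" in h and not genuine


def is_bot_call_from_browser(ev: dict) -> bool:
    """sendMessage to the Bot API from an application that is not a Telegram client."""
    return (host_of(ev["url"]) == "api.telegram.org"
            and TELEGRAM_BOT_PATH.match(urlparse(ev["url"]).path) is not None
            and "telegram" not in ev["ua"].lower())


def redact_token(url: str) -> str:
    """Never copy a harvested bot token into alerts or tickets."""
    return re.sub(r"/bot[^/]+/", "/bot[REDACTED]/", url)


def correlate(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Per client: blob fetch, then lookalike POST inside the window, optionally
    followed by a Bot API call. Two stages -> medium, three -> high."""
    by_client: dict[str, list[dict]] = {}
    for ev in events:
        by_client.setdefault(ev["client"], []).append(ev)
    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        blob = next((e for e in evs if is_blob_fetch(e)), None)
        if blob is None:
            continue
        deadline = blob["ts"] + window
        post = next((e for e in evs if blob["ts"] < e["ts"] <= deadline and is_lookalike_post(e)), None)
        if post is None:
            continue   # a lone blob fetch (10.0.0.9) is ordinary developer traffic
        tg = next((e for e in evs if post["ts"] <= e["ts"] <= deadline and is_bot_call_from_browser(e)), None)
        chain = [blob["url"], post["url"]] + ([redact_token(tg["url"])] if tg else [])
        alerts.append({"client": client, "severity": "high" if tg else "medium", "chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only 10.0.0.5 fires: the genuine dropbox.com login from 10.0.0.7 and the lone blob fetch from 10.0.0.9 stay quiet, which is the point of requiring two stages before alerting. If the phishing backend relays credentials to Telegram from its own server rather than from the victim's browser, the third stage never appears in your proxy log; the two-stage chain still produces a medium alert, and the Bot API rule remains useful on its own for egress from non-Telegram processes.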
Endpoint layer
| Indicator | Detection logic |
|---|---|
| PDF readers spawning connections to cloud storage | Process behavior monitoring |
| Browser navigating to Dropbox lookalike domains | URL filtering |
| Form submissions to recently registered domains | Domain age checks |
Recommendations
For security teams
| Control | Implementation |
|---|---|
| Phishing-resistant MFA | FIDO2 keys or passkeys for cloud services |
| PDF inspection | Scan AcroForm objects for external links |
| Cloud service monitoring | Alert on unusual blob storage access patterns |
| Telegram blocking | Consider blocking Telegram API if not business-critical |
| User reporting | Make suspicious email reporting easy |
| Domain age filtering | Block or warn on domains < 30 days old |
Email gateway configuration
| Setting | Recommendation |
|---|---|
| PDF link extraction | Enable deep PDF analysis |
| Cloud storage link inspection | Follow and analyze destination |
| Sender reputation | Weight heavily for financial themes |
| Attachment sandboxing | Extend timeout for multi-stage analysis |
For users
- Be suspicious of unexpected document-sharing requests
- Verify sender identity through separate channel before opening attachments
- Check URLs carefully before entering credentials—look for the real domain
- Never re-enter credentials after an “incorrect password” error without verifying the site
- Report suspicious emails even if you didn’t click
- Use password manager autofill—it won’t fill credentials on fake sites
Similar campaigns
This attack follows a pattern seen across multiple credential harvesting operations:
| Campaign | Hosting abuse | Target |
|---|---|---|
| Current | Vercel blob storage | Dropbox |
| 2025 campaigns | Firebase, AWS S3 | Microsoft 365 |
| 2024 campaigns | Cloudflare R2 | Google Workspace |
| Ongoing | GitHub Pages | Various |
The consistent theme: leveraging trusted infrastructure to bypass reputation-based defenses.
Context
This campaign demonstrates the evolution of phishing beyond obvious “click here” attacks. By chaining multiple legitimate services and adding psychological manipulation (the 5-second delay, procurement urgency), attackers create believable scenarios that bypass both technical controls and human judgment.
Organizations should assume that email security alone cannot stop sophisticated phishing. Defense in depth—combining email filtering, endpoint detection, network monitoring, phishing-resistant MFA, and user training—remains essential. The most effective control for credential theft is phishing-resistant authentication that doesn’t rely on passwords at all.