Fake Dropbox Phishing Campaign via PDF and Cloud Storage
A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.
AI Analysis
Technical Summary
This phishing campaign employs a sophisticated, multi-stage attack chain beginning with a procurement-themed email containing a PDF attachment. Upon opening, the initial PDF redirects the victim to a second PDF hosted on a reputable cloud storage domain (notably a vercel-storage.com subdomain), which then directs the user to a counterfeit Dropbox login page. This multi-step redirection leverages trusted cloud services and common file formats (PDF) to bypass traditional security controls such as email filters and endpoint protections. The attackers use social engineering to convince recipients to enter their Dropbox credentials into the fake login page. Once credentials are harvested, they are exfiltrated to attacker-controlled infrastructure via Telegram bot APIs, a less common but effective exfiltration channel that may evade network monitoring. The campaign tags indicate use of various MITRE ATT&CK techniques including phishing (T1566), credential access (T1078), command and scripting interpreter (T1059.007), and data exfiltration over alternative protocols (T1102.003). The absence of a CVE or known exploits suggests this is a social engineering-based threat rather than a software vulnerability. The campaign’s reliance on legitimate cloud platforms and business-related themes increases its likelihood of success and complicates detection.
Potential Impact
For European organizations, the primary impact is credential theft leading to unauthorized access to Dropbox accounts and potentially other linked corporate resources. Compromised credentials can enable attackers to access sensitive corporate data stored in Dropbox, disrupt business operations, or facilitate further lateral movement within the organization’s network. The use of trusted cloud storage and PDF files lowers suspicion, increasing the risk of successful phishing. Exfiltration via Telegram complicates detection and response efforts. Organizations with procurement or supply chain functions are particularly vulnerable due to the theme of the phishing email. Loss of credentials can lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial loss. The campaign’s medium severity reflects the moderate but tangible risk posed by credential compromise and subsequent misuse.
Mitigation Recommendations
1. Implement advanced email filtering solutions that analyze multi-stage redirections and inspect PDF attachments for embedded URLs or suspicious content.
2. Conduct targeted phishing awareness training emphasizing the risks of opening unsolicited procurement-related attachments and verifying URLs before entering credentials.
3. Enforce multi-factor authentication (MFA) on Dropbox and other cloud services to reduce the impact of stolen credentials.
4. Monitor network traffic for unusual outbound connections to Telegram API endpoints or other uncommon exfiltration channels.
5. Use domain and URL reputation services to block access to known malicious domains such as the identified vercel-storage.com subdomain and suspicious URLs.
6. Employ endpoint detection and response (EDR) tools to detect suspicious PDF behaviors and script execution.
7. Regularly audit and review access logs for Dropbox and cloud services to identify anomalous login attempts or geographic irregularities.
8. Encourage users to report suspicious emails and provide clear procedures for verification of procurement requests.
9. Collaborate with cloud service providers to report and take down malicious hosted content promptly.
10. Maintain updated threat intelligence feeds to stay informed about emerging phishing campaigns and indicators of compromise.
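The following triage helper is an added example that is not part of the AlienVault pulse or the Forcepoint write-up. It covers recommendations 1, 4 and 5 above: it pulls link targets out of a PDF attachment and flags URLs, whether they come from the PDF or from proxy log lines, that match the patterns this report describes (a public blob-storage host used as a stage-2 hop, a Telegram Bot API call, and a full URL smuggled inside another URL's query string, as in the second IoC). The sample PDF and log lines are constructed; the block-list host is the one named in this report's IoCs, and the bot token in the log sample is a placeholder.

```python
"""Triage helper: extract PDF link targets and flag URLs matching the report's
redirect-and-exfiltrate pattern. Added example; sample inputs are constructed."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# /URI entries of PDF link annotations, e.g.  /A << /S /URI /URI (http://x) >>
# Raw-byte matching only sees uncompressed objects; see the usage note.
PDF_URI_RE = re.compile(rb"/URI\s*\((?P<u>[^)]*)\)")

# Telegram Bot API call shape: api.telegram.org/bot<numeric id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/\w+", re.I)

# Anything that looks like a URL inside free text (proxy logs, mail bodies)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s\"'<>]+")

# Host taken from this report's IoC list; a deployment would load this set
# from the threat-intel feed named in recommendation 10.
BLOCK_HOSTS = frozenset({"nte2srryro7jecki.public.blob.vercel-storage.com"})


def refang(url: str) -> str:
    """Undo common defanging so defanged IoCs parse like live URLs."""
    return url.replace("[://]", "://").replace("[.]", ".").replace("hxxp", "http")


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI link target stored in plain (uncompressed) PDF objects."""
    return [m.group("u").decode("latin-1") for m in PDF_URI_RE.finditer(pdf_bytes)]


def classify_url(url: str, block_hosts: frozenset[str] = BLOCK_HOSTS) -> list[str]:
    """Return the names of the rules the URL trips (empty list = nothing notable)."""
    url = refang(url)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings: list[str] = []
    if host in block_hosts or any(host.endswith("." + h) for h in block_hosts):
        findings.append("blocklisted-host")        # recommendation 5
    if host.endswith(".public.blob.vercel-storage.com"):
        findings.append("public-blob-storage")      # stage-2 hosting seen in this campaign
    if TELEGRAM_BOT_RE.search(url):
        findings.append("telegram-bot-api")         # recommendation 4
    # The report's second IoC carries a complete https:// URL inside the ?ai= value.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(re.search(r"https?://", v) for v in values):
            findings.append("nested-url")
            break
    return findings


def scan_log(lines: list[str], block_hosts: frozenset[str] = BLOCK_HOSTS):
    """Return (line number, url, findings) for every URL in the lines that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_IN_TEXT_RE.findall(line):
            findings = classify_url(url, block_hosts)
            if findings:
                hits.append((n, url, findings))
    return hits


# Constructed one-page PDF whose only link points at the report's stage-2 URL.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 730]\n"
    b"  /A << /S /URI /URI (http://nte2srryro7jecki.public.blob.vercel-storage.com/ProductLists.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed proxy log lines (timestamps, client IP and bot token are made up).
SAMPLE_PROXY_LOG = [
    "2026-02-02T20:10:01Z 10.0.0.15 GET http://nte2srryro7jecki.public.blob.vercel-storage.com/ProductLists.pdf 200",
    "2026-02-02T20:11:44Z 10.0.0.15 GET https://www.dropbox.com/login 200",
    "2026-02-02T20:12:09Z 10.0.0.15 POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage 200",
]

if __name__ == "__main__":
    for uri in extract_pdf_uris(SAMPLE_PDF):
        print("PDF link:", uri, classify_url(uri))
    for n, url, findings in scan_log(SAMPLE_PROXY_LOG):
        print(f"log line {n}: {url} -> {findings}")
```

Two limits worth knowing before relying on this in a mail gateway: the raw-byte regex only finds `/URI` actions stored in uncompressed objects, so a PDF that keeps its annotations in a compressed object stream needs a real PDF parser to decompress first; and the `nested-url` rule only looks at query values, so a URL carried in a path segment or fragment would need an extra check.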
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Indicators of Compromise
- url: http://nte2srryro7jecki.public.blob.vercel-storage.com/ProductLists.pdf
- url: http://tovz.life/bid-doc2026.php/?ai=xdC2https[://]api.telegram.org/bot6141034733:AAH-FLm9XyFjiV6F7jq6UHBXcVZTq7rZbP0/sendMessage
- domain: nte2srryro7jecki.public.blob.vercel-storage.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.forcepoint.com/blog/x-labs/dropbox-pdf-phishing-cloud-storage
- Adversary: null
- Pulse Id: 6980ed6ccc717599f536d820
- Threat Score: null
Threat ID: 698105ccf9fa50a62f55d511
Added to database: 2/2/2026, 8:15:08 PM
Last enriched: 2/2/2026, 8:29:28 PM
Last updated: 2/3/2026, 12:55:17 PM