

PDF Phishing: How Attackers Exploit Email Attachments


PDF phishing overview:

  • PDFs are trusted in professional environments, making them an effective phishing vehicle.
  • Attackers hide malicious content inside PDFs using hyperlinks, clickable overlays, and QR codes.
  • Spoofed sender identity makes PDF phishing significantly more convincing.
  • A DMARC policy set to p=reject helps prevent domain spoofing. p=none provides visibility, not protection.
  • Pairing DMARC with Lookalike Domain Defense, Breach Detection, and network-level filtering enhances your security posture.

PDFs are a staple of business communication. Contracts, invoices, and reports arrive as PDF attachments every day – and recipients open them without hesitation. Attackers know this. A malicious PDF looks identical to a legitimate one, and most email filters find it difficult to analyze the content inside an attachment.

This blog explains what PDF phishing is, why it works, and what your organization can do to reduce its exposure.

Why PDF Attachments Are a Phishing Vector

PDFs carry an implicit trust that other file types don’t. They are associated with official, finalized documents. A PDF from a supplier, a bank, or an internal department doesn’t raise flags – it looks like work.

Attackers exploit that trust deliberately. By embedding malicious content inside a PDF, they take advantage of the fact that most filters find attachment content significantly harder to analyze than the email body.

PDF Phishing Techniques

PDF phishing attacks use several techniques to deliver malicious payloads:

  • Embedded Links: Attackers include hyperlinks inside PDFs that route recipients to credential-harvesting pages or trigger malware downloads. A filter that only scans the message body never sees them; surfacing them means parsing the PDF’s link annotations and actions, which many gateways skip or do only superficially.
  • Clickable Overlays: Attackers place an invisible link region over legitimate-looking PDF content, such as a button or an image, or over the entire page. The recipient thinks they are interacting with the document normally; the click routes them to a phishing site or triggers a malware download.
  • QR Codes: Attackers embed QR codes that, when scanned, route victims to phishing sites. Because the destination URL is encoded in an image rather than written as text, tools that only extract URLs from text never see it, and the victim typically scans it with a personal phone, outside corporate web filtering.
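As an added example, not code from the original article or from Sendmarc, the following Python parser shows what “inspecting attachment content” has to do for the three techniques above: it pulls every URI out of a PDF’s link annotations and open-actions, including URLs stored as hex strings or hidden inside a compressed stream, and flags link rectangles that cover the whole page, which is how an invisible clickable overlay is built. It builds its own sample PDF inline with constructed .example hostnames and handles only the common cases (a literal /Length, zlib-compressed streams); a production scanner also has to resolve indirect objects and object streams, and decoding QR codes needs image processing that the standard library does not provide.

```python
"""Pull click targets and auto-run actions out of a PDF attachment (stdlib only)."""
import re
import zlib

# Constructed sample attachment, not a real phishing sample. It carries:
#   obj 1: an /OpenAction URI that fires when the document is opened
#   obj 4: a visible "View invoice" button whose link is a plain /URI literal string
#   obj 5: an invisible link covering the whole page, URL stored as a PDF hex string
#   obj 7: a link annotation hidden inside a FlateDecode-compressed stream
# Hostnames are hypothetical placeholders under .example.
def build_sample_pdf() -> bytes:
    hidden = (b"7 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 120 70] "
              b"/A << /S /URI /URI (https://docs-signin.example/view) >> >> endobj")
    packed = zlib.compress(hidden)
    hex_url = b"https://accounts-verify.example/login".hex().encode()
    return b"\n".join([
        b"%PDF-1.5",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R "
        b"/OpenAction << /S /URI /URI (https://cdn-update.example/reader-patch.exe) >> >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 5 0 R 7 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 640] "
        b"/A << /S /URI /URI (https://invoice-portal.example/inv/2291) >> >> endobj",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
        b"/A << /S /URI /URI <" + hex_url + b"> >> >> endobj",
        b"6 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >> stream",
        packed, b"endstream endobj",
        b"trailer << /Root 1 0 R >>", b"%%EOF",
    ])


_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
_STREAM_RE = re.compile(rb"/Length\s+(\d+)[^>]*>>\s*stream\r?\n")   # literal /Length only
_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)         # (literal string)
_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                  # <hex string>


def _box(key: bytes, data: bytes):
    """Return the four numbers of /key [a b c d] (MediaBox or Rect), or None."""
    m = re.search(rb"/" + key + rb"\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]", data)
    return tuple(float(v) for v in m.groups()) if m else None


def _unescape(raw: bytes) -> str:
    """Decode PDF literal-string escapes: backslash-char and backslash-octal."""
    def sub(m):
        e = m.group(1)
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", sub, raw, flags=re.S).decode("latin-1")


def _unhex(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:
        digits += b"0"                      # PDF treats a missing final digit as 0
    return bytes.fromhex(digits.decode()).decode("latin-1")


def expand(pdf: bytes) -> bytes:
    """Append the inflated body of every zlib stream so hidden objects get scanned too."""
    parts = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        raw = pdf[m.end():m.end() + int(m.group(1))]
        try:
            parts.append(zlib.decompress(raw))
        except zlib.error:
            pass                            # not zlib data (image, other filter)
    return b"\n".join(parts)


def find_link_actions(pdf: bytes, overlay_ratio: float = 0.8) -> list:
    """Every URI target with its trigger, and whether its clickable area covers
    most of the page (the invisible-overlay technique)."""
    data = expand(pdf)
    page = _box(b"MediaBox", data)
    page_area = abs(page[2] - page[0]) * abs(page[3] - page[1]) if page else None
    findings = []
    for m in _OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        urls = [_unescape(u) for u in _LIT_RE.findall(body)]
        urls += [_unhex(h) for h in _HEX_RE.findall(body)]
        if not urls:
            continue
        rect = _box(b"Rect", body)
        overlay = bool(rect and page_area and
                       abs(rect[2] - rect[0]) * abs(rect[3] - rect[1]) >= overlay_ratio * page_area)
        trigger = "open_action" if b"/OpenAction" in body else "link"
        findings.extend({"obj": num, "url": u, "trigger": trigger, "overlay": overlay} for u in urls)
    return findings


if __name__ == "__main__":
    for hit in find_link_actions(build_sample_pdf()):
        print(hit)
```

Running it lists four findings: the open-action URL that fires without any click, the visible button link, the full-page overlay (flagged `overlay: True`) whose URL was stored as hex, and the link that only appears after the compressed stream is inflated. A body-only URL scanner reports none of them.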

Why PDF Phishing Bypasses Standard Filters

Most email security tools scan the message body for malicious content – suspicious links, known phishing phrases, and flagged keywords. PDF attachments present a different problem. The malicious payload is inside the file, and analyzing content within an attachment is significantly harder than scanning the email body.

Deep inspection of PDF content – including embedded links and QR codes – requires more sophisticated tooling that not all companies have deployed. Attackers are aware of this gap and build their campaigns around it.

Sender trust adds to the problem. A phishing email that appears to come from a known supplier or an internal finance team is far more likely to be opened than one from an unknown address. When the sender seems legitimate, recipients will typically open attachments without suspicion.

That combination – a clean-looking email and a trusted sender – is what makes this attack technique effective. DMARC enforcement removes one part of it: it stops mail that forges your exact domain in the visible From address. It does nothing against a lookalike domain or a legitimate but compromised mailbox, which is why the attachment itself still has to be inspected.

What Businesses Should Do

  • Publish a DMARC policy of p=reject. Monitoring mode (p=none) provides visibility, not protection: failing mail is reported but still delivered. Move every domain to enforcement, not just the primary one. Subdomains inherit p= unless sp= overrides it, and domains that never send mail should still publish p=reject (with an SPF record of v=spf1 -all) so attackers cannot borrow them.
  • Ensure SPF and DKIM are correctly configured and aligned. DMARC passes only when SPF or DKIM passes and the authenticated domain (the SPF envelope-sender domain or the DKIM d= domain) aligns with the domain in the visible From header. If a legitimate sender is not aligned, p=reject blocks your own mail, which is why many organizations stall at p=none; if the DMARC record itself is malformed, receivers ignore it regardless of what p= is set to.
  • Monitor for lookalike domains. Attackers targeting your organization often register domains that closely resemble your own – substituting letters, adding hyphens, or using different top-level domains. Continuous monitoring for lookalike domains provides early warning of campaigns before they reach inboxes.
  • Deploy a filter that inspects attachment content. Basic content filtering isn’t enough. Use an email gateway or network filter that performs deep inspection of PDF attachments: extracting link annotations and document actions, decoding QR codes from the rendered pages, and following the extracted URLs in a sandbox rather than trusting the text of the document.
  • Run phishing awareness training that includes attachment-based threats. Most awareness programs focus on suspicious links in email bodies. Ensure training covers hyperlinks and QR codes in attachments.
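The following Python is an added example, not Sendmarc’s code or product logic, that works through two of the recommendations above: how a receiver evaluates DMARC alignment and disposition for a message (why p=none lets a spoof through, why an unaligned SaaS sender fails under p=reject, how sp= and strict alignment change the outcome), and a simple lookalike test for From domains that are not yours, covering the letter substitutions, hyphens and TLD swaps described in the list. It assumes a simplified organizational-domain rule (last two labels, where production code would use the Public Suffix List), its own small homoglyph table and thresholds, and constructed domain names under .example.

```python
"""Inbound sender triage, stdlib only: does the visible From domain pass DMARC
alignment, and if it is not one of our domains, is it a lookalike of one?"""
from typing import Iterable, Optional


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags and fill in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])    # subdomains inherit p= unless sp= is set
    tags.setdefault("adkim", "r")       # relaxed alignment unless "s"
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption).
    Production code uses the Public Suffix List so example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf_domain: Optional[str],
                      dkim_domains: Iterable[str]) -> dict:
    """record: DMARC record published for from_domain's organizational domain.
    spf_domain: RFC5321.MailFrom domain if SPF passed, else None.
    dkim_domains: d= of every DKIM signature that verified."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, from_domain, tags["adkim"]) for d in dkim_domains)
    passed = spf_ok or dkim_ok
    # p= governs the org domain itself, sp= its subdomains (assuming the
    # subdomain publishes no _dmarc record of its own)
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    return {"result": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": "none" if passed else policy}


# Lookalike check: the gap DMARC leaves open. Table and thresholds are this
# example's own choices, not a standard.
_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
          ("4", "a"), ("5", "s"), ("-", "")]


def normalize_label(label: str) -> str:
    """Fold common substitutions so example, exarnple and ex-amp1e compare equal."""
    out = label.lower()
    for src, dst in _FOLDS:
        out = out.replace(src, dst)
    return out


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected org domain that `candidate` imitates, or None.
    A candidate inside one of our own org domains is our mail, not a lookalike."""
    cand_org = org_domain(candidate)
    cand_label = normalize_label(cand_org.split(".")[0])
    for p in protected:
        p_org = org_domain(p)
        if cand_org == p_org:
            return None
        p_label = normalize_label(p_org.split(".")[0])
        if len(p_label) < 5:                # short brands produce too many false hits
            continue
        if (cand_label == p_label            # TLD swap, hyphen, homoglyph
                or p_label in cand_label     # brand plus a suffix: example-secure
                or edit_distance(cand_label, p_label) <= 1):  # one letter off
            return p_org
    return None
```

The two functions answer different questions and neither replaces the other: `dmarc_disposition` only matters when the From domain is literally yours, and a spoof under p=none still comes back with disposition `none`, that is, delivered. `lookalike_of` covers the domains DMARC can never speak for, and in monitoring it is better tuned for early warning than for zero false positives.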

The Operational Reality

Large companies managing sending infrastructure across multiple departments, regions, and SaaS platforms face a growing problem. Every tool that sends email on your behalf – marketing systems, CRMs, billing software – represents a potential authentication gap. When SPF and DKIM aren’t correctly configured for every authorized sender, those gaps create spoofing opportunities that attackers can and do exploit.

Security and IT teams don’t have the capacity to manually audit every sender. Unauthorized senders appear. Authentication drift accumulates. Without continuous visibility, issues often go unnoticed until they become real problems.

PDF phishing is a real and growing threat. DMARC is a foundational control that closes one critical entry point attackers rely on: spoofing your own domain. Pairing it with Lookalike Domain Defense, Breach Detection, and network-level filtering enhances your security posture.

Businesses that haven’t enforced DMARC remain vulnerable to domain spoofing – giving attackers the ability to make phishing emails, and the PDFs they carry, appear credible. See how Sendmarc helps you close that gap.