New Phishing Attack Uses Decoy PDF to Scalp Credentials at Colorado Law Firm

Recently, A PDF decoy was used in stealing credentials from a Denver based law firm. This phishing attack was made possible by use of Azure blob storage that contained a Microsoft-issued domain and SSL certificate.

What makes this particular phishing scheme troublesome to detect is the effectiveness, precision, and complexity of the decoy used. Enabled by hosting the bait in Azure blob storage, the cutting-edge attack included a Microsoft-issued SSL certificate and domain, heightening the legitimacy of the landing page, and successfully hiding the “hook” from both users and software alike. Since the landing page was so convincing and presented to be secure, users felt comfortable entering their Office 365 Credentials (username and passwords).

Protect Organizations from Cybercrime with Phish Threat End User Training

The attack starts with an email sent to users with a PDF attachment that reads, “Scanned Document…Please Review.pdf.,” Once clicked, in an effort to download the attachment, the Denver Colorado users then were prompted to enter their Office 365 credentials. What happened next isn’t unusual – redirecting the users to another phishing page which presented a claim that their personal information was entered inaccurately. From there, the users experienced a multiple redirect journey, until the users finally landed upon a Microsoft page; empty-handed with no downloaded PDF, and stolen credentials to boot. Some victims continued to try and retrieve the downloadable PDF by entering their username and password information again, and sometimes even other credentials.

Why is this attack so impressive? It aims to trick even the most phishing aware-users, who use caution and check to ensure the domain and SSL certificate of a website match the content. This new tactic is showcasing bad-actors ability to go beyond unaware users, and finding ways to target, and trick even those who are aware.

To avoid falling victim to the decoy, be sure to check the subdomain. This will show that it is Azure blob storage, not a legitimate Microsoft address.


In the effort to secure your organization it is essential to have a multi-threat protection mindset that stems from your cloud, to your network hardware all the way down to your users.

Some of these technologies include next-gen firewall, email protection, and spam filtering, ransomware protection, user-awareness training, and dark web credential theft monitoring in place. The only true way to protect your organization from the varying types of attacks is to apply a defense in depth strategy.

"Whether you're in colorado, or vermont, new york or new hampshire, we're all neighbors on the network." Devi Momot pins and string on map