ATTACKERS are carrying out a multistage, credential-harvesting phishing campaign that targets corporate inboxes by asking employees to view a fake “request orders” PDF, which then redirects to a convincing Dropbox login page. The PDF itself contains no malware, but the lure leads users to a blurry PDF hosted on a legitimate cloud service, with a second link that prompts a fake Dropbox authentication.
When victims enter credentials, the site delays for five seconds before returning an “incorrect username/password” message, and the harvested data, along with location information, is fed to an attacker-controlled Telegram bot. The campaign is notable for passing several email-authentication checks (SPF, DKIM and DMARC), a factor that helps it avoid easy detection.
Forcepoint researchers described the scheme as credential theft with the potential for account takeover and follow-on fraud, and according to Forcepoint X-Labs, the actors use the collected data to enable further misuse. The report, published on 2 February 2026, urges organisations to reinforce phishing awareness and verify requests via secondary channels.
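Because the messages pass SPF, DKIM and DMARC, the Telegram hand-off described above is a more useful signal for defenders than the mail headers. The following is an added detection sketch, not code from Forcepoint or from the campaign: it correlates a form POST from a workstation with a Telegram Bot API call from the same client shortly afterwards. The log format, host names, addresses and the 30-second window are constructed for illustration, and it assumes the phishing page contacts the Telegram Bot API from the victim's browser, which the report summary does not state; a kit that relays server-side would not be visible at the proxy.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, URL); not taken from the report.
SAMPLE_LOG = """\
2026-03-10T09:14:03 10.0.4.17 GET https://files.cloud-host.example/request-orders.pdf
2026-03-10T09:14:41 10.0.4.17 GET https://login-portal.example/dropbox/signin
2026-03-10T09:15:02 10.0.4.17 POST https://login-portal.example/dropbox/signin
2026-03-10T09:15:04 10.0.4.17 POST https://api.telegram.org/botPLACEHOLDER/sendMessage
2026-03-10T09:20:30 10.0.4.22 POST https://www.dropbox.com/login
2026-03-10T10:00:00 10.0.4.30 POST https://intranet.example/timesheet
2026-03-10T11:02:00 10.0.4.30 POST https://api.telegram.org/botPLACEHOLDER/sendMessage
"""

# Assumed correlation window: the page's five-second delay plus slack.
WINDOW = timedelta(seconds=30)

def parse(log):
    """Yield (time, client, method, split URL) for each log line."""
    for line in log.splitlines():
        ts, client, method, url = line.split()
        yield datetime.fromisoformat(ts), client, method, urlsplit(url)

def is_telegram_bot_call(u):
    # Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>
    return u.hostname == "api.telegram.org" and u.path.startswith("/bot")

def find_suspects(log, window=WINDOW):
    """Return (client, form_host, seconds) where a form POST is followed
    within `window` by a Telegram Bot API call from the same client."""
    last_post = {}  # client -> (time, host) of its most recent form POST
    hits = []
    for ts, client, method, u in parse(log):
        if is_telegram_bot_call(u):
            if client in last_post and ts - last_post[client][0] <= window:
                post_ts, host = last_post[client]
                hits.append((client, host, int((ts - post_ts).total_seconds())))
        elif method == "POST":
            last_post[client] = (ts, u.hostname)
    return hits

if __name__ == "__main__":
    for client, host, secs in find_suspects(SAMPLE_LOG):
        print(f"{client}: POST to {host}, Telegram bot call {secs}s later")
```

Each hit names the host that received the form POST, so an analyst can check whether it is a real Dropbox domain and reset the affected account's credentials if it is not.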