Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

Attackers Harvest Dropbox Logins Via Fake PDF Lures

  • What: A phishing campaign is targeting corporate inboxes using fake PDF lures.
  • Why: The goal is to steal Dropbox login credentials.
  • Impact: Successful attacks lead to compromised Dropbox accounts.

Alexander Culafi, Senior News Writer, Dark Reading. February 2, 2026.

A new phishing scheme aims to trick organizations into giving up their Dropbox logins using a multistage obfuscation strategy.

Data security vendor Forcepoint on Monday published research concerning an email-based social engineering campaign observed in the wild. It follows a pattern often seen: the threat actor sends an email to the target requesting that the latter open a linked PDF to review a phony "request order." The PDF includes a link to log in to a believable-yet-fake Dropbox phishing site; the target is asked to use his or her professional email address to log in and review the "order," with reassurance that once the target does so, a response will automatically be sent to the email sender. The threat actor harvests the target's Dropbox credentials and location data, while the phishing site spits back an "incorrect username/password" message.

One aspect that makes this campaign stand out is that neither the PDF nor the email nor the phishing site includes conventional malware of any kind. Credential theft is the end goal. While that might (reasonably) make one ask, "So what?" this and other aspects paint a portrait of an unexpectedly thoughtful scheme. And if the attackers are able to bypass security checks and reach employee inboxes, it is a scheme worth being aware of.

What Makes This Fake Dropbox Phishing Campaign So Effective

The PDF attached to the email lure includes a brief message and a link beckoning the target to read the actual file. The target clicks the link and is sent to a blurry PDF hosted on a legitimate cloud service that looks like an invoice or order form of some kind, with a hyperlink over it stating, "Your PDF is ready" and instructing the reader to "click here." It is this second link that leads to the fake Dropbox login. The lure contains no malware, while also presenting as straightforward and professional.
It also comes from an internal email address (either spoofed or compromised), making the request seem routine while passing email authentication checks (including, the blog post points out, SPF, DKIM, and DMARC).

"A clean PDF is much more likely to get through email security and reach the victim. Malware often triggers alarms, blocks delivery or causes attachments to be quarantined. By avoiding malware and focusing only on credentials theft, the attackers increase the chances that the email is delivered, opened and trusted," Hassan Faizan, senior security researcher at Forcepoint, tells Dark Reading. "In short, they chose reliability over complexity."

The initial PDF link, which sends users to that second pre-phish document, is hosted on Vercel (a legitimate cloud hosting provider) and by extension carries a URL in line with that platform. That, too, builds trust.

When the user reaches the Dropbox login and types in credentials, the site has a built-in five-second delay before telling the user their email or password is incorrect, so as to resemble an authentic login. Credentials are harvested along with user system and location data, which are fed to an attacker-controlled Telegram bot. These credentials enable "further misuse such as account takeover, internal access or additional follow-on fraud," Forcepoint X-Labs security researcher Prashant Kumar wrote in the blog post.

How Organizations Can Protect Themselves

Forcepoint's blog post includes indicators of compromise and notes that its products are protected against this campaign.

Many phishing best practices remain useful here. Don't open a PDF attachment unless you can guarantee it came from a trusted source. Before opening any untrusted attachment, or upon receiving a suspicious email, get verbal or visual secondary confirmation from the person who sent it (such as via a phone call) or from a relevant decision-maker within the organization.
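The chain described above (an internal-looking email, a PDF staged on a shared hosting platform, then a login page with the brand name in a hostname the brand does not own) can be triaged mechanically. The script below is an added example written for this page, not Forcepoint's or Dark Reading's code: it tags each hop of a lure chain with the properties the article describes. The brand domain list, the shared-hosting suffix list, the tiny public-suffix stand-in and all sample URLs are constructed assumptions for illustration.

```python
"""Heuristic triage of links found in a suspected phishing lure.

Added example (not Forcepoint's or Dark Reading's code). It scores each URL in a
lure chain for the properties the article describes: a brand name appearing in a
hostname that is not the brand's own registrable domain, content staged on a
shared hosting platform, plain HTTP, and bare IP hosts. Domain and suffix lists
are illustrative assumptions, not a complete public-suffix list.
"""
import ipaddress
from urllib.parse import urlparse

# Legitimate registrable domain(s) of the impersonated brand (assumption: only dropbox.com listed).
BRAND_DOMAINS = {"dropbox": {"dropbox.com"}}

# Shared hosting suffixes where anyone can publish under a trusted-looking URL.
# The article notes the intermediate PDF was hosted on Vercel; the other entries are assumptions.
SHARED_HOSTING_SUFFIXES = ("vercel.app", "github.io", "netlify.app", "web.app")

# Tiny stand-in for the public suffix list; enough for this example.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_url(url: str, brand: str = "dropbox") -> list[str]:
    """Return finding tags for one URL; an empty list means nothing was flagged."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings: list[str] = []
    if not host:
        return ["no-host"]
    if parsed.scheme != "https":
        findings.append("plain-http")
    if _is_ip_literal(host):
        findings.append("ip-literal-host")
        return findings
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS.get(brand, set()):
        return findings  # the brand's own domain: the brand name there is expected
    if brand in host:
        # e.g. dropbox-login.<other-domain> or dropbox.com.<other-domain>
        findings.append(f"brand-in-host:{reg}")
    elif brand in parsed.path.lower():
        findings.append(f"brand-in-path:{reg}")
    if reg in SHARED_HOSTING_SUFFIXES:
        findings.append(f"shared-hosting:{reg}")
    return findings


def triage_chain(urls: list[str], brand: str = "dropbox") -> dict:
    """Triage every hop of a lure chain (email link -> staged PDF -> login page)."""
    hops = [{"url": u, "findings": triage_url(u, brand)} for u in urls]
    return {"hops": hops, "suspicious": any(h["findings"] for h in hops)}


if __name__ == "__main__":
    # Constructed sample chain mirroring the article's shape; these URLs are made up.
    sample_chain = [
        "https://review-order.vercel.app/request-order.pdf",
        "https://dropbox-login.example-files.net/auth",
    ]
    for hop in triage_chain(sample_chain)["hops"]:
        print(hop["url"], "->", hop["findings"] or "clean")
```

The registrable-domain check is the part that matters: a hostname like dropbox.com.evil.example contains the brand string but is controlled by whoever owns evil.example, so the tag is raised on the owner's domain, not on the leading labels. A real deployment would swap the tiny suffix set for the public suffix list and feed the chain from extracted email and PDF links.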
If you are given an urgent call to action to do something like log in to a website with your business credentials, take a moment to evaluate the request critically.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading. Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
