
The Growing Threat of PDF-Based Cyber Attacks: A Silent Entry Point in the Digital Workplace

Himani Verma Content Contributor

7 Apr 2025, 2:14 pm GMT+1

PDF-Based Cyber Attacks

PDFs are everywhere—but so are cyber threats hiding within them. With 22% of malicious email attachments now embedded in PDFs, attackers are exploiting this trusted format to bypass defences and launch phishing attacks. As businesses rely on PDFs for daily communication, understanding how they’re weaponised is critical to staying protected in today’s evolving threat landscape.

Cyber attackers are increasingly turning to PDFs as a primary tool for launching attacks, exploiting their widespread use and trusted reputation in business communication. With over 400 billion PDF files opened and 16 billion edited in Adobe Acrobat last year, attackers have identified this format as an effective vehicle for delivering malicious content. 

According to Check Point Research, 22% of malicious email attachments are now embedded in PDFs, making them one of the most commonly exploited file types in phishing and malware campaigns.

PDFs as a common entry point for cyber threats

PDFs remain a preferred medium in business environments, with 87% of organisations relying on them for daily communication. This ubiquity makes them an ideal target for cyber criminals. While 68% of cyber attacks begin with email, PDFs have emerged as particularly effective carriers due to their flexibility and ability to bypass traditional security filters.

The complexity of the PDF format itself is a significant contributor to its vulnerability. Defined by the ISO 32000 standard, the specification spans nearly 1,000 pages, providing attackers with multiple opportunities to insert harmful content in ways that avoid detection. This makes PDFs behave much like CAPTCHA tests—simple for humans to interpret, but challenging for automated systems to scan effectively.

Evolving tactics: From exploits to social engineering

In earlier campaigns, cyber attackers exploited known software vulnerabilities (CVEs) in PDF readers. However, as these readers—especially browsers that now open PDFs by default—have become more secure, threat actors have shifted towards simpler, more targeted techniques.

Modern campaigns often do not rely on software exploits. Instead, attackers embed links, malicious downloads, or prompts for action within the PDF file, relying on social engineering to manipulate the recipient. These tactics are harder to detect as they depend on user interaction. The attacker’s goal is to entice the recipient into clicking a link, scanning a QR code, or calling a phone number, thereby initiating the attack.

Common campaigns and how they operate

Among the most widely observed techniques are link-based PDF attacks. These typically involve a visually clean document containing a hyperlink, often accompanied by a logo or branding from a trusted service such as Amazon, DocuSign, or Adobe. The attacker controls the embedded link, allowing them to quickly change the destination, text, or visual elements to avoid detection.

These types of attacks pose a significant challenge to static security systems, which often rely on signatures or known patterns to identify threats. Since the content within the PDF can be easily altered and requires user interaction to trigger, traditional detection methods fall short.

Techniques used to evade detection

URL Obfuscation: Attackers make use of benign redirect services such as Bing, LinkedIn, and Google AMP to disguise malicious destinations. These services are frequently whitelisted by security systems, reducing the chances of detection. QR codes are another common tactic—encouraging recipients to scan with their phones, effectively bypassing most email and browser-based security filters. Some attacks go further by asking recipients to call phone numbers, removing any digital trail that can be automatically analysed.

Static Analysis Evasion: Many security systems perform static analysis on attachments. However, attackers use annotations, obfuscation, and encoding techniques that confuse these systems. By exploiting inconsistencies in how different PDF readers interpret annotations, attackers can hide links and commands in ways that automated tools fail to identify.

File Obscurement: PDFs allow for various layers of encryption, filtering, and indirect referencing. These features, though legitimate, are manipulated to conceal malicious payloads. While some readers may mark such files as corrupt, most mainstream PDF software is built to prioritise usability and still opens them—allowing the attack to proceed.

Machine Learning Bypass Methods: As machine learning becomes a standard feature in cyber defence, attackers develop evasion methods such as embedding text in images. This forces systems to use Optical Character Recognition (OCR), which may misread or miss key indicators. Other methods include using altered or degraded images and inserting hidden text in formats that deceive Natural Language Processing (NLP) models.
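The redirect-service, annotation and file-structure tricks described under URL obfuscation, static analysis evasion and file obscurement above can be surfaced with a simple triage scan. The following is an added example, not Check Point's tooling or code from this article: it scans a constructed minimal PDF with regular expressions rather than a full PDF parser, and the redirect-host list, the redirect URL shape and the `phish.example` destination are assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hosts the article names as benign redirect services abused to mask destinations.
# This list is an assumption for the example, not a vetted threat-intel feed.
REDIRECT_HOSTS = {"www.bing.com", "bing.com", "www.linkedin.com", "linkedin.com",
                  "www.google.com", "google.com"}

# Constructed minimal PDF (not a real sample): one link annotation routed through a
# redirector, an OpenAction running JavaScript, and an object stream. Placeholders only.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://www.bing.com/redirect?url=https%3A%2F%2Fphish.example%2Flogin) >> >> endobj
5 0 obj << /Type /ObjStm /N 1 /First 10 /Filter /FlateDecode /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string /URI targets only
STRUCTURE_MARKERS = (
    (b"/JavaScript", "embedded JavaScript action"),
    (b"/OpenAction", "action triggered on open"),
    (b"/Encrypt", "encrypted document (content hidden from scanners)"),
    (b"/ObjStm", "object streams (compressed, indirectly referenced objects)"),
)

def classify_uri(uri: str) -> list:
    """Findings for one link target: redirector host and any nested destination URL."""
    findings = []
    parts = urlparse(uri)
    if parts.netloc.lower() in REDIRECT_HOSTS:
        findings.append(f"routes through redirect service {parts.netloc.lower()}")
    # The real destination is often hidden in a query parameter of the redirector.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            inner = urlparse(unquote(value))
            if inner.scheme in ("http", "https") and inner.netloc:
                findings.append(f"nested destination {inner.netloc} in parameter {key!r}")
    return findings

def scan_pdf(pdf: bytes) -> dict:
    """Triage report: each /URI link with its findings, plus structural red flags."""
    uris = [m.decode("latin-1") for m in URI_RE.findall(pdf)]
    return {"uris": {u: classify_uri(u) for u in uris},
            "structure": [why for marker, why in STRUCTURE_MARKERS if marker in pdf]}
```

Real files also need stream decompression, hex-string `/URI <...>` targets and encrypted objects handled, which is where a proper PDF parser replaces the regex.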

Why detection is failing

Check Point Research highlights that even well-established security platforms are failing to detect these new threats. In fact, they report that many of these attacks have evaded all detection by VirusTotal over the past year. This indicates a need for a new approach to threat analysis—one that does not solely rely on static methods or reputation databases.

Protection and mitigation strategies

To combat these rising threats, organisations and individuals can implement the following preventive measures:

  • Verify the source of every PDF attachment, even if the file appears legitimate.
  • Avoid opening unexpected documents, particularly those requesting actions like clicking links, scanning codes, or calling numbers.
  • Hover over links before clicking to reveal the full URL, watching out for suspicious redirects or shortened links.
  • Use secure PDF viewers, preferably browsers or trusted readers with built-in security features.
  • Disable JavaScript functionality in PDF viewers unless it is explicitly needed.
  • Regularly update all systems and security tools to patch vulnerabilities that may be exploited.
  • Remain cautious of documents with poor formatting, typos, or suspicious requests for personal information.


Himani Verma

Content Contributor

Himani Verma is a seasoned content writer and SEO expert, with experience in digital media. She has held various senior writing positions at enterprises like CloudTDMS (Synthetic Data Factory), Barrownz Group, and ATZA. Himani has also been Editorial Writer at Hindustan Times, a leading Indian English language news platform. She excels in content creation, proofreading, and editing, ensuring that every piece is polished and impactful. Her expertise lies in crafting SEO-friendly content for multiple business verticals, including technology, healthcare, finance, sports, innovation, and more.