Cybercriminals turn to PDFs

Apr 27, 2025 - 15:49

PDFs, long trusted as a standard format for business communication, are now being increasingly used by cybercriminals to deliver malicious attacks, according to a new report from Check Point Research.

The cybersecurity firm said that 22 percent of all malicious email attachments now come in PDF format, a noticeable jump as attackers exploit the format's widespread use and perceived safety. In total, 68 percent of cyberattacks still begin with a simple email, the report said.

"PDFs are deceptively simple for the user, but incredibly complex for automated systems to analyze," the report stated. "That's what makes them so attractive to attackers looking to evade traditional defenses."

Last year, more than 400 billion PDFs were opened globally, with over 87 percent of organizations using them daily for communication. As the file format becomes increasingly embedded in workplace routines, attackers have adapted their methods to blend in.

"In many cases, we're seeing sophisticated attacks go undetected for months," said a Check Point spokesman. "They're exploiting the trust people have in PDFs and the technical blind spots of legacy security tools."

One emerging tactic involves embedding QR codes inside PDFs. When scanned, the codes redirect victims to phishing sites via mobile browsers, often bypassing security systems entirely. Other methods include hiding malicious links behind trusted domains like LinkedIn or Google's AMP service, and disguising links as images of common brands like DocuSign or Amazon.

"In recent campaigns, the links were surrounded by realistic-looking visuals that encouraged users to click," the company said. "These links then led to phishing pages or malware downloads. It's a form of social engineering that still works."

Check Point Research found that many of these attacks rely less on complex code exploits and more on manipulating user behavior. That includes phishing links, embedded phone numbers, and the use of benign-looking redirects. In some cases, attackers have even inserted phone scams directly into PDFs, asking victims to call fake support numbers.

The research also noted that static file scans, which many email security solutions use, often miss threats hidden through encoding tricks or PDF-specific obfuscation. Malicious actors use encryption, filters, and indirect objects to hide harmful code, all while keeping the document readable to the end user.
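The blind spot described above can be reproduced with a short script. This is an added example, not code from the Check Point report or from this article. The simplified sample document, the `example.invalid` URL and all function names are constructed for illustration.

```python
import re
import zlib

URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)
STREAM_HDR = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)

def build_sample() -> bytes:
    """Constructed, simplified PDF body: a link action kept inside a
    Flate-compressed stream, so its URI never appears in the raw bytes."""
    action = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://login.example.invalid/reset) >> >>")
    packed = zlib.compress(action)
    header = b"<< /Length %d /Filter /FlateDecode >>" % len(packed)
    return (b"%PDF-1.7\n1 0 obj\n" + header + b"\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")

def inflate_streams(pdf: bytes):
    """Yield the decoded body of each FlateDecode stream.
    Assumes a direct integer /Length; other filters are skipped."""
    for m in STREAM_HDR.finditer(pdf):
        header = m.group(1)
        length = re.search(rb"/Length\s+(\d+)", header)
        if b"/FlateDecode" not in header or length is None:
            continue
        body = pdf[m.end():m.end() + int(length.group(1))]
        try:
            yield zlib.decompress(body)
        except zlib.error:
            continue  # truncated or malformed stream: nothing to scan

def naive_scan(pdf: bytes) -> list:
    """What a raw byte-pattern scanner sees."""
    return URI_RE.findall(pdf)

def deep_scan(pdf: bytes) -> list:
    """Raw bytes plus every stream after its filter is undone."""
    hits = URI_RE.findall(pdf)
    for decoded in inflate_streams(pdf):
        hits.extend(URI_RE.findall(decoded))
    return hits

if __name__ == "__main__":
    sample = build_sample()
    print("raw scan :", naive_scan(sample))
    print("deep scan:", deep_scan(sample))
```

A production scanner would also need to handle chained filters, encrypted documents and indirect `/Length` references, which this sketch deliberately skips.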

"These aren't necessarily flashy attacks, but they're effective," the spokesman said. "The complexity of the PDF format gives attackers plenty of room to hide in plain sight."

To avoid falling victim to such attacks, Check Point recommends users verify sender information, avoid unexpected attachments, and be cautious of links or QR codes in PDFs. Keeping PDF readers and operating systems up to date is also key, as is disabling JavaScript in PDF viewers where possible.

"There's no silver bullet," the company noted, "but awareness and layered security are the best defenses."

Check Point's findings come amid rising concerns about the evolving nature of phishing and email-borne threats, especially as machine learning and automation play bigger roles on both sides of the cybersecurity arms race.
