SecureWorld News

The PDF Is the Payload: Mobile Phishing's Newest Weapon

Written by Cam Sivesind | Tue | Dec 23, 2025 | 3:48 PM Z

For years, security professionals have trained users to look for suspicious links in SMS messages. But as defenders get better at blocking malicious URLs, attackers are pivoting to a more "trusted" format: the PDF.

New research from Zimperium’s zLabs has uncovered a troubling shift in the mobile threat landscape, where cybercriminals are increasingly weaponizing PDF documents delivered directly via SMS and MMS.

According to a blog covering the research, by attaching a PDF to a text message, attackers bypass many traditional mobile security filters that scan primarily for known malicious links. To the user, a PDF feels official and carries a sense of "work-related" legitimacy. To the security stack, it is an opaque file that often requires deep inspection—something many mobile environments lack.

Zimperium’s research highlights two active campaigns that demonstrate the scale and sophistication of this tactic:

  • The EZDriveMA Campaign: Impersonating Massachusetts’ electronic tolling system, attackers sent SMS messages with malicious PDF attachments. To ensure longevity and evade detection, the campaign utilized a massive infrastructure of over 2,100 rapidly generated phishing domains.

    • From the blog post: "This campaign exemplifies how attackers leverage PDF documents to harvest credentials through carefully crafted social engineering attacks. 

      This research expands upon previously documented EZDriveMA-targeted campaigns, which have primarily utilized SMS-based phishing (smishing) approaches targeting drivers with fake toll payment notifications. The identified PDF-based attack vector represents a tactical evolution from these traditional text-based methods, adding sophistication through document attachments that may bypass conventional anti-phishing measures.

      EZDriveMA serves as a high-impact target due to its role as Massachusetts' electronic tolling system, operating on major highways, bridges, and tunnels throughout the state. The system's large user base and the inherent trust users place in toll payment notifications make it particularly susceptible to social engineering attacks, as drivers can easily be convinced they owe unpaid toll fees that could result in debt collection measures or, at worst, fines and criminal penalties."

  • The PayPal Crypto Scam: In this high-touch campaign, attackers spoofed PayPal by delivering fake cryptocurrency invoices via PDF. This attack was particularly insidious because it combined the malicious file with voice-based social engineering (vishing), directing users to call "support" numbers controlled by the hackers.

    • From the blog post: "This attack demonstrates a 'dual-lure' tactic, combining the urgency of a cryptocurrency transaction with a credential harvesting page disguised as a live support service.

      The attack begins with users receiving SMS communications containing a PDF attachment designed to mimic an official PayPal invoice. The document claims a fake payment of $480.11 USD for a Bitcoin (BTC) purchase to create panic. The PDF contains malicious links and phone numbers that redirect victims to credential harvesting operations, offering two distinct attack vectors (digital and voice) to maximize success."

Read the blog for all of the technical details, including attack flow documentation.
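To make the "deep inspection" of an opaque PDF concrete, here is an added Python example (it is not Zimperium's tooling and not code from this article) that statically triages a PDF the way an on-device agent or messaging gateway might before the user taps it. It enumerates link annotations, click-to-call (`tel:`) links, phone numbers in the visible page text, and active-content features, and flags any link to a domain outside an assumed allowlist. The sample PDF, the allowlist, the look-alike domain and the phone numbers are all constructed for this example; the scanner uses only the standard library and is a heuristic first pass, not a full PDF parser.

```python
"""Static triage of a PDF received over SMS/MMS: pull out every clickable URI,
tel: link, phone number in the visible text, and active-content feature, then
decide whether the file deserves analyst review. Standard library only.

Heuristic first pass: object streams, encryption, hex strings and obfuscated
names are out of scope, so "clean" means "no obvious signal", not "safe".
"""
import json
import re
import zlib
from urllib.parse import urlsplit

# Assumed allowlist for this example: domains an organisation might expect in
# genuine invoices or toll notices. A real deployment would source this from policy.
EXPECTED_DOMAINS = {"paypal.com", "ezdrivema.com"}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_BLOCK_RE = re.compile(rb"\bBT\b(.*?)\bET\b", re.S)          # text objects
LITERAL_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)")              # (literal strings)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")           # link annotations
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?(?:\(\d{3}\)|\d{3})[-.\s]?\d{3}[-.\s]?\d{4}")
# Names that enable scripting, program launch or auto-execution on open.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|EmbeddedFile)\b")


def _is_expected(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def _decoded_streams(data: bytes):
    """Yield stream bodies, inflating FlateDecode streams where possible."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # uncompressed, or a filter this triage does not handle


def _visible_text(data: bytes) -> str:
    """Collect string operands inside BT ... ET text objects (Tj/TJ operands)."""
    chunks = []
    for stream in _decoded_streams(data):
        for block in TEXT_BLOCK_RE.findall(stream):
            chunks.extend(s.decode("latin-1") for s in LITERAL_RE.findall(block))
    return " ".join(chunks)


def triage_pdf(data: bytes) -> dict:
    uris = [u.decode("latin-1") for u in URI_RE.findall(data)]
    tel_links = [u for u in uris if u.lower().startswith("tel:")]
    hosts = {urlsplit(u).hostname or "" for u in uris if u not in tel_links}
    untrusted = sorted(h for h in hosts if h and not _is_expected(h))
    phones = sorted(set(PHONE_RE.findall(_visible_text(data))))
    active = sorted({n.decode() for n in ACTIVE_RE.findall(data)})

    # Phone numbers alone are a weak signal (real invoices list support lines);
    # a look-alike domain or active content is what usually tips the verdict.
    signals = [f"link to unexpected domain: {h}" for h in untrusted]
    signals += [f"click-to-call link: {t}" for t in tel_links]
    signals += [f"phone number in body text: {p}" for p in phones]
    signals += [f"active content: /{n}" for n in active]
    return {
        "uris": uris,
        "untrusted_hosts": untrusted,
        "tel_links": tel_links,
        "phone_numbers": phones,
        "active_content": active,
        "signals": signals,
        "verdict": "review" if signals else "clean",
    }


def build_sample_pdf() -> bytes:
    """Constructed sample shaped like the described lure: a fake invoice with a
    link to a look-alike domain and a 'support' number. Not a real artifact."""
    page_text = (b"BT /F1 12 Tf 72 720 Td "
                 b"(PayPal invoice: 480.11 USD for BTC purchase) Tj "
                 b"0 -20 Td (Questions? Call support: 1-800-555-0100) Tj ET")
    compressed = zlib.compress(b"BT 72 680 Td (Dispute at 800-555-0199) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents [4 0 R 5 0 R] /Annots [6 0 R 7 0 R] >>",
        b"<< /Length %d >>\nstream\n" % len(page_text) + page_text + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 730] "
        b"/A << /S /URI /URI (https://paypal-invoice-support.example/login) >> >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 660 300 690] "
        b"/A << /S /URI /URI (tel:+18005550100) >> >>",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(json.dumps(triage_pdf(build_sample_pdf()), indent=2))
```

Run as a script it prints the report for the constructed sample, which lands on "review" because the invoice links to a domain outside the allowlist and carries both a `tel:` link and support numbers in its text. The allowlist match is deliberately suffix-based so that `www.paypal.com` passes while `paypal-invoice-support.example` does not; a real deployment would add the same check to the SMS channel that email gateways already apply to attachments.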

This shift poses a significant threat to organizational security for several reasons:

  1. The context gap: Employees routinely receive PDFs on their mobile devices—invoices, shipping notices, and payment receipts. Because many use their personal devices for work (BYOD), they are less likely to apply the same level of scrutiny to a mobile message as they would to a corporate email.

  2. Bypassing the perimeter: Most enterprise security tools are focused on the email gateway or the network perimeter. Malicious files arriving via MMS often land directly on the endpoint, completely bypassing the controls that inspect traditional "north-south" traffic.

  3. Speed of execution: Using disposable infrastructure and thousands of domains, attackers can steal credentials and sensitive data before security teams even register that an attack is underway.

For CISOs and their teams, this evolution in mobile phishing requires a shift in defensive strategy. They can no longer rely on "link-scanning" as a primary defense.

  • Endpoint-first protection: Mobile Threat Defense (MTD) is no longer optional. Organizations need on-device protection capable of scanning file attachments in real time, regardless of the delivery channel (SMS, WhatsApp, or email).

  • Modernized awareness training: Security awareness programs must be updated to include "Smishing with Attachments." Users need to be taught that a PDF from an unknown number is just as dangerous as a suspicious .exe on a desktop.

  • Zero-Trust for mobile: Treat mobile devices as untrusted endpoints. If a device lacks an active security agent capable of inspecting file-based threats, its access to sensitive corporate applications (SaaS, VPNs) should be restricted.

The weaponization of PDFs in mobile phishing proves that attackers are moving faster than our traditional defenses. The human element, as the "persona layer," becomes the primary target, and an organization's security posture must evolve to protect the device in the employee's pocket as rigorously as the server in the data center.