\nMicrosoft, DocuSign, Adobe, McAfee, NortonLifeLock, PayPal, and Best Buy\u2019s Geek Squad are being impersonated online through malicious emails that contain fake telephone support numbers and dangerous QR codes that can ensnare victims into phishing scams.<\/p>\n
The brands and their products are frequently relied upon for everyday administration, like sending emails, obtaining signatures, viewing documents, receiving payments, and even getting tech help, emphasizing the threat these phishing campaigns have to small business owners and their shops.<\/p>\n
This latest suite of phishing attacks was observed by researchers at Cisco Talos, who discovered that, between May and June, the most impersonated brands for emails containing PDF attachments, in order, were:<\/p>\n
1. Microsoft
2. NortonLifeLock
3. PayPal
4. DocuSign
5. Geek Squad<\/p>\n
The attacks involve a careful blend of technical evasion and social engineering to arrive in people\u2019s inboxes and to send those people on a dangerous path\u2014online or over the phone\u2014into eventually handing over important login credentials or even downloading malware directly onto their computers.<\/p>\n
The emails themselves, according to Talos researchers, often avoid phishing detection because the email bodies are blank. Without any text to review, phishing detection engines that rely strictly on text become somewhat useless.<\/p>\n
But the cybercriminals in these attacks still have to trick targets with their emails, so they instead attach PDFs to those emails that are cleverly structured to automatically load when a person opens just the _email_ , not the _attachment_. What the targets see, then, is nearly indecipherable from a regular email: a convincing company logo, a paragraph or two about an urgent need, and a telephone number, link, or QR code that the reader can follow to \u201cfix\u201d the issue.<\/p>\n
One fraudulent email from \u201cMicrosoft\u201d teased a potential raise with more information behind a QR code, another claimed to arrive from \u201cAdobe\u201d containing a file from \u201cHuman Resources,\u201d two emails\u2014one from \u201cMcAfee,\u201d another from \u201cPayPal\u201d\u2014included fake invoices for hundreds of dollars, and one falsely claimed that a target had a set of downloads to access through \u201cDropbox.\u201d<\/p>\n
As witnessed by the security researchers, many of the emails in these phishing campaigns are part of a broader type of attack called \u201ctelephone-oriented attack delivery\u201d or, more simply, \u201ccallback phishing.\u201d In these types of attacks, targets are tricked into taking their conversations to an entirely separate medium\u2014the phone\u2014where they can be preyed upon further, the researchers said.<\/p>\n
> \u201cVictims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction. Once the victim calls, the attacker poses as a legitimate representative and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.\u201d<\/p>\n
Researchers also discovered emails that contained malicious QR codes that, if scanned by victims, would send them to a separate phishing website. The phishing sites, themselves, also impersonate brands, as researchers found fake login pages for Microsoft and Dropbox.<\/p>\n
## How to stay safe from phishing<\/p>\n
Though the callback phishing scams discovered by cybersecurity researchers involved clever techniques to make sure they reached people\u2019s email inboxes, the rules of phishing detection still apply for everyday businesses. Here are the clear signs of a phishing scam (some of which were present in the callback phishing emails above):<\/p>\n
* **The email invokes urgency, fear, or confusion**. Scammers trick people into clicking on dangerous links or calling unknown numbers because a bigger (fake) problem needs to be addressed immediately. Slow down before taking action.
* **The email includes attachments**. It is extraordinarily rare to receive an attachment in an email from a company that you merely do business with. Don\u2019t trust any attachment from someone you don\u2019t personally know.
* **The email comes from an unknown sender**. Even if the email looks like it has arrived from a major company or a known contact, the email address itself can be spoofed\u2014and sometimes through rather lazy attempts, like replacing letters with numbers or adding a period in the address that shouldn\u2019t be there.
* **The email includes a QR code**. QR codes can easily hide malicious links. Be wary around any you find inside emails.<\/p>\n
It\u2019s important to be able to detect phishing scams on your own, but mistakes happen everywhere, everyday. That\u2019s why the best protection requires an active antimalware solution with web protection.\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams Update ID MALWAREBYTES:A678FA1FF300BC213AD948ACF788317A Type malwarebytes Published 2025-07-03T10:38:59 Last…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,115,13,33,7,11,5],"class_list":["post-7524","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7524\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams Update ID MALWAREBYTES:A678FA1FF300BC213AD948ACF788317A Type malwarebytes Published 2025-07-03T10:38:59 Last...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7524\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-03T07:33:26+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7524#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7524\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams\",\"datePublished\":\"2025-07-03T07:33:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7524\"},\"wordCount\":770,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7524#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7524\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7524\",\"name\":\"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-03T07:33:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7524#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7524\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7524#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7524","og_locale":"en_US","og_type":"article","og_title":"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams - zero redgem","og_description":"Security Update News Update Information Title Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams Update ID MALWAREBYTES:A678FA1FF300BC213AD948ACF788317A Type malwarebytes Published 2025-07-03T10:38:59 Last...","og_url":"https:\/\/zero.redgem.net\/?p=7524","og_site_name":"zero redgem","article_published_time":"2025-07-03T07:33:26+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7524#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7524"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams","datePublished":"2025-07-03T07:33:26+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7524"},"wordCount":770,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7524#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7524","url":"https:\/\/zero.redgem.net\/?p=7524","name":"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-03T07:33:26+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7524#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7524"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7524#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7524"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7524\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}