Abnormal Intelligence

Credential Phishing

Threat Actors Leverage PandaDoc and Dropbox to Deliver Decoy File and Phish for Microsoft Credentials

Attackers use PandaDoc and Dropbox links to disguise credential phishing behind a decoy document and bypass secure email gateways.

March 28, 2025

Attack Target Summary

Attack Overview

Step 1: Email

The attack begins with an email claiming a document has been shared via PandaDoc. The message includes a link to a PandaDoc-hosted file and instructions for what to do if the document doesn’t render properly.

  • The email appears to come from a legitimate sender.
  • It includes a link to a PandaDoc-hosted decoy document.
  • Targets are instructed to copy and paste a secondary Dropbox link.

Step 2: Decoy Document + Social Engineering

Targets who click the PandaDoc link find a blank or non-functional document. The attacker uses this as a social engineering trick to direct them to manually open the Dropbox link.

  • The PandaDoc document is intentionally non-functional or blank.
  • Targets are encouraged to follow alternative instructions.
  • This phase builds trust while shifting attention to the real payload.

Step 3: Dropbox + Credential Harvesting Page

The Dropbox link leads to a Cloudflare Turnstile, which then redirects the target to a Microsoft-branded phishing login page to harvest credentials.

  • Dropbox link bypasses automated analysis by using Cloudflare Turnstile.
  • Redirects targets through multiple stages.
  • Final destination is a credential phishing page mimicking Microsoft login.

Step 4: Final Destination (Spoofed Microsoft Login)

[Image: spoofed Microsoft login page]

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The sender domain passed SPF, DKIM, and DMARC checks.
  • The links pointed to legitimate services (PandaDoc, Dropbox), lending credibility.
  • The Cloudflare Turnstile verification test and redirect logic limited automated link analysis.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Unusual sender behavior and never-before-seen senders.
  • Presence of suspicious Dropbox links.
  • Email content inconsistent with normal communication patterns.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
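
The indicators listed above can be combined into a scoring heuristic, shown here over one constructed message. This is an added example, not Abnormal's detection logic: `KNOWN_SENDERS`, the signal names, the fallback phrase list and the two-signal threshold are assumptions, and the sample email and its URLs are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_SENDERS = {"accounts@supplier.example"}   # assumed per-recipient sender history
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Constructed phrase list: wording that sends the reader to a second link by hand.
FALLBACK_RE = re.compile(r"copy and paste|doesn.t (render|load|open|display)", re.I)

def on_service(host, base):
    """True if host is base or a subdomain of it (a lookalike prefix does not count)."""
    return host == base or host.endswith("." + base)

def score_email(raw):
    msg = message_from_string(raw)
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    has_pandadoc = any(on_service(h, "pandadoc.com") for h in hosts)
    has_dropbox = any(on_service(h, "dropbox.com") for h in hosts)
    auth = msg.get("Authentication-Results", "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    signals = []
    if sender not in KNOWN_SENDERS:
        signals.append("never_seen_sender")
    if has_pandadoc and has_dropbox:
        signals.append("second_file_share_link")
    if has_dropbox and FALLBACK_RE.search(body):
        signals.append("manual_fallback_instructions")
    # Authentication results are reported but never subtract from the score:
    # in this campaign the sender domain passed SPF, DKIM and DMARC.
    return {"auth_pass": auth_pass, "signals": signals, "flag": len(signals) >= 2}

SAMPLE = """\
From: "Jordan Lee" <jordan@newvendor.example>
To: ap@corp.example
Subject: Document shared with you via PandaDoc
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

A document has been shared with you: https://app.pandadoc.com/document/EXAMPLE
If the document doesn't render properly, copy and paste this link into your
browser: https://www.dropbox.com/scl/fi/EXAMPLE/invoice.pdf
"""

if __name__ == "__main__":
    print(score_email(SAMPLE))
```

The sample is flagged on all three signals even though `auth_pass` is true, which is the condition under which authentication-based filtering let the original message through.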

Classification

  • Credential Phishing
  • Link-based
  • External Party - Vendor/Supplier
  • Credential Theft
