The Human Factor: The Weakest Link

In many organisations, people are the weakest link in the security chain. Social engineering is specifically designed to exploit that weakness. Rather than attacking firewalls or breaking encryption algorithms, attackers target human psychology – urgency, fear, authority, curiosity, and trust.


The Evolution of Phishing: How Encrypted PDFs Are Slipping Past Your Defences

Social engineering remains one of the most expansive and effective attack surfaces in cybersecurity. At its core, it exploits a simple truth: every organisation depends on people to function. And wherever there are people, there is human vulnerability.

No matter how technologically advanced a business becomes, it still relies on employees to operate systems, communicate with clients, and manage day-to-day processes. Not all of those employees need to be technically skilled. They certainly do not all need to be cybersecurity experts. That reality creates opportunity – and threat actors are always looking for opportunity.

Phishing in Its Simplest Form

At its most basic, phishing is an attempt to trick someone into handing over sensitive information – usually login credentials – by impersonating a legitimate entity. Traditionally, phishing is delivered via email, although similar variants exist:

  • Vishing: voice-based phishing (phone calls)

  • Smishing: SMS-based phishing

But phishing, in its conventional sense, typically involves an email containing a link to a fraudulent website designed to harvest usernames and passwords.

Strip phishing down to its bare bones and it becomes almost absurdly simple: someone sends you a message asking for your username and password. As alarming as it sounds, there will always be a non-zero percentage of recipients who comply.

Fortunately, most users today are more cautious. They ignore, report, or block suspicious emails. Threat actors know this – and they have adapted accordingly.

Emotional Manipulation: The Attacker’s Advantage

Modern phishing campaigns are rarely crude. Instead, they are engineered to provoke emotion.

Common examples include:

  • “Pay this fee to receive your parcel.”

  • “COURT SUMMONS” in bold capital letters.

  • “Your account will be suspended within 24 hours.”

These messages create urgency, fear, or a perceived sense of authority. Under emotional pressure, critical thinking often takes a back seat.

Regardless of how the email is packaged, the objective remains the same: trick the recipient into surrendering access to their account.

And here’s the critical point: any account is valuable.

It doesn’t matter whether the compromised user is a senior executive or a junior staff member. Even a low-privilege account can provide enough access for an attacker to:

  • Enumerate other users within identity systems

  • Identify higher-value targets

  • Launch internal phishing campaigns

  • Move laterally across systems

Much like a penetration tester, a threat actor does not need much access to cause significant damage. Even limited access can be too much.

The Defensive Response and the Attacker’s Countermove

Security vendors have invested heavily in email security solutions. Modern email gateways and web filtering systems can:

  • Scan embedded links

  • Detonate suspicious files in sandboxes

  • Analyse web forms for credential harvesting behaviour

  • Block known malicious domains

If a phishing link is placed directly in the body of an email, it will often be detected.

Attackers know this. So they have evolved.

Beyond the Obvious Link

Phishing links are no longer always placed directly in the email body. Instead, attackers may:

  • Embed links within attachments

  • Include a link that downloads a file containing the real phishing URL

  • Obfuscate the malicious payload within layered content

In many of these cases, security tools still detect and block the threat.

But recently, a more subtle technique has been gaining traction.

The Rise of Encrypted PDF Phishing

Security Operations Centres are observing an increase in a specific tactic: phishing links hidden inside encrypted PDFs.

Here’s how it works:

  1. The attacker sends an email containing an encrypted PDF attachment.

  2. The body of the email conveniently includes the password needed to open the PDF.

  3. When the recipient decrypts the document, it contains a phishing link.

At first glance, encrypted PDFs are not inherently suspicious. In fact, many legitimate organisations – insurance companies, legal firms, financial institutions – regularly send password-protected PDFs to protect sensitive information.

However, there is a critical distinction:

In legitimate use cases, the password is rarely sent in the same email as the encrypted document.

From a security perspective, sending the decryption key alongside the encrypted file completely defeats the purpose of encryption – unless bypassing security controls is the goal.

And that is precisely the goal.

Why This Works

Security appliances struggle to reliably inspect encrypted attachments. If they cannot decrypt the PDF, they cannot analyse its contents for phishing links or malicious code.

Unlike encrypted ZIP files – which are commonly blocked by default – encrypted PDFs are often allowed through email security filters because they are widely used for legitimate business communication.

The attacker exploits this gap:

  • The encrypted PDF conceals the phishing link from automated scanning tools.

  • The included password ensures the end user can easily open the file.

  • The security appliance never sees the malicious link inside.

In effect, the attacker shifts the inspection responsibility from automated systems back to the human – the very component they are targeting.

What This Means for Organisations

This technique reinforces several important truths:

  1. Technical controls alone are not enough.

  2. User awareness remains critical.

  3. Attackers will continue adapting to bypass defensive technology.

Security solutions are essential. They reduce risk significantly. But they are not infallible – especially when encryption is deliberately used to obscure malicious content.

Organisations should consider:

  • Implementing stricter controls on encrypted attachments

  • Flagging emails that include both encrypted documents and passwords

  • Conducting regular phishing awareness training

  • Reinforcing a culture where employees feel comfortable reporting suspicious emails
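The second recommendation above (flag messages that carry both an encrypted document and its password) and the three-step tactic described earlier can be turned into a simple mail-flow check. The following is an added illustration written for this post, not a tool the article describes or ships; it uses only the Python standard library, treats a PDF as encrypted when its trailer references an /Encrypt dictionary (a cheap heuristic, not a full parser), and builds a constructed sample message so it runs offline.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristic from the post: legitimate senders rarely put the password in the
# same message as the protected file, so the combination is worth a flag.
# The keyword list is an assumption for this example; tune it to your mail.
PASSWORD_HINT = re.compile(
    r"\b(password|passcode|pin)\b\s*(?:is|:|=)?\s*\S+", re.IGNORECASE
)


def pdf_is_encrypted(data: bytes) -> bool:
    """An encrypted PDF references an /Encrypt dictionary from its trailer.
    Substring check only: good enough to route the mail for review."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def flag_encrypted_pdf_with_password(raw: bytes) -> dict:
    """Verdict for one RFC 822 message supplied as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    encrypted_pdfs = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if (part.get_content_type() == "application/pdf"
            or (part.get_filename() or "").lower().endswith(".pdf"))
        and pdf_is_encrypted(part.get_payload(decode=True) or b"")
    ]
    password_in_body = bool(PASSWORD_HINT.search(text))
    return {
        "encrypted_pdfs": encrypted_pdfs,
        "password_in_body": password_in_body,
        "flag": bool(encrypted_pdfs) and password_in_body,
    }


def build_sample(body: str, pdf_bytes: bytes) -> bytes:
    """Constructed test message (not a real phishing sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content(body)
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


# Constructed stand-ins: only the trailer matters for the heuristic.
ENCRYPTED_PDF = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
PLAIN_PDF = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

A flagged message should go to quarantine or analyst review rather than straight to a block, since some legitimate senders do make this mistake.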

Most importantly, users should understand this simple principle:

If someone sends you an encrypted document and provides the password in the same email, treat it with extreme caution.

Final Thoughts

Phishing has evolved far beyond poorly written emails with obvious spelling mistakes. Today’s campaigns are calculated, emotionally manipulative, and technically sophisticated.

The use of encrypted PDFs to bypass email security controls is a reminder that cybersecurity is not just about technology – it is about people, processes, and constant adaptation.

Threat actors innovate. Defenders must do the same.

And in the ongoing battle between security controls and human psychology, awareness remains one of the most powerful defences.
