Cybercriminals are increasingly weaponizing PDF files, leveraging their ubiquity in business communications to launch sophisticated email-based attacks, new research reveals.

With 87% of organizations relying on PDFs for daily operations and over 400 billion opened globally last year, the format has become a prime vehicle for evading detection, accounting for 22% of malicious email attachments, according to Check Point Research (CPR).

The cybersecurity firm found that 68% of cyberattacks originate via email, with PDF-based campaigns now dominating nearly a quarter of these incidents. Attackers exploit the format’s complexity—governed by a 1,000-page ISO specification—to embed malicious links, phishing prompts, or obfuscated code. Unlike earlier methods that targeted PDF reader vulnerabilities, modern tactics prioritize social engineering, capitalizing on user trust in the seemingly innocuous files.

“PDFs act like CAPTCHAs—simple for humans to open but engineered to baffle automated security systems,” explained a CPR analyst. Threat actors increasingly hide harmful content behind redirects via whitelisted platforms like Google AMP or Bing, embed QR codes to bypass URL scanners, or use phone scams to eliminate digital footprints entirely.

CPR observed a surge in “low-tech” link-based campaigns, where PDFs mimic trusted brands like Amazon or DocuSign to trick users into clicking malicious URLs. These attacks exploit gaps in reputation-based security tools, as attackers rapidly alter links, images, or text to evade static detection. Even sandboxes struggle to replicate the human decision-making (opening the file, reading the lure, clicking the link) that such schemes require before anything malicious happens.

Evolving Evasion Tactics

Cybercriminals deploy layered obfuscation techniques to outmaneuver defenses. Static analysis tools are frequently defeated through encoded annotations, indirect objects, or encryption—methods that exploit discrepancies between PDF readers’ interpretations. Machine learning models, meanwhile, are targeted via text embedded in images or invisible characters designed to confuse optical recognition software.
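The "encoded annotations" and stream-level tricks described above defeat scanners that only grep the raw bytes of a file. The following added example (not code from the article or from Check Point) shows the defender-side counterpart: a small triage scanner that resolves hex-escaped PDF name tokens (so an obfuscated /#55RI is recognised as /URI), inflates FlateDecode streams, and then reports link targets and action keys such as /OpenAction and /JS that warrant a closer look. The sample PDFs, URLs and object layout are constructed for the example.

```python
import re
import zlib

# Constructed sample (not a real malicious file): a minimal PDF whose link
# annotation writes the /URI key with hex-escaped name bytes (/#55RI == /URI)
# and whose catalog /OpenAction runs JavaScript when the file is opened.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /#55RI /#55RI "
    b"(https://example.invalid/login) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed variant: the same kind of link action hidden in a FlateDecode stream.
SAMPLE_PDF_FLATE = (
    b"%PDF-1.7\n6 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /S /URI /URI (https://example.invalid/invoice) >>")
    + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

# Keys that mark clickable links, auto-run actions and embedded script.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/URI")

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names (/#55RI) compare equal to /URI.
    Applied to the whole buffer as a triage heuristic, not a full PDF parse."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that zlib can decompress."""
    out = data
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out += b"\n" + zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate (or malformed): the raw bytes are scanned anyway
    return out

def scan_pdf(data: bytes) -> dict:
    """Return link targets and action keys a reviewer should inspect."""
    text = normalize_names(inflate_streams(data))
    urls = re.findall(rb"/URI\s*\(([^)]*)\)", text)
    keys = [k.decode() for k in SUSPICIOUS_KEYS if re.search(re.escape(k) + rb"\b", text)]
    return {"urls": [u.decode("latin-1") for u in urls], "suspicious_keys": keys}
```

Feeding the reported URLs to a reputation check and treating any /OpenAction or /JS hit in an unsolicited attachment as a reason to quarantine gives a cheap first filter; it is a heuristic, so a real parser (or sandbox) should back it up.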

“Attackers understand exactly how security systems scan files,” noted CPR. Over the past year, numerous campaigns evaded traditional vendors, showing zero detections on VirusTotal.

Mitigation Strategies

Check Point advocates for its Threat Emulation platform, which analyzes files in isolated environments to block zero-day PDF threats preemptively. For users, CPR recommends disabling JavaScript in PDF readers, verifying sender addresses, and hovering over links to inspect URLs before clicking.

“Always question unexpected PDFs—especially those prompting immediate action,” the firm warned. Regular software updates and using modern, secure PDF viewers further reduce risks.

As businesses continue relying on PDFs, experts stress that vigilance and adaptive defenses are critical to countering these stealthy, socially engineered attacks.