Technical Analysis & Remediation
Attack Flow & Methodology
Initial Access (T1566.002)
The attack begins with a "boring" email regarding business contracts, tenders, or procurement orders. Crucially, the email body is clean (no malicious links), shifting the payload to a PDF attachment.
Execution & Evasion (T1204.002, T1027)
The attached PDF uses AcroForm fields and FlateDecode-compressed streams to obfuscate a clickable button/link inside the document. Because the link target sits inside compressed content rather than in plain text, the malicious logic is hidden from static analysis engines that trust standard PDF structures and never inflate the streams.
Redirect & Hosting (T1583.006)
Clicking the PDF link redirects the victim to a second document hosted on Vercel Blob storage. Since Vercel is a legitimate cloud platform, its domains often pass allow-list filters.
Credential Harvesting (T1110)
The Vercel-hosted file leads to a spoofed Dropbox login page. Scripts on this page harvest the email, password, IP address, and location data.
Exfiltration (T1567.002)
Stolen telemetry is exfiltrated directly to a private channel through a hardcoded Telegram bot API call; because the traffic is addressed to a legitimate, widely permitted service, it bypasses traditional C2 traffic blocks.
Extracted Indicators of Compromise (IOCs) & Anchors
Technique Anchors
"AcroForms", "FlateDecode", "Vercel cloud storage".
Infrastructure
Hosting
.public.blob.vercel-storage.com (Generalized Vercel Blob pattern based on "Vercel cloud storage" citation).
Exfiltration
api.telegram.org (Standard Telegram Bot API endpoint).
Social Engineering Themes
"tender", "procurement", "request order", "business contract".
Remediation - THE ENTERPRISE TRACK (SANS PICERL)
Phase 1: Identification & Containment
Filter Audit
Immediately audit email filters for PDFs containing "AcroForms" structures combined with external links, particularly those resolving to Vercel domains.
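The following Python scanner is an added, defender-side illustration of both the evasion technique described in the Execution section and the filter-audit criterion above; it is not code from Forcepoint X-Labs, Hackread, or this report. It inflates FlateDecode streams so that /URI actions hidden inside compressed object streams become searchable, records whether the document declares an /AcroForm, and matches link hosts against the Vercel patterns listed under Infrastructure. The fixture PDF builder, the sample hostnames and the verdict thresholds are constructed for the example.

```python
import re
import zlib

# Hosting patterns named in the report (generalized Vercel Blob host plus the
# generic Vercel app domain). Extend this tuple from your own intel.
SUSPICIOUS_HOST_SUFFIXES = (".public.blob.vercel-storage.com", ".vercel.app")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
HOST_RE = re.compile(r"https?://([^/\s)]+)", re.IGNORECASE)


def inflate_streams(pdf_bytes):
    """Yield the body of every stream object, inflating FlateDecode streams so
    text hidden by compression becomes searchable. A production parser should
    honour /Length rather than scanning for the 'endstream' keyword."""
    for m in STREAM_RE.finditer(pdf_bytes):
        obj_start = pdf_bytes.rfind(b" obj", 0, m.start())
        stream_dict = pdf_bytes[obj_start:m.start()]   # the dictionary before 'stream'
        body = m.group(1)
        if b"/FlateDecode" in stream_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue   # corrupt or multi-filter stream: skip it, keep scanning
        yield body


def host_is_suspicious(uri):
    m = HOST_RE.match(uri)
    if not m:
        return False
    host = m.group(1).lower()
    return any(host.endswith(suffix) for suffix in SUSPICIOUS_HOST_SUFFIXES)


def scan_pdf(pdf_bytes):
    """Return AcroForm usage, every /URI target, the targets that only appear
    after inflation, the targets on suspicious hosts, and a triage verdict."""
    visible = {u.decode("latin-1") for u in URI_RE.findall(pdf_bytes)}
    inflated = set()
    acroform = b"/AcroForm" in pdf_bytes
    for body in inflate_streams(pdf_bytes):
        inflated.update(u.decode("latin-1") for u in URI_RE.findall(body))
        acroform = acroform or b"/AcroForm" in body
    uris = visible | inflated
    hidden = sorted(inflated - visible)          # links invisible to a raw string scan
    flagged = sorted(u for u in uris if host_is_suspicious(u))
    if acroform and flagged:
        verdict = "quarantine"                   # the report's exact combination
    elif flagged or (acroform and hidden):
        verdict = "review"
    else:
        verdict = "allow"
    return {"acroform": acroform, "uris": sorted(uris), "hidden_uris": hidden,
            "flagged": flagged, "verdict": verdict}


def build_sample_pdf(url, acroform=True):
    """Constructed test fixture (not a file from the campaign): a Link annotation
    and an AcroForm push button sharing one URI action are stored inside a
    FlateDecode-compressed object stream, so the URL never appears in plain text."""
    url_b = url.encode("latin-1")
    link = (b"<< /Type /Annot /Subtype /Link /Rect [50 50 300 100] "
            b"/A << /S /URI /URI (" + url_b + b") >> >>")
    button = (b"<< /Type /Annot /Subtype /Widget /FT /Btn /Ff 65536 /T (Open) "
              b"/Rect [50 50 300 100] /A << /S /URI /URI (" + url_b + b") >> >>")
    offsets = b"5 0 6 %d " % (len(link) + 1)     # object 5 at 0, object 6 after it
    objstm = zlib.compress(offsets + link + b"\n" + button)
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if acroform:
        catalog += b" /AcroForm << /Fields [6 0 R] >>"
    catalog += b" >>"
    objects = [
        catalog,
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R 6 0 R] >>",
        b"<< /Type /ObjStm /N 2 /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
        % (len(offsets), len(objstm)) + objstm + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf(
        "https://sample-placeholder.public.blob.vercel-storage.com/contract.pdf")
    print(scan_pdf(sample))
```

Run the scanner over quarantined attachments and feed the hidden_uris list into the filter audit: a PDF whose only links appear after inflation and which also declares an AcroForm is the exact shape this campaign uses.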
DNS Blockade
If Vercel or Telegram are not business-critical, implement temporary DNS blocking or sinkholing for *.vercel.app (or specific blob subdomains) and api.telegram.org at the firewall level.
Search & Purge
Query SIEM/EDR for outbound traffic to Telegram APIs originating from non-admin workstations.
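As an added example of the query above run over sample data (not code from the report or its sources), this Python snippet filters web-proxy records for the api.telegram.org endpoint listed under Exfiltration, excludes hosts on an assumed admin allow-list, and redacts any bot token it sees so that the finding can be pasted into a ticket. The log lines, hostnames, usernames and the token value are all constructed.

```python
import re

TELEGRAM_API_HOST = "api.telegram.org"     # exfiltration endpoint named in the report
# Assumption: endpoints with a sanctioned reason to reach the Telegram API.
ADMIN_HOSTS = {"WS-ADMIN-01"}
# Telegram bot tokens look like <numeric id>:<secret>; strip them before reporting.
BOT_TOKEN_RE = re.compile(r"/bot\d+:[A-Za-z0-9_-]+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed proxy log lines (not real telemetry); the token is a placeholder.
LOG_LINES = """\
2024-05-02T10:15:03Z host=WS-0417 user=j.doe dst=api.telegram.org:443 method=POST url=https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN-PLACEHOLDER/sendMessage status=200 bytes=1842
2024-05-02T10:15:09Z host=WS-0417 user=j.doe dst=www.dropbox.com:443 method=GET url=https://www.dropbox.com/login status=200 bytes=98211
2024-05-02T10:16:40Z host=WS-ADMIN-01 user=svc.monitor dst=api.telegram.org:443 method=POST url=https://api.telegram.org/bot987654:CONSTRUCTED-TOKEN-PLACEHOLDER/sendMessage status=200 bytes=512
2024-05-02T10:17:02Z host=WS-0522 user=a.smith dst=api.telegram.org:443 method=POST url=https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN-PLACEHOLDER/sendMessage status=200 bytes=1790
2024-05-02T10:18:11Z host=WS-0522 user=a.smith dst=updates.constructed-vendor.example:443 method=GET url=https://updates.constructed-vendor.example/feed status=200 bytes=4096
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; quoted values keep their spaces."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def redact_token(url):
    """Never copy a live bot token into a SIEM alert or ticket."""
    return BOT_TOKEN_RE.sub("/bot[REDACTED]", url)


def telegram_egress_findings(lines, admin_hosts=ADMIN_HOSTS):
    """Return one finding per request to the Telegram API from a non-admin host."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        dst_host = ev.get("dst", "").rsplit(":", 1)[0].lower()
        if dst_host != TELEGRAM_API_HOST or ev.get("host") in admin_hosts:
            continue
        findings.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "user": ev["user"],
            "url": redact_token(ev.get("url", "")),
            "bytes": int(ev.get("bytes", 0)),
        })
    return findings


def hosts_to_isolate(findings):
    """Distinct endpoints behind the findings: candidates for the Phase 2 isolation step."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in telegram_egress_findings(LOG_LINES.splitlines()):
        print(f)
    print("isolate:", hosts_to_isolate(telegram_egress_findings(LOG_LINES.splitlines())))
```

The same logic translates directly into a SIEM search (destination host equals api.telegram.org, source host not in the admin list); keep the token redaction in the alert template so the secret does not leak a second time through your own tooling.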
Phase 2: Eradication
Identity Reset
Force password resets and revoke active sessions for any user who clicked the PDF link.
Endpoint Isolation
Isolate devices that show successful connections to the phishing landing page until a full scan is completed.
Phase 3: Recovery
Re-enable Access
Restore network access to Vercel/Telegram only after confirming the campaign has ceased or specific malicious URLs are blacklisted.
MFA Enforcement
Ensure FIDO2-compliant hardware keys are required for Dropbox access; because the credential is bound to the genuine origin, a spoofed login page cannot replay it, which neutralizes credential harvesting.
Phase 4: Lessons Learned
Detection Engineering
Create detection rules for "clean" emails followed immediately by outbound traffic to cloud storage blobs.
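The correlation rule described above, as an added example that is not part of the report or its sources: mail-gateway events for "clean" messages (no URLs in the body, PDF attached) are joined on recipient to web-proxy events, and an alert fires when that user fetches from a cloud object-storage host within a short window of delivery. The event lines, the 30-minute window and the non-Vercel storage suffixes are assumptions made for the example; the Vercel Blob pattern is the one listed under Infrastructure.

```python
import re
from datetime import datetime, timedelta

# Cloud object-storage hosts treated as "blobs". The Vercel pattern is from the
# report; the remaining suffixes are an assumption added for broader coverage.
BLOB_HOST_SUFFIXES = (
    ".public.blob.vercel-storage.com",
    ".blob.core.windows.net",
    ".s3.amazonaws.com",
    "storage.googleapis.com",
)
WINDOW = timedelta(minutes=30)   # assumption: what "immediately" after delivery means
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed events from a mail gateway (type=email) and a web proxy (type=proxy).
EVENTS = """\
2024-05-02T10:02:11Z type=email rcpt=j.doe sender=procurement@constructed-sender.example subject="Request order - tender Q2" attachment=contract.pdf body_urls=0 verdict=clean
2024-05-02T10:03:40Z type=email rcpt=a.smith sender=newsletter@constructed-sender.example subject="Weekly digest" attachment=none body_urls=12 verdict=clean
2024-05-02T10:05:05Z type=email rcpt=m.lee sender=procurement@constructed-sender.example subject="Business contract" attachment=contract.pdf body_urls=0 verdict=clean
2024-05-02T10:14:52Z type=proxy user=j.doe dst=sample-placeholder.public.blob.vercel-storage.com:443 method=GET status=200
2024-05-02T10:15:30Z type=proxy user=a.smith dst=sample-placeholder.public.blob.vercel-storage.com:443 method=GET status=200
2024-05-02T13:40:00Z type=proxy user=m.lee dst=other-placeholder.public.blob.vercel-storage.com:443 method=GET status=200
"""


def parse_event(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_blob_host(dst):
    host = dst.rsplit(":", 1)[0].lower()
    return any(host.endswith(suffix) for suffix in BLOB_HOST_SUFFIXES)


def clean_email_then_blob(lines, window=WINDOW):
    """Alert when a recipient of a clean, link-free PDF email reaches a cloud
    blob host within `window` of delivery. Returns one alert per matching fetch."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    clean_pdf_mail = [
        e for e in events
        if e["type"] == "email" and e["verdict"] == "clean"
        and e["attachment"].lower().endswith(".pdf") and e["body_urls"] == "0"
    ]
    alerts = []
    for mail in clean_pdf_mail:
        for ev in events:
            if ev["type"] != "proxy" or ev["user"] != mail["rcpt"] or not is_blob_host(ev["dst"]):
                continue
            delta = ev["ts"] - mail["ts"]
            if timedelta(0) <= delta <= window:      # fetch must follow the mail, not precede it
                alerts.append({
                    "user": ev["user"],
                    "subject": mail["subject"],
                    "blob_host": ev["dst"].rsplit(":", 1)[0],
                    "minutes_after_delivery": round(delta.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in clean_email_then_blob(EVENTS.splitlines()):
        print(alert)
```

In the constructed data only j.doe trips the rule: a.smith's message carried links and no PDF, and m.lee's blob fetch came hours after delivery. Tune the window against your own click-latency data before deploying; widening it trades precision for recall.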
User Training
Update security awareness modules to specifically highlight "Business Contract" PDFs and the danger of "clean" notification emails.
Remediation - THE HOME USER TRACK
Priority 1: Safety (Immediate Action)
Do Not Click
If you received a "tender" or "contract" email you weren't expecting, delete it immediately.
Disconnect
If you clicked the link and entered data, disconnect your device from the internet to stop further scripts from running.
Priority 2: Identity Protection
Change Passwords
Using a different (clean) device, change your Dropbox password immediately.
Check Sessions
In Dropbox settings (Security tab), look for "Devices" or "Web Sessions" you don't recognize and click "Unlink" or "Sign out."
Enable 2FA
Turn on Two-Factor Authentication (2FA) for Dropbox if it wasn't already enabled.
Priority 3: Persistence Removal
Scan Device
Run a full scan with a reputable antivirus solution (e.g., Microsoft Defender, Malwarebytes) to ensure no secondary payloads were dropped.
Hardening & References
Baseline
CIS Benchmark for Microsoft 365 (Email Security & Phishing Defenses).
Framework
NIST SP 800-61r2 (Computer Security Incident Handling Guide).
Tactical
MITRE ATT&CK T1566 (Phishing: Spearphishing Attachment).
Sources
Forcepoint X-Labs
Hackread