Research reveals attackers weaponising trusted documents to bypass traditional security controls in latest SMS scam
Research out this week from Zimperium, a world leader in mobile security, has exposed a growing wave of mobile-targeted phishing attacks that weaponise PDF documents delivered via SMS and MMS.
The findings reveal how threat actors are exploiting user trust in PDFs and gaps in mobile security controls to harvest credentials and sensitive data at scale.
According to Zimperium’s zLabs research team, attackers are increasingly using PDFs as a delivery mechanism for mobile phishing – often referred to as mishing – because the format appears legitimate, is widely used in business communications and frequently bypasses traditional email- and network-based defenses. When combined with the immediacy of text messaging, these campaigns are proving highly effective.
Zimperium’s research underscores a broader trend: cybercriminals are prioritising mobile as part of a mobile-first attack strategy, leveraging zero-day infrastructure and social engineering to reach users where protections are weakest. PDF-based phishing often bypasses email gateways, reputation-based filters, and cloud-only defenses, leaving organizations exposed during the most critical early stages of an attack.
The research details two active campaigns demonstrating the sophistication and speed of modern mobile attacks. One targeted users of EZDriveMA, Massachusetts’ electronic tolling system, using SMS messages with malicious PDF attachments. Attackers rapidly generated more than 2100 phishing domains using automated techniques to evade blocklists.
Zimperium detected and classified these domains with 98.46% accuracy, often hours or days before they appeared on public phishing databases.
A second campaign impersonated PayPal using a fake cryptocurrency invoice delivered via PDF, combining phishing links with voice-based social engineering. The attack relied on direct IP addresses, URL obfuscation, and disposable VoIP numbers to evade detection. Zimperium identified and blocked the malicious infrastructure more than 27 hours before it was publicly recognised – highlighting a critical exposure window for organizations relying on reactive security controls.
“These campaigns show how quickly attackers are shifting to mobile channels and trusted file formats to stay ahead of traditional defenses,” says Pablo Morales, security researcher at Zimperium. “PDFs sent over SMS create a dangerous blind spot, especially when security tools don’t inspect files at the device level. Detection speed is now the difference between stopping an attack and responding after credentials are stolen.”
© 2025 Telemedia. All Rights Reserved
