Last week, I was working with a client who got what looked like a normal email. It said:
“Hi, I tried sending you some documents through attachments, but it says files are too large, so I had to resend using Dropbox Application Secured Upload for security reasons.”
The email included a PDF file. When the client opened it, they were taken to Adobe’s document site, which most people consider trustworthy. Inside the PDF was a link labeled “Open Secure Document.” If clicked, it would have redirected to an application page hosted on Google’s infrastructure.
Fortunately, my client trusted their instincts and stopped there. But when I analyzed the chain, it was clear this was more than a simple phishing trick. If they had clicked through, the link would have opened a malicious Google application page where a script could run directly in the browser. That script was not limited to stealing passwords. It could have been written to exfiltrate sensitive data, deliver a payload, or create a foothold for further compromise.
At first glance, nothing looked dangerous. The PDF itself did not drop malware, and there were no suspicious pop-ups. Everything appeared normal. That subtlety is what makes this type of attack especially dangerous.

Beyond Credential Theft: The Real Stakes
When an attacker can execute scripts through a browser session, the risks increase significantly:
- Data exfiltration: Harvesting local files, stored credentials, or authentication tokens.
- Session hijacking: Using existing logins to impersonate the user.
- Lateral movement: Probing connected systems or networks once a foothold is established.
- Payload delivery: Dropping spyware, ransomware, or backdoors without an obvious download.
- API and cloud misuse: Leveraging the session to access internal APIs or cloud resources.
These threats go far beyond the traditional idea of a phishing email.
Why This Matters Now
Modern attackers are not making the same obvious mistakes we saw in the past. They use tactics that appear professional and legitimate:
- Trusted branding: Names like Dropbox, Adobe, or Google create instant credibility.
- Layered redirects: A PDF that leads to Adobe’s site, which then leads to a Google app. Each layer reduces suspicion.
- Cloud hosting: By placing fake apps or malicious scripts on platforms such as Google Cloud, AWS, or Azure, attackers gain the appearance of legitimacy.
- Invisible execution: Browser-based scripts may run quietly in the background, with no immediate signs that anything is wrong.
These details make attacks harder to spot, even for security-aware users.
For background on how these tactics are evolving, see the article “That innocent PDF is now a Trojan Horse for Gmail attacks” on CSO Online.
What Businesses Should Do
- Teach employees to pause. Just because an email mentions Dropbox or Adobe does not make it safe.
- Inspect links carefully. Hovering over a link to see the actual destination is a simple but effective step.
- Use layered defenses. Email filtering, web filtering, and browser controls can block many of these attacks before a user ever sees them.
- Monitor and block suspicious domains. Keep threat feeds and domain intelligence active.
- Encourage reporting. Build a culture where employees forward suspicious emails to IT or security for review.
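The link inspection and email filtering steps above can be partly automated. The following is an added example, not code from the incident or from any vendor: it flags a message when the brand named in the lure never appears among the link destinations, and when the link chain hops across unrelated providers. The brand-to-domain map and both hop URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed brand -> registrable-domain map; illustrative, not exhaustive.
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com"},
    "adobe": {"adobe.com"},
    "google": {"google.com"},
}

def registrable(url):
    """Naive last-two-labels domain; production filters should use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def brands_mentioned(text):
    """Brands from BRAND_DOMAINS named as whole words in the lure text."""
    return {b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text, re.I)}

def assess(lure_text, hop_urls):
    """Return findings for one message: lure text plus the ordered link hops."""
    domains = [registrable(u) for u in hop_urls]
    findings = []
    for brand in sorted(brands_mentioned(lure_text)):
        if not any(d in BRAND_DOMAINS[brand] for d in domains):
            findings.append(f"lure names {brand} but no hop lands on a {brand} domain")
    distinct = list(dict.fromkeys(domains))  # de-duplicate, keep hop order
    if len(distinct) > 1:
        findings.append("chain crosses providers: " + " -> ".join(distinct))
    return findings

# Lure text quoted from the email above; hop URLs are constructed placeholders.
LURE = ("I had to resend using Dropbox Application Secured Upload "
        "for security reasons.")
HOPS = [
    "https://documents.adobe.com/constructed-sample",    # page the PDF opened on
    "https://hosted-app.google.com/constructed-sample",  # "Open Secure Document" link
]

if __name__ == "__main__":
    for finding in assess(LURE, HOPS):
        print("FLAG:", finding)
```

A message that names Dropbox and links only to dropbox.com produces no findings, so the heuristic stays quiet on ordinary file shares.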
Phishing is no longer just about tricking someone into downloading an infected file. Increasingly, it is about using trusted brands, cloud services, and clever redirection to make users open the door themselves.