A phishing-as-a-service toolkit is turning the most trusted document format into a credential harvesting weapon, and email security can’t see it happening.
PDFs have become the most common vehicle for malicious email attachments, accounting for more than 45% of all malicious files sent via email in 2024 according to IBM X-Force. The format’s reputation as a safe, read-only document type makes it ideal for phishing: employees open PDFs constantly for invoices, contracts, and HR forms, often without a second thought. In one high-profile case, a single PDF attachment disguised as a job offer led to the theft of $600 million from Axie Infinity’s crypto accounts, with the FBI attributing the attack to North Korea’s Lazarus Group.
A pattern has emerged in how attackers exploit this trust: instead of trying to slip past user suspicion, they target the behaviors that security awareness training has reinforced. Malvertising exploits the trust users place in search results, while ClickFix takes advantage of the expectation that browsers will prompt for verification. Fake CAPTCHAs do the same with challenge prompts users have come to accept as normal. The through-line is consistent: attacks succeed not despite user caution but because of it.
A phishing toolkit called MatrixPDF, discovered by Varonis researchers in late 2025, applies this logic to PDFs directly. It targets employees, vendors, and customers who have been conditioned to open document attachments without hesitation.
How the attack works
When a user opens a MatrixPDF document, they see what looks like a legitimate file with the actual content obscured or grayed out. A prominent button offers to unlock or reveal the protected information. The visual language is familiar: it resembles the kind of access prompt users encounter when opening encrypted documents or files shared through secure portals. Nothing about the experience signals danger. If anything, the apparent security layer makes the document seem more legitimate, not less.
Clicking the button opens a credential harvesting page in the user’s browser. But the PDF itself contains no malicious code, only an embedded link. Scanners look for malware, suspicious macros, and known malicious signatures; MatrixPDF files have none of these. The email security bypass works because Gmail treats the click as a normal user-initiated web request—from its perspective, nothing dangerous happened. The threat only materializes when a human interacts with the file, and by then, the email security layer is no longer watching.
The split architecture problem
This is the core issue MatrixPDF exposes: the attack is distributed across two systems that don’t talk to each other. The PDF passes through email security. The credential harvesting page lives on separate web infrastructure. Neither system sees the complete attack, and most organizations aren’t set up to correlate them.
Attackers benefit from this operationally. When defenders identify a malicious PDF, the phishing infrastructure behind it remains untouched. New document lures pointing to the same destination spin up with minimal effort. Taking down the phishing page doesn’t help either; the PDFs already in circulation still work, and attackers simply update URLs in the next batch. The attack surface is distributed, but the defense posture typically isn’t.
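Because the file carries only a link, the one thing the email layer can still extract and hand to the web layer is the link target itself. The following Python script is an added example (not code from the article, from Varonis, or from the MatrixPDF toolkit) of that correlation step: it pulls every /URI action out of a PDF's raw bytes, separates links that leave an assumed list of trusted hosts, and refuses to call a file clean when object streams or encryption could hide annotations from a byte scan. The sample PDF, the `lure-host.invalid` and `intranet.corp.invalid` host names, and the trusted-host list are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not a file from the article: a minimal uncompressed PDF
# with one page and two /Link annotations. Host names use the reserved
# ".invalid" TLD. The first link plays the role of the "unlock" button the
# article describes; the second points at an assumed internal host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 300 400 340]
   /A << /S /URI /URI (https://lure-host.invalid/unlock\\(1\\)) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [20 20 120 40]
   /A << /S /URI /URI <68747470733a2f2f696e7472616e65742e636f72702e696e76616c69642f68656c70> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI action stores its target either as a literal string "(...)" that may
# contain backslash escapes, or as a hex string "<...>". Both forms are matched.
LITERAL_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape(literal: bytes) -> bytes:
    # Undo the PDF string escapes that matter for a URL: \( \) and \\ .
    return re.sub(rb"\\([()\\])", rb"\1", literal)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target in the raw PDF bytes, literal strings first."""
    found = []
    for m in LITERAL_URI.finditer(pdf):
        found.append(_unescape(m.group(1)).decode("latin-1"))
    for m in HEX_URI.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:  # PDF pads an odd trailing hex digit with 0
            digits += b"0"
        found.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return found


def needs_deep_parse(pdf: bytes) -> bool:
    """True when a raw byte scan cannot have seen every annotation.

    Object streams (PDF 1.5+) keep annotation dictionaries inside a compressed
    stream, and encryption scrambles string objects; either hides /URI targets
    from a regex. Such files belong in a real PDF parser, not in the clean pile.
    """
    return bool(re.search(rb"/Type\s*/ObjStm", pdf)) or bool(re.search(rb"/Encrypt", pdf))


def triage(pdf: bytes, trusted_hosts: frozenset[str]) -> dict:
    """Classify a PDF by where its clickable links lead.

    The verdict is REVIEW when any http(s) link leaves the trusted hosts or the
    file could not be fully inspected. It is never 'malicious': the file carries
    no payload. The URLs returned here are what the mail layer should pass to
    web filtering so both halves of the attack are seen before anyone clicks.
    """
    uris = extract_uris(pdf)
    external = []
    for u in uris:
        parts = urlsplit(u)
        if parts.scheme in ("http", "https") and parts.hostname not in trusted_hosts:
            external.append(u)
    opaque = needs_deep_parse(pdf)
    return {
        "uris": uris,
        "external": external,
        "needs_deep_parse": opaque,
        "verdict": "REVIEW" if (external or opaque) else "OK",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF, frozenset({"intranet.corp.invalid"})))
```

Run against the constructed sample, the script reports one external link (the "unlock" button's target) and a REVIEW verdict; the internal link is listed but not flagged. A byte-level regex is deliberately the cheapest possible first pass: in production the `needs_deep_parse` branch should route the file to a full PDF parser, and the extracted URLs should be checked or detonated by the same web-security controls that would otherwise only see the click after the fact.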
The toolkit as product
What makes MatrixPDF worth tracking beyond the technique is what it represents about phishing-as-a-service maturation. The builder is polished enough that operators without technical skills can produce convincing lures in minutes: import a PDF, add the overlay and button, specify the destination, done. The developer markets it as a “phishing simulation and blackteaming tool,” though Varonis found it being sold via Telegram to buyers with no apparent interest in authorized testing. This follows the trajectory visible in TyKit and broader fraud-as-a-service ecosystems: when techniques become products, technical barriers collapse and volume follows.
The impersonation layer
This is where the threat gets personal. Attackers can dress up the PDF overlay with company logos, formatting, and document styling to make lures look like internal communications or vendor invoices. None of that triggers traditional phishing defenses, which focus on malicious payloads and suspicious domains rather than document appearance. An employee receiving what looks like a benefits update from HR, or a customer receiving what looks like an invoice from your billing department, has no technical reason to suspect the document. The impersonation happens inside the file itself, not on infrastructure that security tools are watching.
The Bottom Line
MatrixPDF represents the convergence of several trends that make PDF-based phishing particularly difficult to address: a universally trusted file format, a technique that leaves nothing malicious in the file itself, and a toolkit that puts the capability in reach of anyone willing to pay for it. The split between where the lure lives (email) and where the attack executes (web) means most organizations are defending against half the problem at best. Until security architectures can correlate document behavior with downstream web activity, attacks like this will continue to find the gaps.
Key Takeaways
PDFs account for over 45% of malicious email attachments because the format has a reputation as safe and read-only. Employees open them constantly for routine business documents, often without scrutiny. A single PDF-based attack cost Axie Infinity $600 million.
The toolkit converts ordinary PDFs into lures with obscured content and an “unlock” button. Clicking opens a credential harvesting page in the browser. The PDF contains no malicious code, just an embedded link, so scanners find nothing dangerous.
Email security looks for malware, macros, and malicious signatures. MatrixPDF files have none of these. The threat only materializes when a human clicks, and by then the email security layer is no longer involved.
The PDF passes through email security while the credential harvesting page lives on separate web infrastructure. Neither system sees the complete attack, and most organizations can’t correlate activity across both.
Attackers can add company logos, formatting, and document styling to the PDF overlay without triggering traditional defenses. The impersonation happens inside the file, not on a domain you’re monitoring.