A phishing campaign is impersonating Pfizer with phony request-for-quotation (RFQ) emails, according to Roger Kay at INKY. The email lures carried fairly convincing PDF attachments that contained no malicious links or malware; instead they prompted the recipient to contact the scammer for more details, moving the conversation out of reach of link and attachment scanning.

“They both claimed that Pfizer was requesting quotes for various industrial engineering supplies, and both had PDF attachments that impersonated Pfizer,” Kay says. “The PDF was three pages long and had a few inconsistencies (e.g., different due dates on different pages), but, in general, looked pretty good. The discussion of payment methods and terms set the recipient up for the idea that they would have to share banking details at some point.”

Kay notes that the attackers used several measures to help the emails bypass security filters.

“In this particular attack combination, the black hats used both high and low tech to evade anti-phishing radar,” Kay writes. “The high tech involved newly created and freeware domains, set up to send phishing emails that would not trigger rudimentary email defences (i.e., DMARC analysis of DKIM and SPF records). The low tech was a simple PDF attachment with no poison links or malware in either the attachment or the email itself. These elements were designed expressly to not trigger anti-phishing analysis.”
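What that combination looks like from the receiving side can be expressed as a few header and content heuristics. The following is an added example, not INKY's tooling or anything from the original post: it parses a message, reads the SPF/DKIM/DMARC verdicts, and flags the pattern Kay describes (a brand name in the display name or subject, a From domain the brand does not own, a DMARC pass that therefore proves nothing, and a PDF with no links). The brand-to-domain table, the freemail list, the `supplier.example` addresses and both sample messages are assumptions constructed for the example.

```python
"""Flag the lure pattern Kay describes: brand in the display name, a freemail
or otherwise unrelated From domain that still passes DMARC, and a PDF with no
links. Added example; the sample messages below are constructed, not captures."""
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Assumed for the example: the brand's legitimate sending domain(s) and a
# short freemail list. A real filter would source both from fuller data.
BRAND_DOMAINS = {"pfizer": {"pfizer.com"}}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results


def assess_message(raw: bytes) -> dict:
    """Return From domain, auth verdicts and a list of human-readable findings."""
    msg = message_from_bytes(raw, policy=default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    findings = []

    # Brand named in display name or subject, mail sent from a domain the brand
    # does not own. DMARC does not catch this: the attacker owns the From domain,
    # so SPF/DKIM alignment passes honestly. Authentication is not authorization.
    haystack = f"{display} {msg.get('Subject', '')}".lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and from_domain not in legit:
            findings.append(f"'{brand}' named but From domain is {from_domain}")
    if from_domain in FREEMAIL_DOMAINS:
        findings.append(f"freemail From domain {from_domain}")
    if findings and auth.get("dmarc") == "pass":
        findings.append("dmarc=pass on a domain unrelated to the brand")

    # Content side: a PDF attachment and no URL anywhere in the text parts.
    pdfs, has_url = [], False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            pdfs.append(part.get_filename())
        elif part.get_content_maintype() == "text" and URL_RE.search(part.get_content()):
            has_url = True
    if pdfs and not has_url:
        findings.append(f"link-free lure: PDF attachment {pdfs}, no URLs in body")

    return {"from_domain": from_domain, "auth": auth, "findings": findings}


# Constructed sample in the shape of the RFQ lure (not a real capture).
LURE_EML = b"""From: "Pfizer Procurement" <pfizer.procurement.rfq@gmail.com>
To: sales@supplier.example
Subject: Pfizer RFQ - industrial engineering supplies
Authentication-Results: mx.supplier.example; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached RFQ and reply with pricing and payment terms.

--b1
Content-Type: application/pdf; name="Pfizer_RFQ.pdf"
Content-Disposition: attachment; filename="Pfizer_RFQ.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign control: same brand, its own domain, a link, no PDF.
BENIGN_EML = b"""From: "Pfizer Procurement" <procurement@pfizer.com>
To: sales@supplier.example
Subject: Follow-up on last week's call
Authentication-Results: mx.supplier.example; spf=pass smtp.mailfrom=pfizer.com;
 dkim=pass header.d=pfizer.com; dmarc=pass header.from=pfizer.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Thanks, the supplier portal is at https://www.pfizer.com/ as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(label, assess_message(raw)["findings"])
```

The point of the two samples is that both carry `dmarc=pass`; the verdict only says the sender controls the domain it mailed from, so the lure has to be caught on the mismatch between the brand being claimed and the domain doing the claiming, and on the link-free PDF that ordinary URL and sandbox scanning has nothing to bite on.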

Kay concludes that users should be suspicious of unsolicited emails like this, especially if they appear to come from major companies.

“Recipients should be aware that large enterprises like Pfizer do not typically send out cold emails to solicit bids for projects,” Kay says. “If a recipient is in a sales department and does business with Pfizer (or, in a similar situation, any other company), they should get in touch with their contact directly by telephone or an initiated email to determine whether the RFQ is legitimate. It is also highly unlikely that a Pfizer employee would use a freemail account for official business.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing emails that slip past your technical defenses.