Cyber adversaries are creating accounts within the Adobe Creative Cloud suite and delivering malicious payloads to Office 365 and Gmail users. Ninety percent of cyber attacks start with a malicious email. Does your organization have adequate email security?

What’s happening

These hackers’ malicious phishing emails appear as though they come from legitimate cloud users. But links within the emails direct users to online locations that steal credentials, according to researchers from Avanan, a Check Point company.

The ongoing campaign was first discovered in December, when researchers managed to stop one of the attacks. Adobe Creative Cloud represents a popular group of apps that encourage file sharing and creative design. The Adobe Creative Cloud suite includes Photoshop and Acrobat.

Why it matters

Attackers are hitting both Office 365 accounts and Gmail accounts. You, your colleagues or your employees could become victims of these malicious email threats. 

How it works

Attackers create free accounts in Adobe Cloud, and then create an image or a PDF file with a malicious link embedded within it. After creating the file, the attackers distribute it to victims via email.

“Think of it like when you create a Docusign,” says cyber security research analyst Jeremy Fuchs. “You create the document and then send it to the intended recipient. On the receiving end, they get an email notification, where they click to be directed to the link.”  

The links within the emails are not hosted within Adobe Cloud. Rather, they’re hosted on a domain owned by the attackers. 

Campaign details

Researchers have presented screenshots of the attacks that they’ve studied. One shows attackers sending what looks like a legitimate PDF from Adobe. When a user clicks on the link, the user sees a page that supposedly leads them to an Adobe PDF. However, the link actually takes users to a typical credential-harvesting page. 

Evasive properties

Attack authors aimed for the emails to evade detection. The emails appear to come from Adobe, which is on most email scanner “allow lists.” And for the most part, the emails look like any other routine email that someone might receive from Adobe. However, clear grammatical errors would naturally lead an attentive, native English-speaking user to suspect phishing.

Despite a handful of phishing red flags, researchers state that some users may still fall for the scam, especially those who remain eager to receive seemingly urgent enclosed documents.

Avoiding compromise

There are several ways to help users avoid falling victim to this campaign:

  1. Users are advised to inspect all Adobe Cloud pages for grammar and spelling errors, and to hover over links to ensure that the intended page is legitimate.
  2. Security professionals can deploy email-based protections that use dynamic, AI-driven analysis instead of static allow lists. 
  3. All organizations should install security solutions that can open PDF files in a sandbox and inspect all links to detect potentially harmful content.  


According to security research, 81% of malicious files were distributed via email, and one in 239 email attachments is malicious. Relying on built-in email security controls could leave your organization vulnerable to cyber criminals. Ensure that your organization retains state-of-the-art email security protections to help you guard against the latest threats.
