---
title: "PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting | DMARC Report"
description: "PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting from DMARC Report explains practical steps for email authentication, domain."
image: "https://dmarcreport.com/og/blog/pdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting.png"
canonical: "https://dmarcreport.com/blog/pdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting/"
---
Quick Answer
\_According to the FBI's 2022 Internet Crime Report (IC3), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses. DMARC Report PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting
Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fpdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=PDF%20Dropbox%20Phishing%2C%20ShinyHunters%20MFA%20Bypass%2C%20Signal%20Journalist%20Targeting&url=undefined%2Fblog%2Fpdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fpdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fpdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting%2F&title=PDF%20Dropbox%20Phishing%2C%20ShinyHunters%20MFA%20Bypass%2C%20Signal%20Journalist%20Targeting "Share on Reddit") [ ](mailto:?subject=PDF%20Dropbox%20Phishing%2C%20ShinyHunters%20MFA%20Bypass%2C%20Signal%20Journalist%20Targeting&body=Check out this article: undefined%2Fblog%2Fpdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting%2F "Share via Email")
> The support tickets we get after a spoofing incident all start the same way: ‘we didn’t know someone was sending email from our domain,’ says Vasile Diaconu, Operations Lead at DuoCircle. DMARC reporting would have caught it weeks earlier. The cost of monitoring is nothing compared to the cost of a successful impersonation attack.
\_According to the [FBI’s 2022 Internet Crime Report (IC3)](https://www.ic3.gov/Media/PDF/AnnualReport/2022IC3Report.pdf), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses. DMARC Report
PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-38439” readonly/>
```
```
The first edition of February revolves mainly around phishing attacks. While a new type of phishing campaign is doing the rounds that involves targeting PDFs and Dropbox, notorious cyber gang ShinyHunters seemed to have bypassed [MFA](https://www.ibm.com/think/topics/multi-factor-authentication) in their latest cyberattack. Meanwhile, multiple journalists are being targeted by misusing the Signal messenger. An Indian firm fell prey to a threat attack and lost around **$610 K USD**.
## New phishing campaign targeting PDFs and Dropbox services to steal credentials
[AI tools](https://kanerika.com/blogs/ai-tools/) are making it easy for threat actors to level up their threat campaigns. While cybercrooks are getting sophisticated with their [threat attacks](https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/email-threat-landscape-report-evolving-threats-in-email-based-attacks), they still prefer to carry out simple phishing campaigns because of the rate of success.
A group of researchers at \*\*ForcePoint has discovered a new [phishing campaign](https://www.infosecurity-magazine.com/news/password-stealing-phishing-pdf/) that involves PDF files and Dropbox storage. It is a multi-stage threat campaign that redirects victims to malicious pages to gain access to their credentials.
When a victim clicks on a [malicious PDF](https://cybersecuritynews.com/apache-tika-core-vulnerability/), they get redirected to a [Dropbox login page](https://help.dropbox.com/account-access/sign-in-out). It is basically a malicious page designed to carry out fraud activities like account takeover, internal access, etc. [Cybercrooks](https://www.csoonline.com/article/4032743/cybercrooks-faked-microsoft-oauth-apps-for-mfa-phishing.html) prefer this campaign as it looks similar to **normal business behavior**, which further increases its credibility.
_First, the victim receives a legitimate-looking email._ The email will mostly revolve around tender procurement or any **business operations**. Along with it comes a request to evaluate the attacked document.
The \*\*PDF works like a primary [malware delivery](https://thehackernews.com/2025/08/mixshell-malware-delivered-via-contact.html) system. The sender address tends to be spoofed. \_After being redirected to the malicious Dropbox login page, the victim is highly likely to log in using their email address and password. \_These malicious emails easily bypass [traditional authentication tools](https://proximia.com/blog/hidden-costs-traditional-authentication-tco/) such as [SPF](https://dmarcreport.com/what-is-spf/) (Sender Policy Framework), [DKIM](https://dmarcreport.com/what-is-dkim/) (DomainKeys Identified Mail), and [DMARC](https://dmarcreport.com/) (Domain-based Message Authentication, Reporting, and Conformance).
## ShinyHunters managed to bypass MFA in a recent data theft attack!
MFA or multi-factor authentication is considered to be a great tactic to prevent [cyberattacks](https://www.aljazeera.com/news/2025/4/15/china-accuses-us-of-launching-cyberattacks-during-asian-winter-games). But in a recent cyber incident, ShinyHunters managed to bypass MFA during a [social engineering attack](https://www.cybersecuritydive.com/news/social-engineering-preferred-initial-access/803363/).
_In this cyber incident, ShinyHunters targeted SoundCloud, Crunchbase, Panera Bread, and several dating apps, including Match, Hinge, OkCupid, and Tinder._ A \*\*group of researchers at Silent Push believes that there can be more victims of ShinyHunters, especially those who belong to financial services, [real estate](https://www.investopedia.com/terms/r/realestate.asp), logistics, fintech, healthcare, energy, and so on.
Mandiant believes that, in addition to [ShinyHunters](https://www.helpnetsecurity.com/2026/02/02/shinyhunters-mfa-social-engineering/), there are two other independent threat groups that are also deploying the same tactic to bypass MFA.
These threat actors tend to pose as \*\*IT customer support executives and use vishing calls as well as real-time adversary-in-the-middle infrastructure to gain access to OKTA SSP credentials and [OTPs](https://gulfnews.com/business/banking/countries-phasing-out-sms-otps-for-online-banking-security-1.500209725).
Okta is an access [management service provider](https://www.techtarget.com/searchitchannel/definition/managed-service-provider) and believes that threat actors are using tailor-made phishing kits that have been specially designed to help live-call-based cyberattacks. \*\*Experts believe that any type of MFA that is not resistant to phishing can be easily bypassed because of this new [cyber campaign](https://www.ncsc.gov.uk/news/uk-allies-expose-china-tech-companies-enabling-cyber-campaign).
## Signal Messenger used to target journalists
Unknown threat actors have been trying to gain access to multiple journalists’ accounts by using [Signal Messenger](https://netzpolitik.org/2026/phishing-attack-numerous-journalists-targeted-in-attack-via-signal-messenger/). Most of them are **investigative journalists**. While some are well-known faces on television, others are from large and medium-sized media outlets. Besides journalists, reputed individuals and prominent figures of society, such as lawyers, are also being targeted. Threat actors send a message through Signal Messenger and pose as a customer support executive. They allege that someone is engaging in suspicious activity on the victim’s phone and attempting to access [sensitive data](https://thehackernews.com/2026/01/new-research-64-of-3rd-party.html). They then ask the victim to complete a Signal verification process and share a \*\*verification code with the executive.
_When the chat request on Signal Messenger is accepted by the victim, they receive a verification code on their smartphone_. Sharing this code with the \*\*Signa Security Support Chatbot enables attackers to gain access to the victim’s account.
## An Indian firm was duped because of a fake email!
Indian infrastructure firm **Megha Engineering and Infrastructures Ltd**. fell prey to a massive phishing scam and lost almost [$610 K](https://timesofindia.indiatimes.com/city/hyderabad/infra-major-meil-loses-rs-5-5-cr-in-phishing-attack/articleshow/118258061.cms).
[MEIL](https://in.linkedin.com/company/meilgroupofficial) needed to buy burner packages and a reaction furnace package from a Netherlands-based vendor. Payments were to be made in accordance with to signed contract. But a group of threat actors managed to impersonate the vendors and tampered with the payment instructions by using a [malicious email](https://www.securitymagazine.com/articles/100687-the-last-six-months-shows-a-341-increase-in-malicious-emails) ID. As a result of this tactic, MEIL transferred the payments to a fraudulent JPMorgan Chase account rather than the genuine [ABN Amro](https://en.wikipedia.org/wiki/ABN%5FAMRO) Bank account.
**On November 29**, threat actors sent a [fake email](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) to MEIL claiming that the vendor’s original bank account is no longer functional because of a court order. The cybercrooks used a fake email address- [nujis@duiker.cam](mailto:nujis@duiker.cam), in place of [nujis@duiker.com](mailto:nujis@duiker.com). MEIL considered the email to be genuine and transferred payments to the fraudulent account in **January 2025**.
## Topics
[ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/)
[ Brad Slavin ](/authors/brad-slavin/)
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting","description":"PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting from DMARC Report explains practical steps for email authentication, domain.","url":"https://dmarcreport.com/blog/pdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting/","datePublished":"2026-02-05T08:45:57.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-02-05T08:45:57.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/pdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting/"},"articleSection":"foundational","keywords":"dkim, DMARC, SPF","wordCount":1145,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"PDF Dropbox Phishing, ShinyHunters MFA Bypass, Signal Journalist Targeting","item":"https://dmarcreport.com/blog/pdf-dropbox-phishing-shinyhunters-mfa-bypass-signal-journalist-targeting/"}]}
```