PDF trapped that steals M365 session/account password



Hello,

Someone that I know received a mail in Outlook 2021 (on Win 11 25H2 with the Patch Tuesday of 14th October installed) which contained a trapped PDF. She thought it was legitimate and opened the PDF. Just after, she noticed that a huge amount of spam was being sent from her mail address. By opening the PDF, the hacker stole her password for the Windows session / M365 account (it's the same password for the Windows session and the M365 account). The hacker set a rule to automatically move the mails arriving in the inbox to a specific folder.

How is it possible to steal the password just by opening the PDF?

Thanks in advance

  • Like 1
On 09/11/2025 at 02:05, xillibit said:

Hello,

Someone that I know received a mail in Outlook 2021 (on Win 11 25H2 with the Patch Tuesday of 14th October installed) which contained a trapped PDF. She thought it was legitimate and opened the PDF. Just after, she noticed that a huge amount of spam was being sent from her mail address. By opening the PDF, the hacker stole her password for the Windows session / M365 account (it's the same password for the Windows session and the M365 account). The hacker set a rule to automatically move the mails arriving in the inbox to a specific folder.

How is it possible to steal the password just by opening the PDF?

Thanks in advance

It isn’t. I’ve seen and investigated this phishing attempt dozens of times. They open it, it triggers a prompt to log in (usually via SSO), and they do. It’s all over after that. If they don’t log in, they don’t get their account stolen.
 

More importantly though, DO NOT OPEN SUSPICIOUS FILES. 

On 09/11/2025 at 09:05, xillibit said:

Hello,

Someone that I know received a mail in Outlook 2021 (on Win 11 25H2 with the Patch Tuesday of 14th October installed) which contained a trapped PDF. She thought it was legitimate and opened the PDF. Just after, she noticed that a huge amount of spam was being sent from her mail address. By opening the PDF, the hacker stole her password for the Windows session / M365 account (it's the same password for the Windows session and the M365 account). The hacker set a rule to automatically move the mails arriving in the inbox to a specific folder.

How is it possible to steal the password just by opening the PDF?

Thanks in advance

There is a missing part of the story. 

If she in fact didn't enter her credentials, then it sounds like it stole her session cookies.

Didn't the same thing happen to Linus Tech Tips?

Per the Verge

Quote

According to Sebastian, someone on the Linus Media Group’s team downloaded “what appeared to be a sponsorship offer from a potential partner” and launched the included PDF with the terms of that offer. But Sebastian says this offer actually included malware that accessed “all user data from both their installed browsers” — including session tokens — which effectively gave the bad actor “an exact copy” of the browsers that they could export and use to wreak havoc without needing to enter security credentials.

Are we even sure what she was trying to open was a PDF or an executable? 

 

  • Like 2
On 09/11/2025 at 11:47, adrynalyne said:

It isn’t. I’ve seen and investigated this phishing attempt dozens of times. They open it, it triggers a prompt to log in (usually via SSO), and they do. It’s all over after that. If they don’t log in, they don’t get their account stolen.
 

More importantly though, DO NOT OPEN SUSPICIOUS FILES. 

@Warwagon sounds like he's on the right track, given what we know. It's called "cookie hijacking" or "session hijacking". Malicious PDFs, or sometimes .exe files disguised as PDFs, since Windows hides file extensions by default, have been used in the past to steal locally stored session cookies for already signed-in accounts without requiring any manual login activity or further interaction from the target user. If this is what has happened to the OP and they still have access to the account, invalidating all currently logged-in sessions, then logging back in and changing your password should be enough to boot the hackers from your account. The longer you leave them with access, however, the more likely it is they either already have, or will eventually, do something like change the password to something of their choosing, remove 2FA authenticators or otherwise take greater ownership of the account.

Linus of "Linus Tech Tips" was a victim of this a couple of years ago.

 

  • Like 2
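The remediation described in the post above (invalidate every signed-in session, then review the mailbox for the attacker's inbox rule) is something an M365 admin would normally do from PowerShell. The script below is an added example written for this thread, not code posted by any participant. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the permissions requested in the two Connect calls, and that `$Upn` is a placeholder for the affected mailbox.

```powershell
# Added example: first-response steps for a suspected M365 session hijack.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules installed;
# $Upn is a placeholder for the compromised user's sign-in address.
param([Parameter(Mandatory)][string]$Upn)

Connect-MgGraph -Scopes "User.RevokeSessions.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Revoke the user's refresh tokens. Every existing session, including one
#    started with stolen cookies, has to re-authenticate once its access token
#    expires. Do this before the password reset so the attacker cannot ride
#    out the change on an already-issued token.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Sign-in sessions revoked for $Upn"

# 2. List inbox rules and flag any that move, forward, redirect or delete mail.
#    The thread describes exactly this pattern: a rule silently moving new
#    messages to a folder so the victim never sees bounce-backs or replies.
$rules = Get-InboxRule -Mailbox $Upn
foreach ($r in $rules) {
    $flags = @()
    if ($r.MoveToFolder)          { $flags += "MoveTo=$($r.MoveToFolder)" }
    if ($r.ForwardTo)             { $flags += "ForwardTo=$($r.ForwardTo -join ',')" }
    if ($r.ForwardAsAttachmentTo) { $flags += "ForwardAsAttachmentTo=$($r.ForwardAsAttachmentTo -join ',')" }
    if ($r.RedirectTo)            { $flags += "RedirectTo=$($r.RedirectTo -join ',')" }
    if ($r.DeleteMessage)         { $flags += "DeleteMessage" }

    if ($flags.Count -eq 0) {
        Write-Host ("OK        {0} (Enabled={1})" -f $r.Name, $r.Enabled)
        continue
    }

    Write-Host ("SUSPECT   {0} (Enabled={1}) {2}" -f $r.Name, $r.Enabled, ($flags -join ' '))
    # 3. Let the operator disable each suspect rule rather than deleting it,
    #    so the rule definition is preserved as evidence for the investigation.
    $answer = Read-Host "  Disable this rule? [y/N]"
    if ($answer -eq 'y') {
        Disable-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
        Write-Host "  Disabled."
    }
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Two caveats worth knowing when running this: revoking sessions invalidates refresh tokens, but an access token already in the attacker's hands stays valid until it expires (typically up to an hour), so the password reset and a review of the user's registered MFA methods should follow immediately rather than later. And an inbox rule with no move/forward/delete action can still be malicious (for example one that only marks messages as read), so treat the "OK" lines as a triage shortcut, not a clean bill of health.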
On 10/11/2025 at 10:55, xillibit said:

It can't be an executable because file extensions are set to be shown.

It doesn’t matter at this point. Either login consent was given or session cookies were stolen. You have two very plausible explanations. 
 

At the end of the day, never open suspicious files or unexpected attachments. 

  • Like 3
