PDF trapped that steals M365 session/account password

[xillibit]

Hello,

Someone that i know i received a mail on Outlook 2021 (on Win 11 25H2 with the patch tuesday ot 14th october installed) which contains a PDF trapped she thought it was legitimate and she has opened the PDF. Just after she has noticied that there was a huge amount of spam send which is mail address. By opening the PDF the hacker has stolen his password of sessions/ M365 account (it's the same password for the windows sessions and his M365 account). The hacked has set a rule to move automatically the mails arriving in the inbox to a specific folder. 

How is-it possible to stole the password just by opening the PDF ?

Thanks by adance

[adrynalyne]

On 09/11/2025 at 02:05, xillibit said:

Hello,

Someone that i know i received a mail on Outlook 2021 (on Win 11 25H2 with the patch tuesday ot 14th october installed) which contains a PDF trapped she thought it was legitimate and she has opened the PDF. Just after she has noticied that there was a huge amount of spam send which is mail address. By opening the PDF the hacker has stolen his password of sessions/ M365 account (it's the same password for the windows sessions and his M365 account). The hacked has set a rule to move automatically the mails arriving in the inbox to a specific folder. 

How is-it possible to stole the password just by opening the PDF ?

Thanks by adance

It isn’t. I’ve seen and investigated this phishing attempt dozens of times. They open it, it triggers a prompt to login (usually via SSO), and they do. It’s all over after that. If they don’t login, they don’t get their account stolen. 
 

More importantly though, DO NOT OPEN SUSPICIOUS FILES. 

[+Nik Louch Subscriber²]

On 09/11/2025 at 09:05, xillibit said:

Hello,

Someone that i know i received a mail on Outlook 2021 (on Win 11 25H2 with the patch tuesday ot 14th october installed) which contains a PDF trapped she thought it was legitimate and she has opened the PDF. Just after she has noticied that there was a huge amount of spam send which is mail address. By opening the PDF the hacker has stolen his password of sessions/ M365 account (it's the same password for the windows sessions and his M365 account). The hacked has set a rule to move automatically the mails arriving in the inbox to a specific folder. 

How is-it possible to stole the password just by opening the PDF ?

Thanks by adance

There is a missing part of the story. 

[adrynalyne]

On 09/11/2025 at 09:58, Nik Louch said:

There is a missing part of the story. 

Indeed. The part where they signed in. 😂

[xillibit]

The mail has disappeared just couple of minutes after she has opened the pdf from his inbox by itself. She said that hasn't signed in, there is nothing which have asked his password.

[+Warwagon MVC]

If she in fact didn't enter her credentials, then it sounds like it stole her sessions cookies.

Didn't the same thing happen to Linus Tech tips?

Per the Verge

Quote

According to Sebastian, someone on the Linus Media Group’s team downloaded “what appeared to be a sponsorship offer from a potential partner” and launched the included PDF with the terms of that offer. But Sebastian says this offer actually included malware that accessed “all user data from both their installed browsers” — including session tokens — which effectively gave the bad actor “an exact copy” of the browsers that they could export and use to wreak havoc without needing to enter security credentials.

Are we even sure what she was trying to open was a PDF or an executable? 

 

[Gerowen]

On 09/11/2025 at 11:47, adrynalyne said:

It isn’t. I’ve seen and investigated this phishing attempt dozens of times. They open it, it triggers a prompt to login (usually via SSO), and they do. It’s all over after that. If they don’t login, they don’t get their account stolen. 
 

More importantly though, DO NOT OPEN SUSPICIOUS FILES. 

@Warwagon sounds like he's on the right track, given what we know. It's called "cookie hijacking" or "session hijacking".  Malicious PDFs, or sometimes, .exe files disguised as PDFs, since Windows hides file extensions by default, have been used in the past to steal locally stored session cookies for already signed-in accounts without requiring any manual login activity or further interaction from the target user.  If this is what has happened to the OP and they still have access to the account; invalidating all currently logged in sessions, then logging back in and changing your password should be enough to boot the hackers from your account.  The longer you leave them with access however, the more likely it is they either already have, or will eventually do something like change the password the something of their choosing, remove 2FA authenticators or otherwise take greater ownership of the account.

Linus of "Linus Tech Tips" was a victim of this a couple of years ago.

 

[xillibit]

It can't be an executable because the extensions of files are set to showed

[adrynalyne]

On 10/11/2025 at 10:55, xillibit said:

It can't be an executable because the extensions of files are set to showed

It doesn’t matter at this point. Either login consent was given or session cookies were stolen. You have two very plausible explanations. 
 

At the end of the day, never open suspicious files or unexpected attachments.