March 21, 2026

By PhishClean Research Team - browser security guidance based on phishing analysis, defensive research, and product work.

That Purchase Order PDF Might Just Be a Browser Phishing Page

A recent Malwarebytes write-up covered a simple but effective phishing trick: send a file that looks like a PDF purchase order, open it in the browser, ask for a password, and quietly ship the credentials to a Telegram bot. It is not flashy. That is exactly why it works.

The reported attachment used a double extension, New PO 500PCS.pdf.hTM, to pose as a routine business document. Once opened, it did not display a real purchase order. It displayed a password prompt against a blurred background, with the victim's email address already filled in.

That is a very different psychological setup from an obvious fake website. The victim thinks they are one step away from opening a normal file.

Accounts-payable and sales teams do not experience this kind of lure as a “cyber event.” They experience it as another document to get through.

What the report says happened

According to Malwarebytes, the page collected the victim's email, password, IP address, geolocation, and browser details. Instead of storing that information on some obvious attacker server, the page reportedly sent the data straight to a Telegram bot.

After the victim typed a password, the page displayed a believable error and encouraged a second attempt. Many people will try again with a corrected password or even with a different one they use elsewhere.

Why this scam still works

People are trained to fear macros, EXEs, and obviously dangerous downloads. They are less prepared for a browser page hiding inside something that still feels like an attachment.

The double-extension trick gives the attacker the familiarity of a document and the flexibility of a web page at the same time.
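A triage check for the double-extension lure and the Telegram delivery described above, as an added example that is not code from the Malwarebytes report or from PhishClean. The extension sets, reason labels and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed extension sets for this example; tune them for your own mail flow.
WEB_EXTS = {"htm", "html", "xhtml", "shtml", "svg"}          # rendered by the browser
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}  # what the lure imitates
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)   # Telegram Bot API host


class FormScan(HTMLParser):
    """Records whether the markup contains a password input."""

    def __init__(self):
        super().__init__()
        self.password_field = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_field = True


def triage_attachment(filename, body=""):
    """Return sorted reasons an attachment should be held for review."""
    reasons = set()
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) >= 3 and parts[-1] in WEB_EXTS and parts[-2] in DOC_EXTS:
        reasons.add("double-extension")
    if parts[-1] in WEB_EXTS and body:
        scan = FormScan()
        scan.feed(body)
        if scan.password_field:
            reasons.add("password-form")
        # A plain-text match only; an obfuscated page will not trip this check.
        if TELEGRAM_API.search(body):
            reasons.add("telegram-bot-endpoint")
    return sorted(reasons)


# Constructed sample markup (not taken from the reported attachment).
SAMPLE_BODY = (
    '<form><input type="email" value="user@example.com">'
    '<input type="PASSWORD" name="p"></form>'
    '<script>var hook = "https://api.telegram.org/botPLACEHOLDER/sendMessage";</script>'
)

if __name__ == "__main__":
    for name in ("New PO 500PCS.pdf.hTM", "Q3 invoice.pdf", "newsletter.html"):
        print(name, triage_attachment(name, SAMPLE_BODY))
```

The filename rule fires on its own, so it is usable at a gateway that never unpacks the attachment body; the content checks add confidence when the markup is available.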

Why business teams are especially exposed

If your job involves quotes, invoices, purchase orders, approvals, or vendor communication, the lure does not feel weird. It feels like Tuesday. That is why attackers keep returning to these themes.

For business users, that speed matters because company credentials can be reused across email, file sharing, VPNs, and internal tools.

What to do if you opened a file like this

Change the password immediately, rotate any reused passwords, and alert your IT or security team so they can watch for account testing or follow-on phishing. If the account was a shared mailbox or high-trust business account, treat the incident as higher risk than a single personal login leak.

The browser is now part of the attachment story. A fake document can simply be a browser page wearing a document's name badge.

Source note

This post is based on Malwarebytes' March 2 article, "Purchase order attachment isn't a PDF. It's phishing for your password."

Frequently Asked Questions

Why is a file named PDF.HTM dangerous?

Because it is not really a PDF. It is an HTML page that opens in the browser and can contain a phishing form or malicious script.

What did the report say the phishing page stole?

According to the report, the page collected the victim's email and password, IP address, geolocation, and browser details, then sent them to a Telegram bot.

What should someone do after typing a password into a fake document page?

Change the password immediately, rotate reused passwords, enable MFA, and notify the affected organization or IT team because business credentials may be tested against multiple services.
