Attackers send phishing emails with a (non-)password-protected PDF purporting to be a faxed document or convincingly spoofed Microsoft OneDrive page. The automated email security scanner must extract the destination URL from a PDF document and solve the CAPTCHA. These conditions prevent email security scanners from detecting phishing URLs in attachments, or provides attachment previews allowing users to determine the contents of the email. The inability of automated email security features to solve the captcha and generate a preview forces users to download the attachment.
When a victim opens the document, it redirects them to a CAPTCHA page. After solving the puzzle, the page redirects the user to the actual phishing page resembling a Microsoft login screen. The phishing page then prompts the victim to enter their credentials, which end up in the attacker’s database.
NL 
EN