A new GMAIL PDF based phishing scam is widely circulating.  When users click on a PDF attachment that appears to be in genuine email message of a trusted contact, it launches a FAKE GMAIL login page that is designed to captures ID and password information.  Attackers can later use those captured credentials to break into the users email and send out legitimate looking emails to contacts in the address book.  

http://time.com/4638214/google-phishing-scam/

https://blogs.technet.microsoft.com/mmpc/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/

Security researchers have identified a “highly effective” phishing scam that’s been fooling Google Gmail customers into divulging their login credentials. The scheme, which has been gaining popularity in the past few months and has reportedly been hitting other email services, involves a clever trick that can be difficult to detect.  Here’s how the swindle works. The attacker, usually disguised as a trusted contact, sends a boobytrapped email to a prospective victim. Affixed to that email, there appears to be a regular attachment, say a PDF document. Nothing seemingly out of the ordinary.

But the attachment is actually an embedded image that has been crafted to look like a PDF. Rather than reveal a preview of the document when clicked, that embedded image links out to a fake Google login page. And this is where the scam gets really devious.  Everything about this sign-in page looks authentic: the Google logo, the username and password entry fields, the tagline. By all indications, the page is a facsimile of the real thing. Except for one clue: the browser’s address bar.

In fact, the text in the address bar is what’s known as a “data URI,” not a URL. A data URI embeds a file, whereas a URL identifies a page’s location on the web. If you were were to zoom out on the address bar, you would find a long string of characters, a script that serves up a file designed to look like a Gmail login page. This is the trap. As soon as a person enters her username and password into the fields, the attackers capture the information. To make matters worse, once they gain access to a person’s inbox, they immediately reconnoiter the compromised account and prepare to launch their next bombardment. They find past emails and attachments, create boobytrapped-image versions, drum up believable subject lines, and then target the person’s contacts.