Phishing Campaign Baits Hook With Malicious Amazon PDFs

Published 29/01/2025 01:42 · Modified 29/01/2025 12:31

Essential information

Tags
2025-01-29 credit card fraud phishing
Related entities
4 observables, 8 techniques (mitre), 2 others

Description

A new phishing tactic has emerged that uses PDF documents announcing expired Amazon Prime memberships to trick victims. The campaign reaches users by email; the messages carry PDF attachments that lead to fake Amazon pages requesting personal and credit card information. Researchers from Palo Alto Networks Unit 42 discovered 31 PDF files linking to these sites, none of which had been submitted to VirusTotal. The attack chain begins with an email containing a PDF attachment, which redirects victims to subdomains of duckdns[.]org hosting the phishing site. The campaign uses cloaking techniques to redirect scans and analysis attempts to benign domains. Four initial links were identified as potential threats in this sophisticated operation.

External references