Attachment phishing

An unsolicited SMS containing an attached file (PDF, image, document) designed to deliver malware, harvest credentials, or compromise the recipient's device when opened. Distinct from hop seeding (no metadata edge needed) and from phantom account (no account is being maintained) — the payload is the point.

Also known as: bad attacher, smishing with payload, SMS-borne malware, PDF smishing
The formal term: Mobile phishing with weaponized attachment; SMS-vectored malware delivery.
Overlay / cover: legitimate carrier delivery notifications (FedEx, UPS, USPS, Amazon); ordinary spam advertising; legitimate document-signing requests (DocuSign, etc.).

Tactic entry to be written. Sections to fill in: definition + mechanism, how it looks on the receiving end (the urgency cue, the spoofed-brand identifier, the file or link), what it produces if opened (malware install / credential harvest / device compromise), the carrier-spoof and document-signing overlays that provide cover, and defensive posture (do not open, do not preview, report to the impersonated brand's abuse channel, block).

Where this appeared in the storm

Bad Attacher — fake UPS 'package delivery issue' PDF (2026-05-21)