Forcepoint noted that the succinct nature of the emails helps them to bypass email authentication checks like SPF, DKIM and DMARC, while the implied urgency of the request is designed to manipulate the receiver into following the instructions. If the user opens the PDF, they are asked to follow an embedded link to aid with the request. This link is written in AcroForm which minimizes the ability for security software to scan it.