Insurance Claim PDF Hides JavaScript Behind AcroForm Fields and SendGrid Redirects
ID: 395f3dd6-e26d-5c13-b161-78230eab0ce2
STIX ID: report--395f3dd6-e26d-5c13-b161-78230eab0ce2
Feed Name: IRONSCALES
A Spanish-language brand-impersonation phishing campaign delivered an 84 KB PDF (CartaCierreSolicitud.pdf) containing interactive AcroForm fields and compressed, obfuscated JavaScript; the /JS and /AA tokens in the file enable automatic execution. The attacker used a SendGrid tracking redirect (u22037540.ct.sendgrid.net) and controlled the authenticated sending domain (zurichsantandermexico.com.mx), so SPF, DKIM and DMARC all passed. The report lists IOCs (relay IP 167.89.23.152, attachment SHA-256 95b3413da7b8ab587747643e6ed0536e, template token |.TrSite.EMAIL.|) and actionable mitigations: blocking PDFs that contain scripting, unwrapping tracking redirects, and treating passing email authentication as insufficient evidence of legitimacy.
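As an added defender-side example (not code from the IRONSCALES report), the scanner below inflates FlateDecode streams, decodes `#xx` escapes in PDF names, and flags the /JS, /JavaScript, /AA and /OpenAction tokens the summary calls out, so the check cannot be dodged by compressing or hex-encoding the object; the sample PDFs it builds are constructed inline and assumed for illustration.

```python
import re
import zlib

# Names that indicate scripting or automatic actions; /AcroForm is reported
# as a hint of interactive fields but does not on its own mean scripting.
SUSPICIOUS_TOKENS = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
                     b"/Launch", b"/AcroForm")
SCRIPTING_TOKENS = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch"}

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name like /#4A#53 reads /JS."""
    return _HEX_NAME_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Return the decoded body of every stream; non-zlib streams are kept raw."""
    views = []
    for m in _STREAM_RE.finditer(data):
        body = m.group(1)
        try:  # decompressobj tolerates trailing bytes and a clipped tail
            views.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            views.append(body)
    return views


def scan_pdf(data: bytes) -> dict:
    """Scan the raw file and each inflated stream for suspicious names."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    found = set()
    for view in views:
        for tok in SUSPICIOUS_TOKENS:
            # Lookahead stops /JS from matching inside /JSomething
            if re.search(re.escape(tok) + rb"(?![A-Za-z])", view):
                found.add(tok.decode())
    return {"tokens": sorted(found), "scripting": bool(found & SCRIPTING_TOKENS)}


def build_sample(obj: bytes, compress: bool = True) -> bytes:
    """Construct a minimal one-object PDF (test fixture, not a real file)."""
    body = zlib.compress(obj) if compress else obj
    header = b"<< /Length %d%s >>" % (len(body), b" /Filter /FlateDecode" if compress else b"")
    return (b"%PDF-1.7\n1 0 obj\n" + header + b"\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")
```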
