Phishing has evolved, and attackers no longer rely on suspicious links or poorly designed fake websites. Today, a new campaign is using HTML file attachments in emails to impersonate well-known brands like Microsoft 365, Adobe, WeTransfer, FedEx, and DHL. Their goal? To trick you into revealing your corporate or personal credentials.
This new wave of attacks, targeting organizations in Central and Eastern Europe, is highly sophisticated. According to an analysis by cybersecurity firm Cyble, the attackers understand business processes well and use advanced social engineering tactics to infiltrate sectors like agriculture, automotive, construction, and education.
Instead of redirecting users to fraudulent websites, attackers include a malicious HTML file directly within the email. When opened, the file presents a login page that mimics the real branding — logos, colors, layout — of the spoofed company.
This technique gives cybercriminals a key advantage: they don’t need suspicious URLs or external servers that might be flagged by email security filters. All malicious content is embedded within the file itself.
The emails usually have believable subject lines and filenames, such as RFQ_4460-INQUIRY.HTML (RFQ stands for Request for Quotation), which adds legitimacy. For companies that regularly deal with quotes or procurement workflows, these messages appear entirely authentic.
Unlike traditional phishing, this technique avoids centralized servers. The stolen data is sent straight to Telegram, making the attack harder to trace for cybersecurity teams.
Figure: Campaign Overview (Source: Cyble)
Cyble’s analysis revealed that the attackers use embedded JavaScript within the HTML file to collect usernames, passwords, IP addresses, and browser details.
This level of sophistication shows how criminals now use refined methods to blend into normal network traffic, avoiding alerts from tools like EDR (Endpoint Detection & Response) or DLP (Data Loss Prevention).
The campaign's success lies in how well the attackers understand business environments. These aren't generic phishing attempts; they are tailored to industries where RFQs, invoices, or pricing requests are common.
Messages use the right tone, impersonate real vendors or partners, and catch employees off guard. Because attackers use HTML attachments instead of links, they bypass standard email security tools. Most filters still don't analyze these files in depth, leaving a blind spot in enterprise defenses.
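A mail-gateway check for the blind spot described above, as an added example that is not from Cyble's report or from TecnetOne: it parses a message, extracts its HTML attachments, and flags those that pair a password field with inline script or a Telegram Bot API reference. The heuristics, the verdict names, and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristics are assumptions chosen for this example, not Cyble's indicators.
CHECKS = {
    "password-field": re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I),
    "inline-script": re.compile(r"<script\b(?![^>]*\bsrc\s*=)", re.I),
    "telegram-bot-api": re.compile(r"api\.telegram\.org/bot", re.I),
}
HTML_EXT = (".html", ".htm", ".shtml")

def html_attachments(msg):
    """Yield (filename, text) for each attachment that is HTML by name or type."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(HTML_EXT) or part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield name, raw.decode("utf-8", errors="replace")

def triage(raw_message):
    """Map each HTML attachment to the sorted list of heuristics it trips."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {
        name: sorted(k for k, rx in CHECKS.items() if rx.search(text))
        for name, text in html_attachments(msg)
    }

def verdict(findings):
    """Assumed policy: form + Bot API reference is blocked, form + script is reviewed."""
    hits = set(findings)
    if {"password-field", "telegram-bot-api"} <= hits:
        return "block"
    if {"password-field", "inline-script"} <= hits:
        return "review"
    return "deliver"

def build_sample(filename, html):
    """Constructed test message; the 'script' body is an inert comment, not real code."""
    msg = EmailMessage()
    msg.set_content("Please see the attached RFQ.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg.as_bytes()

# Constructed samples: a lure-shaped attachment and a harmless one.
LURE = ('<form><input type="password" name="p"></form><script>/* placeholder: '
        "sends fields to https://api.telegram.org/bot<TOKEN>/sendMessage */</script>")
BENIGN = "<html><body><h1>Quarterly price list</h1></body></html>"
```

String matching of this kind only sees the attachment as delivered, so it complements rather than replaces rendering the file in a sandbox.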
Traditionally, stolen credentials were sent to a remote server or stored in hidden repositories. But this campaign reveals a growing trend: using legitimate messaging platforms like Telegram for data exfiltration.
Telegram offers anonymity, encryption, and a decentralized structure ideal for cybercriminal coordination. By using its Bot API, attackers:
At TecnetOne, we recommend a layered strategy that combines education, technology, and real-time monitoring:
These campaigns show that traditional security models are no longer enough. Organizations need end-to-end visibility — from web traffic and emails to file attachments and in-browser activity.
The use of HTML files as attack vectors marks a shift in strategy. Rather than hacking systems, attackers exploit trust and routine workflows.
At TecnetOne, we emphasize proactive digital education and strong policies to block these threats before they start. Preventing a single wrong click can be the difference between a secure operation and a massive data breach.
Phishing is no longer limited to badly written emails or shady links. Attackers now impersonate major brands, use advanced tech, and exploit user inattention.
Next time you receive an unexpected attachment, remember: social engineering is cybercrime’s most effective tool. Don’t open what you weren’t expecting. Always verify the source, and most importantly — keep your defenses updated.