Skip to main content
Abnormal Intelligence

Credential Phishing

HTML Attachment Renders Local Phishing Page and Exfiltrates Credentials via Telegram

This phishing attack uses an HTML attachment to render a local sign-in page, steals credentials, and exfiltrates them via Telegram API.

November 29, 2024

Attack Target Summary

Attack Overview

Step 1: Email

The attack starts with an email containing an HTML attachment and a vague message referencing a remittance payment. There are no links in the body of the message—only a single attachment: SWIFT_COPY.html.

Attack Library Repo 2 15 Nov Image 1
  • Email passes SPF, DKIM, and DMARC checks.
  • Message contains no suspicious links.
  • A single HTML attachment is used to initiate the attack.

Step 2: Local Phishing Interface

Opening the HTML file launches a local web page mimicking a document sharing login prompt. The page is rendered entirely on the user’s device to avoid network detection.

Attack Library Repo 2 15 Nov Image 2
  • The page mimics a legitimate login interface.
  • Operates without external content or requests.
  • Target is prompted to enter email and password.

Step 3: Redirection + Exfiltration via Telegram

After the target submits their credentials, they are redirected to a decoy OneDrive page hosting a harmless PDF. Meanwhile, their credentials, IP address, and geolocation are silently sent to a Telegram bot via the Telegram API.

Attack Library Repo 2 15 Nov Image 3 Attack Library Repo 2 15 Nov Image 4
  • Target lands on a decoy file download page.
  • Credentials and metadata are exfiltrated covertly.
  • Telegram is used as the exfiltration channel.

Step 4: Final Destination (Spoofed Microsoft Login)

Attack Library Threat Actors Exploit Docusign 6 Nov Portal

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The HTML file is rendered locally and does not generate external requests.
  • The attachment appears benign and contains no links or malware.
  • Exfiltration occurs via Telegram API, a legitimate communication platform.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Sender behavior and email context anomalies.
  • Attachment analysis that revealed HTML smuggling techniques.
  • NLP flagged the vague financial message as a phishing indicator.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Classification

Credential PhishingPayload-basedExternal Party - OtherCredential Theft

Stop these attacks at your organization

See how Abnormal's behavioral AI detects the threats this digest covers — before they reach inboxes.