Email Poses as an Incoming ACH Payment with HTML Attachment Leading to Branded Credential Phishing Page

In this attack, the email simply indicated that a new payment had been sent to the recipient and the funds would be available in their account in two business days. Attached to the email was a supposed confirmation of this payment, the filename of which matched the username of the recipient’s email address. The email was sent from an account set up on Ziggo, a Dutch free webmail provider. The display name of the sender included the domain of the recipient’s company, making it look like the email was an automated message from an internal system.

Had the recipient opened the HTML attachment, it would have redirected them to a phishing page with a login prompt. The phishing page contained a branded background image from the recipient’s company. The login prompt contained the recipient’s company logo and was prefilled with the recipient’s email address.

The URL within the attachment is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The email was sent from a Ziggo account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

A holistic detection system that is able to extract and analyze URLs from email attachments is required to assess the intent of any links, alongside other signals acquired through content analysis, to determine whether the email is malicious. HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. The sender’s display name resembles an administrator account; however, the email address has never been used to communicate with employees at the company.

Because the phishing page contained company-specific branding, it may lead an employee to mistakenly believe that it is a legitimate login page. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.