Cybersecurity researchers at Cyble have discovered a sophisticated phishing campaign in Central and Eastern Europe that employs HTML attachments to steal credentials, as reported by The Cyber Express.

This phishing operation embeds malicious JavaScript within HTML attachments disguised as legitimate business documents. The attack targets organizations across various industries, presenting convincing login interfaces impersonating trusted brands like Adobe and Microsoft. The operation bypasses traditional email security measures by directly capturing victim credentials and transmitting them to attacker-controlled Telegram bots, evading detection.

The attack's technical sophistication, including encryption and anti-forensics measures, poses challenges for security teams. The decentralized infrastructure and customized targeting indicate a well-organized and adaptable threat. To defend against such threats, organizations are advised to monitor for unusual connections to Telegram and implement content inspection for HTML attachments. End users should exercise caution with unsolicited HTML attachments and verify authentication requests independently. Cyble has shared indicators of compromise to assist security teams in detecting and preventing this evolving threat.

Source: The Cyber Express
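One way to implement the content inspection for HTML attachments recommended above, as an added example that is not code from Cyble, The Cyber Express or SC Media. The three heuristics, the function names and the sample message are assumptions constructed for illustration; the runtime-decoding check exists because a static match on the Telegram Bot API host will miss scripts that encode or encrypt that string.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
# Heuristics chosen for this example (assumptions, not Cyble's published IoCs).
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)
DECODERS = re.compile(r"\b(?:atob|unescape|eval)\s*\(|fromCharCode", re.I)

class AttachmentScan(HTMLParser):  # collects inline script text, notes password inputs
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.password_field = False, [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"  # script bodies are CDATA: next tag is </script>
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_field = True
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def inspect_html(html):
    """Return the reasons an HTML attachment looks like a credential-capture form."""
    scan = AttachmentScan()
    scan.feed(html)
    js = "\n".join(scan.scripts)
    checks = {"password-field": scan.password_field,
              "telegram-bot-api": TELEGRAM_API.search(js),
              "runtime-decoding": DECODERS.search(js)}
    return [name for name, hit in checks.items() if hit]

def inspect_message(raw):
    """Map each HTML attachment's filename to its findings (empty list = nothing matched)."""
    findings = {}
    for part in message_from_string(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            html = part.get_payload(decode=True).decode(part.get_content_charset("utf-8"), "replace")
            findings[name] = inspect_html(html)
    return findings

def build_sample():
    """Constructed message: inert markup with a placeholder bot URL, plus a benign file."""
    flagged = '<input type="password"><script>var u="https://api.telegram.org/botPLACEHOLDER/";</script>'
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(flagged, subtype="html", filename="invoice.html")
    msg.add_attachment("<p>Quarterly notes</p>", subtype="html", filename="notes.html")
    return msg.as_string()
```

An attachment that trips both `password-field` and `telegram-bot-api` is a strong quarantine candidate, while `runtime-decoding` on its own is noisy and better used to route a file to deeper analysis.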
Threat Intelligence, Email security, Phishing
HTML attachment phishing used in new credential theft campaign




