From Voicemail to Compromised: How a Tiny HTM File Packs a Big Threat

Quick Read:

Phishing Method: Uses an HTM attachment containing a redirector script.
Evasion: Redirects to a fake login page, requiring CAPTCHA verification.
Detection Evasion:
  • HTM attachment: Only 3 out of 62 engines classified it as malicious.
  • Phishing URL: Only 1 out of 96 VirusTotal engines classified it as malicious.
  • Landing phishing-kit page: 0 out of 61 engines on VirusTotal classified it as malicious.
Deployment: NACE™ deployed behind Microsoft 365 Security

 

Phishing Attack: RingCentral Voicemail Scam

Cybercriminals have launched a phishing campaign impersonating RingCentral, leveraging an HTML attachment to redirect victims to a fake login page. RingCentral, Inc. is an American provider of cloud-based communication and collaboration products and services. Unlike traditional phishing emails, this attack does not contain any text in the email body. Instead, it displays RingCentral and Microsoft logos, making it appear as an official voicemail notification.

Attack Breakdown

HTM Redirector Attachment

The phishing email includes an HTM file attachment that acts as a silent redirector. When opened, the script immediately forwards the victim to a phishing page designed to steal credentials. This method avoids traditional link analysis by embedding the redirection logic within the file.

CAPTCHA Evasion Mechanism

To further evade automated detection, the phishing page includes a CAPTCHA verification step. This ensures that security crawlers and automated scanners fail to access the phishing page, making detection more difficult.

VirusTotal Analysis

The HTM attachment was scanned on VirusTotal, with only 3 out of 62 security engines flagging it as malicious.
The final phishing redirector URL was detected by just 1 out of 96 security engines.
The final phishing-kit page was not detected by any of 61 security engines on VirusTotal. This shows how traditional engines fail in the absence of a final payload.

 

NACE™ Threat Coverage: AI-Powered Threat Detection by Inception Cyber

The Inception Cyber NACE™ detection engine successfully intercepted this phishing attempt using semantic and thematic analysis to understand the deeper meaning of the email and using that as a feature set to detect malicious attachments. Key detection indicators include:

  • Voicemail Subject Indicator: Recognized the use of voicemail-related prompts designed to lure recipients into interacting with the attachment.
  • HTM Redirector Analysis: The attached HTM file contained a redirection script that led to an unknown server. Instead of waiting for the final phishing page.

The contextual relationship between voicemail semantics, external redirection, and other features aided NACE™ in classifying the attachment as a phishing attempt.
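
A static triage check that combines the two indicators above (voicemail lure plus an external redirect in the attachment) can be sketched as follows. This is an added example, not Inception Cyber's NACE™ engine; the lure word list, the 40-character "silent page" threshold and the sample host are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Literal navigation targets in script: location = "...", location.href = "...",
# location.replace("...") and location.assign("...").
JS_NAV = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)
META_URL = re.compile(r"""url\s*=\s*["']?([^"';\s]+)""", re.I)
LURE = re.compile(r"voice\s*-?\s*mail|voice message|missed call", re.I)  # assumed list

class RedirectScan(HTMLParser):
    """Collects redirect targets and visible text from an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.targets, self.text, self.in_code = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_code = tag in ("script", "style")
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.targets += META_URL.findall(attrs.get("content") or "")

    def handle_endtag(self, tag):
        self.in_code = False

    def handle_data(self, data):
        if self.in_code:
            self.targets += [a or b for a, b in JS_NAV.findall(data)]
        elif data.strip():
            self.text.append(data.strip())

def triage(subject, filename, html):
    scan = RedirectScan()
    scan.feed(html)
    scan.close()
    hosts = sorted({urlparse(t).hostname for t in scan.targets
                    if urlparse(t).scheme in ("http", "https")} - {None})
    lure = bool(LURE.search(f"{subject} {filename}"))
    silent = len(" ".join(scan.text)) < 40  # assumed threshold: page shows no content
    return {"hosts": hosts, "lure": lure, "silent": silent,
            "suspicious": bool(hosts) and (lure or silent)}

# Constructed sample; the host is a placeholder, not an indicator from this campaign.
REDIRECTOR = """<html><head><script>
window.location.href = "https://login.example.invalid/vm?id=1";
</script></head><body></body></html>"""

if __name__ == "__main__":
    print(triage("New Voicemail (0:42)", "VM_msg.htm", REDIRECTOR))
```

The check resolves only literal redirect targets; a script that assembles the URL at runtime needs a JavaScript-aware or sandboxed analysis step.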

Conclusion

This phishing campaign demonstrates how attackers evolve their techniques to bypass traditional security controls. By using HTM attachments as simple redirectors, they evade legacy detection mechanisms that rely on scanning links or analysing payloads. Traditional security tools struggle against these multi-stage, evasive threats, as AI-generated phishing kits continue to refine their obfuscation tactics.

Inception Cyber is leading the charge in next-gen email threat detection with Intent AI. Our NACE™ platform leverages advanced semantic and contextual analysis to detect malicious intent without relying solely on threat indicators. By understanding the relationships between email headers, body content, URLs, and attachments, NACE™ proactively prevents emerging threats that evade conventional security measures.

Stay vigilant, stay secure.

Post by Kalpesh Mantri, Principal Research Engineer
Mar 14, 2025 1:36:18 AM