Researchers with Trustwave SpiderLabs are warning of a phishing campaign that employs what they call “HTML Lego” to deliver a fake login page.
The phishing campaign is aimed at Microsoft 365 users and is designed to mimic a Microsoft login interface. Trustwave says the emails have an empty body and carry an attachment that appears to be an Excel file offering information about an investment. This attachment is actually an HTML document with two sections of URL-encoded text.
A detailed analysis of the campaign can be found here.
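A mail-filter check for the attachment shape described above, as an added example that is not code from Trustwave or from this article. The run-length threshold, the filename pattern, and the sample message (including its filename) are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from urllib.parse import unquote

# Assumed heuristics, not taken from the Trustwave write-up.
ENCODED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}")   # 20+ consecutive %XX escapes
HTML_MARKER = re.compile(r"<\s*(?:!doctype|html|head|body|script)\b", re.I)
SPREADSHEET_NAME = re.compile(r"xlsx?|excel", re.I)


def inspect_message(msg):
    """Report attachments that contain HTML carrying long URL-encoded sections."""
    body = msg.get_body(preferencelist=("plain", "html"))
    body_empty = body is None or not body.get_content().strip()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        runs = ENCODED_RUN.findall(text)
        if not (HTML_MARKER.search(text) and runs):
            continue                      # judge by content, not by the declared type
        findings.append({
            "filename": name,
            "body_empty": body_empty,
            "spreadsheet_lure": bool(SPREADSHEET_NAME.search(name)),
            "encoded_sections": len(runs),
            "decoded_preview": [unquote(r)[:40] for r in runs],
        })
    return findings


def build_sample():
    """Constructed, harmless message shaped like the one described above."""
    def enc(s):
        return "".join(f"%{b:02X}" for b in s.encode())
    html = ("<html><body><script>var a='" + enc("<p>constructed part one</p>")
            + "';\nvar b='" + enc("<p>constructed part two</p>")
            + "';</script></body></html>")
    msg = EmailMessage()
    msg.set_content("\n")                 # effectively empty body
    msg.add_attachment(html.encode(), maintype="application",
                       subtype="octet-stream",
                       filename="investment.xlsx.html")  # assumed filename
    return msg


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

The decoded previews let an analyst read what each encoded section hides without opening the attachment in a browser.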