A new phishing campaign is using fake brand-themed login pages hidden inside HTML email attachments to harvest user credentials.
According to GBHackers, researchers have identified an advanced phishing operation that uses realistic HTML attachments disguised as invoices or procurement documents to bypass traditional email filters. The campaign targets global and regional businesses by sending attachments named like RFQ_4460-INQUIRY.HTML, which appear to be standard business documents.
When opened, these attachments prompt users to “sign in to view” the file, imitating familiar login screens from trusted brands such as Adobe, Microsoft, and WeTransfer. Once a victim enters their credentials, JavaScript embedded in the page sends them, along with IP and device data, to an attacker-controlled Telegram bot through the Telegram Bot API. Because the destination is a legitimate, widely used service rather than an attacker-registered domain, the traffic does not trip the reputation checks most tools rely on.
The phishing emails contain no external links or other obvious red flags, because the malicious code is embedded directly in the HTML file and runs only when the recipient opens it. Link scanners and URL-rewriting defenses therefore have nothing to inspect; the credential-harvesting logic and the Telegram exfiltration happen entirely in the victim’s browser.
Researchers analyzed two distinct samples from the campaign:
The phishing templates impersonate a wide range of global brands, including Adobe, Microsoft, DocuSign, FedEx, DHL, and Roundcube. Each variation is regionally localized for realism. The campaign is most active in Central and Eastern Europe, affecting industries such as manufacturing, healthcare, government, IT, and construction, sectors that frequently exchange documents by email.
Researchers described the operation as a “modular and scalable threat,” noting that the attackers’ toolkit allows rapid brand switching and language customization. The Telegram Bot API serves as the exfiltration channel, so stolen data flows to a third-party service that many organizations allow by default, which complicates both detection and takedown.
Security experts recommend blocking HTML attachments at the email gateway, restricting access to Telegram APIs, and reviewing recent user activity for anomalous sign-ins.
Attackers are getting better at hiding inside everyday business workflows, and this campaign shows how far they’ve pushed it. Instead of suspicious links or poorly written emails, the entire trap sits inside a clean-looking HTML attachment that most filters allow through. Because the login pages mimic trusted brands and send stolen credentials straight to Telegram, the scam slips past many legacy tools that only look for known domains or external URLs.
Since phishing remains the top way attackers break into healthcare and enterprise systems, organizations need inbound email protection that doesn’t rely on static checks. Paubox Inbound Email Security analyzes behavior inside attachments, blocks credential-harvesting pages before they reach users, and stops these “brand impersonation” HTML phish even when they look perfect on the surface.
Telegram’s Bot API lets the page send stolen data straight to the attacker without any attacker-hosted command-and-control server, so the only outbound connection goes to a legitimate domain that many networks allow, which makes detection and blocking harder for security tools.
Embedding the code inside the file lets the email bypass URL-based detection, since there is no link to rewrite or scan; the attachment looks benign until it is opened locally and the browser renders the fake login page.
Localized branding and language significantly increase the success rate, as recipients are more likely to trust communications that reflect their regional context.
Sectors that frequently handle invoices and procurement documents, such as construction, government, IT, and manufacturing, are prime targets.
Scanning attachment contents, blocking HTML file types at the gateway, monitoring outbound traffic to the Telegram API, and reinforcing user education around unexpected “sign in to view” prompts are the recommended defensive steps.