Hidden credential phishing within EML attachments

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

The attack

EML attachments are ubiquitous, often containing longer threads or related information to the parent email. Some email clients, including Outlook, will automatically render EML attachments within the parent email without user interaction, making it an attractive evasion technique. In this attack, an attached EML file is used to hide a malicious link from detection. Attack characteristics:

• Recipient receives a blank email with an attached EML file.
• When the EML loads within the client, it is a fake invite to a Microsoft Teams meeting.
• When the recipient clicks Join Meeting, they are quickly passed through multiple redirects, starting with an open redirect.
• The user is then redirected through a Cloudflare Turnstile CAPTCHA and finally a fake Microsoft login page.

Detection signals

Sublime's AI-powered detection engine prevented this attack. The top signals in these attacks are:

• Suspicious EML attachment: The EML attachment contains language resembling credential theft. Additionally, the EML attachment contains the recipient's email address in the message body, a common technique used in credential theft attacks.
• Suspicious body: The length of the message body is unusually short, often uncommon in legitimate messages.
• Suspicious sender behavior: The message originated from a virtual private server (VPS), often indicative of disposable sending infrastructure associated with threat actors.

See the full MQL that detected these attacks in these publicly available Rules in the Core Feed: EML attachment with credential theft language (unknown sender) and EML with suspicious indicators.

Prevent credential phishing with Sublime

Sublime detects and prevents credential phishing and other email-based threats – for free. Start your free account today (managed or self-managed) for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.

Read more Attack Spotlights:

• Living Off the Land: Credential Phishing via Docusign abuse
• Living Off the Land: Callback Phishing via Docusign comment
• Adversarial ML: Extortion via LLM Manipulation Tactics