Sublime Security Attack Spotlight: Credential phishing attack hidden within an EML attachment.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

The attack

EML attachments are ubiquitous, often containing longer threads or related information to the parent email. Some email clients, including Outlook, will automatically render EML attachments within the parent email without user interaction, making it an attractive evasion technique. In this attack, an attached EML file is used to hide a malicious link from detection. Attack characteristics:

  • Recipient receives a blank email with an attached EML file.
  • When the EML loads within the client, it is a fake invite to a Microsoft Teams meeting.
  • When the recipient clicks Join Meeting, they are quickly passed through multiple redirects, starting with an open redirect.
  • The user is then redirected through a Cloudflare Turnstile CAPTCHA and finally a fake Microsoft login page.
The attached EML is an invite to a Teams meeting.
Cloudflare Turnstile CAPTCHA authentication. Note the typo, an indicator of a fake Cloudfare challenge page.
Fake Microsoft login page

Detection signals

Sublime's AI-powered detection engine prevented this attack. The top signals in these attacks are:

  • Suspicious EML attachment: The EML attachment contains language resembling credential theft. Additionally, the EML attachment contains the recipient's email address in the message body, a common technique used in credential theft attacks.
  • Suspicious body: The length of the message body is unusually short, often uncommon in legitimate messages.
  • Suspicious sender behavior: The message originated from a virtual private server (VPS), often indicative of disposable sending infrastructure associated with threat actors.
Message details

See the full MQL that detected these attacks in these publicly available Rules in the Core Feed: EML attachment with credential theft language (unknown sender) and EML with suspicious indicators.

Prevent credential phishing with Sublime

Sublime detects and prevents credential phishing and other email-based threats – for free. Start your free account today (managed or self-managed) for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.

Read more Attack Spotlights:

About the Author

Aiden Mitchell

Detection

Aiden is a Threat Detection Engineer at Sublime. Drawing from early IT experiences, they bring a human-centered approach to mitigating devastating email attacks. They protect individuals and enterprises understanding that every threat puts a real person at risk.

Get the latest

Sublime releases, detections, blogs, events, and more directly to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.