The HTML attachment contained zero forms. Zero external URLs. Zero embedded links of any kind. Static analysis scored it LOW risk, because from a markup perspective there was nothing malicious to find.
That was the point.
The phishing links did not exist until the file was opened in a browser. Inline JavaScript assembled them character by character at runtime, pulling a base64-encoded recipient token from a variable declaration to personalize the attack. The file had no malicious content until it had a victim.
The email arrived from Advocacy@cdr-ct[.]org, a nonprofit advocacy domain sending to a cybersecurity vendor for the first time. SPF and DKIM passed for the sender domain. The subject line referenced the target organization's brand, giving the message the appearance of an internal HR communication arriving through external infrastructure.
The body was a single image. No selectable text anywhere. The image displayed an "EMPLOYEE HANDBOOK" banner with a "Reminder Acknowledgement request terms form" call to action. Because the entire message was rendered as a graphic, text-based analysis engines (keyword matching, NLP, sentiment detection) had nothing to process. The lure existed only as pixels.
The attachment filename mimicked an internal document: a 2025 handbook reference with an alphanumeric tracking code appended. An additional .eml attachment was also present but could not be analyzed by the scanning infrastructure, producing a FileNotFoundError during automated inspection.
Inside the HTML file, a variable declaration stored the obfuscated recipient token: a base64 string wrapped in delimiter characters. Decoded, the token resolved to the target's email address. A String.fromCharCode sequence then assembled the credential harvesting URL character by character, concatenated the decoded email as a parameter, and rendered the result as a clickable element in the DOM.
No eval() call appeared in the source. The script relied on standard DOM manipulation to inject the link, which is why automated sandbox evasion scoring flagged it as MEDIUM for obfuscated script rather than HIGH. Without eval(), without document.write(), without any of the typical red-flag functions, the JavaScript fell below the heuristic threshold that triggers dynamic execution in most scanning environments.
This is the detection gap that runtime link construction exploits. Static scanners see clean markup. Dynamic scanners need to actually execute the JavaScript and inspect the resulting DOM, a step many email security pipelines skip for HTML attachments because of performance and resource constraints.
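One way to close part of that gap without executing the script, added here as an example and not code from the original write-up: statically evaluate numeric String.fromCharCode calls and delimiter-wrapped base64 tokens, then score the attachment on what the script would assemble rather than on the markup it shows. The sample HTML, the example.invalid host and the victim@example.com address are constructed for this demonstration and are not indicators from the real lure.

```python
import base64
import re

# Constructed sample mirroring the pattern described above: no <a href>, no eval(),
# a delimiter-wrapped base64 recipient token, and a URL built from char codes.
# The host is a placeholder, not the real lure's infrastructure.
SAMPLE_HTML = """<html><body><script>
var t = "##dmljdGltQGV4YW1wbGUuY29t##";
var u = String.fromCharCode(104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,
  46,105,110,118,97,108,105,100,47,63,101,61);
var a = document.createElement("a");
a.href = u + atob(t.replace(/#/g, ""));
a.textContent = "Acknowledge";
document.body.appendChild(a);
</script></body></html>"""

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
QUOTED = re.compile(r"""["']([^"'\s]{16,})["']""")
STATIC_LINK = re.compile(r"<a\s[^>]*href\s*=", re.I)
URL = re.compile(r"^https?://", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_fromcharcode(html):
    """Evaluate each String.fromCharCode(...) call with literal codes, without running any JS."""
    results = []
    for m in FROMCHARCODE.finditer(html):
        codes = [int(c) for c in re.split(r"[\s,]+", m.group(1)) if c]
        results.append("".join(chr(c) for c in codes))
    return results

def decode_base64_tokens(html):
    """Strip delimiter characters from long quoted strings; keep those that decode to printable text."""
    tokens = []
    for m in QUOTED.finditer(html):
        raw = re.sub(r"[^A-Za-z0-9+/=]", "", m.group(1))
        try:
            text = base64.b64decode(raw, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            tokens.append(text)
    return tokens

def analyze(html):
    """Score the attachment on what the script would build, not on the markup it shows."""
    urls = [s for s in decode_fromcharcode(html) if URL.match(s)]
    emails = [t for t in decode_base64_tokens(html) if EMAIL.match(t)]
    verdict = "HIGH" if urls and emails else ("MEDIUM" if urls or emails else "LOW")
    return {"static_links": len(STATIC_LINK.findall(html)), "urls": urls,
            "emails": emails, "verdict": verdict}
```

`analyze(SAMPLE_HTML)` reports zero static links yet a HIGH verdict, because the assembled URL and the decoded recipient address surface together. Scripts that compute their char codes at runtime instead of writing them as literals still need a real JavaScript engine and DOM inspection to be caught.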
| Type | Indicator | Context |
|---|---|---|
| Sender Email | Advocacy@cdr-ct[.]org | First-time sender, nonprofit advocacy domain |
| Attachment | HTML file with alphanumeric tracking code in filename | Runtime link construction via obfuscated JS |
| Script Pattern | String.fromCharCode + base64 recipient token variable | Obfuscated URL assembly, no static URLs |
| Attachment | .eml file (unanalyzable) | FileNotFoundError during automated scan |
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | HTML attachment with obfuscated JavaScript payload |
| Obfuscated Files or Information | T1027 | String.fromCharCode + base64 token conceals phishing URL |
| User Execution: Malicious File | T1204.002 | Opening HTML file in browser triggers runtime link construction |