Listen to the episode
TLDR
Researchers at SANS Internet Storm Center have observed a new twist on credential stealing phishing: HTML attachments padded with thousands of HTML comments to swell the file to ~2.5 MB. The goal is to overwhelm AI based email scanners...
How it works
Researchers at SANS Internet Storm Center have observed a new twist on credential stealing phishing: HTML attachments padded with thousands of HTML comments to swell the file to ~2.5 MB. The goal is to overwhelm AI based email scanners...
Red flags
- Unexpected Teams/SharePoint notification asking you to "approve" something, with an .xls.html (double extension) attachment. Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page. Sender domain doesn't match a real Microsoft address, even if the display name looks legit. What to do Never open HTML attachments from unsolicited mail
- treat .html files as executable. Verify approval requests by logging into Teams/SharePoint directly, never via the attached form. Report suspicious mail and oversized attachments to your IT/security team before clicking anything
What to do
- 1Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page.
- 2What to do Never open HTML attachments from unsolicited mail; treat .html files as executable.
- 3Verify approval requests by logging into Teams/SharePoint directly, never via the attached form.
Source
FAQ
Is HTML phishing attachments stuffed with comments to dodge AI email scanners a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Unexpected Teams/SharePoint notification asking you to "approve" something, with an .xls.html (double extension) attachment. Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page. Sender domain doesn't match a real Microsoft address, even if the display name looks legit. What to do Never open HTML attachments from unsolicited mail; treat .html files as executable. Verify approval requests by logging into Teams/SharePoint directly, never via the attached form. Report suspicious mail and oversized attachments to your IT/security team before clicking anything
What should I do first?
Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page.; What to do Never open HTML attachments from unsolicited mail; treat .html files as executable.; Verify approval requests by logging into Teams/SharePoint directly, never via the attached form.
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.