Scam Radar

How can you recognize HTML phishing attachments stuffed with comments to dodge AI email scanners?

Published

Listen to the episode

TLDR

Researchers at SANS Internet Storm Center have observed a new twist on credential stealing phishing: HTML attachments padded with thousands of HTML comments to swell the file to ~2.5 MB. The goal is to overwhelm AI based email scanners...

How it works

Researchers at SANS Internet Storm Center have observed a new twist on credential stealing phishing: HTML attachments padded with thousands of HTML comments to swell the file to ~2.5 MB. The goal is to overwhelm AI based email scanners...

Red flags

  • Unexpected Teams/SharePoint notification asking you to "approve" something, with an .xls.html (double extension) attachment. Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page. Sender domain doesn't match a real Microsoft address, even if the display name looks legit. What to do Never open HTML attachments from unsolicited mail
  • treat .html files as executable. Verify approval requests by logging into Teams/SharePoint directly, never via the attached form. Report suspicious mail and oversized attachments to your IT/security team before clicking anything

What to do

  1. 1Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page.
  2. 2What to do Never open HTML attachments from unsolicited mail; treat .html files as executable.
  3. 3Verify approval requests by logging into Teams/SharePoint directly, never via the attached form.

Source

sans-isc

Source reviewed by Mythos Forensic Team

https://isc.sans.edu/diary/rss/33144

FAQ

Is HTML phishing attachments stuffed with comments to dodge AI email scanners a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Unexpected Teams/SharePoint notification asking you to "approve" something, with an .xls.html (double extension) attachment. Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page. Sender domain doesn't match a real Microsoft address, even if the display name looks legit. What to do Never open HTML attachments from unsolicited mail; treat .html files as executable. Verify approval requests by logging into Teams/SharePoint directly, never via the attached form. Report suspicious mail and oversized attachments to your IT/security team before clicking anything

What should I do first?

Outlook shows "None" instead of a date, or the file is suspiciously large ( 1 MB) for an HTML page.; What to do Never open HTML attachments from unsolicited mail; treat .html files as executable.; Verify approval requests by logging into Teams/SharePoint directly, never via the attached form.

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.