Hidden credential phishing within EML attachments
Blog post from Sublime Security
Sublime's Attack Spotlight series aims to inform users about the email threat landscape by showcasing real attack samples, detailing adversary tactics and techniques, and explaining detection methods. The highlighted attack is credential phishing delivered through an EML attachment in a Microsoft 365 email: the malicious link is hidden inside a fake Microsoft Teams invite. The chain runs through multiple redirects (an open redirect, a Cloudflare Turnstile CAPTCHA, and finally a fake Microsoft login page), and the detection signals include a suspicious EML attachment, a short message body, and a message originating from a virtual private server. Sublime's AI-powered detection engine effectively prevents such attacks by identifying key indicators such as credential-theft language and disposable infrastructure, and offers free accounts with customizable threat handling to improve email security.
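As an added illustration (not code from the post or from Sublime), the following Python script evaluates a constructed message against the signals listed above: a message/rfc822 (.eml) attachment, a short outer body, links present only inside the attachment, and a sending host whose name suggests a VPS. The word threshold, the hostname keywords and every host and address are assumptions made for the example.

```python
import re
from email import message_from_string, policy
# Constructed sample (not from the original post): short outer body, fake Teams
# invite attached as .eml whose only link is a redirector; all hosts are placeholders.
SAMPLE = """\
Received: from vps-203.hosting.example.invalid ([192.0.2.10]) by mx.example.invalid; Mon, 1 Jan 2024 09:00:00 +0000
From: sender@example.invalid
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"

See attached.
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="Teams_Invite.eml"

From: noreply@example.invalid
Subject: Microsoft Teams meeting invitation
Content-Type: text/html; charset="utf-8"

<a href="https://redirector.example.invalid/r?u=https%3A%2F%2Flogin.example.invalid%2F">Join</a>
--outer--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MAX_BODY_WORDS = 10             # threshold assumed for this example
VPS_HINTS = ("vps", "hosting")  # placeholder hostname keywords, not a provider list

def urls_in(msg):  # URLs from every text part of a (possibly nested) message
    return [u for p in msg.walk() if p.get_content_maintype() == "text"
            for u in URL_RE.findall(p.get_content())]

def analyze(raw):
    """Score one raw RFC 5322 message against the post's detection signals."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    inner = [p.get_payload(0) for p in msg.walk()
             if p.get_content_type() == "message/rfc822"]
    received = msg.get_all("Received") or [""]
    m = re.match(r"from\s+(\S+)", received[-1])  # earliest hop = sending host
    host = m.group(1).lower() if m else ""
    return {
        "eml_attachment": bool(inner),
        "short_body": len(body_text.split()) <= MAX_BODY_WORDS,
        "outer_urls": URL_RE.findall(body_text),
        "attached_urls": [u for im in inner for u in urls_in(im)],
        "sender_looks_like_vps": any(h in host for h in VPS_HINTS),
    }
```

Each signal on its own is weak (plenty of legitimate mail forwards an .eml with a two-word body), so a real rule would combine them rather than alert on any one.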