Bytesize Security: A Guide to HTML Phishing Attachments
Darktrace guides you through the common signs of HTML phishing attachments, including common phishing emails, clever impersonations, fake webpages, and more.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
One of the most common types of phishing email seen by the Darktrace SOC, involves the use of HTML attachments (Figure 1). These emails make use of an attachment to hide redirects to overtly malicious or suspicious domains. Some even impersonate legitimate web pages and send any entered or captured information back to the attacker's infrastructure once opened or filled out by the recipient. Indicators of these attempts can be identified from a few key patterns found across multiple emails.
Figure 1: An example of a suspicious HTML attachment containing dynamic content
A typical feature of these HTML attachments is the use of a generic-sounding filename that relates to the message's subject line, but with no specific information pertaining to the recipient or their line of business. These files almost always contain some form of Javascript code, as they often make use of external Javascript libraries to accomplish whatever goal is being pursued. For example, an attacker might use Javascript to convincingly impersonate a trustworthy website and trick the recipient into providing credentials or sensitive information, or they might use it to deploy malware and get a foothold on the device for further compromise once opened. This can be further identified by the presence of certain links in the HTML file itself (Figure 2).
Figure 2: The HTML file previously referenced contained multiple rare and suspicious links
Figure 2 above is an example of an HTML file containing multiple links with calls for .js files. This shows that the attachment contains Javascript and is making calls for external libraries for an undetermined purpose.
Another common red flag is when the file contains links to common Product or Service images from domains wholly unrelated to those services, as seen below (Figure 3).
Figure 3: An example of an unusual .png call from a rare domain. The subsequent image called is for a company with no apparent relation to the hosting domain
The examples above imply an obvious (and poor) attempt by the HTML file to impersonate a Microsoft webpage, likely a fake login page set up for credential harvesting, as the ‘Microsoft’ logo is being pulled from a domain entirely unrelated to Microsoft or any common image-hosting service.
Rather than impersonating a website directly in the file and loading resources from external sources, these HTML files will instead directly point toward a webpage that already contains these elements. This comes with its own set of pros and cons: by hosting their phishing page in a public setting, they are far more likely to be taken down, however it may be easier to appear legitimate than if they were to build it all out in the HTML file itself.
The final routine element in these types of HTML phishing emails is the mechanism by which the attacker intends to receive any successfully scammed credentials or information. If the fake webpage is entirely contained in the HTML file, this often presents as a suspicious PHP link present in the file itself (Figure 4).
Figure 4: Phishing HTMLs often include links to rare domains with PHP destinations as an indication that it will engage in some form of HTTP POST communication
PHP calls suggest that some part of the webpage is intended to submit an HTTP POST or equivalent ‘submission’ call, often present in the ‘Login’ button in these scenarios. After the victim clicks this button, the webpage sends all the form-submission items to the endpoint hosting the PHP page, which is commonly an indicator of the webserver hosting the attacker infrastructure running the phishing attack.
If the HTML file redirects to an externally hosted phishing page, identical PHP links are often found in the source code of those pages (Figure 5). This serves the same function as sending any entered credentials back to the attacker.
Figure 5: The source-code of an external-hosted phishing page, showing calls for PHP pages hosted on alternate attacker infrastructure
The process of HTML attacks is so standardized that they are commonly released in the form of easily deployable phishing kits. These can be deployed on unsuspecting compromised webservers with little to no modification, resulting in virtually identical attacks being seen year-round. WordPress seems to be a prime target for hosting such attacks, with the site owners often becoming unsuspecting victims in propagating these phishing campaigns. An unfortunate side effect of these kits being readily available is that the attackers often don't bother to set any sort of access restrictions on their phishing servers once established, which can result in their entire setup being publicly viewable with a simple link modification. One example is seen below (Figure 6).
Figure 6: The parent directory of the website hosting a suspicious PHP page was fully accessible without restriction
In this incident, the website hosting the PHP link seen earlier had a publicly accessible parent directory structure, where both the PHP file above and an additional suspicious .txt file could be seen. This .txt file appears to be where any information submitted by victims ultimately ended up written to (Figure 7).
Figure 7: The TXT file in the parent directory above appeared to contain the login information that was likely submitted to the PHP page referred to in the initial HTML attachment
Figure 7 above presents the unusual risk of not only having the victims’ credentials at the disposal of the original attacker, but also potentially exposed to any malicious actor that can get creative with a web-crawler to identify key elements of the files used by these particular phishing kits.
Fortunately, due to the standardized nature of these ready-made phishing kits, these types of attacks often conform to a series of common behaviors that Darktrace / EMAIL excels in identifying. Despite being a popular technique, it is extremely rare for attempts using this HTML attachment method to successfully get through a correct Darktrace / EMAIL deployment. Overall, this means one less risk for the end user to worry about.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Introducing the adaptive era of email security: a unified platform that connects personalized coaching, collaboration tools, and user behavior into a self-improving defense system.
Why Organizations are Moving to Label-free, Behavioral DLP for Outbound Email
Modern data loss doesn’t always look like a regex match. It can look like everyday communication slightly out of context. Here’s how a domain specific language model paired with behavioral learning protects labeled and unlabeled data without slowing business down.
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
During a customer trial of Darktrace / EMAIL and Darktrace / IDENTITY, Darktrace detected an adversary-in-the-middle (AiTM) attack that compromised a user’s Office 365 account via a business email compromise (BEC) phishing email. Following the breach, the compromised account was used to launch both internal and external phishing campaigns.
In today's threat landscape, blending in to normal activity is the key to success for attackers and the growing reliance on residential proxies shows a significant shift in how threat actors are attempting to bypass IP detection tools.
The increasing dependency on residential proxies has exposed how prevalent proxy services are and how reliant a diverse range of threat actors are on them. From cybercriminal groups to state‑sponsored actors, the need to bypass IP detection tools is fundamental to the success of these groups. One malware that has quietly become notorious for its ability to avoid anomaly detection is GhostSocks, a malware that turns compromised devices into residential proxies.
What is GhostSocks?
Originally marketed on the Russian underground forum xss[.]is as a Malware‑as‑a‑Service (MaaS), GhostSocks enables threat actors to turn compromised devices into residential proxies, leveraging the victim's internet bandwidth to route malicious traffic through it.
How does Ghostsocks malware work?
The malware offers the threat actor a “clean” IP address, making it look like it is coming from a household user. This enables the bypassing of geographic restrictions and IP detection tools, a perfect tool for avoiding anomaly detection. It wasn’t until 2024, when a partnership was announced with the infamous information stealer Lumma Stealer, that GhostSocks surged into widespread adoption and alluded to who may be the author of the proxy malware.
Written in GoLang, GhostSocks utilizes the SOCKS5 proxy protocol, creating a SOCKS5 connection on infected devices. It uses a relay‑based C2 implementation, where an intermediary server sits in between the real command-and-control (C2) server and the infected device.
How does Ghostsocks malware evade detection?
To further increase evasion, the Ghostsocks malware wraps its SOCKS5 tunnels in TLS encryption, allowing its malicious traffic to blend into normal network traffic.
Early variants of GhostSocks do not implement a persistence mechanism; however, later versions achieve persistence via registry run keys, ensuring sustained proxy operational time [1].
While proxying is its primary purpose, GhostSocks also incorporates backdoor functionality, enabling malicious actors to run arbitrary commands and download and deploy additional malicious payloads. This was evident with the well‑known ransomware group Black Basta, which reportedly used GhostSocks as a way of maintaining long‑term access to victims’ networks [1].
Darktrace’s detection of GhostSocks Malware
Darktrace observed a steady increase in GhostSocks activity across its customer base from late 2025, with its Threat Research team identifying multiple incidents involving the malware. In one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer, reinforcing that the partnership between Lumma and GhostSocks remains active despite recent attempts to disrupt Lumma’s infrastructure.
Darktrace’s first detection of GhostSocks‑related activity came when a device on the network of a customer in the education sector began making connections to an endpoint with a suspicious self‑signed certificate that had never been seen on the network before.
The endpoint in question, 159.89.46[.]92 with the hostname retreaw[.]click, has been flagged by multiple open‑source intelligence (OSINT) sources as being associated with Lumma Stealer’s C2 infrastructure [2], indicating its likely role in the delivery of malicious payloads.
Figure 1: Darktrace’s detection of suspicious SSL connections to retreaw[.]click, indicating an attempted link to Lumma C2 infrastructure.
Less than two minutes later, Darktrace observed the same device downloading the executable (.exe) file “Renewable.exe” from the IP 86.54.24[.]29, which Darktrace recognized as 100% rare for this network.
Figure 2: Darktrace’s detection of a device downloading the unusual executable file “Renewable.exe”.
Both the file MD5 hash and the executable itself have been identified by multiple OSINT vendors as being associated with the GhostSocks malware [3], with the executable likely the backdoor component of the GhostSocks malware, facilitating the distribution of additional malicious payloads [4].
Following this detection, Darktrace’s Autonomous Response capability recommended a blocking action for the device in an early attempt to stop the malicious file download. In this instance, Darktrace was configured in Human Confirmation Mode, meaning the customer’s security team was required to manually apply any mitigative response actions. Had Autonomous Response been fully enabled at the time of the attack, the connections to 86.54.24[.]29 would have been blocked, rendering the malware ineffective at reaching its C2 infrastructure and halting any further malicious communication.
Figure 3: Darktrace’s Autonomous Response capability suggesting blocking the suspicious connections to the unusual endpoint from which the malicious executable was downloaded.
As the attack was able to progress, two days later the device was detected downloading additional payloads from the endpoint www.lbfs[.]site (23.106.58[.]48), including “Setup.exe”, “,.exe”, and “/vp6c63yoz.exe”.
Figure 4: Darktrace’s detection of a malicious payload being downloaded from the endpoint www.lbfs[.]site.
Once again, Darktrace recognized the anomalous nature of these downloads and suggested that a “group pattern of life” be enforced on the offending device in an attempt to contain the activity. By enforcing a pattern of life on a device, Darktrace restricts its activity to connections and behaviors similar to those performed by peer devices within the same group, while still allowing it to carry out its expected activity, effectively preventing deviations indicative of compromise while minimizing disruption. As mentioned earlier, these mitigative actions required manual implementation, so the activity was able to continue. Darktrace proceeded to suggest further actions to contain subsequent malicious downloads, including an attempt to block all outbound traffic to stop the attack from progressing.
Figure 5: An overview of download activity and the Autonomous Response actions recommended by Darktrace to block the downloads.
Around the same time, a third executable download was detected, this time from the hostname hxxp[://]d2ihv8ymzp14lr.cloudfront.net/2021-08-19/udppump[.]exe, along with the file “udppump.exe”.While GhostSocks may have been present only to facilitate the delivery of additional payloads, there is no indication that these CloudFront endpoints or files are functionally linked to GhostSocks. Rather, the evidence points to broader malicious file‑download activity.
Shortly after the multiple executable files had been downloaded, Darktrace observed the device initiating a series of repeated successful connections to several rare external endpoints, behavior consistent with early-stage C2 beaconing activity.
Cyber AI Analyst’s investigation
Figure 7: Darktrace’s detection of additional malicious file downloads from malicious CloudFront endpoints.
Throughout the course of this attack, Darktrace’s Cyber AI Analyst carried out its own autonomous investigation, piecing together seemingly separate events into one wider incident encompassing the first suspicious downloads beginning on December 4, the unusual connectivity to many suspicious IPs that followed, and the successful beaconing activity observed two days later. By analyzing these events in real-time and viewing them as part of the bigger picture, Cyber AI Analyst was able to construct an in‑depth breakdown of the attack to aid the customer’s investigation and remediation efforts.
Figure 8: Cyber AI Analyst investigation detailing the sequence of events on the compromised device, highlighting its extensive connectivity to rare endpoints, the related malicious file‑download activity, and finally the emergence of C2 beaconing behavior.
Conclusion
The versatility offered by GhostSocks is far from new, but its ability to convert compromised devices into residential proxy nodes, while enabling long‑term, covert network access—illustrates how threat actors continue to maximise the value of their victims’ infrastructure. Its growing popularity, coupled with its ongoing partnership with Lumma, demonstrates that infrastructure takedowns alone are insufficient; as long as threat actors remain committed to maintaining anonymity and can rapidly rebuild their ecosystems, related malware activity is likely to persist in some form.
Credit to Isabel Evans (Cyber Analyst), Gernice Lee (Associate Principal Analyst & Regional Consultancy Lead – APJ) Edited by Ryan Traill (Content Manager)
AI is already embedded in day-to-day enterprise activity, with 78% of participants in one recent survey reporting that their organizations are using generative AI in at least one business function. Generative AI now acts as an always-on assistant, researcher, creator, and coach across an expanding array of departments and functions. Autonomous agents are performing multi-step operational workflows from end to end. AI features have been layered on top of every SaaS application. And vibe coding is making it possible for employees without deep technical expertise to build their own AI-powered automations.
According to Gartner, more than 80% of enterprises will have deployed GenAI models, applications, or APIs in production environments by the end of this year, up from less than 5% in 2023. Companies report a 130% increase in spending on AI over the same period, with 72% of business leaders using AI tools at least weekly. The outsized efficiency and productivity gains that were once a future vision are quickly becoming everyday reality.
AI is currently driving business growth and innovation, and organizations risk falling behind peers if they don’t keep up with the pace of adoption, but it is also quietly expanding the enterprise attack surface. The modern CISO is challenged to both enable innovation and protect the business from these emerging threats.
AI agents introduce new risks and vulnerabilities
AI agents are playing growing roles in enterprise production environments. In many cases, these agents act with broad permissions across multiple software systems and platforms. This means they’re granted far-reaching access – to sensitive data, business-critical applications, tokens and APIs, and IT and security tools. With this access comes risk for security leaders – 92% are concerned about the use of AI agents across the workforce and their impact on security.
These agents must be governed as identities, with least-privilege access and ongoing monitoring. They can’t be thought of as invisible aspects of the application estate. Understanding how AI agents behave, and how to manage their permissions, control their behavior, and limit their data access will be a top security priority throughout 2026.
Generative AI prompts: The next frontier
Prompts are how users – both human and agentic – interact with AI systems, and they’re where natural language gets translated into model behavior. Natural language is infinite in its potential combinations and permutations, making this aspect of the attack surface open-ended and far more complex than traditional CVEs. With carefully crafted prompts, bad actors may be able to coax models into disclosing sensitive data, bypassing guardrails, or initiating undesirable actions.
Among security leaders, the biggest worries about AI usage in their environments all involve ways that systems might be manipulated to bypass traditional controls.
61% are most concerned about the exposure of sensitive data
56% are most concerned about potential data security and policy violations
51% are most concerned about the misuse or abuse of AI tools
The more employees rely on AI in their day-to-day workflows, the more critical it becomes for security teams to understand how prompt behavior determines model behavior – and where that behavior could go wrong.
What does “securing AI” mean in practice?
AI adoption opens new security risks that blur the boundaries between traditional security disciplines. A single malicious interaction with an AI model could involve identity misuse, sensitive data exposure, application logic abuse, and supply chain risk – all within a single workflow. Protecting this dynamic and rapidly evolving attack surface requires an approach that spans identity security, cloud security, application security, data security, software development security, and more.
The task for security leaders is to implement the tools, policies, and frameworks to mitigate these novel, expansive, and cross-disciplinary risks.
However, within most enterprises, AI policy creation remains in its infancy. Just 37% of security leaders report that their organization has a formal AI policy, representing a small but worrisome decrease from last year. Conversations about AI abound: in 52% of organizations, there’s discussion about an AI policy. Still, talk is cheap, and leaders will need to take action if they’re to successfully enable secure AI innovation.
To govern and protect their AI systems, organizations must take a multi-pronged approach. This requires building out policies, but it also demands that they are able to:
Monitor the prompts driving GenAI assistants and agents in real time. Organizations must be able to inspect prompts, sessions, and responses across enterprise GenAI tools, low- and high-code environments, and SaaS and SASE so that they can detect clever conversational prompt attacks and malicious chaining.
Secure all business AI agent identities. Security teams need to identify all the agents acting within their environment and supply chain, map their connections and interactions via MCP and services like Amazon S3, and audit their behavior across the cloud, SaaS environments, and on the network and endpoint devices.
Maintain centralized, comprehensive visibility. Understanding intent, assessing risks, and enforcing policies all require that security teams have a single view that spans AI interactions across the entire business.
Discover and control shadow AI. Teams need to be able to identify unsanctioned AI activities, distinguish the misuse of legitimate tools from their appropriate use, and apply policies to protect data, while guiding users towards approved solutions.
Scaling AI safely and responsibly
The approach that most cybersecurity vendors have taken – using historical patterns to predict future threats – doesn’t work well for AI systems. Because AI changes its behavior in response to the information it encounters while taking action, previous patterns don’t indicate what it will do next. Looking at past attacks can’t tell you how complex models will behave in your individual business.
Securing AI requires interpreting ambiguous interactions, uncovering subtleties that reveal intent within extended conversations, understanding how access accumulates over time, and recognizing when behavior – both human and machine – begins to drift towards areas of risk. To do this, you need to understand what “normal” looks like in each unique organization: how users, systems, applications, and AI agents behave, how they communicate, and how data flows between them.
Darktrace has spent more than a decade designing AI-powered solutions that can understand and adapt to evolving behavior in complex environments. This technology learns directly from the environment it protects, identifying malicious actions that deviate from normal operations, so that it can stop AI-related threats on the very first encounter.
As AI adoption reshapes enterprise operations, humans and machines will collaborate more and more often. This collaboration might dramatically expand the attack surface, but it also has the potential to be a force multiplier for defenders.
Explore the full State of AI Cybersecurity 2026 report for deeper insights into how security leaders are responding to AI-driven risks.
.avif)
![Darktrace’s detection of suspicious SSL connections to retreaw[.]click, indicating an attempted link to Lumma C2 infrastructure.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69c5739b43fdfed6f1b02053_Screenshot%202026-03-26%20at%2010.57.44%E2%80%AFAM.png)
![Darktrace’s detection of a malicious payload being downloaded from the endpoint www.lbfs[.]site.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69c57465977a5ae3f07c6d69_Screenshot%202026-03-26%20at%2011.01.05%E2%80%AFAM.png)
