A email comes that says it has remittance advice. 

Instead, it's set up to steal your password.

It's one of many attacks we've seen recently where obfuscated files or messages get past email scanners. (See the reCAPTCHA attack, the PhishGun attack, the Hidden Meaning attack and the ZeroFont attack, among others. This attack, missed by ATP, has a malicious attachment that hides behind encoded content. The email says it has remittance advice, but the htm file instead goes to a malicious Wordpress-hosted site.

Here's the email:

The file is hidden behind encoded content. Hackers use these obfuscation methods—in this case the "unescape" function—to bypass Natural Lanaguge Processing. 

Browsers decode URL-encoded content by default, so if the user clicked on the file, they would be presented with this phished Microsot login portal:

The site is an attacker-controlled Wordpress site where the listener is set up to intercept the password

Subscribe to Our Attack Briefs for More Research