
HTML and JavaScript phishing: what email teams need to watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Attackers are using delayed redirects, iframe loading tricks, XOR obfuscation, and legitimate infrastructure such as Amazon SES to make phishing emails look normal while evading static detection, according to Abnormal AI. The lesson is that email security now depends on behavioral analysis and authentication context, not link filtering alone.

NHIMG editorial — based on content published by Abnormal AI: HTML and JavaScript phishing campaigns that evade static email defenses

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should security teams detect phishing emails that hide behaviour behind HTML and JavaScript?

A: Use behaviour-aware inspection that executes the attachment, waits for delayed redirects, and evaluates iframe loading and script deobfuscation.

Q: Why do authenticated phishing emails still fool users and filters?

A: Because SPF, DKIM, or even legitimate email infrastructure only prove that a message was sent through a valid path, not that the sender is trustworthy.

Q: What breaks when static scanners do not execute delayed JavaScript in attachments?

A: The scanner sees inert content, while the user’s browser later sees a live redirect or payload.

Practitioner guidance

  • Inspect rendered behaviour before delivery decisions: Run HTML attachments and embedded scripts in a controlled environment that executes delayed actions, iframe loads, and redirect chains for long enough to expose hidden payloads.
  • Treat sender authentication as a trust input, not a trust decision: Correlate SPF, DKIM, DMARC, Reply-To consistency, and infrastructure reputation before deciding whether an authenticated message deserves user exposure.
  • Block deceptive attachment patterns that mimic common file types: Flag filenames and extensions that imitate audio, meeting, or invoice artefacts, especially when the extension does not match the real file behaviour.

What's in the full article

Abnormal AI's full blog post covers the operational detail this post intentionally leaves for the source:

  • Line-by-line JavaScript examples showing how each phishing payload is constructed and obfuscated
  • Specific indicators of compromise for the voicemail, meeting, and payment-themed campaigns
  • Detection logic for delayed redirects, iframe manipulation, and XOR-based decryption
  • Additional examples of authentication mismatches and infrastructure abuse that support response tuning

👉 Read Abnormal AI's analysis of HTML and JavaScript phishing campaigns →

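One way to act on the guidance above, as an added example that is not the editorial's or Abnormal AI's code: a Python triage step that records SPF/DKIM pass only as an input, compares the From and Reply-To domains, flags attachment names that imitate audio or document files, and searches an HTML attachment for the delayed-redirect, iframe and XOR patterns this post names, holding such messages for behavioural review instead of trusting static link filtering. The message, hostnames and script are constructed, and the pattern set and verdict labels are assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed sample (not a real campaign; hostnames are placeholders): SPF/DKIM pass
# via a legitimate relay, but Reply-To differs and the attachment is HTML named like
# a voicemail that carries a delayed redirect, an iframe and an XOR-style decoder.
SAMPLE_EML = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=relay.example.org; dkim=pass header.d=relay.example.org
From: "Voicemail Service" <notify@relay.example.org>
Reply-To: collect@attacker.invalid
Subject: New voicemail (0:42)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="voicemail_0412.mp3.html"
Content-Disposition: attachment; filename="voicemail_0412.mp3.html"

<html><body><script>var k=7,c=[];var u=c.map(function(x){return String.fromCharCode(x^k);}).join("");
setTimeout(function(){var f=document.createElement("iframe");f.src=u;document.body.appendChild(f);location.href=u;},4000);</script></body></html>
--b1--
"""
# Script behaviours a static link scanner never sees, because it does not execute them
BEHAVIOUR_PATTERNS = {
    "delayed_redirect": r"setTimeout\s*\(.*?(?:location\.(?:href|replace|assign)|window\.open)",
    "iframe_injection": r"<iframe|createElement\s*\(\s*[\"']iframe",
    "xor_decode": r"fromCharCode\s*\([^)]*\^|charCodeAt\s*\([^)]*\)\s*\^",
}
# Double extensions that imitate audio, meeting or document files but render as HTML
DECEPTIVE_NAME = re.compile(r"\.(?:mp3|wav|m4a|ics|pdf|xlsx?|docx?)\.html?$", re.I)

def domain_of(header_value) -> str:
    # Lower-cased domain of the first address in a header value ('' if absent)
    return parseaddr(str(header_value or ""))[1].lower().split("@")[-1]

def triage(raw_eml: str) -> dict:
    # SPF/DKIM pass is recorded as an input to the decision, never as the decision
    msg = email.message_from_string(raw_eml, policy=policy.default)
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = {"transport_auth_pass": "spf=pass" in auth and "dkim=pass" in auth}
    findings["reply_to_mismatch"] = domain_of(msg["Reply-To"]) not in ("", domain_of(msg["From"]))
    for part in msg.iter_attachments():
        if DECEPTIVE_NAME.search(part.get_filename() or ""):
            findings["deceptive_attachment_name"] = part.get_filename()
        if part.get_content_type() == "text/html":
            html = part.get_content()
            findings.update({k: True for k, p in BEHAVIOUR_PATTERNS.items() if re.search(p, html, re.S)})
    # Any identity or content signal overrides a clean transport-authentication result
    risky = [k for k, v in findings.items() if v and k != "transport_auth_pass"]
    findings["verdict"] = "hold_for_sandbox" if risky else "deliver"
    return findings
```

A pattern hit here is only the trigger for the sandbox step, not a replacement for it; the sandbox still has to run long enough for the timer in the attachment to elapse.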



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Email trust is now an identity problem, not only a content-filtering problem. When attackers can pass SPF and DKIM through legitimate infrastructure, the trust signal is no longer whether a message authenticated, but whether the identity behind it deserves that trust. That shifts the governance question from message acceptance to sender intent and delegated legitimacy. Practitioners should treat authenticated delivery as necessary but never sufficient.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when phishing uses trusted infrastructure to deliver malicious email?

A: Accountability sits with the organisation's layered email and identity controls, not with transport authentication alone. Security teams need shared ownership across messaging, identity, and endpoint functions because the threat spans all three. Governance should define how authenticated delivery, brand spoofing, and user exposure are jointly evaluated before the message reaches the inbox.

👉 Read our full editorial: HTML and JavaScript phishing bypasses static email defenses


