
Defense Against TA505 Phishing Attacks Using HTML Redirector with Deep CDR

TA505 is a cybercrime group that has been active since 2014, targeting education and financial institutions. In February 2020, Maastricht University, a public university in the Netherlands, reported that it was a victim of TA505’s massive ransomware attack using phishing emails. TA505 usually uses phishing emails to deliver malicious Excel files that drop payloads once they are opened. According to research conducted by Trend Micro in July 2019, TA505’s phishing emails use attachments featuring an HTML redirector to deliver the malicious Excel files. Recently, a new phishing email campaign using the same attack strategy was discovered by the Microsoft Security Intelligence team. In this blog post, we will take a look at the files used in the attack and explore how OPSWAT’s Deep Content Disarm and Reconstruction technology (Deep CDR) can help prevent similar attacks.

Attack vectors

The attack flow is a very common one:

  1. A phishing email with an HTML attachment is sent to a victim.
  2. When the victim opens the HTML file, it automatically downloads a malicious macro-enabled Excel file.
  3. This Excel file drops a malicious payload when the victim opens it.

The HTML and Excel files were examined on metadefender.opswat.com in early February 2020.

The HTML file was identified as a fake Cloudflare page with relatively simple JavaScript to redirect users to a download page after 5 seconds.

The Excel file contains several obfuscated macros.

When the victim opens the file and enables macros, a fake Windows process UI, which is actually a Visual Basic form, appears, making the victim think that Excel is configuring something.

In the background, the macro runs and drops a couple of files on the victim’s system at the following file paths: C:\Users\user\AppData\Local\Temp\copy13.xlsx and C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sample_.dll (RAT).

How can Deep CDR protect you from the phishing attack?

If the HTML file is sanitized by Deep CDR, all risk vectors are removed, including JavaScript. After sanitization, the user opens the file without being redirected. As a result, the malicious Excel file can’t be downloaded either.
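To make the disarm-and-reconstruct idea concrete for the HTML redirector, the following is an added example, not OPSWAT's Deep CDR implementation and not code from this post. It rebuilds an HTML attachment from parser events and leaves out script elements, meta refresh, event-handler attributes and `javascript:` URLs; the names `Disarm`, `disarm_html`, the tag sets and the sample page are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

ACTIVE = {"script", "iframe", "object"}              # dropped together with their content
VOID = {"meta", "br", "img", "hr", "input", "link"}  # elements that take no closing tag

class Disarm(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE:
            self.skip += 1
            self.removed.append(f"<{tag}>")
        if self.skip:
            return
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "meta" and dict(attrs).get("http-equiv", "").lower() == "refresh":
            self.removed.append("meta refresh")      # timed redirect that needs no script
            return
        kept = ""
        for k, v in attrs:
            scheme = re.sub(r"[\s\x00-\x1f]", "", v).lower()  # browsers ignore these chars
            if k.startswith("on") or scheme.startswith("javascript:"):
                self.removed.append(f"{tag}@{k}")
            else:
                kept += f' {k}="{escape(v, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append("" if self.skip else escape(data, quote=False))

def disarm_html(html):
    parser = Disarm()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample: fake "checking your browser" page with a 5-second redirect.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="5;url=https://example.invalid/x">'
          '</head><body onload="go()"><p>Please wait 5 seconds...</p><script>function go(){'
          'setTimeout(()=>{location.href="https://example.invalid/x"},5000)}</script></body></html>')
```

`disarm_html(SAMPLE)` returns the rebuilt page and a list of what was stripped, which can be logged alongside the message. A production sanitizer would work from an allow-list of tags and attributes rather than this deny-list.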

Additionally, TA505’s phishing campaigns used to send the malicious Excel file directly to victims as an email attachment. Deep CDR is effective in this case as well: it removes all macros and OLE objects and recursively sanitizes all images in the file.


TA505 is currently very active with email phishing campaigns. Various sophisticated malware types have been used to increase the chances of getting into your system. Enterprises are advised to improve their employee phishing awareness training as well as their security systems. MetaDefender Core, which leverages 6 industry-leading cybersecurity technologies, in combination with MetaDefender Email Gateway Security, brings the most comprehensive protection to your organization. MetaDefender’s Multiscanning technology utilizes the power of more than 35 commercial AV engines to detect nearly 100% of known malware, while Deep CDR protects against zero-day attacks by unknown threats. In addition, as an essential PII protection layer, Proactive DLP prevents sensitive data in files and emails from entering or leaving your organization.

Schedule a meeting with an OPSWAT technical expert to learn how to protect your organization from advanced cyber threats.

