Recently we investigated a phishing incident involving a dental practice where a staff member clicked a suspicious email link. At first glance the activity appeared harmless, but deeper inspection revealed a targeted credential phishing attack designed to steal Microsoft 365 login details.
This type of attack is becoming increasingly common because it does not rely on malware. Instead, attackers attempt to trick users into entering their credentials on a fake login page.
What Happened
The user clicked a link in an email, which downloaded a very small HTML file onto the computer:
- File name: practice-document.html
- File size: approximately 200 bytes
- Location: Downloads folder
When we inspected the file, it contained a simple piece of JavaScript designed to immediately redirect the browser to a phishing page.
The Redirect Mechanism
The file contained only a few lines of code:
<pre><script>
self.location = 'hxxps://example-bucket[.]s3[.]amazonaws[.]com/login-page.html';
</script></pre>
The script assigns a URL to self.location, which makes the browser navigate away as soon as the file is opened, in this case to a page hosted in an Amazon Web Services (AWS) S3 storage bucket.
Note: The domain above has been intentionally altered to prevent accidental access.
Why Attackers Use AWS
Phishing attackers frequently host malicious pages on cloud platforms such as Amazon AWS, Google Cloud, or Microsoft Azure. The domains of these platforms are trusted by default and are less likely to be blocked by traditional email filtering systems.
Because of this, phishing pages hosted on cloud infrastructure can appear more legitimate and bypass some security controls.
A Targeted Attack
The redirect URL contained a Base64-encoded value which represented the email address of the intended victim.
[Image: Base64 encoded identifier]
When decoded, it revealed the target email account that the phishing page was designed for.
This indicates the phishing page was configured specifically for that mailbox, increasing the likelihood that the victim would trust the page and enter their password.
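The two observations above (a tiny HTML file that only redirects, and a Base64 value in the URL that identifies the target mailbox) can be checked together during triage. The following is an added example, not code from the investigation: the function names, the 2 KB size limit, the placement of the token in the URL fragment, and the sample address are all assumptions made for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Assignment of a quoted string to a location property, e.g. self.location = '...'
REDIRECT_RE = re.compile(
    r"""(?:self|window|top|parent|document)\.location(?:\.href)?\s*=\s*(['"])(.+?)\1""",
    re.IGNORECASE)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_SIZE = 2048  # assumption: redirect stubs are tiny (this incident's file was ~200 bytes)

def refang(url):
    """Undo common defanging so the URL can be parsed (it is never fetched)."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def defang(url):
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def decode_email(token):
    """Return the e-mail address a Base64 token decodes to, or None."""
    try:
        padded = token + "=" * (-len(token) % 4)  # attackers often strip padding
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None

def triage(html):
    """Analyse one HTML file; return findings, or None if it is not a redirect stub."""
    match = REDIRECT_RE.search(html)
    if len(html) > MAX_SIZE or not match:
        return None
    parts = urlsplit(refang(match.group(2)))
    # Candidate tokens: the fragment, every query value, and each path segment.
    tokens = [parts.fragment] + [v for _, v in parse_qsl(parts.query)] + parts.path.split("/")
    targets = [e for e in map(decode_email, tokens) if e]
    return {"host": parts.hostname, "url": defang(parts.geturl()), "targets": targets}

# Constructed sample modelled on the file in this incident; the address is fictitious.
SAMPLE = ("<script>\nself.location = 'hxxps://example-bucket[.]s3[.]amazonaws[.]com/"
          "login-page.html#cmVjZXB0aW9uQGV4YW1wbGUuY29t';\n</script>")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `targets` list tells the responder which mailbox to prioritise for a password reset and sign-in log review.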
What the Attackers Were Trying to Do
The purpose of this attack was almost certainly to steal Microsoft 365 credentials. If successful, attackers can:
- Access the business mailbox
- Send phishing emails to customers and suppliers
- Intercept invoices and financial communications
- Launch invoice fraud attacks
- Create hidden mailbox rules to maintain access
This is why phishing attacks remain one of the most significant threats facing small businesses today.
Was the Computer Infected?
After performing a full investigation using endpoint detection tools, we confirmed that no malware had been executed on the workstation.
The only file downloaded was the small HTML redirect file, which was removed from the system.
However, even without malware, phishing attacks can still be extremely dangerous if credentials are entered into a fake login page.
How Businesses Can Protect Themselves
Phishing attacks are becoming more sophisticated and increasingly target healthcare and dental organisations. Businesses should implement multiple layers of protection, including:
- Security awareness training for staff
- Advanced email filtering
- Multi-Factor Authentication (MFA)
- Endpoint detection and response tools
- Regular security assessments
Regular cyber security awareness training is one of the most effective ways to reduce the risk of phishing attacks, as employees learn how to recognise suspicious emails and links.
Organisations should also conduct periodic cyber security assessments to identify vulnerabilities before attackers do.
Endpoint Protection Matters
Modern endpoint detection and response platforms can help identify suspicious activity even when attacks do not involve traditional malware. Solutions like CrowdStrike Falcon provide visibility into processes, downloads, and suspicious behaviour across endpoints.
Combined with a comprehensive managed cyber security strategy, businesses can significantly reduce the impact of phishing incidents.
Final Thoughts
This attack demonstrates how little infrastructure attackers need to launch an effective phishing campaign. In this case, a tiny HTML file was enough to redirect a user to a credential harvesting page.
For small businesses, particularly healthcare and dental practices, phishing attacks remain one of the most common entry points for cyber incidents.
Security awareness, strong authentication, and proper monitoring are critical to preventing these attacks from becoming serious breaches.