
The HTML Invoice Trap: Anatomy of the Phishing Campaign Targeting Swiss Companies Right Now

The NCSC's Week 11 alert describes a sophisticated attack chain — ZIP attachment, HTML file, CAPTCHA evasion, and rate-limited malware delivery — that is actively hitting Swiss organisations. Here is how it works and what to do about it.

On 17 March 2026, the Swiss National Cyber Security Centre published its Week 11 alert — one of the most technically detailed phishing incident reports the NCSC has released this year. The campaign described is actively targeting Swiss companies with what initially appears to be a routine invoice email. It is not. The attack chain is a layered evasion system designed specifically to defeat both automated security controls and human reviewers.

The Attack Chain: Step by Step

Stage 1 — The Invoice Email

Target organisations receive an email referencing a supposed invoice number and instructing the recipient to open the attached document. The attachment is a ZIP file. This is the first evasion layer: many email security gateways scan for malicious file types in attachments but may not fully inspect compressed archives, particularly if the ZIP contains only an HTML file — a combination that does not pattern-match to classic malware delivery.

Stage 2 — The HTML File and the False Invoice

Inside the ZIP is a single HTML file. When opened in a browser, it displays what appears to be a legitimate invoice — no suspicious links, no unusual formatting, no obvious malware indicators. The NCSC notes explicitly that at first glance, the document appears completely harmless. Attackers often use double file extensions — for example, invoice.pdf.html — to disguise the true file type in environments where extensions are hidden by default, a common Windows configuration.

Stage 3 — The CAPTCHA Gate

Embedded within the HTML file is a JavaScript payload. When triggered, the script loads a webpage that presents the appearance of a PDF document. Before the document can be accessed, the user is told they must solve a CAPTCHA. This is a well-established evasion technique: CAPTCHA completion signals human interaction, which prevents automated analysis tools — sandboxes and antivirus engines — from proceeding through the attack chain.

Stage 4 — Rate-Limited Malware Delivery

The most technically sophisticated aspect of this campaign is rate-limited payload delivery. The malicious JavaScript is only served for a limited number of requests. After the initial requests have been processed, subsequent connections to the same URL receive no malicious content. This has a direct and serious consequence: by the time an incident is reported and security teams attempt to retrieve and analyse the payload, the malware delivery infrastructure has already stopped serving it.

◆ Key Takeaway

This campaign is specifically engineered to defeat the two most common defences: automated sandbox analysis (bypassed by the CAPTCHA and rate limiting) and human visual inspection (defeated by the realistic invoice display). Neither technical controls nor awareness alone is sufficient.

Why Standard Defences Fail

This campaign defeats each standard control in turn:

  • Email attachment scanning may pass the ZIP file if the content policy does not flag HTML files inside archives as high-risk.
  • Sandbox detonation of the HTML file may never reach the malicious payload, because the CAPTCHA blocks automated execution.
  • Reputation-based URL filtering cannot block a URL that has already stopped serving malicious content by the time the indicator is submitted.
  • Human review fails because the displayed invoice is visually credible.

Defensive Measures: What Swiss Organisations Should Implement Now

  • Block ZIP attachments containing only HTML files at the email gateway. There is no legitimate business reason for an invoice to be delivered as an HTML file inside a ZIP archive. This file type combination should be treated as high-risk and quarantined for review.
  • Enable file extension display on all managed endpoints. Windows hides file extensions by default. Enable extension display in Windows Explorer across your environment so that double extensions such as invoice.pdf.html are visible to end users.
  • Configure JavaScript files to open in a text editor by default. The NCSC explicitly recommends this measure: setting .js files to open in Notepad or another text editor by default prevents accidental execution of malicious JavaScript via Windows Script Host.
  • Update security awareness content. Employees should be aware that invoice emails may not contain traditional phishing indicators. Training scenarios should include this specific pattern: invoice email, ZIP attachment, HTML file, CAPTCHA request.
  • Report to the NCSC immediately upon detection. Given the rate-limited payload delivery, rapid reporting is operationally valuable — early reports allow the NCSC to attempt payload retrieval before the rate limit is reached.
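One way to implement the gateway check behind the first two measures, as an added example that is neither the NCSC's nor this article's own code: it inspects a ZIP attachment in memory, quarantines archives made up solely of HTML files, and flags double extensions such as invoice.pdf.html. The extension sets and the build_zip helper (used only to construct sample archives) are assumptions of this example.

```python
import io
import os
import zipfile

# Extension sets are assumptions for this example, not NCSC policy.
HTML_EXTS = {".html", ".htm", ".xhtml", ".shtml"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".hta", ".wsf"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}  # used to disguise the real type


def has_double_extension(name: str) -> bool:
    """True for names such as invoice.pdf.html, where a decoy document
    extension sits in front of an HTML or script extension."""
    root, last = os.path.splitext(os.path.basename(name).lower())
    _, inner = os.path.splitext(root)
    return last in (HTML_EXTS | SCRIPT_EXTS) and inner in DECOY_EXTS


def assess_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment in memory and return the quarantine reasons.
    Result: {"quarantine": bool, "reasons": [...], "members": [...]}."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        # A crafted or corrupt archive must not slip past the check unexamined.
        return {"quarantine": True, "reasons": ["unparseable archive"], "members": []}
    reasons = []
    exts = {os.path.splitext(m.lower())[1] for m in members}
    if members and exts <= HTML_EXTS:
        reasons.append("archive contains only HTML files")
    if exts & SCRIPT_EXTS:
        reasons.append("archive contains script files")
    reasons += [f"double extension: {m}" for m in members if has_double_extension(m)]
    return {"quarantine": bool(reasons), "reasons": reasons, "members": members}


def build_zip(files: dict) -> bytes:
    """Constructed sample archives for testing: maps member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: the campaign's pattern versus a plain PDF invoice.
    print(assess_zip_attachment(build_zip({"invoice.pdf.html": b"<html></html>"})))
    print(assess_zip_attachment(build_zip({"invoice.pdf": b"%PDF-1.4"})))
```

A gateway rule would quarantine any attachment for which `assess_zip_attachment` returns `quarantine: True` and route the listed reasons to the reviewer.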