The spam emails vary from fake forwarded Xerox scans and invoices from various companies to bogus suspended bank account notice:
As many mail clients have default settings that don't favor the automatic opening of attached HTML documents, the user must click on the document in order to open it.
The webpage in question hosts the Phoenix exploit code, which tries to exploit a number of browser and plugin vulnerabilities in order to download and install malware - in this particular case, the data-stealing Cridex Trojan.
The researchers also managed to get a peek into the server’s “Phoenix Exploit’s Kit” admin page, and it seems that some 15 percent of the users landing on the exploit page by way of the malicious HTML documents get compromised.
"Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future," they concluded with a warning.
I would also add - make sure your browser and its plugins are always up to date, as well as other software you use that you know is often buggy and popular both with endpoint users and attackers.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.