Fake Voicemail Notification Delivering HTML Smuggling Payload

On 13 April 2026, employees received phishing emails with subject “New Secure Voicemail” and an HTML attachment (Voice_Message_0413.html) that used JavaScript HTML smuggling to reconstruct and download message_review.zip containing review_message.exe; the executable ran when the user extracted and launched it and communicated with exfil domain sync-messagehub.com. Observed IOCs include notify@voice-securecenter.com, Voice_Message_0413.html, message_review.zip, review_message.exe, sync-messagehub.com, and SHA1 c7f29fd21c7638ec7c9eb8b9d3a48d6ad89a337f; the activity demonstrates phishing leveraging HTML smuggling to bypass email security and deliver malware.