A recent phishing campaign used a clever trick to deliver the fraudulent web page that collects Microsoft Office 365 credentials: it built the page from chunks of HTML code stored locally and remotely.
Hidden building blocks
Victims received an email with just an attachment claiming to be an Excel file (.XLSX) about an investment. In reality, the file is an HTML document containing a chunk of URL-encoded text.
In one of them, the researchers found the beginning of the phishing page and code that validates the email and password from the victim.
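A mail-gateway triage check for the kind of attachment described above, added here as an example and not taken from the researchers' analysis: it flags a spreadsheet-named file whose content is HTML rather than a ZIP container, decodes any URL-encoded chunk, and lists the remote resources the decoded markup would load. The function name, the 10-escape threshold, the sample attachment and the host `cdn.example.invalid` are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

ZIP_MAGIC = b"PK\x03\x04"  # a genuine .xlsx is a ZIP container
# A run holding 10+ %XX escapes mixed with unreserved characters (threshold is an assumption).
PCT_RUN = re.compile(r"(?:[\w./:~@*+-]*%[0-9A-Fa-f]{2}){10,}[\w./:~@*+-]*")
HTML_HINT = re.compile(r"<\s*(?:!doctype|html|body|script)", re.I)
REMOTE_REF = re.compile(r"""(?:src|href|action)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

# Constructed sample: HTML body that writes a URL-encoded chunk referencing a remote script.
SAMPLE = (
    b"<html><body><script>document.write(unescape('"
    b"%3Cform%20id%3D%22login%22%3E%3Cinput%20name%3D%22email%22%3E%3C/form%3E"
    b"%3Cscript%20src%3D%22https%3A//cdn.example.invalid/part1.js%22%3E%3C/script%3E"
    b"'));</script></body></html>"
)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Report whether a spreadsheet-named attachment is really HTML, how many
    URL-encoded chunks it carries, and which remote resources they reference."""
    text = data.decode("utf-8", errors="replace")
    claims_excel = ".xls" in filename.lower()
    is_zip = data.startswith(ZIP_MAGIC)
    looks_html = bool(HTML_HINT.search(text[:4096]))

    decoded = [unquote(m.group(0)) for m in PCT_RUN.finditer(text)]
    # Look for remote references both in the plain markup and in each decoded chunk.
    remote = sorted({u for part in [text, *decoded] for u in REMOTE_REF.findall(part)})
    return {
        "type_mismatch": claims_excel and not is_zip and looks_html,
        "encoded_chunks": len(decoded),
        "remote_refs": remote,
    }


if __name__ == "__main__":
    print(triage_attachment("Investment.xlsx", SAMPLE))
```

The remote reference only becomes visible after decoding, which is why a scanner that inspects the raw attachment text alone would miss it.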