HTML/Fraud Trojan: Meaning, Email Warning, and Cleanup

Daniel Zimmermann
A fraudulent HTML attachment can disguise the real destination behind a safe-looking message.

HTML/Fraud Trojan is a detection name security tools use for fraudulent HTML content: a scam email body, an attached .html file, a cached web page, or a fake login page that hides where a link really goes. It does not always mean a full Windows infection is installed. The right response depends on the affected path, whether you opened the file or entered credentials, and whether the alert returns after cache cleanup.

Keep the item quarantined or blocked first. Do not restore the HTML file, do not add an exclusion, and do not sign in through any page opened by the message. Copy the detection name and the affected path, then use the checks below to decide whether this was a blocked page, a suspicious email attachment, or a sign of recurring browser/adware activity.

What HTML/Fraud Trojan Means

HTML/Fraud detections focus on the content of an HTML page, not on a normal Windows executable. The page may display a harmless-looking bank, mailbox, document, delivery, crypto, or support message while the underlying link points somewhere else. F-Secure describes this family as fraudulent email messages and website HTML, often caused by a mismatch between the visible link text and the real href destination.

Microsoft Defender and other tools may use related names such as Trojan:HTML/Fraudload.C!MTB, Trojan:HTML/Phishing..., HTML/Phishing, or vendor-specific labels such as HTML/Fraud.EK. Treat the exact family name as useful context, but make the decision from the source path and what you did with the page.

Check The Path First

The affected path usually tells you how urgent the cleanup is.

| Where the detection appeared | Risk and what to do |
| --- | --- |
| Browser cache, temporary internet files, or email preview cache | Often a blocked page or message preview. Close the tab or message, clear browser/mail cache, keep quarantine, and scan if the alert returns. |
| %USERPROFILE%\Downloads, Desktop, or a saved .html/.htm attachment | Higher risk because the file was saved locally. Delete or quarantine it, check whether it opened a login page, and scan the PC. |
| Startup, Task Scheduler, extension folders, or a recently installed app path | Treat as possible persistence or bundled adware. Remove suspicious apps/extensions, reset browser settings, and run a full scan. |
| Outlook, Thunderbird, Gmail offline cache, or a mail-client storage folder | The message itself may be the source. Delete it from Inbox, Junk, Sent, Deleted Items, and synced devices; then rescan the mail store. |

What An HTML/Fraud Email Can Look Like

Fraudulent HTML messages often pretend to be account reviews, invoices, secure documents, mailbox notices, or delivery updates. The attachment opens in a browser and shows a fake login form, or the button text looks safe while the destination goes to an unrelated site.

A typical HTML/Fraud lure may arrive as a message with an HTML attachment, a review button, and wording that pushes you to sign in quickly.

Safe text example:

Subject: Account Review Required
From: Account Support <notice [at] example [dot] com>
Body: Dear user, please review the attached HTML document to keep your account active.
Attachment: Account_Review.html
Button: Review Document

That wording is generic by design, but it shows the pattern: vague sender, HTML attachment, account pressure, and a button that asks for sign-in. If you need to check a suspicious message before clicking, paste the sender, subject, visible links, and body text into the Gridinsoft Email Scam Checker instead of opening the attachment.

What To Do If You See The Detection

  1. Leave quarantine in place. Restoring the HTML file only makes sense after you verify the sender, destination, and false-positive path.
  2. Close the triggering app. Close the browser tab, email preview pane, PDF viewer, or mail client that accessed the file.
  3. Clear the matching cache. Clear browser cache and site data for the suspicious domain. If the alert came from a mail client, remove the message from Inbox, Junk, Sent, Deleted Items, and server-side webmail.
  4. Delete saved HTML attachments. Remove suspicious .html, .htm, .svg, or zipped document files from Downloads and Desktop.
  5. Check what happened after opening it. If you typed a password, approved MFA, downloaded a viewer, installed an extension, or allowed notifications, treat it as an account and browser recovery case, not only as a file cleanup.
  6. Run a scan if the alert returns. Recurrence after reboot, repeated redirects, new browser policies, unknown extensions, or detections outside cache can point to adware, a loader, or leftover persistence.

If the page or attachment opened before it was blocked, a scan is useful for checking hidden files, scheduled tasks, startup entries, bundled apps, browser changes, and persistence that a blocked HTML file alone would not explain.


If the page or email made you download an invoice, coupon, tracking app, browser extension, or support tool, scan the PC before opening it again or logging into sensitive accounts.


If You Entered A Password

HTML/Fraud is often about credential theft. If you signed in through a page opened by the message or attachment, act as if that password was exposed:

  • Change the password from a clean browser session by typing the real site address manually.
  • Sign out of other sessions where the account provider allows it.
  • Reset MFA methods and recovery email/phone if the account settings look changed.
  • Check forwarding rules, mailbox filters, connected apps, payment methods, and recent login history.
  • Warn your workplace or school IT team if the account is organizational.

Could It Be A False Positive?

Yes, but only decide that after checking the path and context. A local HTML homework file, exported report, internal web page, or newsletter template can sometimes look suspicious because it contains forms, redirects, obfuscated script, or link mismatch patterns. Do not whitelist it just because you recognize the filename. Verify the sender or creator, open the file only in a safe test environment if needed, and submit it to your security vendor for review when the source is legitimate.

False-positive confidence is higher when the file came from a trusted internal workflow, the real link destinations match the visible text, no credentials or downloads are requested, and a fresh full-system scan finds no other suspicious items. It is lower when the file arrived unexpectedly by email, came from a shortened link, asks for mailbox/bank/payment credentials, or triggers alerts from multiple tools.
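
The two signals named above (visible link text that does not match the real href, and a request for credentials) can be checked statically, without rendering the file. The following is an added example, not code from this article or from any vendor's detection engine; `HtmlFraudAudit`, `audit`, `host` and the sample markup are names and data constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Link text that itself looks like a URL or bare domain ("www.example.com/login").
URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]|$)", re.I)

def host(url):
    """Hostname of a URL, lower-cased, leading 'www.' dropped; '' if absent or malformed."""
    try:
        h = (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""
    return h[4:] if h.startswith("www.") else h

class HtmlFraudAudit(HTMLParser):  # static: markup is parsed as text, never rendered or fetched
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text, self._action = [], None, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append(("password-field", host(self._action or "") or "(no host)"))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None
        elif tag == "a" and self._href is not None:
            m = URLISH.match("".join(self._text).strip())
            shown, real = (host("//" + m.group(1)) if m else ""), host(self._href)
            if shown and real and real != shown and not real.endswith("." + shown):
                self.findings.append(("link-mismatch", shown, real))
            self._href = None

def audit(html_text):
    parser = HtmlFraudAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample using reserved example/.test names; not taken from a real message.
SAMPLE = """<a href="https://login.example-bank.com.verify.test/s">www.example-bank.com</a>
<a href="https://docs.example.org/help">docs.example.org</a>
<form action="https://collect.verify.test/post"><input type="password" name="p"></form>"""
```

Pass the file's contents to `audit` as text rather than opening the file in a browser. A button whose label is not a URL, such as "Review Document", gives the checker nothing to compare, so its href still needs a manual read.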

If the alert is closer to a redirect or browser-cache problem, compare it with our Trojan:JS/Redirector and HTML/Redirector guide. If the risky file is an image-like attachment, see the malicious SVG phishing cleanup guide. For general suspicious-message review, use the Gridinsoft Email Scam Checker guide.

FAQ

Is HTML/Fraud Trojan a real virus?

It can be a real threat, but it is usually fraudulent HTML content rather than a traditional Windows program. The danger is the phishing page, hidden destination, download, extension, or credential theft that the HTML tries to trigger.

Should I delete the detected HTML file?

Yes, if it came from an unexpected email, download, redirect, or cache entry. Keep the security-tool quarantine and remove the original message or saved attachment. Restore only after you verify the source and submit a likely false positive.

Why does the alert come back after I clear the browser?

It may be syncing from another browser profile, sitting in a mail-client cache, coming from a saved attachment, or being recreated by an extension, notification permission, adware app, or startup item. That is when a full scan and browser cleanup are needed.

What if I only viewed the email preview?

If the tool blocked the preview and you did not click, download, or enter credentials, delete the message and clear the mail trash. If the same alert returns while the mail client is closed, investigate local cache or sync copies.

Do I need to change passwords?

Change passwords if you entered them into the page, approved MFA, downloaded a helper app, or cannot confirm where the form submitted data. If the HTML was only blocked in cache and no credentials were entered, password changes are usually not necessary.

References

  1. F-Secure. “Trojan-Spy:HTML/Fraud.” F-Secure Threat Descriptions, accessed June 24, 2026. https://www.f-secure.com/v-descs/trojan-spy-html-fraud
  2. Microsoft Security Intelligence. “Trojan:HTML/Fraudload.C!MTB threat description.” Microsoft, published and updated June 16, 2025, accessed June 24, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AHTML%2FFraudload.C%21MTB&ThreatID=2147943742

With a strong background in consumer safety and fraud prevention, Daniel specializes in providing actionable tips and advice to users. His focus is on helping individuals understand the risks of interacting with fraudulent sites and services.