Windows Defender detects Trojan:HTML/Phish.PH!MTB in a simple HTML file


I have two laravel-mix projects which I made for a client, with packages like jquery, bootstrap, sweet alert installed through npm. Nothing complicated.

I worked on the first project for a couple of weeks and cloned it into another directory and worked for another couple of weeks.

The problem:

I tried to open the index.html file in Chrome (with a double click, just to preview) and Windows Defender detected it as a threat and proceeded to delete it.

I checked a backup I had online and the code doesn't have any redirects or code I didn't write. I tried to download the backup and it was detected again as a threat.

I had to allow the threat to make a zip and send it to a client, but I'm still worried if this is something serious or just a Windows Defender mistake.

Any advice would be helpful.


There are 2 answers

0
Mark_B166ER On BEST ANSWER

I've just had the same issue. I couldn't check all my views, but it seems to me that Windows Defender detects those views as threats that reference SweetAlerts. So far I simply choose the option in Windows Defender to allow these files. I've made some of these views months ago, so I believe it could be a bug in Windows Defender. Nothing fishy is going on in my views, believe me :-)

0
tno2007 On

I had the same problem with an HTML file. And the warning seems legitimate.

What happens is that there are links inside the HTML file that point to a dodgy domain, for example JS, CSS or form action links. These domains have been flagged as phishing sites.

Windows Defender immediately detects this variant, but when I scan with Kaspersky it picks up nothing. It was only when I opened the page in a browser that Kaspersky blocked it.

This usually happens if the page was saved from the internet. The easy solution would just be to delete those links.
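To see which external hosts a flagged HTML file actually references (the script, stylesheet and form-action links mentioned in the answer above), the file can be parsed and its off-page URLs grouped by host. This is an added example, not part of either answer; the function names, the allowlist and the sample hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser load from, or submit to, another location.
URL_ATTRS = {"script": ("src",), "link": ("href",), "form": ("action",),
             "iframe": ("src",), "img": ("src",), "a": ("href",)}

class ExternalRefCollector(HTMLParser):
    """Collect (host, tag, attribute, url) for every reference that names a host."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                url = value.strip()
                # Relative paths have no hostname; "//host/x.js" is
                # protocol-relative and still external.
                host = urlsplit(url).hostname
                if host:
                    self.refs.append((host.lower(), tag, name, url))

def external_hosts(html_text):
    """Return {host: [(tag, attr, url), ...]} for manual review."""
    parser = ExternalRefCollector()
    parser.feed(html_text)
    hosts = {}
    for host, tag, name, url in parser.refs:
        hosts.setdefault(host, []).append((tag, name, url))
    return hosts

def unexpected_hosts(html_text, allowed):
    """Hosts the page references that are not on the caller's allowlist."""
    return sorted(set(external_hosts(html_text)) - {h.lower() for h in allowed})

# Constructed sample page; every host below is a placeholder.
SAMPLE = """
<link rel="stylesheet" href="css/app.css">
<script src="https://cdn.example.com/lib.min.js"></script>
<script src="//static.example.net/jquery.js"></script>
<form action="https://unknown-host.invalid/collect" method="post"></form>
"""

if __name__ == "__main__":
    for host in unexpected_hosts(SAMPLE, {"cdn.example.com"}):
        print(host, external_hosts(SAMPLE)[host])
```

Any host in the output that the project did not add on purpose is a candidate for the link that triggered the detection.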