The phishing attack starts with an HTML file disguised as a voice message, which leads to the download of a file hosted on a disguised AWS URL. The attackers initially impersonate Zoom but later switch to spoofing Outlook and Teams login pages.