A static HTML file isn't always what it seems.
This attack leverages a spoofed Excel spreadsheet to steal your credentials. The attack was missed by Google, but caught by Avanan.
Here's what the attack looks like:
Should you click on the HTML attachment, you'd be directed to this webpage that looks a lot like an Excel spreadsheet:
Should you enter your password, it immediately gets stolen.
A number of factors, including insignificant historical reputation with the sender and suspicious-looking email text, set off alarm bells for this to be blocked by Avanan.