In the first four months of 2022, HTML files remained one of the most common attachments used in phishing attacks. This shows that the strategy is still successful against spam detection engines. Malicious actors often use HTML documents included in phishing emails.
HTML (HyperText Markup Language) is a markup language for text that will be displayed in a web browser. The files are digital content documents that are meant to be read in web browsers. These files are commonly used in phishing emails to link victims to malicious websites.
When it comes to hiding phishing information, HTML has more options than plain text email. Because HTML is not in itself malicious, email security software is less likely to detect attachments of concern. As a result, the email is often delivered successfully to the victim's inbox.
According to Kaspersky's own statistics, the pattern of sending infected emails with HTML files is still strong. In the first four months of the year, the security firm discovered 2 million such emails targeted at its clients. The highest number of detections was 851,000 in March 2022. The reduction to 387,000 in April might be a temporary glitch.
How does HTML stay undetected?
Another method for concealing phishing material in email attachments is to encode or compress the code, so that it looks considerably smaller than it actually is. Threat actors also obfuscate their code with publicly accessible tools to make malicious scripts even more difficult to find. These tools allow unique custom setups, which are less likely to be identified.
According to Kaspersky, threat actors employed "Morse code" in their HTML attachment to hide a phishing form that would be shown when the HTML attachment was accessed.
Threat actors in such circumstances employ deprecated functions like "unescape()", according to Kaspersky. This function replaces "%xx" character sequences in a string with their ASCII values.
Although decodeURI() and decodeURIComponent() have mostly replaced it, most modern browsers still support unescape(). It is likely that security tools and spam detection engines that are more focused on existing tactics would miss it.
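As an added example (not code from Kaspersky or from the original article), the Node.js script below shows how a mail filter could statically flag the pattern described above: it finds string literals passed to unescape(), decodeURI() or decodeURIComponent(), decodes them as data without running the attachment, and checks the result for form and password-field markup. The thresholds, the indicator list and the sample attachment are constructed assumptions.

```javascript
// Static triage for unescape()-style obfuscation in an HTML attachment.
// The attachment is handled as text only; none of its script is executed.
const MAX_LAYERS = 3;      // assumption: stop after three nested encodings
const ENCODED_RATIO = 0.5; // assumption: "mostly encoded" literal at or above this

// Decode %xx and %uXXXX in one left-to-right pass, as unescape() does.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Peel nested encoding layers until the text is stable or MAX_LAYERS is hit.
function peel(s) {
  let layers = 0;
  for (let next = percentDecode(s); next !== s && layers < MAX_LAYERS; next = percentDecode(s)) {
    s = next;
    layers++;
  }
  return { text: s, layers };
}

// Markup that should not be hiding inside an encoded string literal.
const INDICATORS = {
  form: /<form\b/i,
  passwordField: /type\s*=\s*["']?password/i,
  script: /<script\b/i,
  remoteUrl: /https?:\/\//i,
};

// Report every decoder call with a literal argument and what it decodes to.
function scanAttachment(html) {
  const call = /\b(unescape|decodeURIComponent|decodeURI)\s*\(\s*(["'])([^"']*)\2\s*\)/g;
  const findings = [];
  for (const [, func, , literal] of html.matchAll(call)) {
    const encoded = (literal.match(/%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}/g) || []).join("").length;
    const ratio = literal.length ? encoded / literal.length : 0;
    const { text, layers } = peel(literal);
    const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(text));
    findings.push({ func, ratio, layers, hits, suspicious: ratio >= ENCODED_RATIO && hits.length > 0 });
  }
  return findings;
}

// Constructed sample attachment (not taken from a real campaign).
const SAMPLE = `<script>document.write(unescape("%3C%66%6F%72%6D%3E%3C%69%6E%70%75%74%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%3E"));
document.title = decodeURIComponent("Invoice%20042");</script>`;
console.log(scanAttachment(SAMPLE));
```

The second call in the sample is a benign use of decodeURIComponent() and is reported but not marked suspicious, which is the distinction a filter needs to avoid flagging every decoder call.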
Phishing sites exist in many shapes and sizes, but they’re frequently made to seem exactly like real web pages so that visitors don’t hesitate to submit their credentials.
Consider the following
Even though HTML attachment distribution had its "glory days" in 2019, it is no longer recommended. It's necessary to stay alert, since threat actors use this tactic frequently in phishing attacks.
Even if your email security system doesn’t issue any alerts, HTML attachments should always be treated with caution.
Avoid opening emails from unknown senders, or any attachments they may include, to keep from falling victim to phishing scams. Although Word files, PDFs, and other documents are often attached to emails, HTML attachments are rarely shared. If you see one in your inbox, it's almost certainly a phishing email.