Attacks increasingly use malicious HTML email attachments

Researchers warn that attackers are relying more on malicious HTML files in their attacks, with malicious files now accounting for half of all HTML attachments sent via email. This rate of malicious HTML prevalence is double compared to what it was last year and doesn’t appear to be the result of mass attack campaigns that send the same attachment to a large number of people.

“When it comes to attack tactics and tools, the fact that something has been around for a while doesn’t appear to make it any less potent,” researchers from security firm Barracuda Networks said in a new report. “Malicious HTML is still being used by attackers because it works. Getting the right security in place is as important now as it has ever been, if not more so.”

Why is HTML an attacker favorite?

HTML, the standard markup language for displaying Web content, has many legitimate uses inside email communications. For example, enterprise users often receive reports that various applications and tools generate and send by email. This doesn’t make them suspicious when they see this type of attachment and the attachment type can’t be outright banned by email security gateway filters.

HTML is also flexible in terms of what types of attacks it can enable. One of the most common use cases is credential phishing with attackers crafting HTML attachments that, when opened, masquerade as the login page for various services. This can also be dynamic, with the HTML including JavaScript code that redirects the user to a phishing site. Imagine receiving an email that seems like an automated notification for a DHL parcel, opening the HTML attachment, and seeing a copy of the DHL login page.

In other cases, the HTML attachments include links and lures that try to convince users to download a secondary file that’s actually a malware payload. The benefit for attackers is that this method of malware delivery has a much higher chance of bypassing the email security gateway compared to attaching a malware payload directly inside a zip archive or as a different file type. Since the lure is now in front of the user, if they agree to download the file locally to their computer, it’s up to the endpoint protection solution to detect it, so attackers have already defeated the first layer of defense.

“However, in some cases seen by Barracuda researchers, the HTML file itself includes sophisticated malware which has the complete malicious payload embedded within it, including potent scripts and executables,” the researchers said. “This attack technique is becoming more widely used than those involving externally hosted JavaScript files.”

The prevalence of malicious HTML attachments

Barracuda used its telemetry to perform an analysis in May 2022 and found that 21% of the HTML attachments its products scanned that month were malicious. This was by far the highest malicious-to-clean ratio of any file type sent via email, but it progressively got worse since then, reaching 45.7% in March this year.

So, for anyone who receives an HTML attachment via email right now there’s a one in two chance it’s malicious. However, to make sure the data is not skewed by a few massive attacks the researchers also looked at the uniqueness of the files.

The researchers picked two dates from January to March where large spikes of malicious HTML files were detected, suggesting possible mass attacks. On March 7, the company’s products scanned 672,145 malicious HTML artifacts of which 181,176 were different, meaning around a quarter of the attachments were the result of unique attacks. For the second spike, on March 23, things were much worse. Of 475,938 malicious HTML detections, 85% or almost nine in ten, were unique.

“Protection against malicious HTML-based attacks should take into account the entire email carrying HTML attachments, looking at all redirects, and analyzing the content of the email for malicious intent,” the researchers said.

How to mitigate malicious HTML attachments

The company’s recommendation is to choose email security solutions that can evaluate the entire email context and not just the attachment’s contents. Training employees to spot and report malicious HTML attachments and to be wary of such attachments from unknown sources is also very important. It’s also important for the company to have incident response tools and processes that allow removing an attachment from all mailboxes it might have reached once it’s flagged as malicious by the security team.

Using two-factor authentication coupled with zero-trust access solutions that evaluate not only the credentials, but also the user’s device, location, time zone, and history, can limit breaches even if users fall victim to phishing and credential theft. Accounts should also have post-login monitoring that can alert the security team if any suspicious behavior is detected.