The popularity of phishing emails using HTML attachments started spiking in 2019, but have continued to be a significant issue in 2022. In just the first 4 months of this year, cybersecurity provider Kaspersky detected almost 2 million malicious emails using HTML attachments, making it one of the most popular forms of attachment used in phishing attacks so far this year. Use of this form of attack peaked in March when Kaspersky reported 851,328 detections, which is nearly twice the amount of these types of email detected in the previous month.
The use of HTML attachments for phishing emails allows the attacker to redirect users to dangerous sites through an attachment rather than requiring them to click on an embedded link. It is also possible for the HTML to trigger the download of files, or display local phishing forms in a browser. HTML attachments may not be blocked by security software such as antispam solutions, as HTML itself is not malicious – although given its potential for abuse Security Managers should consider adding all HTML files to the list of blocked attachment types for their network.
Attackers very commonly use Java Script to hide the problematic elements of the HTML files in what is known as HTML smuggling. This has gained popularity recently, as well as hiding malicious intent through the use of freely available java script obfuscator tools, both of which increase the likelihood that this phishing email will evade detection and reach it’s intended target.
These malicious actors often include encoding through Java Script functions, including the no longer supported “unescape()” function, which substitutes “%xx” character sequences in the string with their ASCII equivalents. The use of deprecated functions could speak to reduced detection compared to the replacement functions such as decodeURI() and decodeURIComponent(), which might be more commonly detected by antispam tools.
HTML attachments on emails should always be regarded as highly suspicious, even if they are not flagged by security software, and this messaging should be re-enforced through Security Awareness Training.