For the first four months of 2022, HTML files remained one of the most frequent attachments used in phishing attacks, demonstrating that the approach is still effective both against antispam engines and against the victims themselves.
HTML (HyperText Markup Language) is a markup language for web content that determines its meaning and structure. HTML files are interactive content documents that are designed to be viewed in web browsers.
HTML files are frequently used in phishing emails to link victims to malicious websites, download files, or even show phishing forms locally within the browser.
Because HTML itself is not inherently harmful, these attachments are often overlooked by email security software, so the message lands in the inbox.
According to Kaspersky statistics, the use of HTML attachments in malicious emails continues to rise, with the security firm detecting 2 million such emails targeting its clients in the first four months of this year.
The highest number of detections was 851,000 in March 2022, according to Kaspersky’s telemetry data, and the decline to 387,000 in April may simply be a blip.
How HTML avoids being detected
Various methods are used to build phishing forms, redirection mechanisms, and data-stealing components in HTML attachments, ranging from basic redirects to obfuscated JavaScript that hides phishing forms.
Attachments in email messages are base64 encoded, and secure email gateways and antivirus software decode and scan them for dangerous URLs, scripts, and other behavior.
To avoid that detection, threat actors frequently place JavaScript in the HTML attachment that constructs the malicious phishing form or performs the redirect only when the file is opened in the browser.
HTML smuggling is the use of JavaScript in HTML attachments to disguise dangerous URLs and behavior. It has been a fairly popular approach in recent years.
To make malicious scripts even more difficult to identify, threat actors obscure them with freely available obfuscation tools that accept custom settings, producing a unique result that is less likely to match existing detections.
In November, for example, we observed threat actors employing Morse code in their HTML attachment to hide a phishing form that would be displayed when the attachment was opened.
In some circumstances, the threat actors use obsolete routines like "unescape()", which replaces "%xx" character sequences in the string with their ASCII equivalents, according to Kaspersky.
Most current browsers still support this function, which has been replaced by decodeURI() and decodeURIComponent(). However, security tools and antispam engines that rely on current methods may overlook it.
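As an added illustration of the detection gap described above (example code, not from the article or from Kaspersky), the scanner below decodes legacy "%xx" string literals the way unescape() would before matching indicators, so markup hidden behind the obsolete routine becomes visible to the scan. The indicator list and both sample attachments are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed indicator list: patterns the article associates with HTML
# smuggling and locally rendered phishing forms, mapped to a reason string.
INDICATORS = {
    r"\bunescape\s*\(": "legacy unescape() decoder (obsolete but still supported)",
    r"\batob\s*\(": "base64 decode inside script",
    r"\beval\s*\(": "dynamic code evaluation",
    r"\bdocument\.write\s*\(": "runtime injection of markup",
    r"\bBlob\s*\(": "in-browser file assembly",
    r"createObjectURL": "object URL creation (download staging)",
    r"type\s*=\s*[\"']password[\"']": "password field in a local form",
}

# Matches single- or double-quoted JavaScript string literals.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)


def decode_legacy_strings(html: str) -> str:
    """Return html with every %xx / %uXXXX-encoded string literal decoded
    as unescape() would decode it, so hidden markup becomes scannable."""
    def _decode(m):
        body = m.group(2)
        if not re.search(r"%(u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})", body):
            return m.group(0)
        body = re.sub(r"%u([0-9A-Fa-f]{4})",
                      lambda u: chr(int(u.group(1), 16)), body)
        return m.group(1) + unquote(body) + m.group(1)
    return STRING_LITERAL.sub(_decode, html)


def scan_attachment(html: str) -> list:
    """Return the indicator reasons found in the raw or decoded attachment."""
    views = (html, decode_legacy_strings(html))
    return [reason for pattern, reason in INDICATORS.items()
            if any(re.search(pattern, v) for v in views)]


# Constructed sample attachments: one plain notice, one that writes a
# %xx-encoded form with a password field into the page at load time.
BENIGN = ("<html><body><p>Quarterly invoice attached. "
          "<a href='https://example.com/invoice'>View</a></p></body></html>")
SUSPICIOUS = """<html><body><script>
var p = "%3Cform%3E%3Cinput%20type%3D%22password%22%3E%3C%2Fform%3E";
document.write(unescape(p));
</script></body></html>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_attachment(doc))
```

Scanning only the raw text would report the unescape() call but miss the password form; the decoded view exposes it.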
Conclusion
HTML attachment distribution spiked in 2019, but it remains a frequent method in phishing campaigns in 2022, so such attachments should be considered a red flag.
Remember that simply viewing these files can cause JavaScript to run on your system, potentially resulting in malware being assembled automatically on disk while evading security measures.
When protection software fails to detect a malicious attachment, recipients are more likely to open it and become infected.
Even if your email security solution doesn’t issue any warnings, HTML attachments should still be treated with caution.