Threat Spotlight: Malicious HTML attachments
Barracuda researchers recently analyzed data on the millions of attachments scanned by Barracuda systems over the past month to identify which are most likely to be malicious.
Our research shows that, compared to other types of attachments, HTML attachments are used the most for malicious purposes. In fact, 21% of all HTML attachments scanned by Barracuda were malicious.
Let’s take a closer look at malicious HTML attachments, the ways cybercriminals are using them, and what you can do to protect against these types of attacks.
Malicious HTML attachments
HTML attachments are commonly used in email communication. They are particularly common in system-generated email reports that users might receive on a regular basis. These messages include URL links to the actual report.
Attackers have been embedding HTML attachments in emails disguised as a weekly report, tricking users into clicking on phishing links. These are successful techniques because hackers no longer need to include malicious links in the body of an email, allowing them to bypass anti-spam and anti-virus policies with ease.
There are a number of ways that hackers are using HTML attachments. First, credential phishing. Malicious HTML attachments will include a link to a phishing site. When opened, the HTML file uses JavaScript to redirect to a third-party machine and request that users enter their credentials to access information or download a file that may contain malware.
Hackers don’t always need to create a fake website, though. They can create a phishing form directly embedded in the attachment, ultimately sending phishing sites as attachments instead of links.
These attacks are difficult to detect because HTML attachments themselves are not malicious. Attackers do not include malware in the attachment itself but instead use multiple redirects with JavaScript libraries hosted elsewhere. Potential protection against these attacks should take into account an entire email with HTML attachments, looking at all redirects and analyzing the content of the email for malicious intent.
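A minimal static triage along these lines, as an added example that is not Barracuda's code: it walks a whole message, parses each HTML attachment, and reports embedded credential forms, remotely hosted scripts and redirects. The names AttachmentScan and scan_email, the finding labels and the example.test hosts are assumptions made for this illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script text that navigates the browser away from the opened file (heuristic).
JS_REDIRECT = re.compile(r"location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\s*\(", re.I)

class AttachmentScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.action, self.in_script = set(), "", False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "password":
            # Credential form embedded in the attachment; record where it posts.
            self.findings.add("password-form->" + (urlparse(self.action).netloc or "unknown"))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.add("meta-refresh")
        elif tag == "script":
            self.in_script = True
            if urlparse(a.get("src", "")).netloc:
                self.findings.add("remote-script:" + urlparse(a["src"]).netloc)

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script and JS_REDIRECT.search(data):
            self.findings.add("js-redirect")

def scan_email(raw):
    """Return {attachment filename: sorted findings} for each HTML attachment."""
    results = {}
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            scanner = AttachmentScan()
            scanner.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            scanner.close()  # flush any unterminated trailing script text
            results[part.get_filename()] = sorted(scanner.findings)
    return results

SAMPLE = (  # constructed message, not real mail; hosts are placeholders
    'Content-Type: multipart/mixed; boundary="b"\n\n--b\nContent-Type: text/plain\n\nWeekly report\n--b\n'
    'Content-Type: text/html\nContent-Disposition: attachment; filename="report.html"\n\n'
    '<script src="https://cdn.example.test/a.js"></script><form action="https://login.example.test/c">'
    '<input type="password"></form><script>location.href="https://login.example.test/"</script>\n--b--\n')
```

Findings like these are signals to weigh together with the rest of the message, since legitimate report attachments can also load remote scripts.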
How to protect against malicious HTML attachments
- Ensure your email protection scans and blocks malicious HTML attachments. These can be hard to identify accurately, and detection often includes a large number of false positives. The best solutions will include machine learning and static code analysis that evaluate the content of an email and not just an attachment.
- Train your users to identify and report potentially malicious HTML attachments. Given the volume of these types of attacks, users should be wary of all HTML attachments, especially those coming from sources they haven’t seen before. Include examples of these attacks as part of your phishing simulation campaigns and train users to always double-check before sharing their login credentials.
- If a malicious email does get through, have your post-delivery remediation tools ready to quickly identify and remove any instances of malicious email from all user inboxes. Automated incident response can help do this quickly before attacks spread through an organization, and account takeover protection can monitor and alert you of suspicious account activity if login credentials were to be compromised.