According to Dave Michmerhuizen, a security researcher with Barracuda Networks, hackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, in the hope that users will be curious enough to open the HTML.
"After all, what harm can an HTML file do?" he says, adding that the answer to this rhetorical question is: "plenty."
In his security blog, Michmerhuizen notes that users have been warned for years of the potential dangers associated with clicking on a file or link that arrives in an email. But, he says, many people assume that an HTML file is just a web page and that web pages are safe.
"This assumption is misleading", he said, adding that on September 16, one of the latest campaigns started with spam tied to a current Google trending topic and evolved over the next few days, with subject lines changing from trending topics to more non-specific email subjects.
The bad news, the Barracuda Networks researcher says, is that the attachments consist of 100% obfuscated JavaScript which, when opened in a browser window, routes users to sites such as fake video codec sites that serve malware executables rather than codec plugins.
The problem with many obfuscated JavaScript attachments, says Michmerhuizen, is that the absence of any visual feedback means users have no idea what has just happened or that they have contracted one of the most dangerous pieces of malware (Zeus) on the internet.
"So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless", he said.
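A mail-filtering heuristic for the kind of attachment described above, added here as an example and not taken from Michmerhuizen's blog or from Barracuda: it flags HTML attachments that are almost entirely script, show the reader nothing, and unpack code at run time. The 0.9 ratio threshold, the list of decoder calls and all function names are assumptions of this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Run-time unpacking calls used as markers (this example's assumption, not from the article).
DECODERS = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode|document\.write)\b")

class ScriptSplitter(HTMLParser):
    # Separates script source from the text a reader would actually see.
    def __init__(self):
        super().__init__()
        self.in_script, self.script, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        (self.script if self.in_script else self.visible).append(data)

def score_html(html):
    """Flag pages that are almost entirely script and unpack code at run time."""
    p = ScriptSplitter()
    p.feed(html)
    script, visible = "".join(p.script).strip(), "".join(p.visible).strip()
    total = len(script) + len(visible)
    ratio = len(script) / total if total else 0.0
    hits = sorted(set(DECODERS.findall(script)))
    return {"script_ratio": round(ratio, 2), "decoders": hits,
            "suspicious": ratio >= 0.9 and bool(hits)}

def scan_message(raw):
    """Return {filename: score} for each HTML attachment in a raw message."""
    results = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename() or ""
        if part.is_multipart() or not name.lower().endswith((".htm", ".html")):
            continue
        charset = part.get_content_charset() or "utf-8"
        results[name] = score_html(part.get_payload(decode=True).decode(charset, "replace"))
    return results

# Constructed sample: the script only writes the word "constructed".
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nSee attached.\n'
    '--b1\nContent-Type: text/html\n'
    'Content-Disposition: attachment; filename="news.html"\n\n'
    '<html><body><script>var s="%63%6f%6e%73%74%72%75%63%74%65%64";'
    'document.write(unescape(s));</script></body></html>\n--b1--\n')
print(scan_message(SAMPLE))
```

A hit is a reason to quarantine or detonate the attachment in a sandbox, not proof of malice: legitimate single-page HTML exports can also be script-heavy.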