Malicious HTML Attachment Volumes Surge

The share of HTML attachments assessed to be malicious has more than doubled, from 21% last May to nearly 46% in March 2023, according to Barracuda.

The security vendor warned that, while Hypertext Markup Language (HTML) is commonly used for email newsletters, marketing materials and other types of content, it is also a popular tool for phishing, credential theft and other messaging threats.

“If a recipient opens the HTML file, multiple redirects via JavaScript libraries hosted elsewhere will take them to a phishing site or other malicious content controlled by the attackers. Users are then asked to enter their credentials to access information or download a file that may contain malware,” explained Barracuda CTO Fleming Shi.

“However, in some cases seen by Barracuda researchers, the HTML file itself includes sophisticated malware which has the complete malicious payload embedded within it, including potent scripts and executables. This attack technique is becoming more widely used than those involving externally hosted JavaScript files.”
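The two variants Shi describes (an HTML file that bounces the reader through externally hosted JavaScript to a phishing page, and an HTML file that carries the whole payload inline and decodes it at runtime) leave different traces in the attachment itself. The following triage script is an added example written for this article, not Barracuda's tooling or code from the original page; the sample attachments and the `.invalid` hostnames are constructed for the demonstration. It parses an HTML attachment with the standard library and flags external script references, client-side redirects, large embedded base64 blobs, runtime decoding calls, and credential forms:

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachments (not real samples from the article).
# 1) Redirect variant: external JS library plus a location-based redirect.
SAMPLE_REDIRECT = """<html><head>
<script src="https://cdn.example.invalid/lib.js"></script>
<script>window.location.replace("https://login.example.invalid/auth");</script>
</head><body>Loading...</body></html>"""

# 2) Embedded-payload variant: a large base64 blob decoded with atob() at runtime.
SAMPLE_EMBEDDED = ('<html><body><script>var p="'
                   + base64.b64encode(b"A" * 3000).decode()
                   + '";document.write(atob(p));</script></body></html>')

# 3) Benign newsletter-style HTML with no script at all.
SAMPLE_BENIGN = """<html><body><h1>Newsletter</h1><p>Hello!</p>
<a href="https://www.example.invalid/news">Read more</a></body></html>"""


class AttachmentInspector(HTMLParser):
    """Collects the elements that matter for HTML-attachment triage."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []   # <script src=...> references
        self.inline_scripts = []     # bodies of inline <script> blocks
        self.iframes = []            # <iframe src=...> references
        self.meta_refresh = False    # <meta http-equiv="refresh">
        self.password_fields = 0     # <input type="password">
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_scripts.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


# Heuristics over inline script text. Thresholds are assumptions chosen for
# the demo; tune them against your own attachment corpus.
REDIRECT_RE = re.compile(r"location\s*(?:\.\s*(?:href|replace|assign)|=)|window\.open\s*\(", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")
DECODE_RE = re.compile(r"\batob\s*\(|fromCharCode|unescape\s*\(", re.I)


def triage_html(html: str) -> dict:
    """Return findings, referenced hosts and a coarse verdict for one attachment."""
    p = AttachmentInspector()
    p.feed(html)
    p.close()
    findings = []
    if p.external_scripts:
        findings.append("external-script")
    script_text = "\n".join(p.inline_scripts)
    if REDIRECT_RE.search(script_text) or p.meta_refresh:
        findings.append("redirect")
    if B64_RE.search(script_text):
        findings.append("embedded-blob")
    if DECODE_RE.search(script_text):
        findings.append("runtime-decode")
    if p.password_fields:
        findings.append("credential-form")
    if p.iframes:
        findings.append("iframe")
    hosts = sorted({urlparse(u).hostname
                    for u in p.external_scripts + p.iframes
                    if urlparse(u).hostname})
    return {"findings": findings, "hosts": hosts,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for name, sample in [("redirect", SAMPLE_REDIRECT),
                         ("embedded", SAMPLE_EMBEDDED),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, triage_html(sample))
```

The `hosts` list is the useful pivot for the redirect variant: the external script and iframe hostnames are what a mail gateway or SOC analyst would check against reputation data or block outright, while the `embedded-blob` and `runtime-decode` findings catch the self-contained variant that never fetches anything from the network and so evades URL-only scanning.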

Shi claimed that HTML threats are increasingly being spread not by a limited number of mass campaigns, but by individual attacks.

“On March 7, there were 672,145 malicious HTML artifacts detected in total, comprising 181,176 different items. This means that around a quarter (27%) of the detected files were unique and the rest were repeat or mass deployments of those files,” he said.

“However, on March 23, almost nine in ten (85%) of the total 475,938 malicious HTML artifacts were unique – which means that almost every single attack was different.”

This surge in activity means HTML attachments remain the most common malicious file type in email threats this year, Barracuda said.

“Getting the right security in place is as important now as it has ever been. This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments,” Shi argued.

“Other important elements include implementing robust multi-factor authentication or – ideally – zero trust access controls; having automated tools to respond to and remediate the impact of any attack; and training people to spot and report suspicious messages.”