HTML misused in a malicious manner


HTML, or HyperText Markup Language, has been misused by malicious threat actors for years. In a report published by Barracuda, roughly 21% of the HTML attachments scanned were found to be malicious. Ten months after that report was published, 45.7% of the HTML files scanned were malicious as of March 2023, a trend showing that this type of attack has doubled.

[Figure: malicious HTML XML trends]

Legitimate uses of HTML

HTML has many legitimate uses. One is creating structured content that is displayed online, in other words on a website. Another is in emails, for example automated reports such as newsletters or marketing material. Reports usually get attached to emails in HTML format with the extension .html, .htm or .xhtml.

If the communication comes from a legitimate source, one will not be suspicious of the attachment.

Malicious Uses of HTML

Attackers can use a well-crafted email or compromised website together with a malicious HTML file to get users to enter sensitive information such as credentials.

This allows attackers to hide their malicious intentions such as phishing, credential stealing, etc.

When an HTML attachment from an email is opened, multiple redirects using JavaScript libraries hosted on a remote server send the user to a phishing site or other harmful content under the control of the hackers, where the user is asked to input credentials for access or a file containing malware is downloaded.

Barracuda researchers have observed that some HTML files include sophisticated malware with the payload embedded within the file itself. This includes potent scripts and executables. This type of attack is becoming more widespread than those taking advantage of externally hosted JavaScript files.

When protecting against these types of attacks, it is important that the focus is not just on the attachment but on the entire email.

History is bound to repeat itself: some malicious HTML attachments have been used in the past

The below screenshot is from an attachment opened from a phishing email.

[Screenshot: phishing example]

This has been a popular type of attack for quite some time, but victims still fall for it, which is why attackers continue to use it.

Statistics related to unique HTML attacks

In this section we will look at the statistics compiled by Barracuda regarding HTML attacks.

If one looks at how many unique malicious HTML files were detected, it is clear that the growth of HTML-based attacks is not due to a few massive attacks but to a variety of attacks using highly specialized files.

If we look at the data analyzed by Barracuda from January to March 2023, we see two peaks, one on March 7th and the other on March 23rd.

Looking deeper into the statistics for March 7th, there were a total of 672,145 malicious HTML files, of which 181,176 were unique items. In other words, around 1/4 (27%) of the detections were unique and the rest were repeat mass deployments.

[Figure: total malicious artifacts]

On March 23rd, on the other hand, just about nine out of 10 of the malicious HTML files (405,438, or 85%, of the total 475,938) were found to be unique; in other words, almost every attack was different.

[Figure: unique malicious artifacts]

Statistics of the HTML file types used for malicious intent

Further analysis carried out by Barracuda analysts shows that HTML is the preferred method for attackers acting with malicious intent.

[Figure: malicious artifacts by file type in May 2022]

[Figure: malicious artifacts by file type in March 2023]

Although HTML has been around for a long time, it is still a rather dangerous way to carry out attacks. The reason it is still being used is potentially weak security measures. Ensuring appropriate security measures are in place is more important than ever.

Keeping yourself safe against malicious HTML attachments

There are a number of things to keep in mind that will help keep you safe from such attacks.

  1. Effective email protection which identifies and blocks HTML attachments.
  2. User education and awareness of such attacks as well as phishing attacks.
  3. Strict authentication and access controls.
  4. If a malicious HTML file does get through, ensure you have a way to remove that email from all of your users' mailboxes.
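
A triage sketch for the first point above, covering the attachment behaviours this article describes (remotely hosted JavaScript, script redirects, credential prompts, embedded payloads). It is an added example, not Barracuda's or the author's code; the indicator names, the regex heuristics and the `.invalid` hosts are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

HTML_EXTS = (".html", ".htm", ".xhtml")  # attachment extensions named in the article
SCRIPT_RULES = (("js-redirect", re.compile(r"location(\.href)?\s*=|location\.(replace|assign)\(")),
                ("embedded-blob", re.compile(r"[A-Za-z0-9+/]{1000,}")))  # assumed heuristics

class IndicatorParser(HTMLParser):  # collects indicator names for one attachment
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = set(), False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self.in_script = tag == "script"
        if self.in_script and re.match(r"\s*(https?:)?//", a.get("src", ""), re.I):
            self.findings.add("remote-script")   # script loaded from another host
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.add("password-field")  # attachment asks for credentials

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # only inspect inline script text, not page copy
            self.findings |= {name for name, rx in SCRIPT_RULES if rx.search(data)}

def scan_message(raw: bytes) -> dict:
    """Map each HTML attachment's filename to its sorted indicator list."""
    report = {}
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        if name.lower().endswith(HTML_EXTS):
            parser = IndicatorParser()
            parser.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
            parser.close()
            report[name] = sorted(parser.findings)
    return report

def build_sample() -> bytes:
    """Constructed demo message; the .invalid hosts are placeholders."""
    html = ('<script src="https://cdn.example.invalid/r.js"></script><script>var b="'
            + "A" * 1200 + '";location.href="//login.example.invalid/";</script>'
            '<input type="password" name="pw">')
    msg = EmailMessage()
    msg.set_content("See attached report.")
    msg.add_attachment(html, subtype="html", filename="report.HTML")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` reports all four indicators for `report.HTML`; an attachment with no findings still appears in the report with an empty list, so a gateway policy can choose to quarantine by file type alone.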

Reach out to [email protected] to book your free consultation or to request a quote to keep your users and business safe.
