The average person interacts with HTML every day while surfing the internet. Unless they are a UX developer or designer, however, they probably shouldn’t expect to receive HTML attachments in their emails.
If you’ve recently received an email with an HTML attachment, then there’s a growing chance that it’s a phishing attack. These HTML attachments host webpages on the victim’s device instead of the public internet, which is a strategic way for hackers to avoid URL reputation checks.
- Be suspicious of any email that contains an HTML or .htm attachment.
- Admins should consider blocking HTML attachments and treating them just like executables (.exe, .cab).
How an HTML attachment attack works
While users typically have to click on a link to reach a fake cloud/bank login page, hackers are now tricking them into downloading a fake login page. When a user downloads and opens an HTML attachment in the browser, the webpage is served from their own device rather than from the internet, where it would need a public URL.
Without a URL pointing to the phishing page, there is no reputation associated with it. This is convenient for the hacker: they escape the strict HTML limitations enforced in email bodies and are spared the headache of hosting a phishing page on a compromised site.
1. Hackers send a phishing email with an HTML attachment to victims.
The HTML attachment contains a <script> tag, fetching a script from what appears to be HTML entities:
2. When the victim opens the attachment in the browser, HTML rendering converts the HTML entities into a URL.
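A defender-side check for the technique in steps 1 and 2, as an added example that is not code from the original article: it parses an attachment, compares each `<script src>` value as written with what HTML rendering decodes it to, and flags remote sources spelled out with numeric character references. The sample attachment, the placeholder host `a.invalid`, and the names `audit_attachment` and `needless_refs` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample attachment (not from the article); a.invalid is a placeholder host.
SAMPLE = """<html><body>
<script src="https://static.example.com/app.js?a=1&amp;b=2"></script>
<script src="&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#97;&#46;&#105;&#110;&#118;&#97;&#108;&#105;&#100;&#47;&#108;&#46;&#106;&#115;"></script>
</body></html>"""

SRC_RE = re.compile(r"""(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
NUM_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")

def needless_refs(raw):
    """Count numeric character references that spell plain URL characters
    (letters, digits, ':', '/', '.', '-'), which never need escaping."""
    count = 0
    for hex_digits, dec_digits in NUM_REF.findall(raw):
        cp = int(hex_digits, 16) if hex_digits else int(dec_digits)
        if cp < 128 and (chr(cp).isalnum() or chr(cp) in ":/.-"):
            count += 1
    return count

class ScriptSrcAuditor(HTMLParser):
    """Records each <script src> as written (raw) and as the browser sees it (decoded)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands over attribute values already entity-decoded.
        decoded = next((v for k, v in attrs if k == "src"), None)
        if tag != "script" or not decoded:
            return
        # Recover the undecoded value from the raw tag text.
        m = SRC_RE.search(self.get_starttag_text())
        raw = next((g for g in m.groups() if g is not None), "") if m else ""
        remote = decoded.lower().startswith(("http://", "https://", "//"))
        self.findings.append({"raw": raw, "decoded": decoded, "remote": remote,
                              "suspicious": remote and needless_refs(raw) > 0})

def audit_attachment(html_text):
    auditor = ScriptSrcAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for finding in audit_attachment(SAMPLE):
        print(finding["suspicious"], finding["decoded"])
```

The `&amp;` in the first script's query string is ordinary escaping and is not flagged; only references that encode characters with no reason to be escaped count toward the verdict.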