Researchers at IT security firm Barracuda Networks recently analysed data on the millions of attachments scanned by Barracuda systems over the past month. They found almost 21% of all HTML attachments scanned by the company to be malicious.
HTML attachments are commonly used for email communication. These are particularly used for system-generated email reports that users might receive regularly. These messages include URL links to the actual report. Attackers have been embedding HTML attachments in emails disguised as a weekly report, tricking users into clicking on phishing links. This is a successful technique because hackers no longer need to include malicious links in an email, allowing them to easily bypass anti-spam and anti-virus systems.
The malicious HTML attachments are being used for credentials phishing. They include a link to a phishing site, which, when opened, gets redirected to a third-party machine that requests the users to enter their credentials to access information or download a file that may contain malware. Hackers don’t always need to create a fake website. They can create a phishing form directly embedded in the attachment, ultimately sending phishing sites as attachments instead of links.
“These attacks are difficult to detect because HTML attachments per se are not malicious,” says Parag Khurana, country manager, Barracuda Networks India.
Considering such attachments are hard to identify accurately, machine learning and static code analysis offer the best solutions to deal with them, as they evaluate an email to identify and block malicious HTML attachments. Meanwhile, given the volume of such attacks, users should be wary of all HTML attachments, especially those from sources they haven’t encountered before.
In case malicious emails do get through, it is necessary to keep post-delivery remediation tools ready to quickly identify and remove such emails from all user inboxes. Automated incident response can help do this quickly before attacks spread through an organisation, and account takeover protection can monitor and alert the users to suspicious account activity if login credentials are compromised.