This is what one cybersecurity firm noticed in surveying a month’s worth of attachments being scanned in its user base

In a cybersecurity firm’s analysis of millions of attachments scanned on its user base over a period of one month, HTML attachments were the most commonly used (21%) for malicious purposes, compared to text (9%), xHTML (4%), binaries (3%) scripts (JS, PS: 0.08%), PDFs (0.009%) and other types of attachments.

Attackers can embed HTML attachments in emails disguised as system-generated weekly reports, carrying a level of default trust that leads recipients into clicking on phishing links within the attachment.

This means hackers no longer need to include malicious links in the body of an email, allowing them to bypass anti-spam and anti-virus policies with ease. And because HTML attachments themselves are deem not malicious, they can easily bypass basic anti-spam and anti-virus software. This makes malicious HTML attachments more difficult to detect, compared to malicious links in the body of an email.

According to Mark Lukie, Systems Engineer Manager (Asia-Pacific), Barracuda, which conducted the analysis, HTML attachments are not only widely used for system-generated email reports, and in themselves are not malicious, thereby making such attacks more difficult to detect.

“Therefore, businesses should ensure that email protection (solutions) scan and block malicious HTML attachments by leveraging machine learning and static code analysis to evaluate the content of an email and not just an attachment. It’s also important to train users to identify and report potentially malicious HTML attachments by including examples of these attacks as part of phishing simulation campaigns. And if malicious email does get through, have post-delivery remediation tools ready to quickly identify and remove any instances of malicious email from all user inboxes.”

The firm recommends that email protection solutions take into account an entire email with HTML attachments, looking at all redirects and analyzing the content for malicious intent.