In the last three years, one of the most popular vectors for malware and other types of malicious code has been the humble email attachment. More specifically, attachments coded in the Hypertext Markup Language or HTML, have become an increasingly popular way of enacting a number of different (and increasingly sophisticated) cybercrimes, including identity fraud via remote access Trojans (RATs), ransomware attacks, and phishing scams. Worryingly, this is not an isolated incident or some sort of mass attack from one threat agent; malicious HTML attachments now seem to be the preferred choice of many individual hackers around the world in 2023. Sometimes referred to as “HTML Smuggling” in more sophisticated cases where the malicious payload is in the HTML attachment itself, this technique (although long known and used by various cybercriminals over the years) came to prominence via a spear-phishing campaign by notable threat actor NOBELIUM. In recent years, this technique has been used to deliver a range of notable malware, including Mekotio (the infamous banking Trojan), Trickbot, and AsyncRAT/NJRAT. With the rise of this type of cybercrime and one in three US homes being infected with some sort of malware, it’s important to understand how malicious HTML attachment (and HTML smuggling) attacks work, and how to protect against it. That’s why we created this guide to HTML attachments and HTML smuggling, so you can have peace of mind wherever you want to access your emails.
Malicious HTML attachments are a type of malware that is usually found in emails in the form of their attachments. They are activated, primarily, when the user clicks on the infected HTML file attachment. Once opened, the user is redirected via externally hosted JavaScript libraries to the hacker’s phishing website (or another form of malicious content controlled by the attacker, such as a login page). The most well-known forms of this kind of HTML phishing scam often look like a Microsoft pop-up window. The window will ask the user for some kind of personal credential/login details that will allow them to download the HTML file attachment received in the hacker’s email. Once entered, the user’s details are sent to the hacker for further exploitation, including financial theft, identity fraud, and extortion through ransomware.
HTML smuggling, known as a more technical form of an HTML attachment malware attack, makes use of HTML 5 and JavaScript to allow a cybercriminal to “smuggle” malicious code onto the victim’s computer via a uniquely crafted script, which is embedded in the HTML attachment itself. When the victim of the attack opens the malicious HTML attachment in their web browser, the browser decodes the embedded script, which assembles the payload on the victim’s own computing device. This allows the hacker to build the malware locally behind the victim’s firewall. This type of attack takes advantage of the fact that both HTML and JavaScript are some of the most common and important parts of trusted day-to-day computing (in the context of business and personal use). As a result, this technique can then bypass standard security control software (such as web proxies and email gateways) that are only checking for traffic-based signatures or conventionally suspicious attachment types like .EXE, .ZIP, or .DOCX. As the malicious files are created after the file is loaded via the browser on the victim’s machine, standard security solutions will only register benign HTML and JavaScript traffic. In addition, more advanced cybercriminal techniques such as “obfuscation” allow hackers to successfully hide their malicious scripts from more advanced security software. HTML smuggling works by leveraging the “download” attribute for anchor tags and the use of JavaScript Blobs to assemble the payload on the victim’s device. Once the “download” attribute has been clicked, it allows an HTML file to automatically download a malicious file referenced in the “href” tag. With the use of JavaScript, a similar process is enacted: the JavaScript Blobs store the encoded data of the malicious file, which is then decoded when passed to a JavaScript API that expects a URL. This means that the malicious file is automatically downloaded and constructed locally on the victim’s device using JavaScript codes.
With HTML being one of the most popular types of attachment to smuggle malware onto a user’s system, it’s important to be aware of other popular file types that could be equally as dangerous:
As previously mentioned, .EXE files or executable files on a Windows operating system are a popular (and well-known) threat vector that you should be on the lookout for. If you see one of these in an email (from a trusted sender or otherwise), you should avoid downloading and actioning the file.
ISO files are usually used to store and exchange a copy of everything on a computer’s disk drive and distribute systems like Apple or Windows. As Windows can now mount these files without any extra software, this type of malware attachment has gained popularity in recent years. However, if you receive these via a personal or professional email account and have not asked for an entire system or are not partitioning your computer to run multiple operating systems, there is no need to have this file. So, in almost all cases, do not download it and delete this file from your inbox, as it is almost certainly malware.
As Microsoft Office files (such as .DOCX, .XLSX, or .PPTX) are ubiquitous as the standard business formats around the world, they are the ideal vehicle to deliver all kinds of malware to unsuspecting businesses. They are also one of the hardest to guard against and are usually seen in the form of an urgent invoice or final demand, which tricks the victim into opening the files.
Fortunately, there are a number of steps that you can take to mitigate and defend against the threat posed by malicious HTML attachments.
A dedicated email scanning and protection system is the first defense against malicious email attachments and embedded scripts. However, as noted above, standard security systems aren’t enough to control the evolving threat posed by today’s cybercriminals. Today, cybersecurity specialists recommend an antivirus solution that includes machine learning and static code analysis, which evaluates the actual content of an email and not just its attachment. For an advanced online cybersecurity solution, we recommend Kaspersky Premium. An award-winning system for both businesses and personal users, our premium package comes with remote assistance and 24/7 support.
Even if a breach or a loss of credentials occurs, limiting user access to essential personnel is a great way of reducing the damage that a cybercriminal can realistically inflict. You should also make sure that users who do have access to vital systems use multi-factor authentication (sometimes referred to as MFA, two-factor verification, or 2FA) to further reduce exposure by adding another layer to your cybersecurity strategy. Additionally, an important way to protect your vital assets from employee access errors (particularly if they are working remotely) is by using a Virtual Private Network or VPN. Kaspersky’s VPN allows its users to connect to their company’s servers remotely via an encrypted digital tunnel. This tunnel protects their system from the potential dangers of public Wi-Fi and unsecured internet connections wherever they are in the world.
One of the easiest ways to keep any precious assets safe from an HTML attachment attack is to train your staff (or yourself) in cybersecurity best practices and how to spot suspicious emails, files, and attachments. This includes not sharing any passwords or business login credentials with colleagues, not reusing passwords for multiple software or accounts (we recommend using a Password Manager or Vault, which encrypts your passwords and auto-fills each one when needed), and always using a strong password or passphrase (10-12 characters long, containing a mix of special characters, numbers, uppercase, and lowercase letters).
HTML attachments are files attached to emails that are coded in the Hypertext Markup Language. In the last few years, malicious HTML attachments (those containing embedded malware or JavaScript-based links to phishing websites), have become popular vectors for cybercriminals looking to bypass email firewalls and protection systems.
Yes, HTML files can contain viruses and other sorts of malware, including phishing scams and ransomware. This type of cyberattack is known as a malicious HTML attachment or HTML smuggling attack. It involves using JavaScript links to fake login windows or embedded malware to exploit a user’s credentials and personal files.
Yes, HTML files (including attachments on emails) can be very dangerous to your system. In recent years, cybersecurity specialists have seen a rise in sophisticated cyberattacks using malicious HTML attachments to steal personal data. This type of attack is often referred to as HMTL smuggling.
Recommended products: