Malicious HTML attachments a popular cyber threat: Barracuda
The security industry has been highlighting the cybercriminal misuse of HTML for years, and evidence suggests it remains a successful and popular attack tool.
"Last year, we reported that around one-in-five (21%) of all HTML attachments scanned by Barracuda in May 2022 were malicious. Ten months on, that figure has more than doubled - 45.7% of scanned HTML files were found to be malicious in March 2023," says Fleming Shi, chief technology officer at Barracuda Networks.
HTML stands for Hypertext Markup Language, and it is used to create and structure content that is displayed online. HTML is also commonly used in email communication. For example, automated reports that users might receive regularly, such as newsletters, marketing materials, and more. Reports are often attached to an email in HTML format (with the file extension .html, .htm or .xhtml, for example).
The recipient is unlikely to be suspicious if the communication appears to come from a known or trusted brand.
However, attackers can successfully leverage HTML as an attack technique by using well-crafted messages and/or compromised websites and malicious HTML file attachments to trick users.
Attackers use this approach to conceal malicious intentions such as phishing, credential theft, and more.
If the recipient opens the HTML file, multiple redirects via JavaScript libraries hosted elsewhere will take them to a phishing site or other malicious content controlled by the attackers. Users are then asked to enter their credentials to access information or download a file that may contain malware.
However, in some cases seen by Barracuda researchers, the HTML file itself includes sophisticated malware with the complete malicious payload embedded within it, including potent scripts and executables. As a result, this attack technique is becoming more widely used than those involving externally hosted JavaScript files.
Protection against malicious HTML-based attacks should consider the entire email carrying HTML attachments, looking at all redirects and analysing the content of the email for malicious intent.
Recent examples of malicious HTML attachments are often similar to those seen in the past. For example, the phishing attachment that looks like a Microsoft login has been popular for years. However, their continued and widespread use in attacks suggests attackers remain successful in trapping victims.
"If you compare the total number of malicious HTML detections to how many different (unique) files were detected, it becomes clear that the growing volume of malicious files detected is not simply the result of a limited number of mass attacks, but the result of many different attacks each using specially crafted files. For example, daily detection data for the three months from January to March 2023 reveals two significant attack peaks, on March 7 and March 23," says Shi.
"On March 7, there were 672,145 malicious HTML artifacts detected in total, comprising 181,176 different items. This means that around a quarter (27%) of the detected files were unique, and the rest were repeat or mass deployments of those files. However, on March 23, almost nine in ten (405,438 - 85%) of the total 475,938 malicious HTML artefacts were unique, which means that almost every single attack was different."
Barracuda's analysis further shows that not only is the overall volume of malicious HTML attachments increasing, but nearly a year after its last report, HTML attachments remain the file type most likely to be used for malicious purposes.
The fact that something has been around for a while doesn't appear to make it any less potent when it comes to attack tactics and tools. Attackers are still using malicious HTML because it works. So getting the proper security in place is as important now as ever, if not more so.
On the ways to protect against malicious HTML attachments, Shi explains, "It is essential is to have effective email protection in place and ensure that your security scanning can identify and block malicious HTML attachments. Because these are not always easy to identify for the reasons above, the best solutions will include machine learning and static code analysis that will evaluate the content of an email and not just an attachment."
Training people to spot and report potentially malicious HTML attachments is also important. Given the volume and diversity of these attacks, it's probably good to be wary of all HTML attachments, especially those coming from sources they haven't seen before. Also, remind people not to share their login credentials with anyone.
Multifactor authentication (MFA) remains a reasonable access control, but attackers increasingly use advanced social engineering techniques, such as MFA fatigue, to bypass many types of MFA protection. Consider turning to Zero Trust Access measures to enhance security.
"An effective Zero Trust solution such as Barracuda CloudGen Access dynamically monitors multiple parameters, which makes it much more difficult for attackers to compromise your network using stolen credentials," adds Shi.
"If a malicious HTML file does get through, make sure you have post-delivery remediation tools to quickly identify and remove malicious emails from all user inboxes. An automated incident response can help to do this before the attack spreads through an organisation. In addition, account takeover protection can monitor and alert you to any suspicious account activity if login credentials were to be compromised. Barracuda has identified 13 email threat types, and published a guide explaining how they target and compromise victims, and how to defend against them," concludes Shi.