blog.barracuda.com
20.252.42.4
Public Scan
URL: https://blog.barracuda.com/2023/05/03/threat-spotlight-malicious-html-attachments-doubles/
Submission: On May 04 via api from TR — Scanned from GB
Text Content
THREAT SPOTLIGHT: PROPORTION OF MALICIOUS HTML ATTACHMENTS DOUBLES WITHIN A YEAR

May. 3, 2023 | Fleming Shi

The security industry has been highlighting the cybercriminal misuse of HTML for years — and evidence suggests it remains a successful and popular attack tool. Last year we reported that around one-in-five (21%) of all HTML attachments scanned by Barracuda in May 2022 were malicious. Ten months on, that figure has more than doubled — 45.7% of scanned HTML files were found to be malicious in March 2023.

THE LEGITIMATE USE OF HTML

HTML stands for Hypertext Markup Language, and it is used to create and structure content that is displayed online. HTML is also commonly used in email communication, for example in automated reports that users might be receiving on a regular basis, such as newsletters, marketing materials, and more. In many cases, reports are attached to an email in HTML format (with the file extension .html, .htm or .xhtml, for example). If the communication appears to come from a known or trusted brand, the recipient is unlikely to be suspicious.

THE MALICIOUS USE OF HTML

However, attackers can successfully leverage HTML as an attack technique by using well-crafted messages and/or compromised websites and malicious HTML file attachments to trick users. This approach is used by attackers to conceal malicious intentions such as phishing, credential theft, and more. If the recipient opens the HTML file, multiple redirects via JavaScript libraries hosted elsewhere will take them to a phishing site or other malicious content controlled by the attackers. Users are then asked to enter their credentials to access information or download a file that may contain malware.

However, in some cases seen by Barracuda researchers, the HTML file itself includes sophisticated malware which has the complete malicious payload embedded within it, including potent scripts and executables. This attack technique is becoming more widely used than those involving externally hosted JavaScript files. Protection against malicious HTML-based attacks should take into account the entire email carrying HTML attachments, looking at all redirects and analyzing the content of the email for malicious intent. More on that below.

RECENT EXAMPLES OF MALICIOUS HTML ATTACHMENTS ARE OFTEN SIMILAR TO THOSE SEEN IN THE PAST

For example, phishing attachments like the following, which looks like a Microsoft login, have been popular for some years, and their continued and widespread use in attacks suggests attackers remain successful in trapping victims.

PROPORTION OF UNIQUE ATTACKS

If you compare the total number of malicious HTML detections to how many different (unique) files were detected, it becomes clear that the growing volume of malicious files detected is not simply the result of a limited number of mass attacks, but the result of many different attacks each using specially crafted files.

For example, daily detection data for the three months from January to March 2023 reveals two significant attack peaks, on March 7 and March 23. On March 7, there were 672,145 malicious HTML artifacts detected in total, comprising 181,176 different items. This means that around a quarter (27%) of the detected files were unique and the rest were repeat or mass deployments of those files. However, on March 23, almost nine in ten (405,438 — 85%) of the total 475,938 malicious HTML artifacts were unique, which means that almost every single attack was different.

HTML ATTACHMENTS CONTINUE TO DOMINATE THE LIST OF FILE TYPES USED FOR MALICIOUS PURPOSES

Barracuda analysis further shows that not only is the overall volume of malicious HTML attachments increasing; nearly a year on from our last report, HTML attachments also remain the file type most likely to be used for malicious purposes.

[Figures: In 2022 / In 2023]

When it comes to attack tactics and tools, the fact that something has been around for a while doesn’t appear to make it any less potent. Malicious HTML is still being used by attackers because it works. Getting the right security in place is as important now as it has ever been, if not more so.

HOW TO PROTECT AGAINST MALICIOUS HTML ATTACHMENTS

* Email protection – It is essential to have effective email protection in place and to ensure that your security scanning can identify and block malicious HTML attachments. Because these are not always easy to identify for the reasons above, the best solutions will include machine learning and static code analysis that will evaluate the content of an email and not just an attachment.
* User education and awareness – Train people to spot and report potentially malicious HTML attachments. Given the volume and diversity of these types of attacks, it’s probably good to be wary of all HTML attachments, especially those coming from sources they haven’t seen before. Remind people not to share their login credentials with anyone, ever.
* Robust authentication and access controls – Multifactor authentication (MFA) remains a good access control, but attackers are increasingly turning to advanced social engineering techniques, such as MFA fatigue, to bypass many types of MFA protection. Consider turning to Zero Trust Access measures to enhance security. An effective Zero Trust solution such as Barracuda CloudGen Access dynamically monitors multiple parameters — user, device, location, time, resources being accessed, and more — which makes it much more difficult for attackers to compromise your network using stolen credentials.
* If a malicious HTML file does get through – Make sure you have post-delivery remediation tools to quickly identify and remove malicious emails from all user inboxes. An automated incident response can help to do this before the attack spreads through an organization. In addition, account takeover protection can monitor and alert you to any suspicious account activity if login credentials were to be compromised.

Barracuda has identified 13 email threat types, and published a guide explaining how they target and compromise victims, and how to defend against them.

E-book: 13 email threat types to know about right now

Fleming Shi is Chief Technology Officer at Barracuda, where he leads the company’s threat research and innovation engineering teams in building future technology platforms. He has more than 20 patents granted or pending in network and content security.