www.csoonline.com
151.101.130.165
Public Scan
URL:
https://www.csoonline.com/article/3695075/attacks-increasingly-use-malicious-html-email-attachments.html
Submission: On May 04 via api from TR — Scanned from DE
Form analysis
1 forms found in the DOM
Text Content
News Analysis

ATTACKS INCREASINGLY USE MALICIOUS HTML EMAIL ATTACHMENTS

NEW RESEARCH SHOWS THAT UP TO A HALF OF ALL HTML EMAIL ATTACHMENTS ARE MALICIOUS, AND NOT JUST BECAUSE OF A FEW MASSIVE CAMPAIGNS.

By Lucian Constantin, CSO Senior Writer, CSO | 3 May 2023 12:34

Researchers warn that attackers are relying more on malicious HTML files in their attacks, with malicious files now accounting for half of all HTML attachments sent via email. This prevalence of malicious HTML is double what it was last year and doesn't appear to be the result of mass attack campaigns that send the same attachment to a large number of people.

"When it comes to attack tactics and tools, the fact that something has been around for a while doesn’t appear to make it any less potent," researchers from security firm Barracuda Networks said in a new report. "Malicious HTML is still being used by attackers because it works. Getting the right security in place is as important now as it has ever been, if not more so."

WHY IS HTML AN ATTACKER FAVORITE?
HTML, the standard markup language for displaying Web content, has many legitimate uses inside email communications. For example, enterprise users often receive reports that various applications and tools generate and send by email. As a result, users are not suspicious when they see this type of attachment, and email security gateway filters can't ban the attachment type outright.

HTML is also flexible in terms of what types of attacks it can enable. One of the most common use cases is credential phishing, with attackers crafting HTML attachments that, when opened, masquerade as the login page for various services. This can also be dynamic, with the HTML including JavaScript code that redirects the user to a phishing site. Imagine receiving an email that seems like an automated notification for a DHL parcel, opening the HTML attachment, and seeing a copy of the DHL login page.

In other cases, the HTML attachments include links and lures that try to convince users to download a secondary file that's actually a malware payload. The benefit for attackers is that this method of malware delivery has a much higher chance of bypassing the email security gateway compared to attaching a malware payload directly inside a zip archive or as a different file type. Since the lure is now in front of the user, if they agree to download the file locally to their computer, it's up to the endpoint protection solution to detect it, so attackers have already defeated the first layer of defense.

"However, in some cases seen by Barracuda researchers, the HTML file itself includes sophisticated malware which has the complete malicious payload embedded within it, including potent scripts and executables," the researchers said. "This attack technique is becoming more widely used than those involving externally hosted JavaScript files."
THE PREVALENCE OF MALICIOUS HTML ATTACHMENTS

Barracuda used its telemetry to perform an analysis in May 2022 and found that 21% of the HTML attachments its products scanned that month were malicious. This was by far the highest malicious-to-clean ratio of any file type sent via email, but it has progressively gotten worse since then, reaching 45.7% in March this year. So, for anyone who receives an HTML attachment via email right now, there's a one in two chance it's malicious.

However, to make sure the data is not skewed by a few massive attacks, the researchers also looked at the uniqueness of the files. The researchers picked two dates from January to March where large spikes of malicious HTML files were detected, suggesting possible mass attacks. On March 7, the company's products scanned 672,145 malicious HTML artifacts of which 181,176 were different, meaning around a quarter of the attachments were the result of unique attacks. For the second spike, on March 23, things were much worse. Of 475,938 malicious HTML detections, 85%, or almost nine in ten, were unique.

"Protection against malicious HTML-based attacks should take into account the entire email carrying HTML attachments, looking at all redirects, and analyzing the content of the email for malicious intent," the researchers said.

HOW TO MITIGATE MALICIOUS HTML ATTACHMENTS

The company's recommendation is to choose email security solutions that can evaluate the entire email context and not just the attachment's contents. Training employees to spot and report malicious HTML attachments and to be wary of such attachments from unknown sources is also very important. It's also important for the company to have incident response tools and processes that allow removing an attachment from all mailboxes it might have reached once it's flagged as malicious by the security team.
Using two-factor authentication coupled with zero-trust access solutions that evaluate not only the credentials, but also the user's device, location, time zone, and history, can limit breaches even if users fall victim to phishing and credential theft. Accounts should also have post-login monitoring that can alert the security team if any suspicious behavior is detected.

Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2023 IDG Communications, Inc.