Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

HTML File Attachments: Still A Threat


This past month, Trustwave SpiderLabs observed that HTML (Hypertext Markup Language) file attachments had become a common occurrence in our spam traps, which is not unusual since malware is often delivered through phishing spam. For the past 30 days, SpiderLabs has found the combination of .HTML (11.39%) and .HTM (2.7%) files are our second most spammed file attachment, totalling 14.09%, followed by .EXE files at 12.84%. 

Figure 1: HTML file attachment type percentages

These threat actors are phishers, the main purpose is to steal sensitive information (like login credentials and credit card information) either for identity theft, extortion, to get access to the victim's finances, to buy goods or services, etc.

According to Microsoft, cybercriminal group DEV-0238 and DEV-0253 have also been sending HTML attachments that use HTML smuggling to deliver keyloggers. Microsoft has also attributed HTML smuggling to cybercriminal group DEV-0193 with HTML smuggling to deliver Trickbot malware.

Phishing attacks using HTML attachments

The most common spammed HTML attachments seen are phishing pages. The HTML file itself is generally benign, meaning it does not have any malicious code that launches arbitrary code into the system. This attachment, however, should be treated with caution. It mimics the sign-in page for services like Microsoft, Google or online banking pages and the danger is when a user falls for the scam, enters their credentials into the form, and submits it.  

Figure 2: Samples of phishing email with HTML attachments

Figure 3: HTML attachments that mimic Microsoft sign-in page. The phishing page may also have the target user’s email address hard-coded in the page.

SpiderLabs noticed that recent phishing HTML files contained the hard-coded email addresses of the target user – this makes it more convincing to the victim. In the source level, adversaries would employ various levels of code obfuscation. JavaScript codes are usually obfuscated with open-source tools like JavaScript Obfuscator. HTML files are not stand-alone though, as they pull additional jQuery library, CSS and JavaScript code from various remote web servers for handling form objects, and form actions.

Hard-coding the email addresses helps trick the victim into believing they had previously signed-on to the page, since they only need to enter their password. Overall, this tactic makes the email appear more legitimate.

Below is an HTML source from one of the phishing attacks. It shows the level of JavaScript obfuscation.

Figure 4: Phishing HTML source code

In most instances, the HTML file is not fully autonomous. The JavaScript source injected as inline scripts are usually loaded from a remote server, from a mixture of legitimate CDN (content delivery network) hosts, or from the host operated by the actors. Usually, the JavaScript that handles the data exfiltration is hosted by the actor’s web server (or operated by them).  

Figure 5: Inspecting the HTML source shows the JavaScript files it pulls from the remote web server.

Figure 6: A JavaScript code loaded from the remote host (valdia.quatiappcn.pw) by the HTML attachment file. It handles additional HTML DOM form actions, jQuery objects, CSS styling as well as anti-debugging and URL form checking.

Malware Delivery using HTML smuggling

To evade email gateways, a technique called HTML smuggling is being utilized by adversaries to deliver malware binary to a target user. This method employs HTML 5 that could work offline by storing a binary in an immutable blob of data in the form of a JavaScript code. When opened through a web browser, the data blob gets decoded into a file object. A download notification bar is then displayed to the user. With a combination of social engineering, it lures the target user to save the binary to the disk to open it.

The screenshot below is an example of a spam campaign with an HTML file attachment.

Figure 7: An example of a Qakbot spam campaign that uses HTML file attachment

When loaded into a browser, the HTML file invokes a JavaScript that seemingly looks like a file was downloaded from a remote web server. The zip file, however, is smuggled within the HTML source as a data blob, gets decoded by the JavaScript code and converted into a ZIP file.

Figure 8: File smuggling

The HTML source would look something like the screenshot below:

Figure 8.1: HTML source example

Shown below is the attack flow overview:

Figure 9: Attack flow overview


As you can see, obfuscation is the common denominator of this spammed HTML attachment. This just shows how difficult it is to detect this kind of threat in the email gateway layer. Although most of the time HTML files are benign when opened, the danger is subsequent to the user’s action. Coupled with social engineering, this is what makes this type of attack successful.


















Phishing HTML attachment


ScannedDocuments_9720709.html : Qakbot

ScannedDocuments_9720709.img : Qakbot