The average person interacts with HTML every day while surfing the internet. Unless they are a UX developer or designer, however, they probably shouldn’t expect to receive HTML attachments in their emails.
If you’ve recently received an email with an HTML attachment, then there’s a growing chance that it’s a phishing attack. These HTML attachments host webpages on the victim’s device instead of the public internet, which is a strategic way for hackers to avoid URL reputation checks.
Malicious HTML attachments in these attacks use links, JavaScript, embedded images, HTML entities, and custom CSS to evade detection. Some attacks include sophisticated obfuscation techniques, such as the ones we found in the baseStriker and ZeroFont attacks. This attack is particularly dangerous in collaboration suites such as Office 365.
While users typically have to click on a link to reach a fake cloud/bank login page, hackers are now tricking them into downloading a fake login page. When a user downloads and opens an HTML attachment in the browser, the webpage is hosted on their device and not the internet, which requires a public URL.
Without a URL pointing to the phishing page, there is no reputation associated with it. This is convenient to the hacker because he or she escapes the strict HTML limitations enforced in email bodies while saving them the headache of hosting a phishing page on a compromised site.
The HTML attachment contains a <script> tag, fetching a script from what appears to be HTML entities:
This is the HTML-entity-decoded <script> tag looks like, revealing the hidden URL of a malicious JavaScript file:
The browser, rendering the HTML, automatically fetches the JavaScript file from the URL.
The code in the JavaScript file looks like gibberish but actually, it’s escaped JavaScript: code that has been converted into hexadecimal to make it unreadable to humans and most security tools.
The escape function is considered undesired/depreciated and is not recommended for usage under JavaScript’s current best practice.
After the browser fetches the JavaScript file, it executes the JavaScript unescape command. This converts the hexadecimals into code that creates HTML. The HTML, as seen in the image below, contains embedded images (base64 encoded), a form, and most importantly, a visually appealing page that begs for sensitive information. When the user submits their information into the HTML form, it is sent to an external server managed by the hacker.
These attacks bypass security features, especially when coupled with links, JavaScript, CSS, embedded images, and HTML entities. You should report any email with an HTML attachment for further investigation, because it likely leads to a credential harvesting page.