HTML attachments are more of a security risk than ever - here's what you need to know

News
By
published

The number of malicious HTML attachments is surging

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

A growing number of emails are arriving loaded with malicious or harmful HTML attachments, new research has warned.

A report from Barracuda found almost half (46%) of HTML attachment in emails it scanned was found to be malicious. Barracuda says the Hypertext Markup Language (HTML) is growing increasingly popular in phishing, credential theft, and other forms of cyberattacks. 

“If a recipient opens the HTML file, multiple redirects via JavaScript libraries hosted elsewhere will take them to a phishing site or other malicious content controlled by the attackers. Users are then asked to enter their credentials to access information or download a file that may contain malware,” Barracuda CTO, Fleming Shi, said in a blog post.

Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?) 

View Deal

Phishing threat

“However, in some cases seen by Barracuda researchers, the HTML file itself includes sophisticated malware which has the complete malicious payload embedded within it, including potent scripts and executables. This attack technique is becoming more widely used than those involving externally hosted JavaScript files.”

The CTO also said that the HTML threats are being distributed via countless individual attacks, rather than a handful of mass events. 

“On March 7, there were 672,145 malicious HTML artifacts detected in total, comprising 181,176 different items. This means that around a quarter (27%) of the detected files were unique and the rest were repeat or mass deployments of those files,” Shi said. “However, on March 23, almost nine in ten (85%) of the total 475,938 malicious HTML artifacts were unique – which means that almost every single attack was different.”

Read more

> Google is killing off passwords in favor of something new - here's what you need to know

> Everything you need to know about phishing

> Here's our list of the best firewalls around

The figures are pointing to HTML attachments remaining one of the most common ways to deliver malware through email, the blog concludes, saying that it’s pivotal for businesses to have the right security solutions set up. “This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments,” it was said.

Multi-factor authentication, zero-trust access controls, as well as automation in response and attack remediation, is also essential to any organization’s cybersecurity tech stack, right next to employee training, Shi concluded.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Man holding a mobile phone with warning notification and spam message icon
Businesses received over 20 billion spam emails this year
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
SVG files are offering cybercriminals an easy way in with new phishing attacks
Fraude en ligne phishing
Phishing clicks nearly tripled in 2024 as criminals aim for smarter attacks
email
Hidden text "salting" is letting hackers craft devious email attacks to evade detection
email
A Windows filetype update may have complicated cyber threat detection efforts
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
Latest in Security
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Polish space agency says it was hit by a cyberattack
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Latest in News
Close up of PS5 DualSense controller leaning on a PS5
Sony goes full Xbox Insider with new Beta Program at PlayStation initiative, offering the testing of new games and features before release
Artificial Intelligence
Amazon is apparently going all-in on agentic AI
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Google Pixel 9 Pro
Here are the 7 best Pixel 9 and Pixel Watch 3 features landing in March’s Pixel Feature Drop
More about security
A graphic showing fleet tracking locations over a city.

Lost & Found tracking site hit by major data breach - over 800,000 could be affected
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

Microsoft Teams and other Windows tools hijacked to hack corporate networks
Close up of PS5 DualSense controller leaning on a PS5

Sony goes full Xbox Insider with new Beta Program at PlayStation initiative, offering the testing of new games and features before release
See more latest
Most Popular
Close up of PS5 DualSense controller leaning on a PS5
Sony goes full Xbox Insider with new Beta Program at PlayStation initiative, offering the testing of new games and features before release
Artificial Intelligence
Amazon is apparently going all-in on agentic AI
A collage of Daredevil in Daredevil: Born Again and Tom Holland's Peter Parker in Spider-Man: Far From Home
Daredevil: Born Again episode 2 just gave me hope that the titular hero will join forces with Spider-Man in the MCU, but it won't happen on Disney+
Circular Ring 2
The Circular Ring 2 solves a crucial smart ring problem, and it's available to pre-order now
HTC Viverse
The company formerly known as HTC is doubling down on immersive worlds, AI, spatial computing and ... 6G?
A business woman looking at AI on a transparent screen
Businesses are facing an "AI Divide" - which could be the difference between success and failure
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Apple Vision Pro with Dassault Systèmes 3DEXPERIENCE platform
Dassault Systèmes teams up with Apple to use Vision Pro headsets to bring spatial CAD to life
Samsung 18.1-inch foldable OLED monitor
Samsung has launched a flexible portable monitor complete with a briefcase, one that seems to come straight from a James Bond movie
GenMachine Zhi mini pc
This is the smallest AMD PC I've ever seen: mysterious manufacturer uses Ryzen 3 APU with surprising results