Cybercriminals increasingly leverage sophisticated HTML techniques to circumvent email security filters, putting users and organizations at greater risk of falling victim to phishing attacks.
These attacks, often disguised as legitimate documents such as invoices or HR policies, exploit various HTML functions to deceive both users and security systems alike.
HTML attachments have become a favored tool for attackers due to their versatility and ability to bypass traditional security measures. These attachments can contain embedded JavaScript, which executes malicious actions when opened, such as redirecting users to phishing sites or harvesting credentials directly from the user’s device.
One of the most prevalent techniques employed by attackers is JavaScript obfuscation. This method involves disguising the malicious code within the HTML attachment, making it extremely difficult for security systems to identify and block.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
For example, cybercriminals often use ready-made tools like JavaScript Obfuscator to obscure either the phishing link itself or the entire script, sometimes even obfuscating the whole HTML file, reads Broadcom report.
HTML Evasion Techniques
Attackers are employing a range of sophisticated evasion techniques to bypass email security filters:
- Deprecated JavaScript Methods: Surprisingly, some attackers are utilizing deprecated JavaScript methods like unescape() instead of modern alternatives such as decodeURI() and decodeURIComponent(). This unusual choice may be because older methods are less likely to be interpreted and detected by antispam engines.
- Unicode and HTML/CSS Tricks: Cybercriminals are exploiting Unicode characters and HTML/CSS properties to disguise phishing emails. For instance, they use the Unicode “soft hyphen” to break up suspicious phrases, making them undetectable to security scanners while appearing normal to users.
- Content Escaping: Attackers use techniques like URL encoding and Base64 encoding to obfuscate content. These methods transform malicious code into seemingly innocuous strings that are only revealed when executed on the victim’s machine.
- Dynamic Content Injection: JavaScript is used to dynamically insert phishing forms into webpages after user interaction, a method known as client-side cloaking. This prevents traditional detection systems from recognizing the phishing intent until it’s too late.
The prevalence of these attacks is alarming. According to recent statistics, spear-phishing emails were used by almost two-thirds (65%) of all known groups carrying out targeted cyber attacks. Moreover, there has been a 45% increase in spear-phishing, social engineering, and smishing attacks.
The emergence of AI tools like ChatGPT has further complicated the landscape. Attackers can use these tools to create more convincing phishing emails and fake login pages with minimal coding expertise.
However, AI also offers potential defensive capabilities, with some AI-powered tools showing promise in detecting phishing links, albeit with current limitations in accuracy.
The accessibility of these attack methods is concerning. Custom phishing pages can be purchased for as little as $3-$12 on the dark web, while template phishing kits tailored to specific targets are available for around $40. This low barrier to entry has contributed to the proliferation of these attacks.
As these HTML-based phishing techniques continue to evolve, both individuals and organizations must remain vigilant and invest in advanced security solutions capable of detecting and mitigating these sophisticated threats.
Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free