KnowBe4 Alert: Cyber Criminals Switch to Malicious HTML Attachments


While ransomware attacks and new strains explode, organizations are reminded to be aware of new forms of social engineering that leave them open to attack

Spoofed Navy Federal email


KnowBe4, the US’s most popular security awareness training and integrated phishing platform, warned customers this week of a new wave of social engineering tactics being introduced by cyber criminals. While ransomware continues to surge, a new form of social engineering attack is showing up and bypassing antivirus and secure email gateway products: malicious attachments using the HTML format, which is used by banks for secure messaging.

KnowBe4’s phish-alert button (free plugin for Outlook, Office 365, Gmail and Notes) allows users to send suspicious phishing emails to IT or an internal incident response team with just one click. From these alerts, KnowBe4 analyzes which phishing attempts are making it through all the filters.

Over the past six to nine months .DOC and .JS file attachments have dominated the news surrounding the rise in phishing attacks. The reasons are obvious and understandable: those two file types (usually packaged in .ZIP files) are commonly used to deliver extremely dangerous ransomware and banker trojans. However, employees should be trained to be wary of another file type that now can be a malicious attachment: .HTML files.

KnowBe4 CEO Stu Sjouwerman said, “Fresh KnowBe4 Lab analysis shows that although not nearly as prevalent as .JS and .DOC file attachments, .HTML attachments are now potentially dangerous enough that we alert our customers and organizations in general to adjust their email gateway filters to include .HTML attachments if possible, and train their users to be aware.”

HTML attachments are commonly used by financial institutions to deliver secure documents and messages as well as to enable users to conduct banking business in a secure environment. HTML attachments we've analyzed recently have typically been used for a very prevalent phishing attack: the credentials phish, aimed at tricking users into believing they are being asked to log in to a trusted online institution. The login form they see, though, is fake, and the usernames and passwords they enter are quietly being harvested by the bad guys for future exploitation.

  • Bank credentials phishes are a familiar affair. The email body warns recipients of some urgent problem or issue requiring them to log in to their online bank accounts. The HTML pages used for these phishes more often resemble the targeted bank's home page than any actual HTML attachment used by a bank.
  • The bad guys also spoof popular online services, creating login pages that are nearly indistinguishable from the real thing. However, not all spoofed login forms are service or brand specific. KnowBe4 has seen an increasing number of brand-agnostic email login forms, delivered both as .HTML attachments and live online web pages. Although one such .HTML attachment prominently features the Google brand, it advertises to victims that the form will accept credentials for any manner of email address or account. Users could easily use their work email logins, opening a door directly into their employers' corporate networks.
  • Bad guys often use the ruse of spoofing a secure document or message delivery service to trick users into opening a potentially malicious file or coughing up secure credentials, such as through the use of an Adobe ID login.

Sjouwerman also noted, “Your best defense is to educate users. Employees who aren't security awareness trained often work with relatively simple models of how the online threat landscapes operate. While many users may recognize that .EXE and .PDF files are potentially dangerous or "bad," those same users will likely regard .HTML attachments as harmless and "good." Employees need to be educated about the wide variety of potentially malicious email attachments -- including .HTML attachments -- they may encounter in their inboxes.”

Effective training and frequent simulated phishing attacks are a vital step in managing the problem of social engineering and enabling employees to recognize and correctly respond to the actual threats they will encounter.

For more information visit:

About KnowBe4
KnowBe4 is the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, KnowBe4 was created by two of the best known names in cybersecurity, Kevin Mitnick (the World’s Most Famous Hacker), and Inc. 500 alum serial security entrepreneur Stu Sjouwerman, to help organizations manage the problem of social engineering tactics through new school security awareness training. The company maintains a top spot in the Cybersecurity 500, the definitive list of the world’s hottest and most innovative companies in cybersecurity. More than 3,500 organizations use KnowBe4’s platform to keep employees on their toes with security top of mind. KnowBe4 is used across all industries, including highly regulated fields such as finance, healthcare, energy, government and insurance.


Contact Author

Michael Becce