Barracuda Report Reveals HTML Attachments Remain the Most Dangerous File

A new Barracuda Threat Spotlight shows how, in March, 2023 just under half (45.7%) of all HTML attachments scanned by the company were malicious. The follows a steady upward trend in the proportion of malicious HTML files since Barracuda’s last report on the threat in May 2022 when the proportion was less than half (21%) of the current value. In comparison only 0.03% and 0.009% the highly popular Microsoft Office and PDF file types were found to be malicious.

HTML stands for Hypertext Markup Language, and it is used to create and structure content that is displayed online. It is also used in email communication – for example in automated newsletters, marketing materials, and more. In many cases, reports are attached to an email in HTML format (with the file extension .html, .htm or .xhtml, for example). Attackers can successfully leverage HTML as an attack technique in phishing and credential theft or for the delivery of malware.

The data follows analysis by Barracuda researchers of many millions of messages and files scanned by the company’s security technologies. “The security industry has been highlighting the cybercriminal weaponising HTML for years – and evidence suggests it remains a successful and popular attack tool,” said Fleming Shi, Chief Technology Officer, Barracuda.

Barracuda’s analysis further shows that not only is the overall volume of malicious HTML attachments increasing, nearly a year on since the company’s last report, HTML attachments remain the file type most likely to be used for malicious purposes.

“Getting the right security in place is as important now as it has ever been. This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments. Other important elements include implementing robust multifactor authentication or – ideally – Zero Trust Access controls; having automated tools to respond to and remediate the impact of any attack; and training people to spot and report suspicious messages,” said Shi.