Researchers from Avanan have seen the worldwide spread of a new threat known as 'Blank Image,' where hackers attach blank images to HTML messages. The user is instantly sent to a malicious URL once they open the attachment.
Blank Image attack
The bogus emails claim that you need to sign a DocuSign document, cryptically named "Scanned Remittance Advice.htm". The HTML file contains an SVG image encoded with Base64; scammers encode SVG vector images inside HTML attachments to get around the security features that are usually switched on by default in email inboxes.
SVGs are XML-based vector images that, unlike raster formats such as JPG and PNG, can contain HTML script elements. When an HTML document displays such an image through an <embed> or <iframe> tag, the SVG is rendered and the JavaScript embedded in it is executed.
Although the message body seems fairly harmless, opening the HTML attachment lets its malicious payload loose on your device. The file contains the attack's script rather than the XML content a typical SVG would include.
According to the researchers, this is a creative approach to masking the message's real intent. It avoids being scanned by conventional Click-Time Protection and VirusTotal, and most security services are defenseless against these attacks because obfuscation is piled on obfuscation.
Therefore, users should steer clear of any emails that have HTML or .htm attachments. Administrators should consider blocking HTML attachments and treating them the same as executables (.exe, .cab).
This attack can be linked to an earlier 'MetaMorph' attack first discovered by Avanan a few years ago, in which phishing actors used a meta refresh to move users from a locally hosted HTML attachment to a phishing website on the open internet. A meta refresh is a feature that tells a web browser to automatically reload or redirect the current web page after a specified amount of time.
Users should handle emails containing HTML and .HTM attachments carefully. Avanan also advises admins to consider blocking them.
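As an added example (not code from Avanan or from the original article), the Python below shows how a mail gateway could triage an HTML attachment for the two tricks described above: a Base64-encoded SVG data URI that carries a script element or inline event handler, and a meta refresh that redirects the viewer elsewhere. It then applies the article's recommended policy of treating .htm/.html attachments like executables. The sample attachment, the inert SVGs, the `example.invalid` URL and all function names are constructed for this demonstration.

```python
import base64
import re

# Constructed sample SVGs (not real samples). The first carries a <script>
# element that does nothing; the second is a plain vector image.
INERT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>/* constructed: does nothing */</script>'
    '</svg>'
)
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def build_sample_attachment(svg_markup=INERT_SVG, with_meta_refresh=True):
    """Return a constructed HTML attachment that embeds the SVG as a
    Base64 data URI via <embed>, optionally with a <meta refresh>."""
    encoded = base64.b64encode(svg_markup.encode()).decode()
    meta = ('<meta http-equiv="refresh" content="0;url=https://example.invalid/">'
            if with_meta_refresh else '')
    return (f'<html><head>{meta}</head><body>'
            f'<p>Please review the attached remittance advice.</p>'
            f'<embed src="data:image/svg+xml;base64,{encoded}">'
            f'</body></html>')


# Patterns a gateway can apply to the attachment body.
DATA_URI_RE = re.compile(r'data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)', re.I)
META_REFRESH_RE = re.compile(r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh', re.I)
# Script elements or inline event handlers (onload=, onclick=, ...) in the SVG.
ACTIVE_CONTENT_RE = re.compile(r'<script\b|\son[a-z]+\s*=', re.I)


def scan_html_attachment(html):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if META_REFRESH_RE.search(html):
        findings.append('meta-refresh')
    for match in DATA_URI_RE.finditer(html):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            # Padding or character errors: still worth flagging, since a
            # scanner that silently skips undecodable data is easy to evade.
            findings.append('svg-base64-undecodable')
            continue
        svg_text = decoded.decode('utf-8', errors='replace')
        if ACTIVE_CONTENT_RE.search(svg_text):
            findings.append('svg-embedded-script')
        else:
            findings.append('svg-inline-image')
    return findings


# Policy from the article: HTML attachments are treated like executables.
BLOCKED_EXTENSIONS = ('.htm', '.html', '.exe', '.cab')


def should_block_attachment(filename, html=None):
    """Block on extension alone; when the body is available, also block any
    attachment whose scan produced a finding other than a plain inline image."""
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        return True
    if html is not None:
        return any(f != 'svg-inline-image' for f in scan_html_attachment(html))
    return False


if __name__ == '__main__':
    sample = build_sample_attachment()
    print(scan_html_attachment(sample))
    print(should_block_attachment('Scanned Remittance Advice.htm', sample))
```

The scanner decodes the Base64 layer before looking for active content, which is the point of the example: a filter that only inspects the outer HTML sees nothing but an image tag. Event-handler attributes are matched as well as `<script>`, because an SVG can run code without a script element. Undecodable data is flagged rather than ignored so that deliberately malformed encodings do not slip past.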