It’s become an increasingly popular trend of 2023 for clever internet jerks (and their spam bot minions) to attach malicious files to emails using the extension “.HTM.”

At a glance this looks like “.HTM” and a Windows PC will treat it like an HTML file regardless of the trailing period.

Adjusting Proofpoint Filters

We have been using filters in Proofpoint to block “.HTM” and “.HTML” attachments for years, but we realized recently that we also needed to specifically block that trailing period; otherwise, Proofpoint would not quarantine the emails. Therefore, we went about adjusting Proofpoint filters to fix this issue.


If you want to block this filetype in Proofpoint, please block “.HTM*” or “.HTM.” Most people are not sending HTML files via email regardless, so I’m not worried about a false positive here or there.

Worth noting: This does not block actual links—just HTML files attached to the email itself.
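To see why a plain extension match misses the trailing period, here is an added example (not from the original post, and not Proofpoint's own logic) that checks the attachments of a constructed sample message two ways. The function names, the blocklist and the sample filenames are assumptions made for illustration.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: the extensions to quarantine, taken from the post (.HTM / .HTML).
BLOCKED_EXTENSIONS = {".htm", ".html"}

def naive_extension(filename):
    """Extension as a simple filter sees it: the text from the last dot on."""
    return os.path.splitext(filename)[1].lower()

def effective_extension(filename):
    """Extension after dropping trailing periods and spaces, which Windows
    discards when saving a file, so 'x.HTM.' ends up on disk as 'x.HTM'."""
    return os.path.splitext(filename.rstrip(". "))[1].lower()

def blocked_attachments(raw_message, extension_of):
    """Return the attachment filenames whose extension is on the blocklist."""
    msg = message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for the body and container parts
        if name and extension_of(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def build_sample(filenames):
    """Constructed sample message carrying one small attachment per name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"<html></html>", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

# Constructed filenames: two with trailing periods, one plain, one harmless.
SAMPLE = build_sample(["invoice.HTM.", "statement.html..", "report.html", "notes.txt"])

if __name__ == "__main__":
    print("naive   :", blocked_attachments(SAMPLE, naive_extension))
    print("hardened:", blocked_attachments(SAMPLE, effective_extension))
```

The naive check only flags `report.html`, because the "extension" of `invoice.HTM.` is a bare period; normalizing the name first catches all three HTML attachments.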

Another thing to keep in mind: if you aren’t happy with Proofpoint’s ability to block certain attachments, or want a second set of virtual eyeballs, you could always enable a transport rule in Exchange to scan attachments and route accordingly. Everyone agrees that we shouldn’t be emailing executable files (but if you have to, read more about how to quarantine executables), so having a second set of eyes on that shouldn’t kill anyone.

As you might expect, these HTM(L) file attachments almost always contain obfuscated code that redirects the user to a phishing page if opened in a web browser. Want to learn more about the obfuscation techniques? I found this great article if you’re interested in learning more.

This topic falls right into our Layered Security Strategy – your email security is key when it comes to protecting your business, employees, and IT infrastructure. Reach out to us if you’re interested in learning what proper email security can do for you.

If you’d like to learn more about how you can adjust Proofpoint filters or if you have any additional questions, please contact us: call 502-240-0404 or email us at info@mirazon.com