Phishing Campaign Uses SHTML Files to Redirect Users to Malicious Websites

A phishing campaign has been detected that uses an unusual method of directing users to credential-harvesting websites: the redirect travels inside an attachment rather than as a link in the message body.

Phishing campaigns typically rely on hyperlinks embedded in the message body. Advanced email security solutions extract and assess those URLs to determine whether they are malicious. To get around this, attackers often hide the hyperlinks inside attached documents, or hide macros or scripts in other attachment types such as Office files.

The latest campaign uses server-parsed HTML (SHTML) attachments. SHTML files are ordinarily found on web servers that support server-side includes: they are HTML documents carrying directives (written as HTML comments) that the server processes before sending the page. Opened directly from an email, the file is simply rendered by the browser as HTML, and any JavaScript it contains runs. Many users will be unfamiliar with the extension, but they are likely to recognize the HTML part and may be fooled into opening the attachment thinking it is benign. The attachment may not be detected as malicious because the destination URL is not present as a plain link; it is hidden in JavaScript that performs the redirect.

The emails claim to be receipts for payments of thousands of pounds. If the email is opened and the SHTML attachment is launched, the user is automatically redirected to the attacker's website, which attempts to obtain login credentials by masquerading as an official login page.
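The following Python script is an added example, not part of the original article and not Mimecast's rule. It shows the kind of check a mail gateway or an analyst could run over an HTML or SHTML attachment: pull out the script blocks, statically follow simple string concatenation, variable assignment and percent/hex escaping, and recover the URL that a `window.location` assignment would send the browser to. The sample attachment, the hostnames, the file names and the obfuscation pattern (a percent-encoded URL split across string literals) are constructed for illustration and are not the campaign's actual payload.

```python
import os
import re
import html
from urllib.parse import unquote

# Constructed sample of a malicious .shtml attachment (illustration only, not
# the file from the reported campaign).  The SSI directive on the first line is
# what makes it "server-parsed"; a browser opening the file locally treats it
# as a comment and simply renders the HTML, so the script below runs.  The
# destination URL is percent-encoded and split across string literals so it
# never appears verbatim in the file.
SAMPLE_SHTML = r"""<!--#include virtual="/header.shtml" -->
<html><body>
<p>Your receipt is loading...</p>
<script type="text/javascript">
var p = "%68%74%74%70%73%3A%2F%2F" + "login-" + "%65%78%61%6D%70%6C%65%2E%74%65%73%74" + "/secure/";
window.location.replace(unescape(p));
</script>
</body></html>"""

# Constructed benign HTML receipt: a visible link and harmless script, no redirect.
BENIGN_HTML = """<html><body>
<p>Thank you for your order.</p>
<a href="https://shop.example.test/receipt/4471">View receipt</a>
<script>var total = "1,250.00"; document.title = "Receipt " + total;</script>
</body></html>"""

# Extensions a browser will render as HTML when the attachment is opened.
HTML_EXTENSIONS = {".html", ".htm", ".shtml", ".shtm", ".xhtml"}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# var/let/const assignments whose values the redirect may reuse.
VAR_RE = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]+);")
# Navigation sinks: location = ..., location.href = ..., location.replace(...)
REDIRECT_RE = re.compile(
    r"(?:(?:window|document|top|self)\.)?location(?:\.href)?\s*"
    r"(?:=|\.(?:replace|assign)\s*\()\s*([^;\n]+)", re.I)
# String literals and identifiers inside a JavaScript expression.
TOKEN_RE = re.compile(r"""(["'`])(.*?)\1|([A-Za-z_$][\w$]*)""", re.S)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)


def decode_js_expr(expr, consts):
    """Statically evaluate a string-building expression: concatenate its
    literals, substitute known variables, then undo \\xHH, \\uHHHH and %HH
    escapes (what unescape()/decodeURIComponent() would do at runtime)."""
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(2) is not None:          # string literal
            parts.append(m.group(2))
        elif m.group(3) in consts:          # previously assigned variable
            parts.append(consts[m.group(3)])
    s = "".join(parts)
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return html.unescape(unquote(s))


def extract_redirects(doc):
    """Return the URLs that scripts in an HTML/SHTML document navigate to."""
    urls = []
    for script in SCRIPT_RE.findall(doc):
        consts = {}
        for name, value in VAR_RE.findall(script):
            consts[name] = decode_js_expr(value, consts)
        for m in REDIRECT_RE.finditer(script):
            urls.extend(URL_RE.findall(decode_js_expr(m.group(1), consts)))
    return urls


def scan_attachment(filename, content):
    """Flag an attachment that a browser would render as HTML and that
    redirects via script.  Returns (flagged, recovered_urls)."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in HTML_EXTENSIONS:
        return False, []
    urls = extract_redirects(content)
    return bool(urls), urls


if __name__ == "__main__":
    for name, body in [("receipt_4471.shtml", SAMPLE_SHTML),
                       ("receipt.html", BENIGN_HTML)]:
        flagged, urls = scan_attachment(name, body)
        print(f"{name}: {'BLOCK' if flagged else 'allow'} {urls}")
```

A gateway rule built on this would typically quarantine the attachment whenever a script-driven redirect is recovered at all, or at least when the recovered host is not on an allow list. The static evaluation here only follows literal concatenation, variable substitution and a few escape schemes; heavier obfuscation (eval, string reversal, a payload decoded at runtime) would need the attachment to be rendered in a sandboxed or headless browser and the resulting navigation observed instead.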

The phishing campaign was detected by researchers at Mimecast. More than half of the emails captured by the firm targeted the UK, with smaller numbers aimed at Australia and South Africa. The attacks mostly focused on the banking and financial sector in the UK and the higher education sector in Australia.

The company has written a custom rule that identifies the malicious redirect and blocks the destination site. Since introducing the rule, Mimecast has blocked more than 100,000 redirects to the website.

This method of attack may not be particularly sophisticated, but it is likely to be effective. The unusual file type could well sneak past many organizations' defenses undetected and fool employees.

An advanced anti-phishing and anti-spam solution will block the majority of these phishing emails, but it is important not to rely entirely on technical controls. Organizations with no business need to receive HTML or SHTML attachments should also consider quarantining or stripping them at the email gateway. End user training is also vital. Employees should be taught how to identify phishing emails and what to do if a suspicious email is received.

As the latest campaign shows, tactics change frequently. Regular security awareness training sessions are therefore important, so that employees are kept up to date on the latest threats that could arrive in their inboxes. Forewarned is forearmed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news