Alert: Malformed HTML helps phishing emails evade Office ATP

In the past week or two, our team at BitDam observed a spike in phishing emails that use illegal HTML structure in order to get into our customers’ inboxes. BitDam ATP detected and blocked these attack attempts at first encounter, but they did bypass Microsoft Office ATP among other solutions. 

A Real Attack Example 

As many other phishing attacks targeting businesses, this one too aims to get the user’s Microsoft credentials. The HTML email body fools the user to click a link in order to access a document on SharePoint. In this particular case, a financial document. 


Clicking the “open” button would take the victim to a fake SharePoint login page that is used for collecting the credentials once entered.   

So far this looks like any other phishing attempt and you would think most email protections solutions will detect it. So how come it went below the radar of Office ATP? 

The Evasion Technique: Malformed HTML x2

Instead of just using the phishing link as part of the HTML, the attackers inserted the malicious code to the end of the HTML, after the <html> tag. In the below screenshot, you can see that the HTML code frame ends at row 38, while rows 40-60 contain some extra code, which is the malicious script.


Most security solutions miss the second body  which means they would not identify the malicious part of the email in this case. 

The attackers take advantage of the fact that most security products scanning emails wouldn’t scan the code that appears after the closing <html> tag, while browsers will try running the full code. The result – email security products won’t see the malicious part of the email (i.e. the phishing link), but end-users will see it and are likely to click it. 

Moreover, the structure of the javascript malicious code that the attack should run, is incorrect as it contains unclosed rows. This makes it even harder on security engines to run this code and identify that it is malicious. 

To summarize, the attackers are counting on the fact that most security product scanning emails wouldn’t scan the code that appears after the closing <html> tag and even if they would, they won’t be able to run the javascript since the malicious HTML code is malformed.

What Can You Do About It? 

Keep watching out, as phishing attempts continuously become more sophisticated with attackers developing new tricks to evade traditional security tools.  

Be aware that Microsoft’s email security (The basic EOP but also Office ATP) is only effective to some extent and it is recommended to augment it with more sophisticated protection as an additional defense layer. 

And if you aren’t sure how good your current security is, and if it would detect such attacks, you’re welcome to use BitDam BAS2.0 called “Lucky Meter” which uses the latest attacks from the wild in real time to continuously test your security. 

Schedule a Demo

Enter your email to get a free trial invitation