Alert: Malformed HTML helps phishing emails evade Office ATP

In the past week or two, our team at BitDam observed a spike in phishing emails that use illegal HTML structure in order to get into our customers’ inboxes. BitDam ATP detected and blocked these attack attempts at first encounter, but they did bypass Microsoft Office ATP among other solutions. 

A Real Attack Example 

As many other phishing attacks targeting businesses, this one too aims to get the user’s Microsoft credentials. The HTML email body fools the user to click a link in order to access a document on SharePoint. In this particular case, a financial document. 


Clicking the “open” button would take the victim to a fake SharePoint login page that is used for collecting the credentials once entered.   

So far this looks like any other phishing attempt and you would think most email protections solutions will detect it. So how come it went below the radar of Office ATP? 

The Evasion Technique: Malformed HTML x2

Instead of just using the phishing link as part of the HTML, the attackers inserted the malicious code to the end of the HTML, after the <html> tag. In the below screenshot, you can see that the HTML code frame ends at row 38, while rows 40-60 contain some extra code, which is the malicious script.


Most security solutions miss the second body  which means they would not identify the malicious part of the email in this case. 

The attackers take advantage of the fact that most security products scanning emails wouldn’t scan the code that appears after the closing <html> tag, while browsers will try running the full code. The result – email security products won’t see the malicious part of the email (i.e. the phishing link), but end-users will see it and are likely to click it. 

Moreover, the structure of the javascript malicious code that the attack should run, is incorrect as it contains unclosed rows. This makes it even harder on security engines to run this code and identify that it is malicious. 

To summarize, the attackers are counting on the fact that most security product scanning emails wouldn’t scan the code that appears after the closing <html> tag and even if they would, they won’t be able to run the javascript since the malicious HTML code is malformed.

What Can You Do About It? 

Keep watching out, as phishing attempts continuously become more sophisticated with attackers developing new tricks to evade traditional security tools.  

Be aware that Microsoft’s email security (The basic EOP but also Office ATP) is only effective to some extent and it is recommended to augment it with more sophisticated protection as an additional defense layer. 

And if you aren’t sure how good your current security is, and if it would detect such attacks, you’re welcome to use BitDam BAS2.0 called “Lucky Meter” which uses the latest attacks from the wild in real time to continuously test your security. 

Top Tips for MSPs to Protect Customers from Phishing and Ransomware

Unlike a couple of years ago, small and medium-sized businesses now deal with cyberthreats on a daily basis. Cybercriminals no longer overlook SMEs. They rather see them as valid targets, and a much easier prey than larger organizations. The fact that many small and medium businesses moved to working from home last year and started using collaboration tools like O365, OneDrive, Teams and Zoom makes the opportunity for bad actors even bigger. In fact, 43% of cyber attacks target small businesses. Ransomware and phishing attacks turned into significant threats for SMEs in 2020, with 66% of SMEs reporting that they are concerned or extremely concerned about cyber security risk.

How can you as an MSP help SMEs stay protected from these threats?

Many SMEs use external managed IT services and therefore want to trust their MSP to handle their cybersecurity too. There are some simple actions you can take in order to check your customers’ current security vulnerabilities, and then bridge these gaps. In this blog post, we will focus on what to consider when securing the customer’s email and other collaboration platforms used to exchange content internally and externally such as OneDrive, Sharepoint, Google Drive, Teams, Zoom and more.  

Assess the current security posture

Cyberthreats are constantly evolving (on a daily or even hourly basis) in order to bypass security solutions. With email being the main attack vector for such threats, it’s important to test your customers’ email security and better understand their current gaps. It’s recommended to do this regularly to accurately assess what’s going on. And even more crucial to do it before making any decision related to securing the customer. 

The good news is that there are free vulnerability assessment tools that are easy to use. Within less than an hour you can know your customer’s real exposure to cyberthreats. You can start by trying BitDam’s Breach & Attack Simulation (BAS) and BitDam BAS2.0 – Lucky Meter or search for similar tools online. 

Protect all collaboration platforms

The most burning need for most SMEs is protecting their email. We believe all organizations should use an Advanced Threat Protection solution for email (as a side note, Microsoft Defender/Office ATP doesn’t perform well when it comes to advanced threats). In addition to email, the risk of cyberthreats being delivered and spread via other collaboration tools is constantly growing. Ideally, you want to use a security solution that protects different channels, but is managed from one place. This will ensure your SME is protected, while reducing overhead and costs on your end.  

Considering that many SMEs use Office 365 or G-Suite for all their collaboration needs, or might be using additional tools such as Zoom, Slack or Dropbox, it’s relatively easy to find ONE security solution that covers ALL these tools. This will allow your team to manage the security of all customers and all their collaboration channels from one dashboard in a frictionless manner.   

Minimize your team’s overhead 

Providing your customers with effective cybersecurity doesn’t have to involve additional overhead. Just like you should select a security solution that helps you secure various collaboration tools at once, you should also choose a solution that makes it easier to manage many customers from one place. Selecting the right product allows you to quickly gather insights and easily take action across the different customers you manage, can save your team many hours, increase productivity, and make your business more competitive.

Being cautious of your team’s time, you should also check the ease of deployment and required maintenance before committing to a specific solution. Assuming that you’re planning to deploy the same security solution among many of your customers, you want to make sure the process is quick and doesn’t require any configuration or changes. It’s best to avoid products that require periodical maintenance or updates. There is just no reason to waste your team’s time on such activities. 

Try before you buy

Effective protection does not necessarily mean heavy commitment. In the world of cloud solutions, you can try several products before you engage with one. There are plenty of security tools that offer free trials so you can explore all options to ensure a good fit, and only then make a commitment. For Office 365 clients, the Azure Marketplace is a good place to start from. You can search for Email Protection, OneDrive Protection, Teams Protection and so on, and get a variety of solutions that are ready to install. Many of which offer free trials!  

Used by dozens of MSPs worldwide, BitDam Advanced Threat Protection ATP brings enterprise-grade security to small and medium-sized businesses while securing their email, cloud drives, chat and video conferencing from malware, phishing and more. You’re welcome to sign up for a free 30-day trial or read more about how we partner with MSPs

Learn more about our MSP Console by watching this short demo video below:

Schedule a Demo

Enter your email to get a free trial invitation