Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Brand impersonation: File sharing notification with template artifacts | 16m ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611 | |
Link: Tycoon2FA phishing kit (non-exhaustive) | 12h ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2 | |
Spam: Commonly observed formatting of unauthorized free giveaways | 9d ago Jan 14th, 2026 | Sublime Security | /feeds/core/detection-rules/spam-commonly-observed-formatting-of-unauthorized-free-giveaways-8bc49fa3 | |
Link: Common hidden directory observed | 10d ago Jan 13th, 2026 | Sublime Security | /feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6 | |
Service abuse: Random Google Firebase sender address with suspicious content | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9 | |
Attachment: HTML smuggling with eval and atob via calendar invite | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd | |
Attachment: HTML smuggling with atob and high entropy via calendar invite | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614 | |
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/cve-2023-5631-roundcube-webmail-xss-via-crafted-svg-8405d61b | |
URI protocol handler: search-ms | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/uri-protocol-handler-search-ms-ee27d9c0 | |
Attachment: EML file contains HTML attachment with login portal indicators | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158 | |
Attachment: HTML smuggling with ROT13 | 11d ago Jan 12th, 2026 | @Kyle_Parrish_ | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Sharepoint link likely unrelated to sender | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 | |
Service abuse: Trello board invitation with VIP impersonation | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-trello-board-invitation-with-vip-impersonation-fedfc94b | |
Request for Quote or Purchase (RFQ\|RFP) with HTML smuggling attachment | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755 | |
Zoom Events newsletter abuse | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/zoom-events-newsletter-abuse-c8fce846 | |
Low reputation link to auto-downloaded HTML file with smuggling indicators | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6 | |
Credential phishing: Suspicious e-sign agreement document notification | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8 | |
Attachment: EML containing a base64 encoded script | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445 | |
Attachment: HTML attachment with login portal indicators | 11d ago Jan 12th, 2026 | @ajpc500 | /feeds/core/detection-rules/attachment-html-attachment-with-login-portal-indicators-3aabf4a7 | |
Attachment: HTML file with excessive padding and suspicious patterns | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e | |