- HTML analysis
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Detection Method: HTML analysis
HTML analysis looks at the HTML code in emails, web pages, or attachments to spot potentially malicious elements or deceptive structures. It examines both what’s visible and hidden in the HTML to uncover tactics often used in phishing or malware attacks.
HTML analysis can help you detect:
- Hidden scripts or iframes that might run harmful code
- Obfuscated JavaScript designed to avoid detection
- Misleading hyperlinks where the displayed text doesn’t match the real URL
- Forms made to steal credentials or sensitive data
- Suspicious HTML comments with hidden instructions
- CSS tricks used to hide malicious content
For example, phishing emails often use HTML to replicate trusted login pages. HTML analysis can catch the hidden forms and scripts trying to steal your credentials.
Blog Posts
Tactics & Techniques (21):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Brand impersonation: Microsoft Teams invitation | 6d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
Service abuse: Apple TestFlight with suspicious developer reference | 6d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0 | |
Link: Common hidden directory observed | 9d ago Feb 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6 | |
Service abuse: Trello board invitation with VIP impersonation | 9d ago Feb 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-trello-board-invitation-with-vip-impersonation-fedfc94b | |
Brand impersonation: Aramco | 15d ago Jan 28th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-aramco-96e87699 | |
Brand impersonation: File sharing notification with template artifacts | 20d ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611 | |
Link: Tycoon2FA phishing kit (non-exhaustive) | 20d ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2 | |
Spam: Commonly observed formatting of unauthorized free giveaways | 29d ago Jan 14th, 2026 | Sublime Security | /feeds/core/detection-rules/spam-commonly-observed-formatting-of-unauthorized-free-giveaways-8bc49fa3 | |
Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755 | |
Attachment: HTML smuggling with eval and atob via calendar invite | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd | |
Service abuse: Random Google Firebase sender address with suspicious content | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9 | |
Attachment: HTML smuggling with ROT13 | 1mo ago Jan 12th, 2026 | @Kyle_Parrish_ | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/cve-2023-5631-roundcube-webmail-xss-via-crafted-svg-8405d61b | |
Low reputation link to auto-downloaded HTML file with smuggling indicators | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6 | |
Attachment: HTML smuggling with base64 encoded JavaScript function | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-base64-encoded-javascript-function-4e8a12ec | |
Attachment: HTML smuggling with excessive line break obfuscation | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 | |
Attachment: HTML smuggling with RC4 decryption | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 | |
Attachment: HTML smuggling with setTimeout | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 | |
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-with-high-entropy-and-suspicious-text-329ac12d | |
Attachment: HTML smuggling with unescape | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-unescape-0b0fed36 |
Page 1 of 5