- HTML analysis
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Detection Method: HTML analysis
HTML analysis looks at the HTML code in emails, web pages, or attachments to spot potentially malicious elements or deceptive structures. It examines both what’s visible and hidden in the HTML to uncover tactics often used in phishing or malware attacks.
HTML analysis can help you detect:
- Hidden scripts or iframes that might run harmful code
- Obfuscated JavaScript designed to avoid detection
- Misleading hyperlinks where the displayed text doesn’t match the real URL
- Forms made to steal credentials or sensitive data
- Suspicious HTML comments with hidden instructions
- CSS tricks used to hide malicious content
For example, phishing emails often use HTML to replicate trusted login pages. HTML analysis can catch the hidden forms and scripts trying to steal your credentials.
Blog Posts
Tactics & Techniques (21):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail | 15h ago Mar 4th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-hungerrush-domain-with-sendgrid-tracking-targeting-protonmail-73f62e74 | |
Link: Apple App Store link to apps impersonating AI adveristing | 20h ago Mar 4th, 2026 | Sublime Security | /feeds/core/detection-rules/link-apple-app-store-link-to-apps-impersonating-ai-adveristing-19b556e6 | |
Brand impersonation: Zoom via HTML styling | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-zoom-via-html-styling-b717920d | |
Link: Credential theft with invisible Unicode character in page title from unsolicited sender | 20d ago Feb 13th, 2026 | Sublime Security | /feeds/core/detection-rules/link-credential-theft-with-invisible-unicode-character-in-page-title-from-unsolicited-sender-5fe14d53 | |
Brand impersonation: Microsoft Teams invitation | 27d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
Service abuse: Apple TestFlight with suspicious developer reference | 27d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0 | |
Link: Common hidden directory observed | 30d ago Feb 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6 | |
Service abuse: Trello board invitation with VIP impersonation | 30d ago Feb 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-trello-board-invitation-with-vip-impersonation-fedfc94b | |
Brand impersonation: Aramco | 1mo ago Jan 28th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-aramco-96e87699 | |
Brand impersonation: File sharing notification with template artifacts | 1mo ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611 | |
Link: Tycoon2FA phishing kit (non-exhaustive) | 1mo ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2 | |
Spam: Commonly observed formatting of unauthorized free giveaways | 1mo ago Jan 14th, 2026 | Sublime Security | /feeds/core/detection-rules/spam-commonly-observed-formatting-of-unauthorized-free-giveaways-8bc49fa3 | |
Attachment: HTML smuggling with concatenation obfuscation | 1mo ago Jan 12th, 2026 | @vector_sec | /feeds/core/detection-rules/attachment-html-smuggling-with-concatenation-obfuscation-108ab346 | |
Attachment: HTML smuggling with decimal encoding | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4 | |
Attachment: HTML smuggling with eval and atob | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-9f521ca2 | |
Attachment: HTML smuggling with base64 encoded JavaScript function | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-base64-encoded-javascript-function-4e8a12ec | |
Attachment: HTML smuggling with excessive line break obfuscation | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 | |
Attachment: HTML smuggling with RC4 decryption | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 | |
Attachment: HTML smuggling with setTimeout | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 | |
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-with-high-entropy-and-suspicious-text-329ac12d |
Page 1 of 6