Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Credential phishing: Suspicious e-sign agreement document notification | 18d ago Dec 15th, 2025 | Sublime Security | /feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8 | |
Brand impersonation: Microsoft Teams invitation | 18d ago Dec 15th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
Brand impersonation: Adobe Sign with suspicious indicators | 22d ago Dec 11th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-adobe-sign-with-suspicious-indicators-704d143a | |
Google presentation open redirect phishing | 22d ago Dec 11th, 2025 | Sublime Security | /feeds/core/detection-rules/google-presentation-open-redirect-phishing-5d01ee3a | |
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag | 23d ago Dec 10th, 2025 | Sublime Security | /feeds/core/detection-rules/outlook-hyperlink-bypass-left-to-right-mark-lrm-in-base-html-tag-160cc681 | |
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification | 23d ago Dec 10th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-logo-in-html-with-fake-quarantine-release-notification-f12c615c | |
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains | 23d ago Dec 10th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-fake-docusign-html-table-not-linking-to-docusign-domains-28923dde | |
Service abuse: Suspicious Zoom Docs link | 1mo ago Dec 2nd, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-suspicious-zoom-docs-link-064b2594 | |
Link: Tycoon2FA phishing kit (non-exhaustive) | 1mo ago Dec 2nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2 | |
Link: URL scheme obfuscation via split HTML anchors | 1mo ago Dec 2nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-url-scheme-obfuscation-via-split-html-anchors-10375948 | |
Attachment: HTML smuggling with ROT13 | 1mo ago Dec 2nd, 2025 | @Kyle_Parrish_ | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Link: Multistage landing - JotForm abuse | 1mo ago Dec 1st, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-jotform-abuse-5b64326f | |
Service abuse: Random Google Firebase sender address with suspicious content | 1mo ago Nov 26th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9 | |
Attachment: HTML smuggling with base64 encoded ZIP file | 1mo ago Nov 20th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-base64-encoded-zip-file-47e388de | |
Brand impersonation: Aramco | 1mo ago Nov 20th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-aramco-96e87699 | |
Brand impersonation: Paperless Post | 1mo ago Nov 6th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-paperless-post-e9ec5e09 | |
Credential theft: Gophish abuse with hidden tracking image | 1mo ago Nov 5th, 2025 | Sublime Security | /feeds/core/detection-rules/credential-theft-gophish-abuse-with-hidden-tracking-image-59915ceb | |
Attachment: HTML smuggling with atob and high entropy | 1mo ago Nov 4th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11 | |
Attachment: HTML file with reference to recipient and suspicious patterns | 1mo ago Nov 4th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d | |
Attachment: EML file contains HTML attachment with login portal indicators | 1mo ago Nov 4th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158 | |