- HTML analysis
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Detection Method: HTML analysis
HTML analysis looks at the HTML code in emails, web pages, or attachments to spot potentially malicious elements or deceptive structures. It examines both what’s visible and hidden in the HTML to uncover tactics often used in phishing or malware attacks.
HTML analysis can help you detect:
- Hidden scripts or iframes that might run harmful code
- Obfuscated JavaScript designed to avoid detection
- Misleading hyperlinks where the displayed text doesn’t match the real URL
- Forms made to steal credentials or sensitive data
- Suspicious HTML comments with hidden instructions
- CSS tricks used to hide malicious content
For example, phishing emails often use HTML to replicate trusted login pages. HTML analysis can catch the hidden forms and scripts trying to steal your credentials.
Blog Posts
Tactics & Techniques (21):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Link: Credential theft with invisible Unicode character in page title from unsolicited sender | 4d ago Feb 13th, 2026 | Sublime Security | /feeds/core/detection-rules/link-credential-theft-with-invisible-unicode-character-in-page-title-from-unsolicited-sender-5fe14d53 | |
Brand impersonation: Microsoft Teams invitation | 11d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
Service abuse: Apple TestFlight with suspicious developer reference | 11d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0 | |
Link: Common hidden directory observed | 14d ago Feb 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6 | |
Service abuse: Trello board invitation with VIP impersonation | 14d ago Feb 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-trello-board-invitation-with-vip-impersonation-fedfc94b | |
Brand impersonation: Aramco | 20d ago Jan 28th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-aramco-96e87699 | |
Brand impersonation: File sharing notification with template artifacts | 25d ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611 | |
Link: Tycoon2FA phishing kit (non-exhaustive) | 25d ago Jan 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2 | |
Spam: Commonly observed formatting of unauthorized free giveaways | 1mo ago Jan 14th, 2026 | Sublime Security | /feeds/core/detection-rules/spam-commonly-observed-formatting-of-unauthorized-free-giveaways-8bc49fa3 | |
Attachment: HTML smuggling with eval and atob via calendar invite | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd | |
Sharepoint link likely unrelated to sender | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 | |
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/cve-2023-5631-roundcube-webmail-xss-via-crafted-svg-8405d61b | |
Link: Multistage landing - Scribd document | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d | |
Open redirect: Shibboleth SSO Logout Return Parameter | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/open-redirect-shibboleth-sso-logout-return-parameter-374b7517 | |
Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755 | |
URI protocol handler: search-ms | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/uri-protocol-handler-search-ms-ee27d9c0 | |
Zoom Events newsletter abuse | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/zoom-events-newsletter-abuse-c8fce846 | |
Attachment: HTML smuggling with ROT13 | 1mo ago Jan 12th, 2026 | @Kyle_Parrish_ | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Service abuse: Random Google Firebase sender address with suspicious content | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9 | |
Attachment: EML file contains HTML attachment with login portal indicators | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158 |
Page 1 of 5