{"id":168432,"date":"2023-05-08T04:10:18","date_gmt":"2023-05-08T11:10:18","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=168432"},"modified":"2025-06-04T04:02:54","modified_gmt":"2025-06-04T11:02:54","slug":"shtml-phishing-attack-with-blurred-image","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/","title":{"rendered":"New Wave of SHTML Phishing Attacks"},"content":{"rendered":"

Authored <\/span>By Anuradha<\/span><\/p>\n

McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest user-sensitive information.<\/span>\u00a0<\/span><\/p>\n

SHTML Campaign in the field:<\/span><\/b>\u00a0<\/span><\/h2>\n

Figure 1. <\/span>shows the geological distribution of McAfee clients who detect malicious SHTML files.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>1. McAfee<\/span> Client Detection of SHTML<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

Attackers victimize users by distributing SHTML files as email attachments.<\/span>\u00a0<\/span>The sentiments used in such phishing emails include a payment confirmation, invoice, shipment etc., The email contains a small thread of messages to make the recipient more curious to open the attachment.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>2<\/span>. Email with SHTML attachment<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

Analysis:<\/span><\/b>\u00a0<\/span><\/h2>\n

When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser as shown in Figure 3. To read the document, however, the user must enter his\/her credentials. In some cases, the email address is prefilled.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>3<\/span>. <\/span>Fake <\/span>PDF document<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

\"\"<\/p>\n

Figure 4. Fake Excel document<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

\"\"<\/p>\n

Figure <\/span>5. Fake<\/span> DHL Shipping<\/span> document<\/span><\/span><\/strong><\/p>\n

 <\/p>\n

Attackers commonly use JavaScript in the SHTML attachments that will be used either to generate the malicious phishing form or to redirect or to hide malicious URLs and behavior.<\/span>\u00a0<\/span><\/p>\n

\u00a0<\/span>\"\"<\/p>\n

Figure <\/span>6<\/span>. SHTML with JavaScript code<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

Below is the code snippet that shows how the blurred background image is loaded. The blurred images are taken from legitimate websites such as:<\/span>\u00a0<\/span><\/p>\n

https:\/\/isc.sans.edu\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

https:\/\/i.gyazo.com<\/span><\/b>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>7<\/span>. <\/span>Code to load b<\/span>lurred <\/span>image<\/span>\u00a0<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

Abusing submission form service:<\/span><\/b>\u00a0<\/span><\/h2>\n

Phishing attacks abuse static form service providers to steal sensitive user information, such as Formspree and Formspark<\/span><\/p>\n

Formspree.io<\/span><\/b> is a back-end service that allows developers to easily add forms on their website without writing server-side code, it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address.<\/span>\u00a0<\/span><\/p>\n

The attackers use the formpsree.io URL as an action URL which defines where the form data will be sent. Below Figure 8. shows the code snippet for action URL that works in conjunction with POST method.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

 <\/p>\n

Figure <\/span>8<\/span>. Formspree.io<\/span> as<\/span> action URL with POST method<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

When the user enters the credentials and hits the \u201csubmit\u201d button, the data is sent to Formspree.io. Subsequently, Formspree.io forwards the information to the specified email address. Below Figure 9. shows the flow of user submission data from webpage to attacker email address.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>9. Flow of user submission data<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

Known malicious forms<\/span> may<\/span> be blocked<\/span>, preventing<\/span> the form submission data <\/span>from <\/span>being sent to the <\/span>attacker. Below<\/span> Figure<\/span> 10<\/span>. shows the Form blocked due to suspected fraudulent activity.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure 10<\/span>. Form <\/span>B<\/span>locked<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

To prevent the user from recognizing that they\u2019ve just been phished, the attacker redirects the user\u2019s browser to an unrelated error page that is associated to a legitimate website.<\/span>\u00a0<\/span><\/p>\n

Below Figure 11.\u00a0 shows the redirected webpage.<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span>11<\/span>. Redirected <\/span>webpage<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

 <\/p>\n

To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry image phishing scam uses simple basic HTML and JavaScript code, but it can still be effective. A blurry image is enough to trick many users into believing the email as legitimate. To stay protected, users<\/span> should keep their system up-to-date and refrain from clicking links and opening SHTML attachments that comes through email from untrusted sources.<\/span>\u00a0<\/span><\/p>\n

IOCs<\/span><\/b>\u00a0<\/span><\/h2>\n

McAfee customers are protected against this phishing campaign.<\/span>\u00a0<\/span><\/p>\n\n\n\n\n
\u00a0<\/span><\/td>\n<\/tr>\n
\n\n\n\n\n\n
Type\u202f<\/span>\u00a0<\/span><\/td>\nValue\u202f<\/span>\u00a0<\/span><\/td>\nProduct\u202f<\/span>\u00a0<\/span><\/td>\nDetected\u202f<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL\u202f<\/span>\u00a0<\/span><\/td>\nformspree[.]io\/f\/xjvderkn<\/span>\u00a0<\/span><\/td>\nMcAfee WebAdvisor\u202f<\/span>\u00a0<\/span><\/td>\nBlocked\u202f<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL\u202f<\/span>\u00a0<\/span><\/td>\ncianindustries[].com\/error\/excel.php<\/span>\u00a0<\/span><\/td>\nMcAfee WebAdvisor\u202f<\/span>\u00a0<\/span><\/td>\nBlocked\u202f<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span><\/p>\n\n\n\n\n\n
URL\u202f<\/span>\u00a0<\/span><\/td>\ntwenty88[.]com\/mincs\/mea.ph<\/span>\u00a0<\/span><\/td>\nMcAfee WebAdvisor\u202f<\/span>\u00a0<\/span><\/td>\nBlocked\u202f<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL\u202f<\/span>\u00a0<\/span><\/td>\nsweet.classicbo[.]com\/mailb_fixpd.ph<\/span>\u00a0<\/span><\/td>\nMcAfee WebAdvisor\u202f<\/span>\u00a0<\/span><\/td>\nBlocked\u202f<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span><\/td>\n<\/tr>\n

\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span><\/p>\n\n\n\n\n\n\n
Type<\/span>\u00a0<\/span><\/td>\nValue<\/span>\u00a0<\/span><\/td>\nProduct<\/span>\u00a0<\/span><\/td>\nDetected<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
shtml(Adobe)<\/span>\u00a0<\/span><\/td>\n0a072e7443732c7bdb9d1f3fdb9ee27c<\/span>\u00a0<\/span><\/td>\nTotal Protection and LiveSafe<\/span>\u00a0<\/span><\/td>\nHTML\/Phishing.qz<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
shtml(Excel)<\/span>\u00a0<\/span><\/td>\n3b215a37c728f65c167941e788935677<\/span>\u00a0<\/span><\/td>\nTotal Protection and LiveSafe<\/span>\u00a0<\/span><\/td>\nHTML\/Phishing.rb<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
shtml(DHL)<\/span>\u00a0<\/span><\/td>\n257c1f7a04c93a44514977ec5027446c<\/span>\u00a0<\/span><\/td>\nTotal Protection and LiveSafe<\/span>\u00a0<\/span><\/td>\nHTML\/Phishing.qz<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has…<\/p>\n","protected":false},"author":695,"featured_media":169189,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-168432","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nNew Wave of SHTML Phishing Attacks | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Wave of SHTML Phishing Attacks | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-08T11:10:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T11:02:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"New Wave of SHTML Phishing Attacks\",\"datePublished\":\"2023-05-08T11:10:18+00:00\",\"dateModified\":\"2025-06-04T11:02:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/\"},\"wordCount\":689,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/\",\"name\":\"New Wave of SHTML Phishing Attacks | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png\",\"datePublished\":\"2023-05-08T11:10:18+00:00\",\"dateModified\":\"2025-06-04T11:02:54+00:00\",\"description\":\"Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"New Wave of SHTML Phishing Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Wave of SHTML Phishing Attacks | McAfee Blog","description":"Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"New Wave of SHTML Phishing Attacks | McAfee Blog","og_description":"Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2023-05-08T11:10:18+00:00","article_modified_time":"2025-06-04T11:02:54+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"New Wave of SHTML Phishing Attacks","datePublished":"2023-05-08T11:10:18+00:00","dateModified":"2025-06-04T11:02:54+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/"},"wordCount":689,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/","name":"New Wave of SHTML Phishing Attacks | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png","datePublished":"2023-05-08T11:10:18+00:00","dateModified":"2025-06-04T11:02:54+00:00","description":"Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/05\/300x200_Blog_SHTML-Phishing-Attacks.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/shtml-phishing-attack-with-blurred-image\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"New Wave of SHTML Phishing Attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/168432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=168432"}],"version-history":[{"count":11,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/168432\/revisions"}],"predecessor-version":[{"id":215104,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/168432\/revisions\/215104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/169189"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=168432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=168432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=168432"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=168432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}