A lesser-known but highly effective cyberattack method has resurfaced, targeting unsuspecting users through a sophisticated manipulation of HTML in phishing emails.
Security analysts have revealed how cybercriminals are exploiting conditional HTML comments originally intended for backward compatibility and rendering differences to show benign links in Microsoft Outlook, while substituting them with malicious URLs in other email clients and browsers.
Anatomy of the Attack: Conditional Comments
At the heart of this phishing campaign lies an old but potent web technique: HTML conditional comments.
These comments, designed for handling Microsoft Office (MSO) specific quirks, allow developers, and now attackers, to craft content that is selectively visible depending on the client's email reader.
The attacker constructs their phishing email using the following structure:
<!--[if mso]>
<a href="https://trustedbank.example.com">Reset Password</a>
<![endif]-->
<!--[if !mso]><!-->
<a href="https://malicious-site.example/phish">Reset Password</a>
<!--<![endif]-->
- In Outlook: Only the benign link (to a legitimate-looking, non-malicious address) is rendered and visible.
- In Other Clients (Gmail, Apple Mail, browsers): The malicious link is displayed, sending unsuspecting users to a credential-stealing webpage.
This technique allows attackers to bypass many corporate defenses, such as security scanners and web proxies, which often review emails in the context of Outlook rendering.
It also reduces the likelihood that a security analyst, previewing the email in Outlook, will detect the real threat.
Why It Works: Targeting Trust and Blind Spots
The clever use of conditional HTML gives threat actors a multi-pronged advantage:
- Evading Automated Scans: Many security tools check emails as rendered in Outlook, often missing what non-Outlook users would see.
- Selective Targeting: By showing only harmless content in corporate environments, where users are less likely to fall for banking scams and where email scrutiny is highest, the attackers increase their odds elsewhere.
- Exploiting User Behavior: Users accessing email via web clients or on mobile devices are more likely to see and click the malicious link.
Corporate Impact and Incident Response
For corporations, this threat highlights significant blind spots in traditional email security:
- Red Teamers and Incident Responders: Must review raw email HTML, not just rendered content, to identify hidden threats.
- Security Awareness Training: Needs to educate staff about how phishing campaigns can look very different depending on where and how an email is viewed.
- Technical Defenses: Email gateways and security solutions should be updated to parse conditional HTML comments and scan all possible content branches.
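The defensive check called for above (parse the conditional comments and scan every branch, not just what Outlook renders) applied to the email structure shown earlier, as an added example that is not part of the original article and not any vendor's product code. It assumes the raw text/html part has already been pulled out of the MIME message; the two sample emails are constructed here for the demonstration. It goes slightly beyond the article's single case: it handles both the downlevel-hidden (`<!--[if mso]> ... <![endif]-->`) and downlevel-revealed (`<!--[if !mso]><!--> ... <!--<![endif]-->`) syntaxes and any `[if ...]` condition, treating a negated condition as the non-Outlook branch (an assumption, noted in the code).

```python
import html
import re

# Constructed sample reproducing the conditional-comment layout from the article:
# the Outlook (MSO) branch carries a benign link, every other client gets a different one.
PHISH_SAMPLE = """\
<html><body>
<p>Your password expires today.</p>
<!--[if mso]>
<a href="https://trustedbank.example.com">Reset Password</a>
<![endif]-->
<!--[if !mso]><!-->
<a href="https://malicious-site.example/phish">Reset Password</a>
<!--<![endif]-->
</body></html>
"""

# Constructed benign sample: both branches point at the same URL (the usual reason
# newsletters use these comments: Outlook needs different markup), plus one link
# that is visible everywhere.
BENIGN_SAMPLE = """\
<html><body>
<!--[if mso]>
<a href="https://news.example.com/offer" style="mso-hide:none">See offer</a>
<![endif]-->
<!--[if !mso]><!-->
<a href="https://news.example.com/offer">See offer</a>
<!--<![endif]-->
<a href="https://news.example.com/unsubscribe">Unsubscribe</a>
</body></html>
"""

# Matches both conditional-comment syntaxes:
#   downlevel-hidden:   <!--[if cond]> ... <![endif]-->
#   downlevel-revealed: <!--[if cond]><!--> ... <!--<![endif]-->
# Group 1 is the condition text, group 2 the branch body.
COND_BLOCK_RE = re.compile(
    r"<!--\[if\s+([^\]]+)\]>(?:<!-->)?(.*?)(?:<!--)?<!\[endif\]-->",
    re.IGNORECASE | re.DOTALL,
)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def _hrefs(fragment):
    """Every href value in an HTML fragment, entity-decoded, as a set."""
    return {html.unescape(h).strip() for h in HREF_RE.findall(fragment)}


def links_by_branch(raw_html):
    """Split the links of a raw HTML email by the client population that renders them.

    Assumption: a condition starting with '!' (e.g. [if !mso]) targets non-Outlook
    clients; any other condition (mso, gte mso 9, ...) targets Outlook.
    """
    branches = {"outlook_only": set(), "non_outlook": set(), "all_clients": set()}
    for cond, body in COND_BLOCK_RE.findall(raw_html):
        key = "non_outlook" if cond.strip().startswith("!") else "outlook_only"
        branches[key] |= _hrefs(body)
    # Whatever is left after removing every conditional block is seen by all clients.
    branches["all_clients"] |= _hrefs(COND_BLOCK_RE.sub("", raw_html))
    return branches


def all_links(raw_html):
    """Union of the links across every branch: what a gateway should actually scan."""
    b = links_by_branch(raw_html)
    return b["outlook_only"] | b["non_outlook"] | b["all_clients"]


def hidden_from_outlook(raw_html):
    """Links that render in every client except Outlook, i.e. what an Outlook preview misses."""
    b = links_by_branch(raw_html)
    return b["non_outlook"] - b["outlook_only"] - b["all_clients"]


def is_suspicious(raw_html):
    """Flag an email when both branches carry links but disagree on their destinations.

    Legitimate email repeats the same URL in both branches (only the markup differs),
    so mismatching href sets are a strong indicator of the client-dependent trick.
    """
    b = links_by_branch(raw_html)
    return bool(b["outlook_only"]) and bool(b["non_outlook"]) and b["outlook_only"] != b["non_outlook"]


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = "SUSPICIOUS" if is_suspicious(sample) else "ok"
        print(f"{name}: {verdict}; hidden from Outlook: {sorted(hidden_from_outlook(sample))}")
```

In a gateway or triage script, run URL reputation and detonation over `all_links()` rather than over the hrefs a single rendering engine produced, and treat a non-empty `hidden_from_outlook()` result as a reason to look at the raw source. Comparing by hostname instead of full URL in `is_suspicious()` cuts false positives from senders that legitimately use different tracking parameters per branch.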
While HTML conditional comments have been documented as a potential attack vector since 2019, their use in widespread phishing campaigns remains rare, making them all the more potent.
As attackers continually refine their tactics, defenders must adapt by understanding not just what end users see, but what email code actually contains.
For now, the best defense is vigilance: always inspect suspicious emails both in the client and at the code level, and foster a culture where reporting strange messages is the norm.
As always, a healthy dose of technical skepticism remains a vital tool in the ever-evolving landscape of email security.