Barracuda Finds That 23% of HTML Email Attachments Are Malicious
New Barracuda Report Highlights State of Email Threat Landscape in 2025
As many as 20% of organizations experienced at least one attempted or successful account takeover (ATO) incident per month, with attackers typically trying to gain access through phishing, credential stuffing or by exploiting weak or reused passwords. Once inside an account, attackers can steal sensitive data, move laterally inside the organization, and send phishing emails that appear to be from a trusted source.
The findings show that:
- 23% of HTML attachments are malicious, making them the most weaponized text file type. More than three-quarters of the malicious files detected overall were HTML files. When used legitimately, HTML attachments in emails enable organizations to share content, such as newsletters or invitations, that display properly when opened in an email client or web browser.
- 68% of malicious PDF attachments and 83% of malicious Microsoft documents contain QR codes designed to take users to phishing websites.
- Bitcoin sextortion scams account for 12% of malicious PDF attachments.
- 47% of email domains do not have Domain-based Message Authentication, Reporting and Conformance (DMARC) configured to protect against unauthorized use, including spoofing and impersonation attacks.
- 24% of email messages overall are now malicious or unwanted spam.
"Email remains the most common attack vector for cyberthreats because it provides an easy entry point into corporate networks," said Olesia Klevchuk, product marketing director, Email Protection at Barracuda. "Malicious email attachments, QR codes and URLs are used by attackers to distribute malware, launch phishing campaigns and exploit vulnerabilities. Many organizations increase their risk level by failing to implement DMARC, making it possible for attackers to impersonate their brand and implement fraudulent attacks. Organizations need to mitigate the risks by implementing best practice industry standards and adopting a multi-layered approach to email security, leveraging AI-driven threat detection to spot attacks hidden in attachments and malicious websites."
To learn more about the email threat landscape in 2025 and best practice security recommendations, please see the full 2025 Email Threats Report.
This report contains proprietary Barracuda research gathered during
About Barracuda
Barracuda is a leading cybersecurity company providing complete protection against complex threats. Our platform protects email, data, applications, and networks with innovative solutions, and a managed XDR service, to strengthen cyber resilience. Hundreds of thousands of IT professionals and managed service providers worldwide trust us to protect and support them with solutions that are easy to buy, deploy, and use. For more information, visit barracuda.com.
Barracuda Networks, Barracuda and the Barracuda Networks logo are registered trademarks or trademarks of Barracuda Networks, Inc. in the
Contact:
Anne Campbell
Barracuda Networks, Inc.
978-328-1642
[email protected]
View original content to download multimedia:https://www.prnewswire.com/news-releases/barracuda-finds-that-23-of-html-email-attachments-are-malicious-302438371.html
SOURCE Barracuda Networks, Inc.
Serious News for Serious Traders! Try StreetInsider.com Premium Free!
You May Also Be Interested In
- Statement from Jenn Mack Candidate for Governor of Texas
- Surge Battery Metals Announces Investor Relations Agreement
- Early Warning Report in Respect of John Passalacqua
Create E-mail Alert Related Categories
PRNewswire, Press ReleasesRelated Entities
BitcoinSign up for StreetInsider Free!
Receive full access to all new and archived articles, unlimited portfolio tracking, e-mail alerts, custom newswires and RSS feeds - and more!



Tweet
Share