Barracuda: 23% of HTML Email Attachments Are Malicious

Barracuda Networks, Inc., a leading cybersecurity company providing complete protection against complex threats for all sized businesses, has released the 2025 Email Threats Report, which details the current state of email-based risks facing organisations worldwide. Based on Barracuda’s threat detection data, the findings highlight how attackers continue to shift malicious links and content to attachments in the hope of evading detection by security tools.

According to the report, as many as 20 per cent of organisations experienced at least one attempted or successful account takeover (ATO) incident per month, with attackers typically trying to gain access through phishing, credential stuffing or by exploiting weak or reused passwords. Once inside an account, attackers can steal sensitive data, move laterally inside the organisation, and send phishing emails that appear to be from a trusted source.

What Barracuda Found

The findings show that:

• 23% of HTML attachments are malicious, making them the most weaponised text file type. More than three-quarters of the malicious files detected overall were HTML files. When used legitimately, HTML attachments in emails enable organisations to share content, such as newsletters or invitations, that display properly when opened in an email client or web browser.
• 68% of malicious PDF attachments and 83% of malicious Microsoft documents contain QR codes designed to take users to phishing websites.
• Bitcoin sextortion scams account for 12% of malicious PDF attachments.
• 47% of email domains do not have Domain-based Message Authentication, Reporting and Conformance (DMARC) configured to protect against unauthorised use, including spoofing and impersonation attacks.
• 24% of email messages overall are now unwanted or malicious spam.

“Email remains the most common attack vector for cyberthreats because it provides an easy entry point into corporate networks,” said Olesia Klevchuk, a Director in Email Protection at Barracuda. “Malicious email attachments, QR codes and URLs are used by attackers to distribute malware, launch phishing campaigns and exploit vulnerabilities. Many organisations increase their risk level by failing to implement DMARC, making it possible for attackers to impersonate their brand and implement fraudulent attacks. Organisations need to mitigate the risks by implementing best practice industry standards and adopting a multi-layered approach to email security, leveraging AI-driven threat detection to spot attacks hidden in attachments and malicious websites.”