Malicious HTML in E-Mail Increases
One in particular, a standard advertisement for fake antivirus software, installs a back door -- even if the browser is closed so by the time the HTML file has been clicked it is already too late. (See also "How to Spot an E-Mail Scam.")
Spam built around HTML is nothing new, but does seem to have become a hot technique in the last year or so with some spammers. A popular variant is the bogus "Delivery Status Notification Failure," a sneaky way to get the attention of a user without arousing suspicion.
"So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless," concludes Barracuda Labs' researcher, Dave Michmerhuizen.
Since attachment attacks became a favorite tactic, spammers have tried almost every common format in existence, sometimes moving to obscure ones in an attempt to get around spam filters.