June 5, 2025
Severity
Medium
Analysis Summary
A phishing technique has been observed abusing the conditional comments that Microsoft Outlook's HTML rendering engine still honors, such as <!--[if mso]> and <!--[if !mso]>. Originally intended to let email templates adapt their formatting to different clients, these statements are now weaponized to show different content depending on which client renders the message. The attack relies on hiding malicious links from enterprise security systems, which often render or scan email the way Outlook does: those systems see only benign content, while recipients who open the email in a non-Outlook client are directed to a phishing site.
According to the researcher, the phishing emails are structured with two separate code paths: one targeting Outlook users with safe-looking, legitimate links, typically referencing banks or trusted services, and another that sends users of other clients such as Gmail, Apple Mail or Thunderbird to credential-harvesting pages. This dual rendering both bypasses security filters and maximizes effectiveness against end users. Security teams relying solely on Outlook-compatible scanners miss the malicious path entirely, which gives a false sense of security while the threat remains live in the mailbox.
The attack leverages the fact that classic Outlook for Windows renders HTML mail with Microsoft Word's engine, which continues to support these conditional comments for backward compatibility, even as Microsoft's newer clients (Outlook on the web, the new Outlook, mobile apps) use a different renderer that treats them as ordinary HTML comments and therefore follows the non-Outlook path. The conditional HTML bifurcates the email's behavior by client, which gives the attacker plausible deniability (the Outlook rendering is entirely benign) and evades detection during automated scanning. This technique has been used primarily against financial institutions, with phishing emails impersonating major banks to trick recipients into revealing credentials.
To defend against this threat, organizations should adopt multi-engine scanning that renders each message the way several clients would. URL reputation checks should be applied to every embedded link, regardless of which conditional branch it sits in. Security awareness training should stress verifying senders through a separate channel, and DNS-level filtering of known malicious domains should be in place. Sandboxing tools that emulate multiple email clients can also surface these adaptive messages. Though first reported in 2019, the technique's reappearance in recent campaigns shows that threat actors keep exploiting blind spots in enterprise email security infrastructure.
Impact
- Sensitive Credential Theft
- Security Bypass
- Gain Access
Affected Vendors
- Microsoft
Affected Products
- Microsoft Outlook
Remediation
- Use email security solutions that render and analyze emails across multiple clients (e.g., Outlook, Gmail, Apple Mail) to detect variations caused by conditional HTML.
- Configure email gateways to extract and evaluate both code paths, the downlevel-hidden block <!--[if mso]> ... <![endif]--> and the downlevel-revealed block <!--[if !mso]><!--> ... <!--<![endif]-->, rather than only the branch the gateway's own renderer follows, so that hidden malicious content is uncovered.
- Scan all embedded links for reputation scoring, and use sandbox environments that simulate multiple email clients to analyze behavior before delivering messages.
- Block access to known malicious domains at the network level to prevent users from reaching phishing infrastructure, even if they click a link.
- Track which email clients are used internally and externally to identify exposure points and tailor detection mechanisms accordingly.
- Outlook exposes no setting that disables conditional comments specifically. Where mail can be read as plain text (the Trust Center option to read all standard mail in plain text), the HTML, and with it both code paths, is not rendered at all. Note that users on Outlook on the web, the new Outlook or mobile clients already follow the non-Outlook path, so the priority is ensuring the scanner, not only the client, covers that path.
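The two code paths described in the analysis, and the gateway check from the remediation list that inspects both of them, as an added Python example that is not part of the original advisory. The email bodies are constructed for illustration (examplebank.com and examplebank-secure-login.example are placeholder hosts, not indicators from any campaign). The parser handles the downlevel-hidden form <!--[if mso]> ... <![endif]--> and the downlevel-revealed form <!--[if !mso]><!--> ... <!--<![endif]-->, treats any expression beginning with "!" as the non-Outlook branch, and does not handle nested conditionals.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real campaign artefact): the [if mso] branch carries
# a benign bank link, the [if !mso] branch carries the credential-harvesting link.
SPLIT_HTML = """\
<html><body>
<!--[if mso]>
<p>Please review your statement at
<a href="https://www.examplebank.com/statements">examplebank.com</a>.</p>
<![endif]-->
<!--[if !mso]><!-->
<p>Please review your statement at
<a href="https://examplebank-secure-login.example/verify">examplebank.com</a>.</p>
<!--<![endif]-->
</body></html>
"""

# Constructed benign sample: conditionals only wrap Outlook table scaffolding,
# the link itself is shared by every client.
BENIGN_HTML = """\
<html><body>
<!--[if mso]><table><tr><td><![endif]-->
<p>Your statement is ready: <a href="https://www.examplebank.com/statements">view it</a></p>
<!--[if mso]></td></tr></table><![endif]-->
</body></html>
"""

# Matches both conditional-comment forms. Word-engine Outlook evaluates the
# expression; every other client sees the hidden form as one comment and the
# revealed form's body as ordinary markup.
COND = re.compile(
    r"<!--\[if\s+(?P<expr>[^\]]+)\]>"      # <!--[if mso]> / <!--[if !mso]>
    r"(?P<reveal><!--\s*-->)?"             # optional downlevel-revealed opener
    r"(?P<body>.*?)"
    r"(?(reveal)<!--\s*)<!\[endif\]-->",   # <![endif]--> or <!--<![endif]-->
    re.S,
)
HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)


def split_by_client(html: str) -> dict:
    """Return the markup each client family actually renders.

    'outlook' keeps the [if mso] branches (classic Outlook, Word engine);
    'other' keeps the [if !mso] branches (Gmail, Apple Mail, Thunderbird,
    Outlook on the web). Markup outside any conditional is kept for both.
    """
    views = {"outlook": [], "other": []}
    pos = 0
    for m in COND.finditer(html):
        shared = html[pos:m.start()]
        views["outlook"].append(shared)
        views["other"].append(shared)
        expr = m.group("expr").strip().lower()
        target = "other" if expr.startswith("!") else "outlook"
        views[target].append(m.group("body"))
        pos = m.end()
    views["outlook"].append(html[pos:])
    views["other"].append(html[pos:])
    return {client: "".join(parts) for client, parts in views.items()}


def link_hosts(markup: str) -> set:
    """Lower-cased hostnames of every href in the given markup."""
    hosts = set()
    for url in HREF.findall(markup):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def hidden_link_hosts(html: str) -> set:
    """Hosts a non-Outlook recipient can reach that an Outlook-only render never shows."""
    views = split_by_client(html)
    return link_hosts(views["other"]) - link_hosts(views["outlook"])


def is_client_split_phish(html: str) -> bool:
    """Gateway verdict: flag mail whose non-Outlook path introduces extra link hosts."""
    return bool(hidden_link_hosts(html))


if __name__ == "__main__":
    for name, sample in (("split", SPLIT_HTML), ("benign", BENIGN_HTML)):
        print(name, "hidden hosts:", sorted(hidden_link_hosts(sample)))
```

A scanner that renders only as Outlook sees exactly the "outlook" view and therefore only the legitimate bank host; the check above instead diffs the link hosts of both views and flags the message when the non-Outlook path adds a host. Comparing hosts rather than full URLs keeps harmless per-client tracking parameters from firing; a stricter deployment can diff the full URL set, and every host in either view should still go through reputation scoring.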