Is it suspicious to open an email attachment HTML file?

Asked by AnishaDalal in Cyber Security, asked on Apr 14, 2022

If I receive an email that has an attachment called something like safe-link.html, would it ever be safe to open this file?


Clearly, HTML files may have malicious scripts embedded that could run when opened with a browser. However, I'm wondering if any breaches could occur upon downloading the file and then opening it in Notepad / other basic text editor rather than a web browser?


Background

I'm only asking because the company I work for likes to send out 'test' phishing emails from time to time, and the latest had an HTML attachment. I suspected the email immediately (so I didn't click to open the attachment in a browser), but I was intrigued to see if it actually was another test!


So I suggested to colleagues that the file be opened with Notepad. We're all savvy enough to read HTML, so would immediately spot the usual "If this wasn't just a test, your computer would be compromised!", but they were extremely concerned that I had thought to interact with the file at all.


I'm reasonably confident that any malicious script in an HTML file would have to be opened in a web browser for it to have any effect.


Are my colleagues being too cautious, or was I being overzealous?

I'm an advocate of "better safe than sorry", so I don't think they were wrong not to open it; I just also don't believe it was completely unsafe to open with something like Notepad. I am very intrigued to find out!


"Gotchas" I'm aware of:

I believe editing it in a more complex website development tool (that actually renders the page in a preview) could be dangerous.


Also, I'm aware that simply double-clicking the file (even if the default "open with" is set to be a text editor) could be dangerous. This is because something like readme.txt could actually be readme.txt.exe with file extensions hidden in something like Windows File Explorer.

Answered by Anil Mer

Okay, so, technically, you're never 100% safe. Yes, there could be attempted attacks on your text editor/ASCII viewer. Yes, someone could have somehow magically snuck a DLL into your temporary directory in order to mess with MS Notepad delay loading. But in practice, when you receive an email attachment HTML file in a phishing email, it's going to contain some malicious JavaScript or more likely redirect you to a website online that tries to persuade you to hand over your credit card details / logins. So, in practice, examining such a file in Notepad++ is a perfectly reasonable way to see what's been sent to you. The reaction of your colleagues seems unfair, unless you are working in a nuclear silo … and if your job is really that mission/safety critical, why are there emails at all? Why would there be internet access? And, if there isn't, why would you need phishing audits/tests/honeypots? Someone somewhere is being overly paranoid.

We can try to reduce our risk to zero but the only way to achieve that is to not use a computer. All that being said, though, you will always have to deal with silly people so perhaps keep this activity to yourself next time.
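The inspection discussed above, reading the attachment as text instead of rendering it, can also be scripted. The Python sketch below is an added example, not part of the original question or answer: it flags the hidden double extension the question mentions and lists scripts, redirects, form targets and hosts without rendering or fetching anything. The extension list, the sample HTML and the example.test host names are constructed assumptions.

```python
from html.parser import HTMLParser
from pathlib import PurePath
from urllib.parse import urlparse

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".hta"}  # assumed, not exhaustive

def hidden_executable(filename):
    """True for names like readme.txt.exe, shown as readme.txt when extensions are hidden."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS

class AttachmentTriage(HTMLParser):
    """Walks the markup as text; nothing is rendered, executed or fetched."""
    def __init__(self):
        super().__init__()
        self.findings = {"scripts": 0, "redirects": [], "form_targets": [], "hosts": set()}

    def _note_url(self, url):
        try:
            host = urlparse(url).hostname
        except ValueError:  # malformed URL in untrusted input
            return
        if host:
            self.findings["hosts"].add(host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.findings["scripts"] += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the form "0; url=https://..."; keep what follows the first "="
            target = a.get("content", "").partition("=")[2].strip()
            if target:
                self.findings["redirects"].append(target)
                self._note_url(target)
        elif tag == "form" and a.get("action"):
            self.findings["form_targets"].append(a["action"])
        for url in filter(None, (a.get("href"), a.get("src"), a.get("action"))):
            self._note_url(url)

def triage(html_text):
    parser = AttachmentTriage()
    parser.feed(html_text)
    return parser.findings

# Constructed sample attachment; the example.test hosts are placeholders.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="0; url=https://login.example.test/verify">'
          '<script>document.title = "Loading";</script></head><body>'
          '<form action="https://collect.example.test/submit" method="post"><input name="pass"></form></body></html>')
```

For a saved attachment, read it with `open(path, encoding="utf-8", errors="replace")` and pass the text to `triage()`.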

