>As it turns out, 81% of the emails containing HTML files with JavaScript are malicious, while only 19% are legitimate.... it’s clear that straight-out blocking HTML attachments with JavaScript is not an option for most organizations, as it would impact important business communication.<p>Oh of course, how dare we suggest companies stop doing sketchy things in their ~spam~ ~marketing~ <i>notification</i> emails that are explicitly trying to get you to click on links full of gobbledygook, training normal users that an ugly and unclear link is an expected form of communication! Nah, we could never tell businesses that sending a link that asks me to click a sketchy-looking button to log into my bank account is something that should be discouraged because it makes users used to clicking on phishing emails.<p>Instead, we will just pretend to do stuff while half the company fails the bi-yearly phishing screening, including most of our VPs.
My email disallows images and JavaScript/HTML. I have yet to suffer for this. If anything it’s like the Adblock of email. And I’m not one of those “block all JavaScript on the Web” people.
> it’s clear that straight-out blocking HTML attachments with JavaScript is not an option for most organizations, as it would impact important business communication.<p>I suppose it depends on what your job is. My habit of decades for personal email is to not allow HTML at all. I do the same in the office. Sometimes, this means I'm reading the HTML source directly to get the information, which is inconvenient, but it's worth it to me.<p>Fortunately, most important emails I get contain no HTML at all, or use only trivial HTML that doesn't hinder reading the source.<p>I do wish people wouldn't use HTML in emails at all (it rarely adds anything useful to the email), but that's not the world I live in.