When you read an HTML e-mail, you're effectively reading a web page. HTML is intrinsically insecure. It's possible to embed script within it that will execute automatically [including exploit instructions]. This may harm your machine directly or leave it open to attack. One more reason to use plain text e-mails, rather than HTML, and to disable scripting on your machine. Use plain text to send and receive emails in HTML format. The 'classic' phishing scam is made to look like it has come from their bank. It seems that phishers are trying to cut out the middleman.
Source: https://securelist.com/html-e-mail-why-its-not-a-good-idea/29881/

