Threat Intelligence

    The Not-So-New Threat of HTML Smuggling

    Bad actors are hiding malicious payloads in HTML — is your team equipped to handle this threat?

    by Kiri Addison

    Key Points

    • HTML smuggling is on the rise with threat groups shifting to use the attack method to increase compromise rates.
    • Delivered via email attachment or even just a link in the body of an email, HTML smuggling can fool workers who are so focused on not downloading malicious material that they miss the threats delivered via links.
    • Organizations need to include HTML smuggling in their security awareness training now to avoid what may be just the beginning of emerging threat campaigns.

    By now, most workers have sat through at least some form of human-risk-centric security awareness and training. Organizations of all sizes are doing their best to ensure their team members are aware they may be receiving phishing emails with malicious attachments.

    And while workers may sometimes get distracted while juggling too many tasks at once or trying to meet a pressing deadline, the hope of those security awareness training sessions is that they will all take a pause and a second look before opening attachments they receive via email though the course of their workday.

    Is Security Awareness Training on Attachments Enough?

    Team members who receive consistent security awareness training are five times more likely to spot and avoid clicking on something malicious than employees without any training. 

    But are those same workers taking a pause and a second look before clicking a link that might be in the body copy of that same email? Today’s working environment has taught workers that a file can contain a malicious payload, but how many workers know that a malicious file can also make its way onto their device through the simple click of a link?

    It’s called HTML smuggling, and according to many online sources, its use is increasing, especially in targeted attacks where threat actors choose a victim and then set out to flood its workers with emails that appear to be urgent, asking them to download files containing important business reports or click on links leading to time-sensitive information.

    How Does HTML Smuggling Work?

    HTML smuggling leverages JavaScript and HTML5 features to deploy malware such as viruses and ransomware, banking trojans such as Mekotio and Trickbot, remote access trojans like AsyncRAT/NJRAT, and other malicious payloads. One attack method can include providing an HTML file attachment in which an attacker has smuggled an encoded malicious script. When an unsuspecting user opens the HTML file in their browser, it decodes the malicious script which then assembles the malicious payload on the user’s device. This enables the attacker to build the malware locally, behind the firewall, instead of having the malicious executable pass through a network. 

    HTML Smuggling in Links

    A much more devious method is to use HTML5’s download attribute for anchor tags to trigger the download of a malicious file that has been referenced in the href tag. A worker clicks on a link, and in that link are the instructions for their device to seek out and then download a malicious file that will infect their device with malware.

    Now, factor in that the link in an email can be renamed anything and made to look like it is a link to a trusted website, even one that team members use every day. Imagine that link that seems very trustworthy arrives in an email that is made to look like it comes from a worker’s own organization or a vendor whose services they use regularly, and it can easily become apparent why some workers will immediately trust the link provided.

    Another Benefit of HTML Smuggling for Attackers

    Another benefit for attackers is that by using HTML smuggling, either via an attached HTML file or by placing their malicious code inside a link, they can completely bypass an organization’s restrictions on sending or receiving an executable file and other malicious file types by email.

    HTML Smuggling: Not New, But Still a Growing Threat

    While HTML smuggling isn’t new — it was first seen in 2018 — in 2020, Duri malware, which was previously delivered via Dropbox links, was adapted to use HTML smuggling to improve compromise rates. And more recently, ransomware gangs like Nobelium are using HTML smuggling, indicating that this may be the beginning of a higher concentration of the use of HTML smuggling in emerging threat campaigns.

    This is why it is so important for organizations to remember to include HTML smuggling in their security awareness training and seek out cybersecurity products that can combat this growing threat.

    The Bottom Line

    It is very likely at this point that many workers are much more aware of the potential dangers of downloading and opening an email attachment than they were just a few years ago, but it is also critical that organizations’ team members be just as aware of the dangers of clicking a link in an email as well. 

    Mimecast can assist organizations concerned about HTML smuggling through human-risk-centric security and awareness training and advanced email security with targeted threat, attachment, and URL protection.

     

     

    **This blog was originally published on March 17, 2022.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top