Menlo Security kündigt strategische Partnerschaft mit Google an
Icon Rounded Closed - BRIX Templates

Digital smugglers: How attackers use HTML smuggling techniques to beat traditional security defenses

Neko Papez
July 4, 2023

It’s hard to imagine a time when the web browser wasn’t the critical enterprise productivity app. Many enterprise workers born in the 1990s likely don’t recall when the web browser wasn’t the primary window to access nearly every office application.

Today, the web browser is the de facto enterprise app staff uses to conduct business. And the web browser has revolutionized how we communicate, work, and entertain ourselves.

The success of the web browser—the fact that it’s used to access nearly every enterprise application imaginable—is also why cybercriminals today relentlessly target it as their point of entry to gain access to enterprise applications and data. And they are using increasingly evasive attack techniques to succeed.

The strategy has proven to work, mainly because traditional security tools don’t adequately protect the browser or defend against the increasing number of highly evasive web threats.

One such highly evasive threat is HTML smuggling attacks, which employ widely used features of HTML5 to bypass traditional security defenses. Understanding the nature of HTML smuggling attacks and the best ways to stop them is essential for security teams to successfully defend their systems and data from today’s threat actors.

What are HTML smuggling attacks?

HTML smuggling attacks use HTML5 attributes to deliver malware and credential-stealing phishing attacks. Attackers “smuggle” encoded malicious scripts within the specially crafted HTML attachments or web pages typically in one of two ways: they deliver the payload using a download event via a data uniform resource indicator (URI) onto the target victim’s device, or they create what’s known as a JavaScript blob that triggers a successful download event onto the targeted victim’s device once behind the firewall.

To ensure success, attackers also turn to proven social engineering techniques and impersonate well-known and trusted online brands, such as Adobe Acrobat, Dropbox, and Google Drive. Once the targeted victim clicks on a link, typically delivered via email or social media messaging, the process of HTML smuggling begins as discrete and individually non-malicious appearing pieces of the final file are downloaded. After all separate payload elements are downloaded, the malicious payload is assembled on the endpoint.

This “multi-stage delivery" technique effectively bypasses various firewalls and network security solutions, including sandboxes and anti-virus in legacy proxies. Additionally, file types assumed to be blocked by Secure Web Gateways still make it to endpoints through HTML smuggling.

How HTML smuggling bypasses traditional security defenses

How do HTML smuggling techniques so easily bypass traditional security defenses? These tools typically only check for suspicious attachments or anomalous traffic based on signatures and patterns. Consider how HTML smuggling evades sandboxing.

HTML smuggling deftly bypasses traditional security protocols, including sandboxing, by implementing an innovative mode of delivering malicious code. Instead of directly downloading a malicious file, which could be intercepted and blocked by security measures, HTML smuggling embeds minute fragments of malicious code within apparently benign JavaScript blobs or sub-components.

These tiny blobs, not being in a format that can be decoded by the sandbox, remain unanalyzed. Individually, they exhibit no harmful actions, thus not triggering any alerts within the sandbox. Yet, these seemingly harmless blobs have the capability to autonomously reconstruct themselves into a damaging executable at the local browser level, without any user intervention.

This ingenious approach effectively allows them to slip through the grasp of traditional file content inspection engines and evade the sandboxing measures, demonstrating a significant blind spot in conventional cybersecurity defenses.

In addition, attackers use obfuscation techniques to hide the malicious code from detection. Attackers use Base64 encoding and then decode it on the endpoint. This also makes it difficult for security tools to detect malicious activity. HTML smuggling attacks also evade web proxy defenses by using these techniques as binary data and are embedded into JavaScript code that can be decoded into a file object when the user’s web browser opens.

Overall, HTML smuggling attacks are designed to be highly evasive and can bypass standard perimeter security controls, making them a significant threat to organizations. The increase in HTML smuggling attacks is likely due to attacker success because the browser has become one of the weakest links for organizations. Let’s look at examples of real-world HTML smuggling attacks.

Real-world examples of HTML smuggling attacks

The Russian cybercriminal collective known as Nobelium – the group behind the infamous SolarWinds attacks – is infamous for using HTML smuggling to deliver malware. This nation state threat actor group has also used HTML smuggling as part of its recent barrage of espionage attacks on government entities attempting to gain a foothold into these organizations.

In some of its attacks, Nobelium sent spear-phishing emails to targeted individuals, encouraging them to click on a link that redirected to a website hosting a malicious JavaScript file. The JavaScript file initiated an HTML smuggling attack in which the payload was hidden within a seemingly benign image file. The browser loaded and decoded the image file using HTML and JavaScript, which in turn executed the malicious code, enabling the attackers to gain access to the victim's system.

This technique was effective because it bypassed many traditional security measures that rely on inspecting network traffic or blocking known malicious domains. HTML smuggling allowed the attackers to hide their malicious activity within seemingly harmless web traffic, making it difficult for security tools to detect and block the attack.

Another HTML smuggling campaign, dubbed ISOMorph, used the popular Discord messaging app to host malicious payloads. This attack leveraged the previously mentioned Javascript blob to construct a malicious file on the target’s endpoint within the web browser.

In a report by CSO Online, Trustwave SpiderLabs revealed its uncovering of a phishing email HTML attachment that dropped the Cobalt Strike malware via Adobe PDF viewer-themed impersonation.

“When the HTML is loaded, it drops an ISO file containing an LNK [Windows Shortcut] file that, when clicked, launches the payload execution sequence,” CSOonline quoted SpiderLabs. “The LNK file starts PowerShell to execute the PowerShell script masqueraded in a ‘.log’ extension rather than ‘.ps1’. Modifying the extension attempts to evade defenses and tricks the user into thinking that it is a typical log file,” CSO wrote.

These techniques are so effective that the MITRE ATT&CK framework addresses HTML smuggling as a technique attackers use to gain initial access. Specifically, HTML smuggling falls under the "Exfiltration Over Alternative Protocol" (T1048), which refers to using non-standard protocols or channels to exfiltrate data from a compromised system.

The insidious nature of HTML smuggling attacks

Due to how HTML smuggling can bypass traditional security defenses such as sandboxes, email security engines, and web gateways, among others, we categorize HTML smuggling attacks as Highly Evasive Adaptive Threats (HEAT), or HEAT attacks. These threats grew in popularity with the rise in cloud and software-as-a-service (SaaS) applications. Cloud services, typically accessed by the web browser, make the browser an ideal target because traditional security tools were designed to defend installed applications and local network traffic, not data and connections flowing through the browser.

Because HTML smuggling attacks are so swiftly executed and allow attackers to exploit current enterprise web browser security weaknesses, these attacks remain highly dangerous for enterprise data and systems. Enterprises that successfully defend themselves against such attacks will be those enterprises that effectively bolster the security of their users’ web browsers.

Prevent HTML smuggling attacks

What will effective web browser security look like for those companies? It’ll certainly focus on improving visibility into browser activity and deploying technologies that can detect and respond to HEAT attacks, such as HTML smuggling, in real time.

Another critical defense that is proven effective against HEAT attacks is isolation technologies that insulate web sessions within a remote browser that enable the execution of page requests outside of the endpoint so that only safe and sanitized versions of web sessions are returned to the end user.

For organizations, there’s no time to delay. Threat actors constantly update their tactics and use evasive threats to target the browser. To successfully defend themselves, security teams must also adjust their defenses to have greater visibility and control within the web browser. And they must deploy security controls that will adapt to changes employed by attackers and dynamically defend their systems and data.

linkedin logotwitter/x logofacebook logoSocial share icon via eMail