What is HTML smuggling?
HTML smuggling is a highly-evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features to deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted cybersecurity attacks.
Despite continued investment in security technologies, phishing and malware attacks are still mounted successfully against enterprises. One technique in particular that has grown in popularity as browser usage has increased is HTML smuggling. Notably, this technique was observed being used by the notorious NOBELIUM group in targeted spear-phishing campaigns.
HTML smuggling is a form of drive-by-download (the unintentional download of malicious code) in which an attacker “smuggles” encoded malicious scripts within specially crafted HTML attachments or webpages. These attackers take advantage of the versatility of HTML and combine it with social engineering to trick users into opening malicious payloads. Because these attacks impersonate trusted, well-known brands, including Dropbox, Adobe Acrobat, and Google Drive, users are less likely to question opening the HTML in their web browser.
This technique relies on the threat actor embedding a file's binary content, in encoded form, in the HTML source of the web page. As the page renders, the browser reconstructs the malicious file and hands the newly assembled executable to the host OS, effectively bypassing network firewalls and security solutions, including the sandboxes and anti-virus engines in legacy proxies. Moreover, file types that Secure Web Gateway policies are assumed to block can still reach endpoints through HTML.
Traditional security solutions such as web proxies, email gateways, and sandboxes typically check only for suspicious attachments or anomalous traffic, based on existing signatures and pattern matching of known threats. HTML smuggling converts an executable file into encoded text and embeds that text in the HTML source of the page, making it undetectable and, in many cases, unreadable for inspection engines. The file looks harmless and passes through inspection with ease. The sources look legitimate and behave like valid HTML and JavaScript requests, effectively camouflaging themselves, yet they can be reassembled on the user's endpoint into fully executable malware.
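The reconstruct-and-download behaviour described above leaves fingerprints that an inspection engine can look for before an attachment ever reaches a browser: the reassembly APIs in the script, and a long base64 literal whose decoded bytes begin with an executable's magic number. The Python scanner below is an added example, not Menlo Security's code or a description of its product; the indicator list, weights and threshold are assumptions chosen for illustration, and both HTML samples are constructed inline (the "payload" is an MZ prefix followed by plain text, not a real executable).

```python
"""Heuristic scanner for HTML-smuggling indicators in an HTML attachment.

Added example (not Menlo Security's code). Detection only: it looks for scripts
that decode an embedded payload and hand it to the OS as a file download, and it
decodes long base64 literals to check what file type they carry.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# A quoted run of base64 characters long enough to carry a file rather than a small icon.
B64_LITERAL_RE = re.compile(r'''["']([A-Za-z0-9+/]{256,}={0,2})["']''')

# Browser APIs that turn in-page data into a file on the host, with the score each adds.
# Weights and threshold are assumptions for this example, not a published standard.
RECONSTRUCTION_APIS: Dict[str, int] = {
    "atob(": 1,
    "Uint8Array": 1,
    "new Blob(": 2,
    "URL.createObjectURL(": 2,
    "msSaveOrOpenBlob(": 2,
    ".download": 1,
    ".click()": 1,
}

# Magic bytes of file types a web page has no business assembling client-side.
MAGIC: Dict[bytes, str] = {
    b"MZ": "pe_executable",
    b"\x7fELF": "elf_executable",
    b"PK\x03\x04": "zip_archive",
}

SUSPICIOUS_THRESHOLD = 5


@dataclass
class Finding:
    apis: List[str] = field(default_factory=list)
    payload_types: List[str] = field(default_factory=list)
    embedded_bytes: int = 0
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def classify_payload(literal: str) -> Tuple[str, int]:
    """Decode one base64 literal; return (file type from magic bytes, decoded size)."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return ("undecodable", 0)
    for magic, label in MAGIC.items():
        if raw.startswith(magic):
            return (label, len(raw))
    return ("unknown", len(raw))


def scan_html(html: str) -> Finding:
    """Score an HTML document for reconstruct-and-download code plus embedded payloads."""
    finding = Finding()
    for script in SCRIPT_RE.findall(html):
        for api, weight in RECONSTRUCTION_APIS.items():
            if api in script and api not in finding.apis:
                finding.apis.append(api)
                finding.score += weight
    # The literal may sit in the script or in a data attribute, so scan the whole document.
    for literal in B64_LITERAL_RE.findall(html):
        kind, size = classify_payload(literal)
        finding.payload_types.append(kind)
        finding.embedded_bytes += size
        finding.score += 3 if kind in MAGIC.values() else 1
    return finding


# --- Constructed samples for the scanner (not real attachments) -----------------------
BENIGN_HTML = """<html><body>
<h1>Quarterly summary</h1>
<script>
  document.querySelector("h1").addEventListener("click", function () {
    this.style.color = "green";
  });
</script>
</body></html>"""

# Stand-in payload: an "MZ" prefix followed by plain text, so the magic-byte check fires
# without any real executable being embedded.
_PAYLOAD = b"MZ" + b"constructed stand-in, not a real executable. " * 6
SUSPICIOUS_HTML = """<html><body>
<p>Your document is ready.</p>
<script>
var data = "@B64@";
var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], { type: "application/octet-stream" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "file.bin";
a.click();
</script>
</body></html>""".replace("@B64@", base64.b64encode(_PAYLOAD).decode())


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("smuggling", SUSPICIOUS_HTML)):
        f = scan_html(doc)
        print(f"{name}: score={f.score} suspicious={f.suspicious} "
              f"apis={f.apis} payloads={f.payload_types} bytes={f.embedded_bytes}")
```

Run it directly to see the benign sample score 0 and the constructed smuggling sample cross the threshold. A static check like this is only a first line of defence: the encoded literal can be split across variables or encoded differently so that no single quoted run matches, which is the gap the paragraph above describes and why control inside the browser itself matters.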
HTML smuggling can be stopped, but doing so requires visibility and control inside the browser. Solutions such as cloud-based Browser Security can help: they move the execution of these web requests away from the endpoint into a virtual container in the cloud, effectively separating the end user from any malicious content. With no endpoint agent required and no discernible impact on user performance, isolation provides safe and secure browsing while keeping the experience friction-free for the end user.