Microsoft warns of rising HTML smuggling phishing attacks


Microsoft has seen a surge in malware campaigns that use HTML smuggling to distribute banking malware and remote access Trojans (RATs).

While HTML smuggling is not a new technique, Microsoft sees it increasingly being used by threat actors to evade detection, including the Nobelium hacker group behind SolarWinds attacks.

How HTML smuggling works

HTML smuggling is a technique used in phishing campaigns that use HTML5 and JavaScript to hide malicious payloads in strings encoded in an HTML attachment or web page. These strings are then decoded by a browser when a user opens the attachment or clicks a link.

For example, a phishing HTML attachment might include a harmless link to a well-known website, so it wouldn’t be considered malicious. However, when a user clicks the link, JavaScript will decrypt an included encrypted or scrambled string and convert it into a malicious attachment that is downloaded instead, as shown in the following code.

A basic example of HTML smuggling
A basic example of HTML smuggling
Source: Microsoft

Since the malicious payload is initially encrypted, it appears harmless to security software and is not detected as malicious. Also, since JavaScript assembles the payload on the target system, it bypasses any firewalls and security defenses that usually catch the malicious file in the perimeter.

Process of eliminating HTML smuggling malware
Process of eliminating HTML smuggling malware
Source: Microsoft

Cases of distribution

Microsoft researchers have seen this technique used in Mekotio campaigns delivering banking trojans and also in highly targeted NOBELIUM attacks.

HTML smuggling campaigns are also used to eliminate AsyncRAT or NJRAT remote access trojans or the TrickBot trojan used to breach networks and distribute ransomware.

Attacks usually start with a phishing email containing an HTML link in the body of the message or a malicious HTML file as an attachment.

If you click either, a ZIP file is released using HTML contraband. This archive contains a JavaScript file downloader that retrieves additional files from a command and control (C2) server to be installed on the victim’s device.

In some cases, the archives created are password protected for further circumvention of detection against endpoint security checks. However, the password to open it is provided in the original HTML attachment, so the victim has to enter it manually.

Password provided in the email or HTML attachment
Password provided in the email or HTML attachment
Source: Microsoft

Once the script is started, a base64-encoded PowerShell command is executed that downloads and installs the TrickBot trojan or other malware.

A 2020 report from Menlo security It also mentions the Duri malware group as one of the actors actively using HTML smuggling for payload distribution, but the technique has been first seen in the wild since at least 2018.

Microsoft first warned of a sudden surge in this activity in July 2021, urging administrators to raise their defenses against it.

How to defend against HTML smuggling

Microsoft suggests administrators use rules of conduct to verify common characteristics of HTML smuggling, including:

  • An attached ZIP file contains JavaScript
  • An attachment is password protected
  • An HTML file contains suspicious script code
  • An HTML file decodes a Base64 code or obfuscates a JavaScript

For endpoints, administrators should block or control activity associated with HTML smuggling, including:

  • Block JavaScript or VBScript from launching downloaded executable content
  • Blocks execution of potentially obfuscated scripts
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria

In addition to the above, users can prevent JavaScript from running automatically by associating the .js and .jse files with a text editor such as Notepad.

Ultimately, the best defense is to train users not to open downloaded files via links in emails and attachments. All files downloaded from an email should be treated with caution and carefully checked before opening.

Also, if an attachment or email link downloads an attachment ending with a .js (JavaScript) extension, it should never be opened and automatically deleted.

Unfortunately, Windows disables the display of file extensions by default, leading in many cases to not seeing the extensions. Here’s why it is always suggested that users allow file extensions to be displayed to prevent malicious files from being opened.


Please enter your comment!
Please enter your name here