Threat Intelligence

    The Not-So-New Threat of HTML Smuggling

    Bad actors are hiding malicious payloads in HTML – is your team equipped to handle this threat?

    by Kiri Addison

    Key Points

    • HTML smuggling is on the rise with threat groups shifting to use the attack method to increase compromise rates.
    • Delivered via email attachment or even just a link in the body of an email, HTML smuggling can fool workers who are so focused on not downloading malicious material that they miss the threats delivered via links.
    • Organizations need to include HTML smuggling in their security awareness training now to avoid what may be just the beginning of emerging threat campaigns.

    By now, most workers have sat through at least some form of security awareness training. Organizations of all sizes are doing their best to ensure their team members are aware they may be receiving phishing emails with malicious attachments.

    And while workers may sometimes get distracted while juggling too many tasks at once or trying to meet a pressing deadline, the hope behind those security awareness training sessions is that they will all pause and take a second look before opening attachments they receive via email through the course of their workday.

    Is Security Awareness Training on Attachments Enough?

    Team members who receive consistent security awareness training are five times more likely to spot and avoid clicking on something malicious than employees without any training. 

    But are those same workers taking a pause and a second look before clicking a link that might be in the body copy of that same email? Today’s working environment has taught workers that a file can contain a malicious payload, but how many workers know that a malicious file can also make its way onto their device through the simple click of a link?

    It’s called HTML smuggling, and according to many online sources, its use is increasing, especially in targeted attacks where threat actors choose a victim and then set out to flood its workers with emails that appear to be urgent, asking them to download files containing important business reports or click on links leading to time-sensitive information.

    How Does HTML Smuggling Work?

    HTML smuggling leverages JavaScript and HTML5 features to deploy malware such as viruses and ransomware, banking trojans such as Mekotio and Trickbot, remote access trojans like AsyncRAT/NJRAT, and other malicious payloads. One attack method is to send an HTML file attachment in which the attacker has smuggled an encoded malicious script. When an unsuspecting user opens the HTML file in their browser, the browser runs the embedded JavaScript, which decodes the encoded content and assembles the malicious payload on the user’s device. This enables the attacker to build the malware locally, behind the firewall, instead of having the malicious executable pass through the network perimeter where it could be inspected.

    HTML Smuggling in Links

    A much more devious method is to use HTML5’s download attribute on anchor tags to trigger the download of a malicious file referenced in the href attribute. A worker clicks on a link, and that link carries the instructions for their device to fetch and then download a malicious file that will infect the device with malware.
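    Both delivery variants described above (an attached HTML file whose script decodes and assembles the payload in the browser, and a link whose download attribute hands a file to the user) leave recognisable traces in the HTML itself, which is what an email gateway or an analyst can inspect before a browser ever runs the page. The Python triage script below is an added example, not code from this post or from Mimecast. The indicator names, the risky-extension list and the three sample documents are constructed for the demonstration, and the "payload" encoded inside the samples is harmless text.

```python
import base64
import re
from html.parser import HTMLParser

# Indicator regexes for the JavaScript side of a smuggling page: decode an
# encoded blob, assemble it into a file, hand it to the user. The names are
# this example's own labels, not a vendor taxonomy.
SCRIPT_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ie_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

# File types a download= attribute should not normally hand to an email
# recipient. The list is an assumption; tune it to local policy.
RISKY_EXTENSIONS = (".exe", ".js", ".jse", ".vbs", ".hta", ".iso", ".img",
                    ".lnk", ".scr", ".bat", ".cmd", ".ps1", ".zip")


class _SmugglingParser(HTMLParser):
    """Collects <script> bodies and <a download> anchors from one HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.download_anchors = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "download" in attrs:
            # A bare `download` attribute parses as None; normalise it to "".
            self.download_anchors.append(
                {"href": attrs.get("href") or "", "download": attrs.get("download") or ""})
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def scan_html(html):
    """Return indicator hits, download anchors and a verdict for one HTML document."""
    parser = _SmugglingParser()
    parser.feed(html)
    parser.close()

    hits = {}
    for script in parser.scripts:
        for name, pattern in SCRIPT_INDICATORS.items():
            if pattern.search(script):
                hits[name] = hits.get(name, 0) + 1

    # Link-based variant: a download= anchor whose target is an inline
    # data:/blob: URI or whose suggested file name is a risky type.
    suspicious_anchors = [
        a for a in parser.download_anchors
        if a["href"].lower().startswith(("data:", "blob:"))
        or a["download"].lower().endswith(RISKY_EXTENSIONS)
    ]

    decode = bool({"base64_decode", "long_base64_literal"} & set(hits))
    assemble = bool({"blob_constructor", "object_url", "ie_save_blob"} & set(hits))
    trigger = "synthetic_click" in hits or bool(parser.download_anchors)

    if suspicious_anchors or (decode and assemble and trigger):
        verdict = "likely_smuggling"   # all three stages, or a risky download link
    elif hits:
        verdict = "review"             # some indicators, hand to an analyst
    else:
        verdict = "clean"

    return {"indicators": hits, "download_anchors": parser.download_anchors,
            "suspicious_anchors": suspicious_anchors, "verdict": verdict}


# Constructed samples. The "payload" is harmless text, encoded only so the
# detector sees a realistic-looking base64 blob.
_ENCODED = base64.b64encode(b"constructed sample text, not a payload. " * 8).decode()

SAMPLE_SCRIPT_SMUGGLING = (
    "<html><body><p>Loading your report...</p><script>"
    'var raw = atob("' + _ENCODED + '");'
    'var blob = new Blob([raw], {type: "application/octet-stream"});'
    'var link = document.createElement("a");'
    "link.href = URL.createObjectURL(blob);"
    'link.download = "Q3_report.iso";'
    "link.click();"
    "</script></body></html>"
)

SAMPLE_LINK_SMUGGLING = (
    '<html><body><a href="data:application/octet-stream;base64,' + _ENCODED
    + '" download="invoice.iso">Open your invoice</a></body></html>'
)

SAMPLE_BENIGN = (
    '<html><body><a href="reports/q3.pdf" download>Quarterly report (PDF)</a>'
    '<script>document.getElementById("y").textContent = new Date().getFullYear();</script>'
    "</body></html>"
)

if __name__ == "__main__":
    for label, doc in [("script", SAMPLE_SCRIPT_SMUGGLING),
                       ("link", SAMPLE_LINK_SMUGGLING),
                       ("benign", SAMPLE_BENIGN)]:
        result = scan_html(doc)
        print(f"{label:7s} -> {result['verdict']:17s} indicators={sorted(result['indicators'])}")
```

    The verdict is deliberately conservative: a single indicator only earns a "review", because legitimate pages also call `atob` or build blobs, while the combination of decode, assemble and trigger, or a download link pointing at an inline `data:` URI, is what the article describes and is rarely benign in an email attachment.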

    Now, factor in that the link in an email can be renamed anything and made to look like it is a link to a trusted website, even one that team members use every day. Imagine that link that seems very trustworthy arrives in an email that is made to look like it comes from a worker’s own organization or a vendor whose services they use regularly, and it can easily become apparent why some workers will immediately trust the link provided.

    Another Benefit of HTML Smuggling for Attackers

    Another benefit for attackers is that by using HTML smuggling, either via an attached HTML file or by placing their malicious code inside a link, they can completely bypass an organization’s restrictions on sending or receiving an executable file and other malicious file types by email.

    HTML Smuggling: Not New, But Still a Growing Threat

    HTML smuggling isn’t new: it was first seen in 2018. In 2020, Duri malware, which had previously been delivered via Dropbox links, was adapted to use HTML smuggling to improve compromise rates. More recently, ransomware gangs like Nobelium have been using HTML smuggling, indicating that this may be the beginning of a higher concentration of HTML smuggling in emerging threat campaigns.

    This is why it is so important for organizations to remember to include HTML smuggling in their security awareness training and seek out cybersecurity products that can combat this growing threat.

    Many workers are very likely much more aware of the potential dangers of downloading and opening an email attachment than they were just a few years ago, but it is just as critical that organizations’ team members be equally aware of the dangers of clicking a link in an email.

    Mimecast can assist organizations concerned about HTML smuggling through Security Awareness Training and Email Security with Targeted Threat Protection Attachment Protection and URL Protection.
