HTML smuggling is a new attack vector rising in popularity among cyber criminals and nation-state-sponsored threat actors. The technique leverages HTML5 and JavaScript to “smuggle” an encoded malicious script embedded in a specially crafted HTML attachment or web page. When the victim opens the HTML attachment or clicks on a link, they are taken to an HTML page whose script decodes the embedded content and assembles the malicious payload on the user’s system: in essence a “flatpack” made up of a series of components that are assembled after delivery. Thus no complete malicious file passes through the network; instead its components are delivered via the web page and assembled on the victim’s device. Additional obfuscation within the HTML can further hide the true purpose of the script.
This technique is typically used in malicious email campaigns designed to deliver malware or remote access Trojans (RATs) to unsuspecting users. Because of the “flatpack” format, traditional server-side perimeter security technologies cannot detect HTML smuggling threats: the payload is only assembled after it has passed the perimeter. The common mitigation strategy for HTML smuggling is disabling JavaScript, which unfortunately also breaks a company’s own web pages and web applications, severely limiting its ability to communicate and do business with its customers. Alternative mitigation strategies include the use of scanning and threat monitoring tools specifically designed to detect HTML smuggling attacks.
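The scanning tools mentioned above work by looking for the browser APIs that decode and "reassemble" the flatpack, together with the long encoded blob that feeds them. The following is an added illustration of such a heuristic scanner, not code from this article or from any vendor's product; the marker list, weights and threshold are assumptions chosen for the example, and the two HTML samples are constructed.

```python
import re
from dataclasses import dataclass, field

# Weighted markers of the decode-in-browser, drop-a-file pattern (weights are an
# assumption chosen for this illustration, not a published scoring scheme).
MARKERS = [
    (r"\batob\s*\(", 2),                    # base64 decode in the browser
    (r"\bnew\s+Blob\s*\(", 2),              # assemble a file object in memory
    (r"URL\.createObjectURL\s*\(", 2),      # expose the blob as a downloadable URL
    (r"\.download\s*=", 1),                 # set a filename on an anchor element
    (r"\.click\s*\(\)", 1),                 # trigger the download without a user click
    (r"\bUint8Array\b|\bcharCodeAt\b", 1),  # byte-level reassembly of the "flatpack"
]
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")  # long encoded blob
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    longest_b64: int = 0
    suspicious: bool = False

def scan_html(html: str, threshold: int = 5) -> Verdict:
    """Score every inline <script> in an HTML document for smuggling indicators."""
    v = Verdict()
    for script in SCRIPT_RE.findall(html):
        for pattern, weight in MARKERS:
            if pattern not in v.hits and re.search(pattern, script):
                v.hits.append(pattern)
                v.score += weight
        for blob in B64_LITERAL.findall(script):
            v.longest_b64 = max(v.longest_b64, len(blob))
    if v.longest_b64:
        v.score += 3  # an embedded payload blob on top of the API markers
    v.suspicious = v.score >= threshold
    return v
# Constructed samples: FILLER is 80 base64-alphabet characters, not a real payload.
FILLER = "QUFB" * 20
SAMPLE_SUSPICIOUS = (
    '<html><body><script>\nvar d = "' + FILLER + '";\nvar bin = atob(d);\n'
    "var bytes = new Uint8Array(bin.length);\n"
    "for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);\n"
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a");\na.href = URL.createObjectURL(blob);\n'
    'a.download = "invoice.zip";\na.click();\n</script></body></html>'
)
SAMPLE_BENIGN = ('<html><body><script>\nfetch("/api/status").then(r => r.json())'
                 '.then(j => { document.title = j.state; });\n</script></body></html>')
```

Running `scan_html` on an email attachment before it reaches the user's browser flags the first sample and leaves the second alone; in practice the same markers also survive common obfuscation only partially, so a real tool pairs this with de-obfuscation or sandboxed rendering.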