According to Microsoft’s analysis, “HTML smuggling”, as the name implies, allows an attacker to “smuggle” an encoded malicious script into a specially crafted HTML attachment or web page. When a target user opens the HTML in their browser, the browser decodes the malicious script, which then assembles the payload on the host device. Rather than sending a harmful program over the network, the attacker builds the malware locally, behind the firewall.
Microsoft 365 Defender Threat Intelligence Team revealed that it discovered infiltrations propagating the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the infamous TrickBot malware. Menlo Security formally described the multi-staged assaults, termed ISOMorph, in July 2021.
Threat actors are increasingly relying on HTML smuggling in phishing campaigns to gain initial access and deliver a wide range of threats, such as banking malware, remote administration trojans (RATs) and ransomware payloads.
HTML smuggling attacks rely on legitimate uses of HTML and JavaScript in everyday corporate processes to stay hidden and relevant, and to evade organisations’ traditional mitigation procedures. Disabling JavaScript, for example, could reduce HTML smuggling that relies on JavaScript Blobs; JavaScript, however, is also what renders legitimate commercial and other web pages.
There are a variety of ways to implement HTML smuggling through obfuscation, as well as a variety of ways to code JavaScript, making the technique particularly elusive against content analysis. As a result, businesses require a true “defence in depth” approach as well as multi-layered protection.
Microsoft Defender for Office 365 detects and blocks HTML-smuggling links and attachments using dynamic protection technologies like machine learning and sandboxing.
Microsoft 365 Defender receives email threat signals from Defender for Office 365 and correlates them with threat data from the other domains it protects (email and data, endpoints, identities, and cloud apps) to reveal evasive, powerful threats.
The following rules have been successful in detecting malware-smuggling HTML attachments:
- A ZIP file containing JavaScript is attached.
- A password is required to open an attachment.
- A malicious script code has been found in an HTML file.
- A Base64 code is decoded in an HTML page, and JavaScript is obfuscated in a JavaScript file.
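The four rules above can be approximated as a triage pass over email attachments. The script below is an added example for this article, not Microsoft’s detection logic: it inspects HTML attachments for the traits that characterise smuggled payload assembly (a Base64 decode, a Blob, a forced download, string evaluation, and a long embedded Base64 run) and inspects ZIP attachments for script files and password protection. The regexes, the “two or more traits” threshold and the sample attachments are constructed assumptions; the payload inside the sample HTML is 300 zero bytes, not malware.

```python
"""Heuristic attachment triage for the HTML-smuggling indicators listed above.
Added example (not Microsoft's detection logic); regexes, thresholds and the
sample attachments are constructed assumptions."""
import base64
import io
import re
import zipfile

# Script-level traits: a smuggled payload is typically Base64-decoded in the
# browser, wrapped in a Blob and handed to the download machinery.
HTML_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_assembly": re.compile(r"\bnew\s+Blob\s*\("),
    "forced_download": re.compile(r"\bdownload\s*=|msSaveOrOpenBlob|createObjectURL"),
    "string_eval": re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\("),
}
# A long run of Base64 alphabet inside <script> is usually the payload itself.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def analyse_html(data: bytes) -> dict:
    """Scan only the <script> bodies of an HTML attachment for smuggling traits."""
    text = data.decode("utf-8", errors="replace")
    scripts = "\n".join(SCRIPT_RE.findall(text))
    hits = [name for name, rx in HTML_INDICATORS.items() if rx.search(scripts)]
    if LONG_BASE64.search(scripts):
        hits.append("embedded_base64_payload")
    # A lone download link or atob() call is common in legitimate pages; the
    # combination of traits is what marks smuggling (threshold is an assumption).
    return {"kind": "html", "indicators": hits, "suspicious": len(hits) >= 2}


def analyse_zip(data: bytes) -> dict:
    """Flag archives that carry JavaScript files or are password-protected."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    if any(i.filename.lower().endswith(".js") for i in infos):
        hits.append("script_in_archive")
    # General-purpose flag bit 0 is set on encrypted (password-protected) entries.
    if any(i.flag_bits & 0x1 for i in infos):
        hits.append("password_protected")
    return {"kind": "zip", "indicators": hits, "suspicious": bool(hits)}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Dispatch on extension; other attachment types are left to other scanners."""
    lower = filename.lower()
    if lower.endswith((".html", ".htm")):
        return analyse_html(data)
    if lower.endswith(".zip"):
        return analyse_zip(data)
    return {"kind": "other", "indicators": [], "suspicious": False}


# ---- constructed fixtures (not real malware; the payload is 300 zero bytes) ----
FILLER_B64 = base64.b64encode(b"\x00" * 300).decode()
SMUGGLING_HTML = f"""<html><body><p>Your invoice is ready.</p><script>
var raw = atob("{FILLER_B64}");
var blob = new Blob([raw], {{type: "application/octet-stream"}});
var a = document.createElement("a"); a.download = "invoice.zip";
</script></body></html>""".encode()

BENIGN_HTML = b"""<html><body><h1>Quarterly report</h1><script>
document.getElementById("date").textContent = new Date().toDateString();
</script></body></html>"""


def build_zip(entries: dict, password_protected: bool = False) -> bytes:
    """Build an in-memory ZIP for testing. zipfile cannot write encryption, so
    password protection is simulated by setting the 'encrypted' flag bit in the
    local (offset 6) and central-directory (offset 8) headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    out = bytearray(buf.getvalue())
    if password_protected:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = out.find(sig)
            while i != -1:
                out[i + off] |= 0x01
                i = out.find(sig, i + 1)
    return bytes(out)


if __name__ == "__main__":
    samples = {
        "invoice.html": SMUGGLING_HTML,
        "report.html": BENIGN_HTML,
        "docs.zip": build_zip({"readme.txt": "hello"}),
        "scan.zip": build_zip({"scan.js": "// script stub"}),
        "secure.zip": build_zip({"doc.pdf": "%PDF-"}, password_protected=True),
    }
    for name, data in samples.items():
        print(name, triage_attachment(name, data))
```

Only the `<script>` bodies are scored so that a Base64-encoded image in an `<img>` tag does not trip the payload rule, and the HTML verdict requires two traits together because a single `atob()` or `download=` is ordinary in legitimate pages; ZIP verdicts fire on a single trait, mirroring the two standalone ZIP rules above. Obfuscated scripts that build the `atob`/`Blob` names at runtime will evade these regexes, which is exactly why the article argues for sandboxing and endpoint telemetry on top of content inspection.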
Earlier this May, Nobelium, the threat group behind the SolarWinds supply chain hack, was discovered using this exact tactic to deliver a Cobalt Strike Beacon as part of a sophisticated email-based attack aimed at government agencies, think tanks, consultants, and non-governmental organisations in 24 countries, including the United States.
Beyond espionage operations, HTML smuggling has been used in banking malware attacks involving the Mekotio trojan, with attackers sending spam emails containing a malicious link that, when clicked, downloads a ZIP file that contains a JavaScript file downloader to retrieve binaries capable of credential theft and keylogging.
The researchers concluded that there are a variety of ways to implement HTML smuggling through obfuscation, as well as a variety of ways to code JavaScript, making the technique highly elusive. As a result, organisations require a true “defence in depth” approach and a multi-layered security solution that examines email delivery, network activity, endpoint behaviour, and follow-on attacker behaviours.