According to Microsoft's analysis, "HTML smuggling" does what the name implies: it lets an attacker "smuggle" an encoded malicious script into a specially crafted HTML attachment or web page. When the target user opens the HTML in their browser, the browser decodes the malicious script, which then assembles the payload on the host device. Rather than sending a harmful program across the network, the attacker builds the malware locally, behind the firewall.
The Microsoft 365 Defender Threat Intelligence Team reported that it observed intrusions delivering the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the notorious TrickBot malware. Menlo Security formally described the multi-stage attacks, dubbed ISOMorph, in July 2021.
Threat actors rely heavily on HTML smuggling in phishing campaigns to gain initial access and deliver a wide range of threats, including banking malware, remote administration trojans (RATs) and ransomware payloads.
Microsoft Defender for Office 365 detects and blocks HTML-smuggling links and attachments using dynamic protection technologies such as machine learning and sandboxing.
Microsoft 365 Defender receives email threat signals from Defender for Office 365, which provides advanced protection across each domain (email and data, endpoints, identities, and cloud apps) and correlates threat data from these domains to reveal evasive, sophisticated threats.
The following rules have proven effective at detecting malware-smuggling HTML attachments:
- An attachment requires a password to open.
- Malicious script code was found in an HTML file.
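To make the technique and the second detection rule concrete, here is an added example of a heuristic scanner for HTML attachments. It is not Microsoft's detection logic and not code from the original article: it looks for the browser-side primitives the description above relies on (decoding in the browser, building a Blob, handing it to the user as a download) and inspects any large base64 string for an archive or executable header, which should never appear inside an HTML attachment. The indicator weights, the threshold and both sample documents are constructed assumptions for this example; the "smuggling" fixture carries only a zero-filled blob with a zip header, not a real payload.

```python
"""Heuristic scanner for HTML-smuggling indicators in HTML attachments (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Indicators of in-browser payload assembly. Weights are assumptions for this example.
INDICATORS = {
    "atob_decode":      (re.compile(r"\batob\s*\("), 2),                # base64 decoding in the browser
    "blob_construct":   (re.compile(r"\bnew\s+Blob\s*\("), 2),          # file built in memory
    "object_url":       (re.compile(r"createObjectURL\s*\("), 2),       # blob exposed as a downloadable URL
    "legacy_save_blob": (re.compile(r"msSaveOrOpenBlob\s*\("), 3),      # legacy IE/Edge save-to-disk API
    "download_attr":    (re.compile(r"\.download\s*=|<a[^>]*\sdownload\b"), 1),
    "synthetic_click":  (re.compile(r"\.click\s*\(\s*\)"), 1),          # download triggered without user action
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64 run worth decoding

# File headers that have no business inside an HTML attachment's embedded data.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"Rar!": "rar", b"7z\xbc\xaf": "7z"}


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    embedded_types: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: decode + assemble + deliver, or any embedded archive/executable.
        return self.score >= 5 or bool(self.embedded_types)


def scan_html(text: str) -> Verdict:
    """Score an HTML document for smuggling indicators and embedded binaries."""
    v = Verdict()
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            v.hits.append(name)
            v.score += weight
    for m in BASE64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64; skip
        for magic, kind in MAGIC.items():
            if raw.startswith(magic):
                v.embedded_types.append(kind)
    return v


# Constructed sample 1: an ordinary page that builds a Blob for a benign CSV export.
BENIGN_HTML = """<html><body><div id="out"></div>
<script>
  const csv = new Blob(["a,b\\n1,2"], {type: "text/csv"});
  document.getElementById("out").textContent = "ready";
</script></body></html>"""

# Constructed sample 2: a fixture with the smuggling primitives and a zero-filled
# blob that only carries a zip header (harmless; exists solely to exercise MAGIC).
_FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 160).decode()
SMUGGLING_HTML = f"""<html><body><script>
  var data = atob("{_FAKE_ZIP_B64}");
  var blob = new Blob([data], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
  a.click();
</script></body></html>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        v = scan_html(doc)
        print(f"{label}: suspicious={v.suspicious} score={v.score} hits={v.hits} embedded={v.embedded_types}")
```

The benign page trips only the Blob indicator and stays below the threshold, while the fixture accumulates the full decode-assemble-deliver chain and additionally reveals a zip header in its embedded data, so either signal alone would flag it. In a mail gateway this check would sit alongside the password-protected-attachment rule above, since a password is the other common way to keep the real content out of sight of static inspection.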
Earlier this May, Nobelium, the threat group behind the SolarWinds supply chain attack, was found using this exact tactic to deliver a Cobalt Strike Beacon as part of a sophisticated email-based campaign aimed at government agencies, think tanks, consultants and non-governmental organisations in 24 countries, including the United States.