According to the firm, the highly evasive attack method is being increasingly used in targeted email campaigns to distribute a variety of malware. As the name suggests, HTML smuggling lets an attacker ‘smuggle’ an encoded malicious script within a specially crafted HTML attachment or web browser.
Key points
Microsoft stated that one of the notable attack campaigns leveraging the technique was observed in May when the notorious Nobelium APT group launched a massive spear-phishing campaign to propagate the Cobalt Strike Beacon. The targeted organizations involved government agencies, consultants, and private firms across 24 countries.
Since then, there has been a rise in the use of the attack method.
In July and August, adversaries employed HTML smuggling attacks to deploy AsyncRAT/NJRAT, while in September the method was used to deploy TrickBot, likely by DEV-0193, an emerging financially motivated cybercrime gang.
What does this indicate?
HTML smuggling presents challenges to traditional security solutions. Researchers note that the surge in the use of this technique in email campaigns is an example of how attackers are continuously refining their evasive tactics.
The evolution and adoption of such evasion tactics also throw light on the current state of the underground economy, where TTPs get commoditized when deemed effective.
Strengthen security to stay safe
Preventing such attacks is possible by disabling JavaScript in the browser. However, this would severely affect the browsing experience as it breaks many modern websites. Therefore, users should stay wary of phishing emails in the first place to avoid clicking on malicious links. Additionally, plugging unpatched security holes also helps organizations prevent attacks.