Microsoft warns of surge in HTML smuggling attacks delivering banking malware

Microsoft has warned that HTML smuggling, a relatively contemporary phishing technique, is on the rise. The technique is being used to deploy banking malware and remote access trojans in targeted attacks.

The “highly evasive” technique allows hackers to smuggle in malicious scripts made to look legitimate, which then deploy a payload on the affected computer.

According to the Microsoft 365 Defender Threat Intelligence Team, HTML smuggling “leverages legitimate HTML5 and JavaScript features” to smuggle malicious code. The code is smuggled “within a specially crafted HTML attachment or web page.”

HTML smuggling allows a hacker to smuggle in the code to assemble a payload within the target’s browser. “When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device”, Microsoft clarifies. 
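As an added example (not code from Microsoft or from this article), here is a static heuristic a mail gateway could run over HTML attachments to spot the in-browser assembly described above. The indicator list (`atob`, `Blob`, `URL.createObjectURL`, `msSaveOrOpenBlob`, the `download` attribute), the 200-character threshold and both sample documents are assumptions constructed for illustration.

```python
import re

# Assumed heuristic: flag HTML that decodes embedded data, builds a file object
# in the browser and triggers a save, without fetching the file over the network.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\s*\.\s*createObjectURL\s*\("),
    "legacy_save_blob": re.compile(r"\bmsSave(?:OrOpen)?Blob\s*\("),
    "download_attribute": re.compile(r"<a\b[^>]*\sdownload\b|\.download\s*=", re.I),
    "scripted_click": re.compile(r"\.click\s*\(\s*\)"),
}
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # threshold is an assumption


def scan_html(html: str) -> dict:
    """Return matched indicators, the largest encoded run and a verdict."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    largest = max((len(m) for m in LONG_BASE64.findall(html)), default=0)
    builds_file = bool(hits & {"blob_constructor", "legacy_save_blob"})
    saves_file = bool(hits & {"download_attribute", "legacy_save_blob", "object_url"})
    carries_data = largest > 0 and "base64_decode" in hits
    return {
        "indicators": sorted(hits),
        "largest_base64_run": largest,
        "suspicious": builds_file and saves_file and carries_data,
    }


# Constructed samples: the encoded filler decodes to repeated "A" bytes.
SAMPLE_FLAGGED = (
    "<html><body><script>"
    'var raw = atob("' + "QUFB" * 100 + '");'
    "var blob = new Blob([raw]);"
    'var a = document.createElement("a");'
    "a.href = URL.createObjectURL(blob);"
    'a.download = "placeholder.bin"; a.click();'
    "</script></body></html>"
)
# An ordinary download link plus a short atob() call must not be flagged.
SAMPLE_CLEAN = (
    '<html><body><a href="/files/report.pdf" download>Report</a>'
    '<script>var label = atob("UmVwb3J0");</script></body></html>'
)

if __name__ == "__main__":
    for name, doc in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(doc))
```

Requiring all three behaviours together keeps ordinary pages that use only one of these features, such as a plain download link, from being flagged.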

This new technique could be a cause for concern, as traditional social engineering techniques still require some clever convincing to pull off. Convincing a victim to download malware can be tricky, with security and antivirus software pulling their weight. Assembling the payload after smuggling in code essentially removes one step from the process.

HTML Smuggling Attacks 

HTML smuggling is not an entirely new technique, but it has been on the rise recently. Microsoft noted a few high-profile cases that made use of HTML smuggling as part of a cyberattack. With more high-profile cases showcasing the technique, it will likely see more frequent use.

In May, Russian threat actor Nobelium made use of HTML smuggling as part of a large-scale spear-phishing campaign against SolarWinds. Microsoft Threat Intelligence Center (MSTIC) observed HTML attachments included in the spear-phishing emails targeted at SolarWinds. “MSTIC noted that the spear-phishing email used in that campaign contained an HTML file attachment, which, when opened by the targeted user, uses HTML smuggling to download the main payload on the device.”

Microsoft also stated that in September, an email campaign emerged that used HTML smuggling to deploy banking malware known as Trickbot. Trickbot is malware that is designed to steal banking information from customers and businesses. 

Microsoft clarifies that the email campaign included a “specially crafted HTML page as an attachment to an email message purporting to be a business report.”
