HTML Smuggling Attacks: What They Are and How to Protect Your Network

HTML smuggling is a technique that lets attackers compromise organizations by using malicious HTML and JavaScript code to evade detection by the solutions in your defense stack, such as EDR and email security products.



In this article, you'll find the tools and instructions required to configure your existing defenses effectively against this threat, so that you are prepared for adversaries using this technique for mass deployment of malware, remote access trojans (RATs) and other payloads that can cause serious damage and disruption to your operations.

Why Does HTML Smuggling Allow Evading Email Security Controls?


While this technique has been documented by MITRE ATT&CK, it continues to evolve, as it is actively used by ransomware groups such as BlackCat to deploy precursor malware such as QakBot, Trickbot and the Mekotio trojan, and backdoors such as AsyncRAT and njRAT. This way, they prepare the ground to successfully carry out ransomware attacks on unsuspecting organizations.
 
Cybercriminals send phishing emails containing these malicious code snippets, which allow them to infect Linux, Windows and macOS devices. Unwary employees download an apparently legitimate HTML file, which typically is not flagged as dangerous by EDR or email security solutions.



Then, unaware of the looming threat, the user opens the HTML file and the malicious code runs in their browser, which renders the code and installs the malicious payload on the unwitting user's device. From then on, adversaries have access to the organization, which will likely lead to a ransomware attack and all the physical and reputational damage this implies.
Watch this video by the renowned cybersecurity expert Chase Cunningham to learn about this technique in more detail.

How can I protect my organization from this attack? 

This type of attack can have terrible consequences for any type of organization. With this in mind, we have prepared a step-by-step guide to configure the most common corporate email providers to protect your users from cybercriminals attempting to use this technique against them.

Blocking HTML attachments on Google Workspace (G-suite)

Be aware that the steps and interface described in this guide may vary according to your own settings and specific Google Workspace version.
1. Log in to the management console
2. Click on Apps > Google Workspace > Gmail > Attachment Compliance



3. In the Attachments Compliance section, select Add Another Rule, then configure the following options:
  1. Email messages to affect
    1. Inbound
  2. Add expressions that describe the content you want to search for in each message
    1. Custom file types: htm, html.
  3. If the above expressions match, choose between the two options below to handle the email according to your needs:
    1. Quarantine message
    2. Reject message.

4. Finally, make sure to Save the configuration.
These settings will block all HTML attachments, both sent and received. If your organization requires exceptions for specific HTML files, you can create them with the Add Custom Rule option, where you can set the specific conditions for each exception.

Blocking HTML attachments on Office365

Be aware that the steps and interface described in this guide may vary according to your own settings and specific Office 365 version.
1. Log in to the management console.
2. Click on Admin Centers > Exchange > Mail Flow > Rules > Add Rule
3. Select the plus "+" button to create a new rule 


4. Assign an identifiable name to the rule you wish to create. For example "Block HTML attachments"
5. Now, in the Apply this rule if section, select The message properties match any of these conditions
6. In the Select property parameter, pick File extension includes these words.


7. Then, in the Enter a value field, enter *.html
8. In the Do the following field, select one of the options below to handle the incident according to your needs:
  1. Redirect the message to hosted quarantine
  2. Reject the message with the explanation
9. If you opted for rejecting the message, enter the explanation that will be used when doing so.
10. Save your settings.


These settings will block all HTML attachments, both sent and received. If your organization requires exceptions for specific HTML files, you can create a custom rule with specific conditions according to your situation. 
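The two rules above match on the attachment extension (htm/html). The following Python script is an added example, not Lumu's code nor anything from Google or Microsoft: it applies that same condition to a raw .eml file so you can test what the rule would catch, and additionally flags HTML attachments that use the browser APIs HTML smuggling relies on to rebuild a file client-side (atob, Blob, URL.createObjectURL, msSaveOrOpenBlob, the download attribute), which also catches attachments declared as text/html under another extension. The sample message it builds is constructed for the test and contains only those API names, no payload.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions the Google Workspace and Exchange rules above match on.
BLOCKED_EXTENSIONS = (".htm", ".html")

# Browser APIs HTML smuggling uses to rebuild a file client-side; a triage signal.
SMUGGLING_PATTERNS = [
    r"\batob\s*\(", r"\bnew\s+Blob\s*\(", r"\bURL\.createObjectURL\s*\(",
    r"\bmsSaveOrOpenBlob\b", r"\bdownload\s*=",
]

def analyze_attachment(part):
    """Return a finding for an HTML attachment (by extension or declared type)."""
    filename = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    by_extension = filename.endswith(BLOCKED_EXTENSIONS)
    if not by_extension and ctype != "text/html":
        return None
    text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return {
        "filename": filename,
        "content_type": ctype,
        "blocked_by_extension_rule": by_extension,   # what the mail rules above catch
        "smuggling_indicators": [p for p in SMUGGLING_PATTERNS if re.search(p, text)],
    }

def scan_eml(raw):
    """Parse a raw RFC 822 message (bytes) and report every HTML attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [f for f in map(analyze_attachment, msg.iter_attachments()) if f]

def build_sample_eml():
    """Constructed test message: text body plus an HTML attachment holding only the API names above."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("Please open the attached invoice.")
    html = (b"<html><body><script>\n"
            b"var bytes = atob(encoded); var blob = new Blob([bytes]);\n"
            b"var link = URL.createObjectURL(blob);\n"
            b'</script><a download="invoice.pdf">open</a></body></html>')
    msg.add_attachment(html, maintype="text", subtype="html", filename="invoice.html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_eml(build_sample_eml()))
```

Run it against a real message with `scan_eml(open("message.eml", "rb").read())`; a finding with `blocked_by_extension_rule` set to False but non-empty indicators is HTML content the extension rule alone would not stop.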

Sources:
"HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks"
