emPower
signs of HTML smuggling

How Phishing Emails Can Bypass Your Email Security Using HTML Smuggling

Kaspersky Labs has raised red flag against a new form of phishing emails. These email use HTML file attachments to phish their targets. Although such emails started spiking in 2019, this technique has become a common form of phishing in 2022. Between January and April, Kaspersky has detected more than 2 million phishing emails of this type.

Generally, phishing uses fake webpages and email attachments to trick their victims. To counter such attacks, security software scan incoming emails, and block those with suspicious content. But, with this new technique, such emails can evade detection by security software.

How Phishing Emails Can Bypass Your Email Security Using HTML Smuggling

This is how it works. The emails contain an HTML attachment or a zipped file. When the user opens the attachment, it runs a malicious script. Threat actors are using these attachments to redirect users to malicious websites and display spoofed login forms. These attachment are being used for installing malware over corporate networks.

Unfortunately, as HTML is not malicious, mail security tools fail to mark the messages as phishing attempts. Thus, increasing the number of phishing emails that reach victims’ inboxes.

In addition, security researchers have founds signs of HTML smuggling as well.

What is HTML Smuggling

HTML smuggling is the use of HTML5 and JavaScript to hide malicious payloads in HTML attachments and web pages. Using this technique, such emails can be made to look harmless. Some emails were also found be using deprecated functions.

With HTML smuggling, attackers can fool email security tools. Unfortunately, these tactics work against anti-spamming engines as well. In addition, attackers can bypass firewalls and security systems, and install malicious payload. Under normal circumstances, such payload gets quarantined by your security software.

So be cautious, when dealing with emails that have HTML or zipped attachments. Even by trying to open the attachment, you might end up triggering the malware. Once triggered, the malware would first compromise your security software. Then, it would pave the way for more vicious attacks.

For instance, with HTML smuggling, threat actors can install a remote access trojan (RAT) on your device. Once installed, it would permit the attacker to access your device. This access can be used to hack your office network. Once in your office network, the hackers can steal data, manipulate records, and install more malware. This is how ransomware attacks propagate.

Two advisories should highlight the seriousness of this issue to you. First one is from Microsoft. In Novemeber, last year, their researches pointed out the use of HTML smuggling by the Nobelium group. Later on, Mekotio banking Trojan campaigns were also found to be using this technique.

The second one was released just last week. In this brief,HP Wolf Security noted a 27 fold increase in Emotet spam campaigns compared to the previous quarter. This means that the dreaded malware is spreading fast once again. As per some researchers, the Emotet group too uses HTML smuggling to infect victim devices.

In Conclusion

To sum it up, it’s quite urgent for security team to address this treat. You should consider putting in place new email behavior rules. This should include checking attached zip files for JavaScript, or checking files that try to obscure JavaScript, or checking files for suspicious code.

You should also consider blocking the execution of obscure scripts and prevent JavaScript or VB Script from launching executables. In fact, you should keep an eye on all executables that fail to meet your security policy.

Jessica Holland

Jessica Holland

Like this post? Subscribe to receive updates directly in your inbox.