‘HTML Smuggling’ technique identified in increasing Russian-backed NOBELIUM spear-phishing attacks

Kareem Anderson


Back in May, Microsoft identified Russian-back cyber attackers NOBELIUM as responsible for SolarWinds-like hacks over the past few months and began working with companies, governments and law enforcement to curb the negative outcomes from such cyber-attacks.

Earlier today, Microsoft went a step further and highlighted one of the more sophisticated malware delivery methods used by NOBELIUM to cause havoc and gain access to systems dubbed ‘HTML Smuggling’, and warns customers to be on the lookout as its use has increased in recent times.

According to Microsoft,

HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.

As the name suggests, HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall.

More specifically, the attack manifest itself in two ways: as a link to the HTML smuggling page included with the original email message or as the redirected landing page itself which then prompts an automatic download sequence. In identifying the HTML Smuggling hack, Microsoft has come up with some real-world examples banks and users need to be on the defensive about such as leveraging Outlook for the following process:

At the end of the day Microsoft is suggesting its own wares to help protect against HTML smuggling threats. Defender 365 is said to use a multi-layered approach towards defending against cyber threats and mitigating circumstances by preventing execution higher up on the attack chain. A bevy of Microsoft tools such as M365 Defender, Microsoft Defender for Office 365, Safe Links, Safe Attachments, Endpoint (EDR) Advance Hunting, and Smart Screen all work in conjunction to reduce the number of successful phishing attacks as well a mitigate the outcomes from more sophisticated attacks.

Beyond Microsoft’s own security solutions, it’s highly recommended users and customers familiarize themselves various malware infections, practice good credential hygrine and, limit the number of local or domain admin privileges as the bare minimum.