Back in May, Microsoft identified the Russian state-backed group NOBELIUM, the actor it holds responsible for the SolarWinds compromise, as the source of a string of similar intrusions in recent months, and began working with businesses, governments, and law enforcement to limit the damage from those attacks.
Earlier today Microsoft went a step further and highlighted ‘HTML smuggling,’ one of the more sophisticated delivery techniques NOBELIUM uses to get an initial payload onto a system and gain a foothold. Microsoft warns customers to be on the lookout, as use of the technique has increased recently.
According to Microsoft, HTML smuggling abuses legitimate HTML5 and JavaScript features to assemble the malicious file on the victim’s computer rather than sending it over the network. The HTML attachment or web page carries the payload as encoded text inside a script; when the page is opened, the script decodes it in the browser, wraps it in a JavaScript Blob, and drops it to disk as a download. Phishing emails deliver the specially crafted HTML attachment or direct the intended victim to a malicious web page containing the script.
According to Microsoft, the Russia-linked threat actor NOBELIUM used the technique in a series of attacks in May. The same method is now being used by other groups to deliver AsyncRAT/NJRAT, Trickbot, and the banking Trojan Mekotio.
The technique lets adversaries bypass standard perimeter controls that inspect network traffic for suspicious attachments or patterns: what crosses the firewall is an HTML file containing encoded text, and the malicious executable only comes into existence when the browser runs the script on the endpoint. Gateways, proxies, and sandboxes that look for a known-bad attachment in transit never see one.
Disabling JavaScript would stop this loader from running, but that is rarely feasible in enterprise environments, where business applications and other legitimate resources depend on it. Microsoft therefore advises a multi-layered defensive strategy rather than relying on any single control.