- HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage.
- Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious payload directly on the victim’s device.
- Talos has witnessed Qakbot attackers using a relatively new technique that leverages Scalable Vector Graphics images embedded in HTML email attachments.
Smuggling HTML using SVG
Below is a malicious Qakbot email. Qakbot is known to hijack a victim’s email and send itself out as a reply to an existing email thread. That behavior is on display here. One interesting facet of many email thread hijackers is that the email threads they hijack are often very old. This particular thread is from 2020.
The HTML attachment also displays a password that the victim must use to open the encrypted zip archive that was constructed locally on the victim’s machine.
If the user enters the attacker-supplied password and opens the zip archive, they can extract an .iso file. According to Cisco Secure Malware Analytics, the .iso file is intended to infect the victim with Qakbot.
Since HTML smuggling can bypass traditional network defenses, it is critical to deploy some sort of security protection to the endpoints in your environment. Having robust endpoint protection can prevent execution of potentially obfuscated scripts, and prevent scripts from launching downloaded executable content. Endpoint security can also enforce rules about which executables are trusted to run in your environment.
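As an added example (not code from the Talos post or its authors), the following Python triage heuristic inspects an HTML attachment for the traits described above: a script nested inside an `<svg>` element, long base64 blobs, and the browser APIs a smuggling script needs to decode and assemble a file locally. The indicator list and both sample attachments are constructed assumptions, not indicators taken from the Qakbot campaign.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristic traits of a smuggling script (assumed list, not Talos's detection rules).
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL", "msSaveOrOpenBlob", ".download")

class SvgScriptParser(HTMLParser):
    """Collect the bodies of <script> elements nested inside an <svg> element."""
    def __init__(self):
        super().__init__()
        self.svg_depth, self.in_script, self.scripts = 0, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth > 0:  # only scripts hidden inside the SVG
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def analyze_attachment(html):
    """Count SVG-embedded scripts, decode/assemble APIs and valid base64 runs of 40+ chars."""
    parser = SvgScriptParser()
    parser.feed(html)
    apis, blobs = set(), 0
    for body in parser.scripts:
        apis.update(api for api in SMUGGLING_APIS if api in body)
        for run in re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", body):
            try:
                base64.b64decode(run, validate=True)
                blobs += 1
            except ValueError:  # long token that is not real base64
                pass
    suspicious = bool(parser.scripts) and (blobs > 0 or len(apis) >= 2)
    return {"svg_scripts": len(parser.scripts), "apis": apis, "b64_blobs": blobs, "suspicious": suspicious}

# Constructed samples: an inert smuggling-style attachment (blob decodes to "AAA...") and a benign page.
SMUGGLED = """<html><body><p>See attached invoice.</p><svg xmlns="http://www.w3.org/2000/svg"><script>
var data = atob("QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB");
var url = URL.createObjectURL(new Blob([data], {type: "application/zip"}));</script></svg></body></html>"""
BENIGN = '<html><body><svg width="8" height="8"><circle r="4"/></svg><script>console.log("ok");</script></body></html>'
```

Run `analyze_attachment(SMUGGLED)` to see the flagged traits; a mail gateway could apply the same parser to every HTML attachment before it reaches the endpoint.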
Another good defense against HTML smuggling is educating your users about HTML smuggling attacks. For years, email security professionals have been repeating the mantra that users should not open suspicious email attachments or click links in suspicious messages. This is even more true today, given that HTML smuggling attacks can bypass some security devices and are increasing in frequency.
As network defenders improve their abilities to scan for malicious content, we can expect to see attackers looking to counter and evade such content filtering. HTML smuggling’s ability to bypass content scanning filters means that this technique will probably be adopted by more threat actors and used with increasing frequency.