Description
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding files of a given media (MIME) type inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.
For example, JavaScript Blobs can be abused to dynamically generate malicious files on the victim machine, which may then be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)
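As an added example (not part of the ATT&CK entry or its cited sources), a small Python scanner that applies the description above from the filtering side: it looks for the Blob / createObjectURL / msSaveOrOpenBlob / download-attribute pattern in an HTML file and decodes the head of any long base64 literal to identify the embedded file by its magic bytes, which is the inspection a content filter that trusts the text/html MIME type never performs. The indicator weights, the sample HTML and its placeholder "archive" are all constructed here.

```python
import base64
import re

# Static indicators of the Blob / object-URL / download-attribute pattern.
# Each entry is a regex and a weight; a file is flagged at the threshold.
INDICATORS = {
    "blob_constructor": (r"new\s+Blob\s*\(", 2),
    "object_url":       (r"URL\.createObjectURL\s*\(", 2),
    "ms_save_blob":     (r"msSave(OrOpen)?Blob\s*\(", 3),
    "download_attr":    (r"\.download\s*=|<a[^>]+\bdownload\b", 1),
    "base64_decode":    (r"\batob\s*\(", 1),
    "data_url_base64":  (r"data:[\w/+.-]+;base64,", 1),
}
# Quoted base64 runs long enough to be a file rather than a short token.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"Rar!": "rar"}

def sniff_embedded(html: str) -> list:
    """Decode the head of each long base64 literal and name it by magic bytes."""
    found = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            head = base64.b64decode(m.group(1)[:64], validate=True)
        except ValueError:
            continue
        found.extend(name for magic, name in MAGIC.items() if head.startswith(magic))
    return found

def scan_html(html: str, threshold: int = 4) -> dict:
    """Score one HTML document; an embedded file type weighs more than API names."""
    hits = {n: w for n, (rx, w) in INDICATORS.items() if re.search(rx, html)}
    types = sniff_embedded(html)
    score = sum(hits.values()) + 3 * len(types)
    return {"score": score, "indicators": sorted(hits), "embedded": types,
            "suspicious": score >= threshold}

# Constructed sample, not taken from the page: the "archive" is just a ZIP
# signature followed by zeros, so the HTML carries no real file.
_FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SMUGGLED_HTML = f"""<html><body><script>
var raw = atob("{_FAKE_ZIP_B64}"), arr = new Uint8Array(raw.length);
for (var i = 0; i < raw.length; i++) arr[i] = raw.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>"""
BENIGN_HTML = '<html><body><p>Hi</p><script>console.log("hi")</script></body></html>'
```

Running `scan_html(SMUGGLED_HTML)` reports a score of 9 with the embedded type `zip`, while the benign page scores 0; in practice the same check belongs at the mail gateway or web proxy, where the HTML is still text and has not yet been executed by a browser.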
Platforms
Mitigations (1)
Application Isolation and Sandboxing (M1048)
Use Browser Extensions or Built-in Security Tools that:
- Monitor JavaScript API calls such as Blob, URL.createObjectURL, and msSaveOrOpenBlob
- Intercept and analyze HTML5 download attributes for suspicious payload generation
- Alert or block behaviors that match known HTML smuggling patterns (e.g., blob-to-disk payload construction)
Apply Content Security Policy (CSP) headers to:
- Re
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware e... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) has been delivered in ZIP files via HTML smuggling.(Citation: Trend Micro Black Basta October 2022)(... |
| S0634 | EnvyScout | Malware | [EnvyScout](https://attack.mitre.org/software/S0634) contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk... |
References
- Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.
- Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
- Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.
- Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved September 12, 2024.
Frequently Asked Questions
What is T1027.006 (HTML Smuggling)?
T1027.006 is a MITRE ATT&CK technique named 'HTML Smuggling'. It belongs to the Stealth tactic(s). Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs...
How can T1027.006 be detected?
Detection of T1027.006 (HTML Smuggling) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.006?
There is 1 documented mitigation for T1027.006. Key mitigations include: Application Isolation and Sandboxing.
Which threat groups use T1027.006?
Known threat groups using T1027.006 include: APT29.