Microsoft Security Team Identified HTML Smuggling Operation, Here's How It Works
Microsoft's cybersecurity team has identified an HTML smuggling campaign delivered via email. (photo: unsplash)

JAKARTA - Over recent weeks, the Microsoft security team has identified a spam email operation that uses a technique called "HTML smuggling". The technique is used to circumvent email security measures and deliver malware to the user's device.

HTML smuggling is a method of evading security systems by generating the malicious content behind the firewall, in the browser on the targeted endpoint.

By taking advantage of HTML5 and JavaScript features, it bypasses conventional network security controls such as sandboxes, proxies, and email scanners. The malicious code is generated on the target device, in the browser, which already sits inside the network security perimeter.

Network security solutions typically work by analyzing the 'wire', the flow of information across the network, looking for known signatures and malware patterns in the byte stream. With HTML smuggling, the malicious payload is assembled in the browser on the target device, so no recognizable item ever crosses the network security system where it could be detected.

The basic concept behind HTML smuggling is to include in the email links or HTML documents that do not look dangerous when scanned, rather than file types that email security programs consider dangerous, such as EXE, DOC, MSI, and others.

In addition, it uses HTML attributes such as "href" and "download", together with JavaScript code, so that when the URL is accessed the malicious file is assembled inside the browser.
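The browser-side assembly described above (a base64 literal decoded by JavaScript, wrapped in a Blob, and handed to an anchor with a "download" attribute) leaves static traces in the HTML itself, even though nothing recognizable crosses the wire as a file. The following Python script is an added example, not code from Microsoft or from the article: it is a triage heuristic a mail gateway or analyst could run over an HTML attachment or linked page. The indicator regexes, the scoring threshold, and the two sample documents (one mimicking the pattern with a benign ZIP containing a text file, one an ordinary page) are all constructed here for illustration.

```python
import base64
import io
import re
import zipfile

# Static indicators of in-browser payload assembly. Each is a heuristic chosen
# for this example; real gateways would tune and extend them.
JS_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(|Uint8Array\.from\s*\("),
    "blob_construct": re.compile(r"new\s+(?:Blob|File)\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob|msSaveBlob"),
    # <a ... download> or <a ... download="name">: a link that saves a file instead of navigating
    "download_attr": re.compile(r"<a\b[^>]*\sdownload(?:\s*=|\s|>)", re.I),
}

# A quoted base64 literal long enough to plausibly carry a file body.
BASE64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{64,}={0,2})['"]""")

# File-type magic numbers used to sniff what a decoded literal actually is.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}


def sniff(data: bytes) -> str:
    """Return a coarse file type for decoded bytes based on leading magic."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def analyze_html(html: str) -> dict:
    """Score an HTML document for HTML-smuggling traits.

    Returns the indicators that fired, every decodable base64 literal with its
    size and sniffed type, and a verdict of 'suspicious' or 'clean'.
    """
    indicators = sorted(name for name, rx in JS_INDICATORS.items() if rx.search(html))
    payloads = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # not real base64 (binascii.Error is a ValueError)
            continue
        payloads.append({"size": len(raw), "type": sniff(raw)})
    embedded_binary = any(p["type"] in ("zip", "pe", "ole") for p in payloads)
    # Threshold chosen for this example: assembly code plus an embedded archive
    # or executable, or most of the assembly pattern even without a payload.
    suspicious = (len(indicators) >= 2 and embedded_binary) or len(indicators) >= 3
    return {"indicators": indicators, "payloads": payloads,
            "verdict": "suspicious" if suspicious else "clean"}


def build_sample_zip() -> bytes:
    """Constructed, harmless ZIP (one text file) used to exercise the detector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless placeholder content for the example")
    return buf.getvalue()


# Constructed sample mimicking the pattern the article describes; the embedded
# archive is the benign ZIP built above, not malware.
SAMPLE_SMUGGLING_HTML = """<html><body>
<a id="dl" download="invoice.zip">Download your invoice</a>
<script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/zip"});
document.getElementById("dl").href = URL.createObjectURL(blob);
</script></body></html>""".replace("__B64__", base64.b64encode(build_sample_zip()).decode())

# Constructed benign page: an ordinary link, no client-side file assembly.
SAMPLE_BENIGN_HTML = """<html><body><p>Quarterly report</p>
<a href="https://example.com/files/report.pdf">Open report</a></body></html>"""


if __name__ == "__main__":
    for label, doc in (("smuggling sample", SAMPLE_SMUGGLING_HTML),
                       ("benign sample", SAMPLE_BENIGN_HTML)):
        print(label, analyze_html(doc))
```

The decoded-literal step is what separates this from a plain keyword match: legitimate web applications also build Blobs client-side (for example to export a CSV), so the verdict leans on finding an actual archive or executable body inside the page. Treat it as a triage signal to route attachments for sandboxing or analyst review, not as a block/allow decision on its own.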

This approach is not new and has been known since the mid-2010s. Malware authors have been using it since at least 2019, and campaigns using it were detected throughout 2020.

Microsoft stated in a series of tweets last Friday that it was tracking a weeks-long email spam campaign that abuses HTML smuggling to drop malicious ZIP files onto machines.

The files inside those ZIP archives infect users with the Casbaneiro (Metamorpho) banking trojan. Casbaneiro is a traditional Latin American banking Trojan that targets banks in Brazil and Mexico as well as cryptocurrency services.

It relies on social engineering, displaying fake pop-up windows that try to entice potential victims into entering sensitive information, which is then stolen if the lure succeeds.

Although Microsoft has announced that Microsoft Defender for Office 365 can detect files delivered through HTML smuggling, the OS maker issued a warning on Friday, July 29 for those who are not its customers, who are not tech savvy, or who do not have an email security tool that scans incoming email.


The English, Chinese, Japanese, Arabic, and French versions are generated automatically by AI, so there may still be inaccuracies in the translation; please always refer to the Indonesian version as our main language. (system supported by DigitalSiber.id)