Privacy Ninja




Microsoft Warns of Surge in HTML Smuggling Phishing Attacks


Microsoft has seen a surge in malware campaigns using HTML smuggling to distribute banking malware and remote access trojans (RAT).

While HTML smuggling is not a new technique, Microsoft is seeing it increasingly used by threat actors to evade detection, including the Nobelium hacking group behind the SolarWinds attacks.

How HTML smuggling works

HTML smuggling is a technique used in phishing campaigns that use HTML5 and JavaScript to hide malicious payloads in encoded strings in an HTML attachment or webpage. These strings are then decoded by a browser when a user opens the attachment or clicks a link.

For example, a phishing HTML attachment could include a harmless link to a known website, thus not being seen as malicious. However, when a user clicks on the link, JavaScript will decode an included encrypted or encoded string and convert it into a malicious attachment that is downloaded instead, as shown in the code below.


Figure: A basic example of HTML smuggling (Source: Microsoft)

Since the malicious payload is encoded initially, it looks harmless to security software and is not detected as malicious. Furthermore, as JavaScript assembles the payload on the target system, it bypasses any firewalls and security defenses that would usually catch the malicious file at the perimeter.

Figure: HTML smuggling malware drop process (Source: Microsoft)

Deployment cases

Microsoft researchers have seen this technique used in Mekotio campaigns that deliver banking trojans and also in highly-targeted NOBELIUM attacks.

HTML smuggling campaigns are also used to drop the AsyncRAT or NJRAT remote access trojans, or the TrickBot trojan used to breach networks and deploy ransomware.


The attacks usually start with a phishing email containing an HTML link in the body of the message or a malicious HTML file as an attachment.

If either is clicked, a ZIP file is dropped using HTML smuggling. This archive contains a JavaScript file downloader that fetches additional files from a command and control server (C2) to install on the victim’s device.

In some cases, the created archives are password-protected for additional detection evasion against endpoint security controls. However, the password to open it is provided in the original HTML attachment, so the victim must enter it manually.

Figure: Password provided in the email or HTML attachment (Source: Microsoft)

Once the script is launched, a base64-encoded PowerShell command is executed that downloads and installs the TrickBot trojan or other malware.

A 2020 report from Menlo Security also mentions the Duri malware group as one of the actors who actively use HTML smuggling for payload distribution, but the technique has been seen in the wild since at least 2018.

Microsoft first warned about a sudden uptick in this activity in July 2021, urging admins to raise their defenses against it.

How to defend against HTML smuggling

Microsoft suggests admins use behavior rules to check for common characteristics of HTML smuggling, including:

  • An attached ZIP file contains JavaScript
  • An attachment is password-protected
  • An HTML file contains a suspicious script code
  • An HTML file decodes Base64 code or obfuscates JavaScript
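
A minimal sketch of the attachment checks listed above, added here as an example (it is not Microsoft's rule set or code from the original article). The indicator names, regexes, and sample inputs are assumptions constructed for illustration; an HTML file is flagged only when a decoding step and a download sink appear together.

```python
import io
import re
import zipfile

# Assumed heuristic rule set for mail-gateway triage; names are illustrative.
DECODE = {
    "atob_call": re.compile(r"\batob\s*\("),
    "long_base64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}
SINK = {
    "blob_construction": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "legacy_save": re.compile(r"\bmsSave(?:OrOpen)?Blob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\sdownload\b", re.I),
}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")

def scan_html(text):
    """Return (verdict, hits): suspicious only if decoding AND a download sink co-occur."""
    decode = sorted(n for n, rx in DECODE.items() if rx.search(text))
    sink = sorted(n for n, rx in SINK.items() if rx.search(text))
    return ("suspicious" if decode and sink else "clean"), decode + sink

def scan_zip(data):
    """Return findings for a ZIP attachment given as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SCRIPT_EXTS):
                findings.add("script_in_archive")
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                findings.add("password_protected")
    return sorted(findings)

# Constructed samples (benign): a page that decodes "hello" into a download,
# a plain page with an ordinary link, and an in-memory ZIP holding a .js file.
SMUGGLE_LIKE = """<a id="l">Open</a><script>
var b = new Blob([atob("aGVsbG8=")]);
var a = document.getElementById("l");
a.href = URL.createObjectURL(b); a.download = "note.txt";
</script>"""
PLAIN = '<html><body><a href="https://example.com/">Visit</a></body></html>'

def sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder")
    return buf.getvalue()
```

Legitimate web applications also build downloads from Blobs, so these hits are best used as a scoring signal alongside sender and delivery context rather than as a standalone block rule.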

For endpoints, admins should block or audit activity associated with HTML smuggling, including:

  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

In addition to the above, users may prevent automatic JavaScript code execution by associating .js and .jse files with a text editor like Notepad.

Ultimately, the best defense is to train users not to open files downloaded via links in emails and attachments. All files downloaded from an email should be treated with caution and checked carefully before being opened.

Furthermore, if an attachment or email link downloads a file ending with a .js extension (JavaScript), it should never be opened and should be automatically deleted.

Unfortunately, Windows disables the showing of file extensions by default, leading to extensions not being seen in many cases. This is why it is always suggested that users enable the viewing of file extensions to prevent the opening of malicious files.


