Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling

Cisco Talos has spotted several malicious email campaigns over the past few months that disguise JavaScript code within HTML email attachments, a technique commonly known as “HTML Smuggling.” Talos also noticed that some industry verticals were targeted more than others by email threats using HTML smuggling during the observed time window: companies in the human resources, insurance and healthcare domains were targeted the most, while legal, supply chain and e-commerce companies were among those targeted the least. The senders of these emails use a wide range of evasion techniques to get around email gateways and even more advanced detections, ranging from various encoding mechanisms to encryption and obfuscation. They use simple methods to increase their chances of success, such as playing around with email attachments, as well as more advanced ones, such as combining different evasion methods or applying a single evasion method multiple times. Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of the encoded JavaScript code contained in the observed HTML attachments. This may assist in creating automation to process and identify such emails for more effective long-term security measures.

Introduction to HTML smuggling 

HTML smuggling is a technique used by attackers to embed encoded or encrypted JavaScript code within HTML attachments or web pages. This technique has been used extensively in spear phishing email campaigns over the past few months. HTML smuggling is quite effective in bypassing perimeter security controls such as email gateways and web proxies for two main reasons: It abuses the legitimate features of HTML5 and JavaScrip ..
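The reversal the CyberChef recipes mentioned above perform by hand can also be scripted for triage of incoming attachments. The following Python script is an added example written for this page; it is not Talos code and not one of the published recipes. It pulls every `<script>` element out of an HTML attachment, finds string literals handed to `atob()`, peels off repeated base64 layers (the "same evasion method applied several times" pattern), and lists a few indicator keywords worth a second look. The function names, the keyword list and the sample attachment (a harmless marker string encoded twice) are all constructed for the example; the keyword hits are a triage signal, not a verdict, since legitimate pages use the same APIs.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Keywords that tend to appear in scripts which rebuild a file client-side.
# Their presence is a triage signal, not proof of malice: legitimate pages use them too.
INDICATOR_KEYWORDS = (
    "atob(",
    "Blob(",
    "createObjectURL",
    "msSaveOrOpenBlob",
    "fromCharCode",
    "unescape(",
)

# A string literal handed straight to atob(): the simplest shape to recover.
ATOB_LITERAL = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")


class ScriptExtractor(HTMLParser):
    """Collect the raw text of every <script> element in an HTML attachment."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def extract_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def decode_layers(literal, max_layers=8):
    """Peel repeated base64 layers off a literal; returns the decoded bytes per layer, outermost first."""
    layers = []
    current = literal.encode()
    for _ in range(max_layers):
        cleaned = re.sub(rb"\s+", b"", current)
        try:
            decoded = base64.b64decode(cleaned, validate=True)
        except (binascii.Error, ValueError):
            break  # no longer valid base64: we have reached the innermost layer
        if not decoded:
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyse_attachment(html):
    """Return one finding per <script>: indicator keywords seen and any decoded atob() payloads."""
    findings = []
    for script in extract_scripts(html):
        payloads = []
        for match in ATOB_LITERAL.finditer(script):
            layers = decode_layers(match.group(2))
            if layers:
                payloads.append({"layers": len(layers), "payload": layers[-1]})
        findings.append({
            "indicators": [k for k in INDICATOR_KEYWORDS if k in script],
            "payloads": payloads,
        })
    return findings


# Constructed sample attachment: a harmless marker string encoded twice, which mimics
# the "same evasion method applied more than once" pattern described in the article.
INNER = base64.b64encode(b"constructed-sample-payload").decode()
OUTER = base64.b64encode(INNER.encode()).decode()
SAMPLE_HTML = f"""<html><body>
<p>Please review the attached document.</p>
<script>
  var data = atob(atob("{OUTER}"));
</script>
</body></html>"""


if __name__ == "__main__":
    for finding in analyse_attachment(SAMPLE_HTML):
        print("indicators:", finding["indicators"])
        for p in finding["payloads"]:
            print(f"{p['layers']} base64 layer(s) ->", p["payload"])
```

Running the script against the constructed sample reports two base64 layers and the marker string as the innermost payload. In a mail pipeline the decoded bytes would be handed on to the usual attachment scanning, since the smuggled content is often itself an archive or script that the perimeter scanner never saw in clear form.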
