Defending against HTML smuggling
Methods’ Group security and risk consultants from CoreAzure and Methods BDT have been engaged by a major global UK public sector organisation to provide security operations centre (SOC) services, and have recently been defending against a sophisticated HTML smuggling campaign. The SOC team investigated it as part of a wider phishing campaign in which targeted users were sent malicious files imitating a legitimate business process, in an effort to gain access to the organisation’s environment.
A total of 77 HTML smuggling emails were detected; 17 of the recipients reported them as suspicious. Of those 77 malicious emails, only 15 raised high-severity alerts in Azure Sentinel, so most of the campaign was found through user reports and investigation rather than automated alerting.
Further research found that the technique used by the threat actor(s) was HTML smuggling. The technique is highly evasive because the malicious file never crosses the perimeter as an attachment: the email carries only an HTML file (or a link to one), and JavaScript inside that file decodes an embedded, encoded payload, assembles it in the browser and then triggers a download, typically through a Blob object and the HTML5 download attribute. Web proxies and email gateways that inspect attachments for dangerous file types such as EXE, ZIP, or DOCX see nothing but HTML and script, so the payload is only written to disk once it is already on the user’s machine.
Figure 1. Trend of delivered emails recognised as phishing (recipients on the vertical axis against time, UTC).
The purpose of this style of attack is to deliver and execute malware on the endpoint, such as a Trojan, spyware, or a loader for further malware, and so gain a foothold in the organisation’s environment.
Figure 2. HTML Smuggling Overview – Microsoft
HTML smuggling presents challenges to traditional security solutions. Effectively defending against this stealthy technique requires defence in depth. It is always better to thwart an attack early in the attack chain—at the email gateway and web filtering level. If the threat manages to fall through the cracks of perimeter security and is delivered to a host machine, then endpoint protection controls should be able to prevent execution.
The Microsoft 365 Defender Threat Intelligence Team recommends that endpoint security teams block, or at least audit:
- execution of potentially obfuscated scripts
- executable files that do not meet a prevalence, age, or trusted-list criterion
The SOC team suggested the following remediation steps (taken from Microsoft’s guidance) to the organisation impacted, to mitigate the risk of HTML smuggling:
Ensure Safe Links and Safe Attachments are implemented to provide real-time protection against HTML smuggling and other email threats. Specifically, check for the following to detect malware-smuggling HTML attachments:
– the attachment, or the archive that the HTML file drops, is password-protected, which stops the gateway from inspecting its contents
– the HTML file contains suspicious script code, typically base64 decoding combined with Blob and download calls
Ensure attack surface reduction rules block or audit activity associated with HTML smuggling.
The following rules can help:
– Block execution of potentially obfuscated scripts
– Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Check Office 365 email filtering settings to ensure they block spoofed emails, spam, and emails with malware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click and neutralize malicious messages that have already been delivered in response to newly acquired threat intelligence.
Check the perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command and control (C2) activity.
Turn on network protection to block connections to malicious domains and IP addresses.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Educate users about preventing malware infections. Encourage users to practice good credential hygiene—limit the use of accounts with local or domain admin privileges and turn on Microsoft Defender Firewall to prevent malware infection and stifle propagation.
If you would like to talk to our security experts or find out more about how Methods could help you, please contact firstname.lastname@example.org.