[T1027.006] Obfuscated Files or Information: HTML Smuggling. HTML Smuggling hides malicious payloads inside seemingly benign HTML/JavaScript so that the files are reconstructed client-side and bypass content filters. Monitor for unusual use of Blobs, Data URLs, and download attributes to reduce risk. #HTMLSmuggling #DefenseEvasion
Keypoints
- HTML Smuggling embeds binary payloads in HTML using JavaScript Blobs or Data URLs to reconstruct files on the client side.
- Attackers exploit benign MIME types like text/html to evade content filters and antivirus scanning at network or gateway layers.
- Common JavaScript indicators include Blob usage, msSaveBlob/msSaveOrOpenBlob calls, and HTML5 download attributes.
- Detection requires correlating download events with process and file-creation logs because HTML features are widely used legitimately.
- Defensive measures include monitoring browser and proxy logs, analyzing downloaded files post-download, and using behavior-based endpoint detection.
Description:
- Like a Trojan horse built from a letter, HTML Smuggling carries malicious files inside normal-looking web pages and assembles them on the user's machine when opened.
- Adversaries hide payloads in HTML/JavaScript (e.g., Data URLs, JavaScript Blobs, HTML5 download) so the browser reconstructs and saves malicious files locally, enabling delivery of malware while evading content filters and static scanners.
Detection:
- Log and alert on JavaScript patterns such as Blob, msSaveBlob, msSaveOrOpenBlob, and download attributes in web/proxy logs and WAFs.
- Monitor browser process activity and file creation events immediately after downloads from HTML/JS sources for suspicious file types and execution.
- Capture and inspect Data URLs and inline MIME content in HTTP responses with deep content inspection tools or sandboxing proxies.
- Use endpoint EDR to track chains: browser -> blob creation -> file write -> execution, and alert on uncommon sequences or privilege escalations.
- Correlate network logs, proxy content, and endpoint file creation to reduce false positives from legitimate use of Blobs and download attributes.
- Apply behavioral sandboxing for files reconstructed client-side to detect payload deobfuscation, command execution, or malicious persistence attempts.
- Establish baselines for normal web application blob/download patterns to tune detection rules and reduce alerts from legitimate web apps and services.
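As an added example (not part of the ATT&CK entry), the detection guidance above as a small Python triage script: it scores an HTML/JS response body for the indicators listed (Blob, createObjectURL, msSaveBlob/msSaveOrOpenBlob, download attribute, large base64 Data URLs, atob) and then correlates high-scoring responses with file-creation events on the same host, since any single indicator is common in legitimate web apps. The regexes, scoring, time window, extension list and sample events are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Indicators named in the T1027.006 detection guidance; hypothetical regexes, not a vendor rule set.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"\bmsSave(?:OrOpen)?Blob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "big_data_url": re.compile(r"data:[\w/.+-]+;base64,[A-Za-z0-9+/=]{2048,}"),
    "base64_decode": re.compile(r"\batob\s*\("),
}
# Container/executable extensions worth a second look right after an HTML-sourced download (assumed list).
SUSPECT_EXT = {"iso", "img", "zip", "js", "vbs", "hta", "exe", "lnk"}

def scan_html(body: str) -> dict:
    """Map each indicator name to whether it appears in an HTML/JS response body."""
    return {name: pat.search(body) is not None for name, pat in INDICATORS.items()}

def smuggling_score(hits: dict) -> int:
    """Score 0-4: payload material + object URL/save API + forced download + decoding.
    Each piece alone is common in legitimate apps; the full stack is the signal."""
    return sum([
        hits["blob_ctor"] or hits["big_data_url"],
        hits["object_url"] or hits["ms_save_blob"],
        hits["download_attr"],
        hits["base64_decode"],
    ])

def correlate(proxy_events, file_events, window_s=60, min_score=3):
    """Pair high-scoring HTML responses with file creations on the same host shortly
    afterwards, the correlation the guidance recommends to cut false positives."""
    alerts = []
    for p in proxy_events:
        if p["score"] < min_score:
            continue
        for f in file_events:
            delta = (f["ts"] - p["ts"]).total_seconds()
            ext = f["path"].rsplit(".", 1)[-1].lower()
            if f["host"] == p["host"] and 0 <= delta <= window_s and ext in SUSPECT_EXT:
                alerts.append({"host": p["host"], "url": p["url"], "path": f["path"], "delta_s": delta})
    return alerts

# Constructed sample data: one proxy-logged HTML response body and two endpoint file-creation events.
SAMPLE_BODY = ("<script>var b=new Blob([atob(d)],{type:'octet/stream'});"
               "var a=document.createElement('a');a.href=URL.createObjectURL(b);"
               "a.download='invoice.iso';a.click();</script>")
T0 = datetime(2024, 1, 1, 12, 0, 0)
PROXY = [{"host": "ws01", "ts": T0, "url": "https://example.test/page.html",
          "score": smuggling_score(scan_html(SAMPLE_BODY))}]
FILES = [{"host": "ws01", "ts": T0 + timedelta(seconds=12), "path": "C:\\Users\\u\\Downloads\\invoice.iso"},
         {"host": "ws02", "ts": T0 + timedelta(seconds=5), "path": "C:\\Users\\v\\Downloads\\report.pdf"}]

if __name__ == "__main__":
    for alert in correlate(PROXY, FILES):
        print("ALERT", alert)
```

In production the body scan would run on proxy or WAF content inspection and the file events would come from EDR telemetry; the baseline step from the guidance is what sets `min_score` and `window_s` for a given environment.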
Tactics:
Defense Evasion
Platforms:
Linux, Windows, macOS
Data Sources:
File: File Creation
Relationship Citations:
(Citation: MSTIC Nobelium Toolset May 2021), (Citation: ESET T3 Threat Report 2021), (Citation: Trend Micro Black Basta October 2022), (Citation: Deep Instinct Black Basta August 2022)