Microsoft reported HTML smuggling, which spread via email, had been extensively targeting banking organizations.

Microsoft described the attack, which surfaced in the first half of this month, as “a highly evasive malware delivery technique”. The attack uses legitimate HTML5 and JavaScript features to obfuscate its true actions.

Microsoft observed the attacks targeting banks through email campaigns that plant banking malware, remote access Trojans (RATs), and other payloads. A Microsoft blog article notes that the same technique was seen in May, when the nation-state group APT29, aka Nobelium, used it in a spear-phishing campaign.


“More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats,” Microsoft detailed.

HTML smuggling attacks allow a threat actor to smuggle an encrypted script inside a specially crafted HTML attachment or web page. When the target opens the HTML file, the encrypted script is decrypted and the payload is delivered to their device.

“Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” the blog explains.

HTML smuggling attacks bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments – EXE, ZIP, or DOCX files, for example – or traffic based on signatures and patterns.

The malicious files are also created after the HTML file is loaded on the endpoint through the browser, meaning that security tools may only see what they deem to be legitimate HTML content and JavaScript traffic before it’s too late.
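Because the dropped file never crosses the perimeter, one complementary defensive check is to score inbound HTML attachments for the combination of browser-side features the article describes (base64 decoding, Blob construction, object URLs, a programmatic download). The heuristic scanner below is an added example written for this article, not Microsoft's code or a product signature; the indicator list, weights, threshold and both sample documents are constructed assumptions and would need tuning against real mail flow.

```python
import re

# Heuristic indicators of HTML smuggling: decoding an embedded blob in the
# browser and handing it to the user as a file. Each entry is
# (name, regex, weight). Weights and threshold are illustrative assumptions.
INDICATORS = [
    ("base64-decode",     r"\batob\s*\(",                2),
    ("blob-construct",    r"\bnew\s+Blob\s*\(",          2),
    ("object-url",        r"\bcreateObjectURL\s*\(",     2),
    ("ms-save-blob",      r"\bmsSaveOrOpenBlob\s*\(",    2),
    ("download-attr",     r"\bdownload\s*=",             1),
    ("data-uri",          r"data:[\w/.+-]+;base64,",     1),
    ("large-b64-literal", r"[A-Za-z0-9+/]{400,}={0,2}",  3),
    ("octet-stream",      r"application/octet-stream",   1),
]
THRESHOLD = 5  # sum of weights at which an attachment is flagged for review


def score_html(html: str):
    """Return (score, matched_indicator_names) for one HTML document."""
    matched = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, html, flags=re.IGNORECASE):
            matched.append(name)
            score += weight
    return score, matched


def is_suspicious(html: str) -> bool:
    """True when the combined indicator weight reaches THRESHOLD."""
    return score_html(html)[0] >= THRESHOLD


# Constructed sample inputs (not real attachments).
BENIGN_HTML = (
    "<html><body><p>Your quarterly statement is available in online "
    'banking.</p><a href="https://bank.example/login">Sign in</a>'
    "</body></html>"
)
# The filler "A" run stands in for an embedded base64 blob; it decodes to
# nothing useful and the snippet never triggers a download.
SUSPICIOUS_HTML = (
    '<html><body><script>var payload = "' + "A" * 600 + '";'
    "var bytes = atob(payload);"
    'var blob = new Blob([bytes], {type: "application/octet-stream"});'
    "var url = URL.createObjectURL(blob);"
    '</script><a id="dl" download="statement.zip">save</a></body></html>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, score_html(doc), is_suspicious(doc))
```

The scoring is deliberately cumulative: a single `download` attribute or one Blob call is common in legitimate pages, while several of these features together in an unsolicited attachment is the pattern a mail gateway has no other way to see.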