Microsoft reported that HTML smuggling attacks, spread via email, have been extensively targeting banking organizations.
Microsoft observed the attacks targeting banks through email campaigns that plant banking malware, remote access Trojans (RATs), and other payloads. A Microsoft blog post notes that the same technique was used in May by the nation-state actor APT29, aka Nobelium, during a spear-phishing campaign.
“More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats,” Microsoft detailed.
HTML smuggling attacks let a threat actor smuggle an encrypted script inside a specially crafted HTML attachment or web page. When the target opens the HTML, the script is decrypted and the payload is assembled and delivered on their device.
“Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” the blog explains.
HTML smuggling attacks bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments – EXE, ZIP, or DOCX files, for example – or traffic based on signatures and patterns.
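Because the payload is assembled in the browser from script embedded in the HTML, an attachment filter that only looks at file extensions sees a harmless `.html` file. A content-level check has to look for the building blocks of that assembly instead: a long base64 string literal, client-side decoding (`atob`, byte arrays), a `Blob` turned into an object URL, and a download attribute. The scanner below is an added example written for this article, not Microsoft's detection logic; the indicator list, weights and threshold are assumptions to be tuned against real mail, and both HTML samples are constructed fixtures (the "payload" decodes to the letters ABC repeated).

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators of in-browser payload assembly: (name, regex, weight).
# These are assumptions for this example, not vendor signatures.
INDICATORS = [
    ("blob_constructor", re.compile(r"new\s+Blob\s*\(", re.I), 3),
    ("object_url", re.compile(r"createObjectURL\s*\(", re.I), 3),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I), 2),
    ("download_attr", re.compile(r"\.download\s*=|download\s*=\s*[\"']", re.I), 2),
    ("legacy_save_blob", re.compile(r"msSaveOrOpenBlob", re.I), 3),
    ("byte_array", re.compile(r"Uint8Array|fromCharCode", re.I), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    ("binary_mime", re.compile(r"application/(octet-stream|zip|x-msdownload)", re.I), 1),
]

# A quoted base64-looking literal of 200+ characters is where an embedded
# payload usually lives; the length cut-off is an assumption.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


@dataclass
class ScanResult:
    score: int = 0
    indicators: list = field(default_factory=list)
    embedded_payload_bytes: int = 0

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption; one or two APIs alone are common in
        # legitimate pages, the combination with an embedded literal is not.
        return self.score >= 6


def scan_html(text: str) -> ScanResult:
    """Score an HTML document for HTML-smuggling building blocks."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.indicators.append(name)
            result.score += weight
    # Estimate the decoded size of every long base64 literal found.
    for match in BASE64_LITERAL.finditer(text):
        result.embedded_payload_bytes += len(match.group(1)) * 3 // 4
    if result.embedded_payload_bytes:
        result.indicators.append("embedded_base64_literal")
        result.score += 3
    return result


# Constructed fixture: an ordinary login form with a harmless script.
BENIGN_SAMPLE = (
    "<html><body><form action=\"/login\" method=\"post\">"
    "<input name=\"user\"><input name=\"pass\" type=\"password\"></form>"
    "<script>document.querySelector('form').addEventListener('submit',"
    " e => console.log('submit'));</script></body></html>"
)

# Constructed fixture containing the assembly APIs the heuristic watches for,
# with a placeholder literal (base64 of 'ABC' repeated) instead of a real payload.
SMUGGLED_SAMPLE = (
    "<html><body><script>\n"
    + 'const payload = "' + "QUJD" * 60 + '";\n'
    + "const bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));\n"
    + 'const blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    + 'const a = document.createElement("a");\n'
    + "a.href = URL.createObjectURL(blob);\n"
    + 'a.download = "statement.zip";\n'
    + "</script></body></html>"
)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("smuggled", SMUGGLED_SAMPLE)):
        r = scan_html(sample)
        print(f"{label}: score={r.score} suspicious={r.suspicious} "
              f"payload~{r.embedded_payload_bytes}B indicators={r.indicators}")
```

Run against a mail gateway's quarantined `.html` and `.htm` attachments, the score gives triage analysts a reason to open the file in a sandbox rather than trusting the extension; the estimated payload size is useful for correlating the decoded file with whatever the endpoint later reports.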