To coincide with our new, globally available GreyMatter Phishing Analyzer (GMPA) product, which automates the analysis of potentially malicious emails far more efficiently than manual abuse-mailbox review, we are starting a new series in which the ReliaQuest Photon Threat Research team highlights the most common methods threat actors use to bypass traditional email security controls and compromise targets.
HTML Smuggling: How It Works
HTML smuggling is a commonly used technique associated with a wide variety of threat groups, including cybercriminals and nation-state actors. Rather than attaching a malicious file directly, the attacker embeds the payload in an HTML file as an encoded string (typically base64) and relies on JavaScript running in the recipient's browser to decode it and write it to disk, for example by wrapping the decoded bytes in a Blob and triggering a download. Because the file is assembled on the endpoint, a gateway that inspects attachments sees only an HTML document and some script, not the archive or executable it reconstructs. This is not a novel technique; however, it has become more commonplace following Microsoft's decision to block macros in Office documents by default. Many would suggest this decision was overdue; threat actors, rather unsurprisingly, quickly adapted.
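The script below is an added example, not ReliaQuest or GreyMatter code. It shows the shape of a smuggled attachment and a first-pass triage routine of the kind an abuse-mailbox analyst might run before opening the file: it looks for the decode-then-write pattern in the script (`atob`/`unescape` paired with `Blob`, `URL.createObjectURL`, the anchor `download` attribute or `msSaveOrOpenBlob`), pulls out any large base64 literal and reports its size and leading bytes, and records the filename the page tries to drop. `SAMPLE_HTML` is a constructed stand-in whose payload decodes to harmless text, so the example runs offline and writes nothing to disk.

```python
"""Heuristic triage of an HTML attachment for HTML-smuggling indicators.

Added example, not ReliaQuest or GreyMatter code. SAMPLE_HTML is a
constructed stand-in for a smuggled "Remittance" attachment; its payload
decodes to harmless text, so the script is safe to run offline.
"""
import base64
import binascii
import json
import re

# Constructed, harmless payload standing in for the smuggled file.
FAKE_PAYLOAD = b"this stands in for the smuggled file " * 40
_B64 = base64.b64encode(FAKE_PAYLOAD).decode()

# Constructed sample showing the usual shape: a base64 literal, atob() to
# decode it in the browser, a Blob wrapped in an object URL, and a forced
# download via the anchor "download" attribute. No network is involved.
SAMPLE_HTML = f"""<html><body>
<h1>Remittance advice</h1><p>Please wait while your document loads...</p>
<script>
  var data = "{_B64}";
  var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Remittance_0412.iso";
  a.click();
</script></body></html>"""

# Script-level indicators, split into "decode a payload" and "write it to disk".
INDICATORS = {
    "atob": r"\batob\s*\(",
    "unescape": r"\bunescape\s*\(",
    "blob": r"\bnew\s+Blob\s*\(",
    "object_url": r"\bURL\.createObjectURL\s*\(",
    "download_attr": r"\.download\s*=",
    "ms_save_blob": r"\bmsSave(?:OrOpen)?Blob\s*\(",
}
DECODE = {"atob", "unescape"}
WRITE = {"blob", "object_url", "download_attr", "ms_save_blob"}

# A quoted base64 literal of at least 256 characters; legitimate pages
# rarely inline blobs this large inside script.
BASE64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{256,}={0,2})["\']')
DOWNLOAD_NAME = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')
RISKY_EXT = re.compile(r"\.(iso|img|zip|js|vbs|lnk|hta|exe|msi|scr)$", re.I)


def analyze(html: str) -> dict:
    """Return indicators, decoded-payload facts, dropped filenames and a verdict."""
    indicators = [name for name, pat in INDICATORS.items() if re.search(pat, html)]

    payloads = []
    for literal in BASE64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue
        # Size and leading bytes are enough to spot a PE ("MZ") or ZIP ("PK")
        # without ever writing the payload to disk.
        payloads.append({"size": len(raw), "magic": raw[:4].hex()})

    dropped = [
        {"name": n, "risky_extension": bool(RISKY_EXT.search(n))}
        for n in DOWNLOAD_NAME.findall(html)
    ]

    decodes = any(i in DECODE for i in indicators)
    writes = any(i in WRITE for i in indicators)
    if decodes and writes and payloads:
        verdict = "suspicious"  # decode + write + embedded blob: classic smuggling
    elif decodes or writes or payloads:
        verdict = "review"      # partial pattern; an analyst should look
    else:
        verdict = "clean"

    return {"verdict": verdict, "indicators": indicators,
            "payloads": payloads, "dropped_names": dropped}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_HTML), indent=2))
```

The thresholds and indicator list are assumptions chosen for illustration; a real pipeline would also handle obfuscated script (string splitting, hex or charCode arrays, payloads hidden in data attributes or SVG), which this regex-based pass will miss.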
A good example can be seen in the screenshot below (Figure 2), taken from an HTML attachment recently delivered to a ReliaQuest client mailbox. The HTML file asks the user to interact with its content, using a "Remittance" theme as the bait.
Opening it redirected the user to a convincing spoofed Microsoft sign-in page (see Figure 3 below), which in this case was almost certainly used to harvest credentials. As we previously observed in our research report on account takeover, credential harvesting is often pretty simple, but it works.
Minimizing the Risk of HTML Smuggling
There are several steps you can take to minimize the risks associated with HTML smuggling.
- Establish a group policy object (GPO) that forces commonly abused file types, in this case HTML, to open by default in a text editor like Notepad instead of a browser, so that a double-clicked attachment shows its source rather than executing its script. On Windows this is typically done with a default associations XML mapping .html and .htm to Notepad, pushed through the "Set a default associations configuration file" policy. Test these controls before rollout to ensure they do not impact business functions, and note that they do not stop a user who deliberately chooses "Open with" a browser.
- User awareness: As noted above, victims can be socially engineered, so make sure your security training adequately covers the risks of opening unexpected attachments and clicking links. Training needs to include executive-level employees and the departments that are most frequently phished, including finance and human resources.
- Enable employees to proactively report suspicious emails. In many campaigns, multiple victims in an organization will receive the same phishing email. Even if just one employee reports a suspicious email, it will increase the likelihood that your security team can act before someone else makes the mistake of clicking the link.
- Harden perimeter security to restrict company assets from making arbitrary connections to the internet. Egress filtering through firewall or proxy configurations, ideally allow-listing rather than block-listing, limits both the second-stage download a smuggled file may attempt and the connection to a credential-harvesting site.
GreyMatter Phishing Analyzer
GreyMatter Phishing Analyzer takes the burden of monitoring abuse mailboxes off your plate and provides the ability to identify and remove email threats from inboxes before they can cause damage. You do not want an HTML smuggling attachment to be the beachhead that gives an attacker initial access to your environment.