{"id":3372,"date":"2021-11-15T15:40:58","date_gmt":"2021-11-15T15:40:58","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3372"},"modified":"2026-06-08T23:01:16","modified_gmt":"2026-06-08T23:01:16","slug":"html-smuggling-attack-technique","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/html-smuggling-attack-technique\/","title":{"rendered":"HTML Smuggling attack: an increasingly common technique"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent months, multiple phishing email campaigns have been identified containing malicious <em><strong>HTML<\/strong><\/em><em> files (<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/11\/11\/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks\/\">report<\/a>). <\/em>The attached files contain <em><strong>JavaScript<\/strong> <\/em>code that exploits HTML5 functionality for automatic malware downloads.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attack has been designated <strong>HTML Smuggling<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">HTML Smuggling Attack Phases<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"740\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/Fig1-HTML-smuggling-overview-1024x740-1.png\" alt=\"\" class=\"wp-image-3377\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/Fig1-HTML-smuggling-overview-1024x740-1.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/Fig1-HTML-smuggling-overview-1024x740-1-300x217.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/Fig1-HTML-smuggling-overview-1024x740-1-768x555.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">HTML Smuggling attack phases &#8211; Source: <a 
href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/11\/11\/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks\/\" target=\"_blank\" aria-label=\"Microsoft (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"ek-link\">Microsoft<\/a><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The attack consists of a series of automated steps that trigger the automatic download of a <em><strong>JavaScript Blob<\/strong><\/em> once the page has fully loaded. A link is inserted into the HTML code (via code or through the &lt;a&gt; tag) and given the <em><strong>download<\/strong><\/em><span style=\"text-decoration: underline\"> property<\/span>, which causes the file to be saved to disk instead of being opened directly by the browser. Below is an example in HTML of a link with the <em><strong>download<\/strong><\/em><em> property.<\/em><\/p>\n\n\n\n<pre class=\"wp-block-preformatted lang:xhtml decode:true\">&lt;a href=\"\/archivio\/malevolo.zip\" download=\"malware.zip\"&gt;Click here&lt;\/a&gt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The same file\/site also contains JavaScript code whose task is to assemble the malicious file and download it automatically. The file is constructed via a <em><strong>Blob<\/strong><\/em><em> and associated with the link, all through the same code.<\/em><\/p>\n\n\n\n<pre class=\"wp-block-preformatted lang:js decode:true\">\/\/ malicious_data is a placeholder for the payload bytes embedded in the page\nvar anchorLink = document.createElement('a');\nanchorLink.download = 'malicious_file.zip'; \/\/ file name used when saving to disk\nvar blob = new Blob([malicious_data], {type: 'octet\/stream'});\nvar url = window.URL.createObjectURL(blob); \/\/ blob: URL that points to the in-memory data\nanchorLink.href = url;\nanchorLink.click(); \/\/ a programmatic click starts the download<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In malware campaigns, malicious content is typically downloaded in the form of a password-protected archive. This lets it evade automated scanning systems that analyze the contents of downloaded archives. 
Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> operations have tracked this technique across multiple threat actors leveraging HTML Smuggling to bypass perimeter defenses.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When the user opens the contents of the .zip file, a series of commands runs (typically PowerShell or VisualBasic scripts) to download and execute the malware (final stage).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Among the final-stage payloads, the known malware <strong>TrickBot<\/strong> has been observed targeting multiple Italian organizations, demonstrating the operational effectiveness of HTML Smuggling as a delivery mechanism for banking trojans and loader payloads.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HTML Smuggling: payload assembly client-side from JavaScript-encoded blobs, perimeter-bypass mechanics and detection considerations for email and web gateways.<\/p>\n","protected":false},"author":1,"featured_media":3377,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3263,1587,1589,1591,1439,1593,1441,3264,3262,3265],"class_list":["post-3372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-defense-evasion","tag-html-smuggling-it","tag-html5-it","tag-javascript-it","tag-malware-it","tag-malware-zip-it","tag-phishing-it","tag-phishing-delivery","tag-t1027-006","tag-web-gateway-bypass"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\
/wp-json\/wp\/v2\/comments?post=3372"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3372\/revisions"}],"predecessor-version":[{"id":9894,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3372\/revisions\/9894"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3377"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}