Microsoft has recently shared details about a novel phishing strategy in the wild. Dubbed ‘HTML Smuggling’, this attack strategy uses spearphishing attacks to deliver malware. The tech giant observed this campaign actively targeting the banking sector.
HTML Smuggling Attack Active Against Banks
As elaborated in a recent blog post, Microsoft spotted HTML Smuggling attack active in the wild. This malicious campaign is different from most others in that it exploits legitimate JavaScript and HTML5 features.
Regarding how this campaign works, the post reads,
HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall.
Microsoft calls it a “highly evasive malware delivery technique” as it ditches most of the usual security measures. Since the malicious script runs directly via the phishing page on the victim’s browser, it can easily evade email gateways, web proxies, and other techniques blocking malicious attachments.
The tech giant observed this campaign actively targeting banks in Brazil, Peru, Mexico, Spain, and Portugal. The threat actors are delivering DEV-0238 (aka Mekotio) and DEV-0253 (aka Ousaban) banking malware in these attacks.
Preventing this attack is possible by disabling JavaScript in the browser. However, this would severely affect the browsing experience as it breaks many websites.
Therefore, users should stay wary of phishing emails in the first place to avoid clicking the phishing web page.
Besides, Microsoft recommends applying rules to detect malicious email attachments, blocking scripts to launch executable files, and using appropriate anti-malware solutions that can block malicious web pages. Such blocking can prevent malware download even if the user accidentally visits a malicious page.