Microsoft has recently shared details about a novel phishing strategy seen in the wild. Dubbed ‘HTML Smuggling’, the technique is delivered through spear-phishing emails and is used to drop malware on the recipient's machine. The tech giant observed this campaign actively targeting the banking sector.
HTML Smuggling Attack Active Against Banks
Describing how the technique works, the Microsoft post reads:
HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall.
Microsoft calls it a “highly evasive malware delivery technique” because it bypasses most of the usual perimeter security controls. Since the payload is assembled by script running in the victim’s browser rather than transferred as a file, it can evade email gateways, web proxies, and other controls that block malicious attachments in transit.
The tech giant observed this campaign actively targeting banks in Brazil, Peru, Mexico, Spain, and Portugal. The threat actors are delivering DEV-0238 (aka Mekotio) and DEV-0253 (aka Ousaban) banking malware in these attacks.
Therefore, users should stay wary of phishing emails in the first place so that they never open the phishing web page.
In addition, Microsoft recommends applying rules to detect malicious email attachments, blocking scripts from launching executable files, and using anti-malware solutions that can block malicious web pages. Such blocking can prevent the malware from being dropped even if the user accidentally visits a malicious page.
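As an added illustration of the kind of attachment rule Microsoft recommends (example code written for this article, not Microsoft's own tooling), the Python below flags an HTML attachment only when it contains both an in-browser decoding step and a file-assembly step, the combination the technique described above depends on. The indicator lists and the two constructed sample pages are assumptions; real rules would be tuned against your own mail traffic.

```python
import re
from dataclasses import dataclass

# Assumed indicators (not from the article). A smuggled payload needs both
# a decode step and a local file-assembly step, so we require one of each;
# a lone "download" attribute on a benign link must not trigger an alert.
DECODE_PATTERNS = {
    "atob": re.compile(r"\batob\s*\(", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
ASSEMBLE_PATTERNS = {
    "blob": re.compile(r"new\s+Blob\s*\(", re.I),
    "objecturl": re.compile(r"createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=", re.I),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob", re.I),
}


@dataclass
class Verdict:
    suspicious: bool
    decode_hits: list
    assemble_hits: list


def scan_html(html: str) -> Verdict:
    """Return which indicator groups matched and whether both are present."""
    decode = [name for name, pat in DECODE_PATTERNS.items() if pat.search(html)]
    assemble = [name for name, pat in ASSEMBLE_PATTERNS.items() if pat.search(html)]
    return Verdict(bool(decode) and bool(assemble), decode, assemble)


# Constructed sample: an ordinary page with a plain download link.
BENIGN = """<html><body><a href="/report.pdf" download="report.pdf">Report</a>
<script>document.title = "Quarterly report";</script></body></html>"""

# Constructed sample of the smuggling pattern; the base64 decodes to "hello".
SMUGGLED = """<html><body><script>
var data = atob("aGVsbG8=");
var blob = new Blob([data], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.exe";
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        print(label, scan_html(page))
```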