Carnegie Mellon University

HTML Smuggling

April 05, 2023

By Charles Edmond

HTML smuggling is a delivery method cyber criminals use to "smuggle" malicious code, written in HTML or JavaScript, inside an email attachment in order to deliver malware and other malicious payloads to our devices. This may sound similar to how most malware is delivered, but it is a bit different. Most people and organizations have put preventive measures in place against traditional malware delivery; HTML smuggling is a way for attackers to try to get around many of those measures. To fully understand the difference, let's look into how it works.


How It's Smuggled


HTML stands for HyperText Markup Language and is the language that tells a browser how a webpage should be structured and displayed once you open it. Essentially, it's the background "code" that provides the experience we have once we enter a website. In HTML smuggling, the malicious payload is embedded in the HTML or JavaScript of the attachment and is only assembled after the page has been opened in the browser. Because the attachment itself contains no recognizable malicious file, this form of malware delivery passes more easily through security controls that block malicious attachments and links. It is also particularly difficult to detect because the payload is built after the page is opened, which means the malware is assembled on the device itself, behind any firewall. The chart below provides an excellent example of how HTML smuggling works:

[Figure 1: HTML smuggling overview]
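A triage heuristic of the kind a mail gateway or an analyst could run over a saved HTML attachment, added here as an example (it is not code from the original post or from CMU): it flags the browser-side JavaScript calls that rebuild a file after the page opens, plus an unusually large base64-looking literal. The indicator list, the scoring thresholds and the two constructed samples are assumptions, not a vendor's detection logic.

```python
"""Heuristic triage of an HTML attachment for browser-side payload assembly."""
import re

# APIs and attributes used to decode, assemble and save a file client-side.
# Each is common on its own; several together in one attachment are a signal.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "ie_save_blob": re.compile(r"\bmsSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\bdownload\s*=", re.IGNORECASE),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# A base64 run of 400+ characters inside an email attachment is rarely page content.
LARGE_B64 = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")


def scan_html(html: str) -> dict:
    """Return the indicators found, a score and a verdict (thresholds assumed)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    if LARGE_B64.search(html):
        hits.append("large_base64_literal")
    score = len(hits)
    if score >= 4:
        verdict = "suspicious"   # multiple assembly steps present: quarantine for review
    elif score == 3:
        verdict = "review"
    else:
        verdict = "benign"       # one download link or one click handler is normal
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed samples (not real attachments). The second is deliberately
# inert: bare API tokens and filler, enough to exercise the scanner only.
BENIGN_HTML = (
    "<html><body><h1>Quarterly newsletter</h1>"
    '<a href="https://example.com/report" download="report.pdf">Download</a>'
    "</body></html>"
)
SUSPICIOUS_HTML = "<html><body><script>" + " ".join([
    "atob(", "new Blob(", "createObjectURL(", "download=", ".click()", "A" * 500,
]) + "</script></body></html>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan_html(doc))
```

Signature-based scanners miss the final file because it never exists on disk before the page opens; this kind of behavioural check on the attachment text is one layer, and endpoint behaviour monitoring (as the next section describes) is the other.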

Be Prepared


HTML smuggling is a major danger to us all if we are unprepared. One sure way to protect ourselves is to follow the same rules as for any type of phishing email. The most basic advice is to always be alert and cautious. Never trust links or attachments from senders you don't know or weren't anticipating. It's also imperative that you report any suspected phishing emails to the Information Security Office (ISO) or click the Report Phish option in Google Mail. For University-owned equipment, Carnegie Mellon has also invested in CrowdStrike, a next-level endpoint protection, detection and response security solution that protects against malware attacks like HTML smuggling and other forms of malicious attacks. CrowdStrike helps against these types of attacks because it does not rely solely on malware signatures like traditional antivirus; it detects and protects against malicious behavior in general. For additional information on CrowdStrike, including how to download it, please visit our page here!

Works Cited

Microsoft. "HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks." Microsoft Security Blog, 11 November 2021, https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/. Accessed 11 November 2023.