When was the last time you got excited about voicemail? (Yeah, us neither.) But apparently, cybercriminals think they’re onto something—leveraging the ancient art of fake voicemail notifications to dupe unsuspecting targets. They combine their love of deception with everyone’s least favorite language, JavaScript, to create elaborate spear-phishing campaigns that look almost elegant in their digital nastiness.
This article draws on insights from NVISO Labs, where security experts uncovered a cunning spear-phishing campaign using HTML smuggling to bypass email security filters. By unraveling this campaign, NVISO Labs showed us that even old tricks can still pull off some pretty dangerous cons when they’re given a modern twist.
Let’s break it down: cybercriminals are turning JavaScript into their personal smuggling vehicle, sneaking malicious code right under your nose. This technique, known as HTML smuggling, takes advantage of the mundane—like that seemingly innocuous HTML file attached to your email—to deliver devastating payloads that bypass your average email gateway and even dodge endpoint detection systems. And the best part? All you had to do was check your voicemail. Yep, that’s right—“You have one new message…”
Spear Phishing 101: The Voicemail Lure
Cybercriminals are smart, but they don’t need to reinvent the wheel every time they want to break into your system. Instead, they stick to tried-and-true tactics, like using fake voicemail notifications. The email looks official—coming from a seemingly legitimate business (though compromised, of course)—and contains a ZIP file named after your company. You see the familiar name and think, “This looks fine.” Spoiler: It’s not.
Once opened, the ZIP file delivers an HTML attachment that houses obfuscated JavaScript code. This code works silently in the background, decoding and decrypting itself multiple times until it leads you straight to a customized spear-phishing page. The lure? A simple fake voicemail that turns into a big headache.
The Smugglers’ Toolkit: How HTML Smuggling Works
Now, how does HTML smuggling sneak past your defenses like a crafty cybercriminal slipping through airport security with a false identity? It’s all in the deception. Attackers embed JavaScript into an HTML file, usually wrapped up in a ZIP folder that looks completely harmless. This isn’t your average phishing email—it’s much sneakier. HTML files don’t typically raise red flags for email gateways, making it easy for the file to waltz right past your security measures. Once you open the HTML file, though, your browser unknowingly plays accomplice, unfolding layers of decryption and exposing you to the attack.
You might be wondering, “Why bother with all the fancy coding?” Well, for starters, HTML smuggling lets attackers avoid detection systems that would normally flag suspicious executable files. Instead, they build the malicious payload into a seemingly innocent HTML file, which slowly reveals its true nature once inside your system.
Let’s Talk CVEs
Before you think HTML smuggling is just a creative way to package data, let’s be clear: these attacks often exploit known vulnerabilities, many of which have CVE IDs associated with them. For example, attackers might take advantage of CVE-2020-0601, a flaw in how Windows CryptoAPI validates Elliptic Curve Cryptography certificates. This allows them to spoof identities during the phishing process, making the attack even harder to detect. So while HTML smuggling might seem like old hat, it’s the perfect vehicle for delivering exploits for these kinds of vulnerabilities into your system.
Breaking Down the Stages: From Innocent HTML to Full-Blown Breach
Stage 1: The Hook
The whole saga begins with a seemingly innocuous email. The subject line is disarmingly simple: your company’s name, perhaps followed by the phrase “voicemail” or “important message.” Inside is a ZIP file, named something like “CompanyName.Micro.protected.zip”, containing an HTML attachment—totally normal, right? Once you open that HTML file, though, you’ve unleashed a multi-layered attack without even realizing it.
Stage 2: The HTML and JavaScript Shenanigans
The HTML file is the digital equivalent of a magician’s hat—it seems harmless until something unexpected pops out. Inside this file lies a convoluted mess of obfuscated JavaScript. If you took a peek at the code, it would look like a random string of binary and hexadecimal values. But your browser knows exactly how to decode and decrypt it—transforming that jumbled mess into a more sinister version of itself.
The JavaScript executes quietly, using functions like document.write to write additional malicious content onto the page. The goal? To get the final phishing page loaded into your browser without you, or your security system, noticing anything fishy.
Stage 3: The Payload
After the JavaScript finishes running, the malicious payload is revealed—another JavaScript file hosted on a third-party site (often Cloudflare, because hackers love efficiency too). This second file decrypts a block of AES-encrypted data, which ultimately leads to—you guessed it—a phishing page. In this case, it’s a clone of a Microsoft Office 365 login page designed to steal your credentials.
You might be thinking, “Surely my security system will catch this by now!” Think again. By using HTML smuggling and encryption, attackers can bypass your defenses, delivering the phishing page right into your browser.
Stage 4: The Finale
Now, with the phishing page loaded, you’ve officially entered the final stage of the attack. An iframe quietly points to a malicious URL like 9zg[.]aforenotedc[.]ru—this is where the magic happens. The page looks just like Microsoft Office 365, complete with your email pre-filled. All you need to do is log in, and your credentials will be sent straight to the attackers’ server. No alarms, no alerts—just another day in the life of a cybercriminal.
Why HTML Smuggling Is Making a Comeback
At first glance, HTML smuggling might seem like an outdated technique. I mean, HTML files? Really? But here’s the thing: what works, works. And in this case, HTML smuggling is making a serious comeback in the phishing world. It’s the digital equivalent of a Trojan horse—sneaking past your defenses disguised as something harmless, only to wreak havoc once inside.
This technique is becoming increasingly popular because it sidesteps the traditional methods of detection. Email gateways and antivirus software are designed to spot malicious executables, not seemingly benign HTML files. By the time your system realizes what’s going on, it’s already too late—the attack has successfully delivered its payload.
As corporate networks become more complex, attackers are looking for new ways to bypass sophisticated security measures. HTML smuggling is an old trick, but it’s being used in clever new ways to slip through the cracks in your defenses.
Defense Against the Dark Arts: How to Protect Yourself
Now that you know how HTML smuggling works, how can you defend yourself against it? Here are a few key strategies to keep in mind:
- Employee Training: The best defense is a good offense. Train your employees to recognize phishing attempts and be cautious about opening attachments from unknown or suspicious senders—especially ones masquerading as voicemail notifications.
- Configure Your Email Gateways: Tighten your email security settings. Make sure anti-phishing and anti-spam filters are in place and robust enough to catch these types of attacks. Consider flagging any external emails with suspicious attachments for extra scrutiny.
- Strengthen Endpoint Detection: Ensure your antivirus and Endpoint Detection and Response (EDR) systems are capable of identifying obfuscated JavaScript. Look for telltale signs such as heavy use of functions like eval and document.write, which are often used in malicious scripts.
- Implement Advanced Threat Hunting: Regularly hunt for threats within your network. Look for unusual emails, file attachments, and other indicators of compromise before they turn into full-blown breaches.
- Use Proxy and Content Filtering: Set up proxy technologies to block access to known malicious domains. This can prevent attackers from delivering their final payload through phishing sites.
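As an added example (not code from this article or from NVISO Labs), the following Python script triages an HTML attachment for the telltale signs the list above calls out: calls to eval and document.write, base64 decoding, long encoded string literals, and high-entropy script bodies. The extra API names beyond eval and document.write, the two sample attachments, and the scoring thresholds are constructed assumptions for illustration, not vendor defaults.

```python
"""Triage an HTML attachment for HTML-smuggling indicators (added example)."""
import base64
import math
import re
from collections import Counter

# Sinks and decoders seen in smuggling chains; the article names eval and
# document.write, the rest are well-known browser APIs added as assumptions.
SUSPICIOUS_CALLS = ("eval", "Function", "document.write", "atob", "unescape", "Blob")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A single quoted literal of 200+ base64 characters or 100+ hex-encoded bytes.
LONG_BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{200,}|(?:[0-9a-fA-F]{2}){100,})['\"]")

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted blobs push this above plain code."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def scan_html(html: str) -> dict:
    """Count indicators inside <script> blocks and return a report with a verdict."""
    scripts = SCRIPT_RE.findall(html)
    body = "\n".join(scripts)
    calls = {name: len(re.findall(r"(?<!\w)" + re.escape(name) + r"\s*\(", body))
             for name in SUSPICIOUS_CALLS}
    blobs = LONG_BLOB_RE.findall(body)
    # Weighted score: code-execution sinks and encoded blobs weigh most;
    # the weights and the cut-off are illustrative, tune them on your own mail flow.
    score = (2 * bool(calls["eval"] or calls["Function"])
             + bool(calls["document.write"])
             + bool(calls["atob"] or calls["unescape"] or calls["Blob"])
             + 2 * bool(blobs)
             + (shannon_entropy(body) > 5.0))
    return {"script_blocks": len(scripts), "calls": calls, "long_blobs": len(blobs),
            "entropy": round(shannon_entropy(body), 2), "score": score,
            "verdict": "suspicious" if score >= 4 else "clean"}

# Constructed samples: the "smuggled" one only decodes to harmless HTML.
_BLOB = base64.b64encode(b"<p>constructed harmless payload</p>" * 8).decode()
SAMPLE_SMUGGLED = ("<html><body>You have one new voicemail.<script>var d=atob('"
                   + _BLOB + "');eval(d);document.write(d);</script></body></html>")
SAMPLE_CLEAN = "<html><body><p>Hi</p><script>console.log('hello');</script></body></html>"

if __name__ == "__main__":
    for name, sample in (("smuggled", SAMPLE_SMUGGLED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(sample))
```

Run it over quarantined .html or unpacked .zip attachments; anything scoring as suspicious is a candidate for a sandbox detonation rather than an automatic block, since legitimate web pages also use these APIs.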
FAQs
What is HTML smuggling?
HTML smuggling is a cyberattack technique where malicious code is embedded within an HTML file. When the file is opened, the browser decodes and executes the code, often leading to phishing pages or further malware downloads.
How does HTML smuggling bypass security?
Because HTML files are generally not considered malicious, they often slip past email gateways and antivirus systems. The malicious code is executed by the browser once the file is opened, bypassing traditional detection methods.
How can I protect my organization from HTML smuggling attacks?
To prevent HTML smuggling attacks, you need a multi-layered defense strategy. This includes employee training, strong email gateway configurations, advanced endpoint detection systems, and regular threat-hunting activities.
Can antivirus software detect HTML smuggling?
Basic antivirus software may not detect HTML smuggling, especially if the code is heavily obfuscated. More advanced endpoint detection systems (EDRs) are better suited to identify suspicious activity, particularly in the behavior of scripts.
Wrapping It Up
HTML smuggling is a sneaky, effective tactic that’s making a big comeback in the phishing world. Cybercriminals have found a way to make even the simplest of tools—like an HTML file—work in their favor. And as long as it keeps bypassing your defenses, they’ll keep using it. So the next time you receive a voicemail notification via email, stop and think twice before opening any attachments. Your system—and your sanity—will thank you.
Stay safe out there, folks, and if you haven’t already, subscribe to our blog for more updates on the latest in cybersecurity tactics and trends. Because, as you’ve seen, the bad guys aren’t slowing down anytime soon.