Obfuscated Files or Information: HTML Smuggling

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data representing raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which allow media-type (MIME) content to be embedded inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.[1][2]

Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.

For example, JavaScript Blobs can be abused to dynamically generate malicious files on the victim machine, which may then be dropped to disk by abusing JavaScript functions such as msSaveBlob.[1][3][2][4]

ID: T1027.006
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Jonathan Boucher, @crash_wave, Bank of Canada; Krishnan Subramanian, @krish203; Stan Hegt, Outflank; Vinay Pidathala
Version: 1.3
Created: 20 May 2021
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0016 APT29

APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.[5]

S0634 EnvyScout

EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.[6]

S0650 QakBot

QakBot has been delivered in ZIP files via HTML smuggling.[7][8]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing

Use Browser Extensions or Built-in Security Tools that:

  • Monitor JavaScript API calls such as Blob, URL.createObjectURL, and msSaveOrOpenBlob
  • Intercept and analyze HTML5 download attributes for suspicious payload generation
  • Alert or block behaviors that match known HTML smuggling patterns (e.g., blob-to-disk payload construction)

Apply Content Security Policy (CSP) headers to:

  • Restrict inline JavaScript and dynamic script generation
  • Disallow downloads from unauthorized sources or blob URIs
  • Prevent cross-origin resource sharing (CORS) abuse commonly used in smuggling chains

Enable or enforce enterprise browser security controls, such as:

  • Microsoft Defender for Endpoint's Network Protection and Attack Surface Reduction (ASR) rules, which can block Office and browser processes from creating child processes or writing to disk in suspicious ways
  • Google Chrome Enterprise Policies, which can control file download behavior, restrict extensions, and isolate risky browsing environments

Deploy browser sandboxing solutions that can isolate JavaScript execution environments and enforce behavioral policy restrictions

Detection Strategy

ID: DET0313
Name: Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop

AN0872

Detection of browser-based or email-client-driven file creation (often in temp directories) following navigation to or execution of HTML files containing JavaScript Blob APIs or base64 Data URLs, with follow-on execution of the dropped payload. Leverage Sysmon Event ID 15 (FileCreateStreamHash) to inspect the Zone.Identifier ADS for HostUrl/ReferrerUrl indicators (e.g., HostUrl=about:internet). Optional: the absence of a large HTTP download record for the same URL/client in proxy logs suggests the file was assembled locally.

AN0873

Detection of browser-based downloads from HTML sources that trigger file creation in temp or user directories, followed by execution of the new files within a short timeframe and with suspicious parent-child process lineage.

AN0874

Detection of HTML-based downloads via Safari/Chrome that create obfuscated files (e.g., .zip, .app, .js) in user directories and are followed by suspicious executions from preview or launch services.
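The following is an added example of the AN0872 logic, not part of the ATT&CK page or any MITRE tooling: it parses the Zone.Identifier text that Sysmon Event ID 15 records in its Contents field, flags Internet-zone files whose HostUrl is not a real http(s) source (about:internet, blob:, data:), and corroborates with the absence of a sizeable proxy download. The Sysmon records and proxy entries are constructed, and the field names and thresholds are assumptions.

```python
import re

# Constructed Sysmon Event ID 15 (FileCreateStreamHash) records. "Contents"
# carries the text of the Zone.Identifier ADS; values are made up.
SYSMON_EID15 = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.iso:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/view\r\nHostUrl=about:internet\r\n"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://intranet.example.test/\r\nHostUrl=https://intranet.example.test/files/report.pdf\r\n"},
]

# Constructed proxy log: (client, url, bytes transferred).
PROXY = [
    ("10.0.0.5", "https://intranet.example.test/files/report.pdf", 412_000),
    ("10.0.0.5", "https://mail.example.test/view", 9_800),
]

# HostUrl values that mean the browser assembled the file itself (assumption).
LOCAL_ASSEMBLY = ("about:internet", "blob:", "data:")

def parse_zone_identifier(contents):
    """Turn [ZoneTransfer] text into a dict of ZoneId/ReferrerUrl/HostUrl."""
    kv = {}
    for line in contents.splitlines():
        m = re.match(r"^(ZoneId|ReferrerUrl|HostUrl)=(.*)$", line.strip())
        if m:
            kv[m.group(1)] = m.group(2)
    return kv

def is_mark_of_the_web(rec):
    return rec["TargetFilename"].lower().endswith(":zone.identifier")

def find_smuggling_candidates(events, proxy, min_bytes=100_000):
    hits = []
    for rec in events:
        if not is_mark_of_the_web(rec):
            continue
        zone = parse_zone_identifier(rec["Contents"])
        host = zone.get("HostUrl", "")
        # Internet zone (3) but no real http(s) origin: payload built in-browser.
        if zone.get("ZoneId") != "3" or not host.startswith(LOCAL_ASSEMBLY):
            continue
        # Corroboration: no large HTTP transfer for the host or referrer URL.
        big_dl = any(url in (host, zone.get("ReferrerUrl")) and nbytes >= min_bytes
                     for _, url, nbytes in proxy)
        hits.append({"file": rec["TargetFilename"].rsplit(":", 1)[0],
                     "referrer": zone.get("ReferrerUrl"), "host_url": host,
                     "no_large_download": not big_dl})
    return hits
```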

References