This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component|
download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.
Consider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.