Microsoft warns about a weeks-long malspam campaign that uses HTML smuggling to bypass email security measures.
The Microsoft security team detected a massive email spam campaign that uses a technique enabling attackers to covertly plant malicious code on users' devices. The trick is that the malicious file is assembled behind the perimeter defences: inside the browser on the target endpoint, which already sits within the network's security boundary.
The method works by triggering a download from a Data URL (data:) or a JavaScript Blob whose declared MIME type makes the browser treat the content as a file to be saved rather than rendered. The JavaScript in the page then assembles the malicious file inside the victim's browser.
An HTML-based attack of this kind does not raise a warning when the email is scanned, because the message itself does not reference any dangerous file type (EXE, DOC, MSI, etc.).
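Because the mail gateway sees only an HTML attachment, detection has to look for the smuggling primitives themselves: a data: URL or Blob with a binary MIME type, a forced download attribute, base64 decoding of a large inline literal, and a scripted click. The scanner below is an added example written for this article, not Microsoft's detection logic; its rule weights, threshold and the inert sample attachments are all constructed assumptions.

```python
"""Heuristic scanner for HTML-smuggling indicators in e-mail attachments."""
import re

# Each rule: (name, pattern, weight). Weights and threshold are assumptions
# chosen for this example; tune them against your own attachment corpus.
RULES = [
    ("data-url-binary", re.compile(
        r"data:application/(?:octet-stream|zip|x-zip-compressed|x-msdownload)[^,]*;base64,", re.I), 3),
    ("blob-constructor", re.compile(r"new\s+Blob\s*\(", re.I), 2),
    ("object-url", re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob", re.I), 2),
    ("anchor-download-attr", re.compile(r"<a\b[^>]*\bdownload\s*=", re.I), 2),
    ("base64-decode", re.compile(r"\batob\s*\(", re.I), 1),
    ("auto-click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
]
LARGE_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # assumed size threshold
THRESHOLD = 4  # assumed: flag when the summed weights reach this value

def scan_html(html: str) -> dict:
    """Return the matched indicator names, their summed weight and a verdict."""
    hits = [name for name, rx, _ in RULES if rx.search(html)]
    score = sum(w for name, _, w in RULES if name in hits)
    if LARGE_B64.search(html):  # big inline payload, typical of smuggling
        hits.append("large-base64-literal")
        score += 2
    return {"indicators": hits, "score": score, "suspicious": score >= THRESHOLD}

# Constructed, inert sample attachments for this example (payload bytes are just
# repeated "AAA"), not artifacts from the campaign Microsoft described.
FAKE_B64 = "QUFB" * 80
SAMPLES = {
    "data_url.html": (
        '<html><body><a id="f" download="invoice.zip" '
        'href="data:application/octet-stream;base64,' + FAKE_B64 + '">open</a>'
        '<script>document.getElementById("f").click();</script></body></html>'
    ),
    "blob.html": (
        '<script>var s="' + FAKE_B64 + '";'
        'var b=new Blob([Uint8Array.from(atob(s),c=>c.charCodeAt(0))],'
        '{type:"application/octet-stream"});var a=document.createElement("a");'
        'a.href=URL.createObjectURL(b);a.download="doc.zip";a.click();</script>'
    ),
    "newsletter.html": (
        '<html><body><p>Monthly update</p><img src="data:image/png;base64,iVBORw0KGgo=">'
        '<a href="https://example.invalid/read">Read more</a></body></html>'
    ),
}

def scan_samples() -> dict:
    """Verdict per sample: True when the attachment looks like HTML smuggling."""
    return {name: scan_html(body)["suspicious"] for name, body in SAMPLES.items()}
```

The benign newsletter, which also carries a base64 data: URL (an inline image), scores zero, so the rules key on binary MIME types and download mechanics rather than on base64 alone.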
The technique was described in the mid-2010s and first spotted used in the wild in 2019. It has been abused by various operators since then.
In a series of posts on Twitter, Microsoft revealed that it has been tracking an email campaign that abuses HTML smuggling to deliver a malicious ZIP file to user devices.
The files contained inside the ZIP file are designed to infect users with a banking trojan known as Casbaneiro (aka Metamorfo). Casbaneiro is a type of banking trojan that targets various Latin American banks and cryptocurrency transactions, mostly in Brazil and Mexico. It uses a social engineering method that displays fake pop-up windows.
Although Microsoft Defender for Office 365 can detect files dropped via HTML smuggling, Microsoft issued the warning to alert users of other email security products who may not be aware of the threat.