Phishing attackers employed an HTML smuggling technique to deliver a malicious payload, as the attack chain started with a phishing email mimicking an American Express notification, leading to a series of redirects.
The final redirect pointed to a Cloudflare R2 public bucket hosting an HTML file, which loaded an external JavaScript code that contained a Base64-encoded string that, when decoded, revealed the actual phishing page, demonstrating the effectiveness of HTML smuggling in obfuscating malicious content.
The JavaScript code first waits for the page to load before executing its functionality and then decodes a Base64-encoded HTML string into plain text, which is likely a malicious phishing page that is designed to trick users into revealing sensitive information.
The code’s purpose is to create a hidden iframe within the web page and load the decoded phishing content into it, effectively disguising the malicious activity from the user.
The openFileURL function creates a downloadable or viewable file from decoded HTML content, which first constructs a blob object using the decoded data and the specified content type and then generates a URL referencing this blob.
Finally, it redirects the browser to this URL, causing the content to be loaded and displayed. To prevent memory leaks, the function revokes the blob URL after a short delay.
Blob URLs are temporary web addresses pointing to binary data stored in the browser. Cybercriminals exploit this feature to create malicious files locally, bypassing traditional security measures.
These files can be used to deliver harmful payloads directly to users, making attacks harder to detect and trace.
By generating files on the client side, attackers can embed them into seemingly normal web pages or exploit browser vulnerabilities, posing a significant security risk.
The phishing pages demonstrate a sophisticated HTML smuggling technique where malicious code is concealed within seemingly legitimate HTML elements.
The pages mimic reputable services like DocuSign and Microsoft, aiming to deceive users into entering sensitive information.
By exploiting HTML’s flexibility, the attackers successfully disguise the malicious code within the HTML structure, making it difficult to detect by traditional security measures, which underscores the importance of vigilant security practices and the need for advanced threat detection mechanisms to combat evolving phishing attacks.
HTML smuggling is a growing concern in phishing attacks due to its ability to bypass traditional security measures, which involves hiding malicious content within seemingly harmless HTML files, often using obfuscation techniques like blob URLs to reference hidden data.
According to Trustwave, as phishing attacks become more sophisticated, it is expected to see increased use of HTML smuggling, making it essential for organizations to adopt advanced security solutions capable of detecting and mitigating such threats.