HTML smuggling

Prevent this sophisticated evasion technique using seemingly benign HTML files to deliver malware and bypass traditional detection.

See a demo Explore product

Problem

Seemingly benign HTML files deliver malicious code

HTML smuggling embeds malicious code within seemingly benign HTML files, making it hard for traditional email filters to detect. Instead of attaching malware directly to an email, attackers embed JavaScript or encoded data within an HTML file, which only becomes active when the user opens the file in their browser.

Security solutions often miss these files, focusing on known threats like malicious attachments or links. By relying on the user's browser to assemble and execute the payload, HTML smuggling also bypasses network security tools like sandbox analysis and antivirus software.

Solution

Detect and block HTML smuggling with xorlab

xorlab analyzes HTML files and scripts to identify potentially dangerous features, leveraging sender-recipient relationships and history to detect attempts to smuggle malicious code through attachments.

The platform flags high-risk emails with unusual attachments or hidden code that triggers downloads or other risky actions upon opening and blocks them before delivery.

Obfuscation

Attackers hide malicious code within HTML or JavaScript to bypass security filters.

Delayed Execution

Payloads are triggered upon file opening only, making them hard to detect at email gateway level.

Multi-stage Delivery

The initial HTML file acts as a dropper, downloading additional malware.

Bypass of Network-Based Defenses

As the attack is triggered in the user's browser, network security tools like sandboxes are often bypassed.

Blending with Legitimate Content

HTML files appear benign and blend with legitimate emails, increasing the likelihood of a successful attack.

Within the MITRE ATT&CK® Matrix, HTML smuggling maps to Phishing (sub-technique: Spearphishing Attachment) and User Execution (sub-technique: Malicious File) as techniques aimed at the tactical objective of Initial Access and Execution.

Explore defense capabilities

Ciso Guide

Explore our ebook about smarter email security – an attacker-centric, proactive approach.

Learn more

Blog

HTML smuggling: How malicious actors use JavaScript and HTML to fly under the radar.

Learn more

Attack simulation

Stress test your email security with our realistic email attack simulation.

Learn more

Detect and block sophisticated HTML smuggling attacks

See how xorlab proactively identifies and blocks HTML smuggling attempts, protecting your organization from these sophisticated, file-based multi-stage attacks.

Book a demo

PRODUCTS

Inbound Email Security

Abuse Mailbox Automation

EXTENSIONS

Contextual Banners

PLATFORM

Platform overview

FEATURED CONTENT

Product updates

PLATFORM

Platform overview

BY ENVIRONMENT

On-premise

Microsoft 365

BY ATTACK TYPE

BEC/fraud

Credential phishing

Email thread hijacking

Extortion scam

HTML smuggling

Malware/ransomware

QR code phishing

Spearphishing

Become a partner

Partner portal

RESOURCES

Blog

Customer stories

SERVICES

Email attack simulation

DOWNLOADS

CISO guide

Healthcare checklist

FEATURED CONTENT

Threat analysis

About us

Careers

Contact

HTML smuggling

Seemingly benign HTML files deliver malicious code

Detect and block HTML smuggling with xorlab

HTML smuggling techniques and characteristics

Obfuscation

Delayed Execution

Multi-stage Delivery

Bypass of Network-Based Defenses

Blending with Legitimate Content

Resource center

Ciso Guide

Blog

Attack simulation

Detect and block sophisticated HTML smuggling attacks

Trusted by organizations with highest security needs