Perfect use case: HTML Smuggling
Image courtesy Microsoft Threat Intelligence.
Email attachments from senders outside an organization are often stripped at the gateway, which is why the usual first stage is a link in the email to a web page that delivers the payload. Large providers such as Gmail and Outlook also block attachments with risky extensions outright.
Above are the VirusTotal detections for one such HTML smuggling project, EmbedInHTML. In practice an NGFW's detection rate for this kind of payload would be considerably higher; the antivirus engines on VirusTotal are not geared towards this class of threat. Even so, we get plenty of unwanted detections.
Flying under the radar…
So, the defenders made a move. Now it’s the attacker’s turn: How do we become fully undetectable (at least… for now)?
Simple: paste your payload into obfuscator.io and click the “Obfuscate” button.
Pro tip: If you’re HTML smuggling a binary file (like an EXE or DLL) then definitely make sure to select the RC4 encryption option under String Array Encoding. This is necessary to remove any last bits of data that NGFWs might use to signal on. Detecting the structure of any executable file (with its
This information is provided for the purposes of legitimate pentesting, education, and further security research only. Please use it responsibly.
Detection software (such as antivirus, endpoint detection and response, and next-generation firewalls) should only be used as part of a more holistic defense-in-depth security strategy, mostly because security through detection is a cat-and-mouse game. If ‘real’ security is what you want then have a look at my binary exploitation or Qubes OS content (upcoming).