NACE vs. HTML Smuggling: Catching What Conventional Technology Misses

Quick Read:
- Phishing Strategy: Threat actor using HTML Smuggling to bypass email security and deliver phishing payloads directly to inboxes.
- Objective: The campaign aims to steal corporate credentials, emphasizing the need for enhanced detection strategies.
- Tactics Observed:
- Office 365 Anti-Phishing Bypass: The email passed SPF, DKIM, and DMARC, had a low suspicion score, and evaded Safe Attachments and Safe Links protection.
- Attachment Tactics: The obfuscated JavaScript within the HTML file was designed to evade static analysis and included anti-debugging mechanisms to detect sandbox instrumentation, redirecting to a legitimate site if a debugger was detected.
- Cloudflare CAPTCHA: Used as an evasive mechanism to obstruct automated analysis and bypass domain reputation technologies and extend the campaign’s lifespan.
- Low Detection Rates: The phishing HTML attachment evaded all 60 antivirus engines on VirusTotal, while the final phishing domain was detected by only 7 out of 96 AV engines.
- Deployment: NACE deployed to analyse emails behind Microsoft 365 Security.
Campaign Summary and Technical Flow
In recent years, HTML smuggling has become one of the most effective evasion techniques used by threat actors to bypass email security and deliver phishing payloads directly to inboxes. This technique embeds malicious JavaScript inside seemingly benign HTML attachments, allowing attackers to construct and execute malware or phishing pages on the victim’s device. Security research shows a 150% increase in phishing campaigns leveraging HTML smuggling over the past two years, making it one of the most commonly used evasive tactics.
The NACE™, Intent-based AI Threat Prevention Platform identified an active corporate-targeted phishing campaign that leverages HTML smuggling to deliver a phishing redirector page to recipients.
Image: Email with attachment
O365 Header Analysis Summary
Microsoft Office 365 applied multiple security layers to assess the email:
Image: Checks performed by O365 protections
Despite these efforts, the email slipped through due to its seemingly legitimate appearance and low suspicion scores. The protective measures in place might need refinement to better detect sophisticated phishing attempts involving smuggled HTML attachments.
The email likely reached the recipient's inbox due to the following reasons:
- Successful Email Authentications: The email passed SPF, DKIM, and DMARC checks, making it appear legitimate.
- Low Suspicion Scores: Both the antispam and URL scanning systems assigned relatively low suspicion scores, failing to trigger blocking mechanisms.
- Sender Reputation: The sender had a decent reputation score, reducing the likelihood of the email being flagged.
- Inadequate Detection of Smuggled Content: Although the email contained an HTML attachment, the protective measures in place (Safe Attachments, Safe Links) may not have detected the smuggled content effectively enough to block the email.
Attachment Analysis with Techniques to Bypass Sandboxes and Detection:
The attached HTML file was heavily obfuscated into a single-line script, incorporating multiple layers of obfuscation to evade detection. Once executed, the HTML file loaded a phishing site behind a Cloudflare CAPTCHA, ensuring automated sandboxes could not access it directly.
Layers of Attachment Obfuscation
MalSpam actors are increasingly adopting anti-debugging techniques to obstruct analysis and detection of their malicious payloads. These techniques are specifically designed to prevent security researchers and automated tools from reverse-engineering or monitoring their activities.
Anti-Automated tools, Anti-Debugger code
By leveraging these methods, MalSpam campaigns aim to prolong the lifespan of their phishing links, malware downloads, and other malicious content by delaying detection and analysis.
An interesting discovery in the code shows that if a debugger is attached to the browser, the user is redirected to an intermediate page that ultimately leads to an Etsy shopping page instead of the intended phishing site.
Code to Evade Analysis
These evasive tactics highlight the growing sophistication of threat actors and emphasize the need for advanced detection mechanisms capable of countering such strategies effectively.
The ultimate objective of this campaign is to compromise corporate user accounts and harvest credentials, emphasizing the need for enhanced detection mechanisms and proactive security measures.
Final Phishing Page
Campaign Insights and Analysis
A long-running phishing campaign utilizing HTML and PDF attachments has been active for several months. The final phishing page is protected by Cloudflare CAPTCHA and frequently changes domains to evade detection.
Campaign Data
At the time of writing, the attachment evaded detection from all 60 Antivirus engines on Virustotal. This shows how basic obfuscations can be used to evade legacy detection systems.
Virus Total hit for Redirector URL
Even older attachments used in this campaign, as observed on VirusTotal, had a low detection score despite communicating with the phishing IP.
Virus Total hits for older files Communicating to phishing page
However, the redirector URL was flagged by only 4 out of 96 antivirus engines on VirusTotal, while the final phishing domain was detected by just 7 out of 96 engines. Given the duration this campaign has been active in the wild, these detection rates remain relatively low.
Virus Total hit for Redirector URL
Virus Total hit for Phishing Landing Page
NACE™ Leveraging Intent as a feature set for detection
NACE Leveraging Intent as a feature for detection
The email was successfully flagged as malicious by InceptionCyber’s Neural Analysis and Correlation Engine (NACE™). Unlike traditional detection systems that primarily rely on payload inspection or final landing URL analysis, NACE™ leverages semantic and thematic analysis to determine the intent of an email. By analyzing contextual relationships across multiple email components—including headers, subject line, and file attachments—NACE™ effectively identified the use of HTML smuggling in this campaign without needing the final landing Phishing URL.
- Header and Subject Indicators
- Header Analysis: The email was identified as the first-time communication (is_first_email) from an external sender (is_probable_external_email), increasing its risk profile.
- Subject Analysis: The subject line contained elements suggesting an "evaluation" request and a "call to action," both of which are commonly exploited in phishing campaigns.
- Attachment Feature Tags: The analysis identified the following suspicious characteristics:
- Script: The attachment contained JavaScript execution.
- Suspicious Obfuscation: The script was heavily obfuscated to evade detection.
- One-liner Script Page: The entire JavaScript code was compressed into a single-line script, a common evasion tactic.
By leveraging advanced feature extraction and contextual analysis, NACE™ was able to classify the email and its attachment as a malicious payload—without relying on external threat intelligence feeds or detection of the final phishing URL. This proactive approach enhances detection accuracy, mitigating evasive techniques used in modern malspam campaigns.
Conclusion
This phishing campaign demonstrates the growing sophistication of HTML smuggling techniques used to evade detection. By leveraging advanced obfuscation, CAPTCHA verification, and anti-debugging tactics, attackers successfully bypass security controls, enabling widespread credential theft. As threat actors continue refining their tactics, organizations must adopt a multi-layered security approach to combat these evolving threats.
Traditional technologies like signature-based detection, sandboxing, and machine learning/deep learning rely on examining malicious payloads, which often remain hidden during analysis due to evasion techniques. This allows multi-stage, evasive, AI or threat actor generated malicious attachments and call-to-action URLs to reach endpoints.
Inception Cyber is transforming threat protection with Intent AI. Our NACETM platform employs patent-pending advanced semantic and thematic analysis to comprehend intent, and leverages the contextual relationships between intent, SMTP headers, and auxiliary features to classify URLs and attachments as malicious or benign. This advancement moves far beyond traditional reliance on malicious indicators generated by threat actors or AI, to stop the evasive threats that other technologies simply can’t identify.
Feb 12, 2025 5:51:21 PM