HTML smuggling is a delivery technique that constructs a malicious payload entirely on the client side using JavaScript or HTML5 download attributes, bypassing perimeter controls that inspect downloaded files at the network layer. The payload is never transmitted as a recognisable binary over the wire — it’s assembled in the browser’s memory from encoded data embedded directly in the HTML file, then written to disk by the browser itself. Network proxies, secure email gateways, and sandboxes that analyse network traffic rather than executed browser behaviour are blind to it.

Multiple threat groups have adopted this technique in 2026. Gamaredon’s documented June campaign uses XHTML with HTML smuggling to deliver a WinRAR archive exploiting CVE-2025-8088. EXOTIC LILY (initial access broker) and various commodity phishing kits have used JavaScript-based smuggling to deliver ISO files and MSI installers. This guide covers the detection logic across three visibility layers: email gateway, endpoint, and SIEM.

How HTML Smuggling Works

The mechanics use two distinct approaches:

JavaScript Blob URL method:

<script>
  const data = [0x52, 0x61, 0x72, 0x21, ...]; // RAR/ZIP bytes
  const blob = new Blob([new Uint8Array(data)], {type: 'application/octet-stream'});
  const url = URL.createObjectURL(blob);
  const a = document.createElement('a');
  a.href = url;
  a.download = 'Invoice_Q2.rar';
  document.body.appendChild(a);
  a.click();
</script>

HTML5 download attribute method:

<a href="data:application/octet-stream;base64,UmFyIR..." download="update.exe">Click here</a>

Both result in a file being written by the browser to the default downloads folder with no corresponding network request for the file content visible to a proxy or NGFW.

XHTML variant (Gamaredon technique): The same Blob URL approach works in XHTML, with the added advantage that many email gateways classify .xhtml attachments differently from .html, reducing the probability of automatic detonation or blocking.

Layer 1: Email Gateway Detection

Most email security platforms allow custom rules on attachment characteristics. The challenge is that the payload arrives as an HTML/XHTML file — not a binary — so hash-based or file-type blocking of the final payload is ineffective at this layer.

Rules to implement:

  1. Block or quarantine .xhtml attachments — legitimate business email rarely uses XHTML attachments. A block-with-exception policy for internal senders covers the vast majority of cases.

  2. Scan HTML attachment content for smuggling indicators:

    • Presence of createObjectURL combined with new Blob
    • data:application/octet-stream;base64, in link href attributes
    • Uint8Array or ArrayBuffer construction from large literal arrays
    • Base64 strings exceeding 10KB embedded in <script> tags

These patterns can be matched with YARA rules in email gateway inline scanners:

rule HTML_Smuggling_Blob_URL {
    meta:
        description = "HTML smuggling via Blob URL pattern"
        mitre = "T1027.006"
    strings:
        $blob1 = "createObjectURL" nocase
        $blob2 = "new Blob" nocase
        $uint = "Uint8Array" nocase
        $dl = ".download" nocase
    condition:
        2 of them and filesize < 5MB
}

rule HTML_Smuggling_DataURI {
    meta:
        description = "HTML smuggling via data URI download attribute"
    strings:
        $data_uri = "data:application/octet-stream;base64," nocase
        $download = "download=" nocase
    condition:
        all of them
}

Layer 2: Endpoint Detection

Once the HTML file reaches the endpoint and the user opens it, detection shifts to process and file system telemetry. Key artefacts:

Browser spawning unexpected child processes or file writes:

HTML smuggling itself only writes a file to disk; execution requires a subsequent user action or another component (e.g., a path-traversal archive exploit). The detection pivot depends on what payload was delivered.

Sigma rule for suspicious browser file download followed by archive extraction to Startup:

title: Suspicious Archive Extraction to Startup Folder
id: a7d3c4e8-1234-4f56-b789-abcdef012345
status: experimental
description: Detects extraction of files directly to Windows Startup folder, indicative of path traversal archive delivery (e.g., CVE-2025-8088)
references:
    - https://attack.mitre.org/techniques/T1547/001/
author: SOC Analyst Hub
date: 2026/06/08
tags:
    - attack.persistence
    - attack.t1547.001
    - attack.initial_access
    - attack.t1027.006
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith:
            - '.hta'
            - '.vbs'
            - '.js'
            - '.lnk'
            - '.bat'
            - '.cmd'
            - '.ps1'
            - '.scr'
    filter_main_installer:
        Image|contains:
            - '\Program Files\'
            - '\Program Files (x86)\'
    condition: selection and not filter_main_installer
falsepositives:
    - Legitimate software installers placing shortcuts in Startup
level: high

Sigma rule for mshta.exe launching with external URL (post-HTML-smuggling execution):

title: MSHTA Executing Remote URL
id: b8e5f9a1-2345-5678-c890-bcdef0123456
status: stable
description: Detects mshta.exe spawned with an HTTP/S URL argument, consistent with HTA-based payload delivery
references:
    - https://attack.mitre.org/techniques/T1218.005/
author: SOC Analyst Hub
date: 2026/06/08
tags:
    - attack.defense_evasion
    - attack.t1218.005
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\mshta.exe'
        CommandLine|contains:
            - 'http://'
            - 'https://'
    filter_main_legitimate:
        CommandLine|contains:
            - 'res://'
            - 'about:blank'
    condition: selection and not filter_main_legitimate
falsepositives:
    - Rare legitimate enterprise HTA applications using remote URLs
level: high

Layer 3: SIEM/KQL Queries

For Microsoft Sentinel, the following queries hunt for the post-delivery execution chain:

Hunt for files written to Startup by browser processes:

DeviceFileEvents
| where FolderPath contains @"Start Menu\Programs\Startup"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe")
| where FileName endswith ".hta" or FileName endswith ".vbs" or FileName endswith ".lnk"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, InitiatingProcessCommandLine
| order by Timestamp desc

Hunt for mshta.exe with URL arguments containing domain names:

DeviceProcessEvents
| where FileName =~ "mshta.exe"
| where ProcessCommandLine matches regex @"https?://[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,}"
| where not(ProcessCommandLine contains "res://")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Hunt for suspicious Telegram API connections from non-browser processes (dead drop resolver pattern):

DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "slack.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc

Detection Coverage Summary

Detection PointTechniqueData Source
XHTML/HTML attachment with Blob URLT1027.006Email gateway YARA
Large base64 data URI in HTML attachmentT1027.006Email gateway YARA
File written to Startup by browser processT1547.001Endpoint file events
HTA/VBS/LNK dropped in Startup folderT1547.001Sigma (file events)
mshta.exe with HTTP URL argumentT1218.005Sigma (process creation)
Telegram API connection from non-browserDead drop resolverKQL (network events)

HTML smuggling generates no network-layer artefacts for the payload delivery itself. Detection is entirely dependent on endpoint and email attachment visibility. If your coverage is weak in either area, this technique will consistently evade detection.