Tactic or Technique: HTML smuggling

HTML smuggling is a stealthy way for attackers to deliver malware by hiding it inside HTML files, either in emails or on linked web pages. Instead of attaching a file directly, attackers embed the payload in encoded or encrypted form and use JavaScript to build it inside your browser after it has already passed through security filters.
The trick works because the email or link doesn’t look dangerous on its own. Security tools see harmless HTML and JavaScript, but once you open the file or click the link, your browser assembles and downloads the real malware—completely bypassing traditional scans.
Attackers often use this to deliver ransomware, credential harvesters, or remote access tools. The malicious code is usually Base64-encoded or obfuscated in the HTML, then decoded and executed using legitimate browser functions. It’s been used in targeted campaigns against businesses, especially when attackers want to avoid detection while still delivering high-impact payloads.
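
The static indicators described above (browser decoding functions, Base64 layers, high entropy, an archive hidden inside) can be checked on an HTML attachment before anyone opens it. The following is an added example, not Sublime Security's rule logic; the function names, the 40-character minimum run length and the three-layer limit are assumptions, and the sample input is constructed and harmless.

```python
import base64, io, math, re, zipfile
from collections import Counter

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64-looking literal (assumed minimum: 40)
B64_ONLY = re.compile(rb"[A-Za-z0-9+/]+={0,2}")     # decoded bytes that are themselves Base64 text
JS_DECODERS = ("atob(", "eval(")                    # browser functions named in the rule titles
ZIP_MAGIC = b"PK\x03\x04"                           # ZIP local file header signature

def shannon_entropy(text):
    """Bits per character; 0.0 for empty input."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values()) + 0.0

def peel(run, max_layers=3):
    """Base64-decode repeatedly; return (layers_decoded, zip_found)."""
    data, layers = run.encode(), 0
    while layers < max_layers:
        try:
            # Trim to a multiple of 4 so a run cut short by the regex still decodes.
            data = base64.b64decode(data[:len(data) - len(data) % 4], validate=True)
        except ValueError:                  # binascii.Error subclasses ValueError
            break
        layers += 1
        if data.startswith(ZIP_MAGIC):
            return layers, True
        if not B64_ONLY.fullmatch(data):    # decoded to something that is not Base64 text
            break
    return layers, False

def triage(html):
    """Static indicators for one HTML attachment body."""
    runs = B64_RUN.findall(html)
    layers, zip_found = max((peel(r) for r in runs),
                            key=lambda r: (r[1], r[0]), default=(0, False))
    return {
        "js_decoders": [f for f in JS_DECODERS if f in html],
        "b64_layers": layers,
        "zip_inside": zip_found,
        "max_entropy": max((shannon_entropy(r) for r in runs), default=0.0),
    }

def constructed_sample():
    """Constructed test input: harmless ZIP, Base64-encoded twice, inside a script tag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "constructed benign sample")
    twice = base64.b64encode(base64.b64encode(buf.getvalue())).decode()
    return f'<html><script>var d = atob(atob("{twice}"));</script></html>'

if __name__ == "__main__":
    print(triage(constructed_sample()))
    print(triage("<html><body><p>Quarterly report attached.</p></body></html>"))
```

No single field is a verdict: long Base64 runs also appear in benign inline images, so the combination of a decoder call, more than one Base64 layer and an archive signature is what merits escalation.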

| Rule Name & Severity | Last Updated | Author | Rule path |
| --- | --- | --- | --- |
| Low reputation link to auto-downloaded HTML file with smuggling indicators | Jul 23rd, 2025 UTC (1d ago) | Sublime Security | /feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6 |
| Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment | Jul 16th, 2025 UTC (8d ago) | @ajpc500 | /feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b |
| Attachment: HTML Attachment with Login Portal Indicators | Jul 16th, 2025 UTC (8d ago) | @ajpc500 | /feeds/core/detection-rules/attachment-html-attachment-with-login-portal-indicators-3aabf4a7 |
| Attachment: Any HTML file within archive (unsolicited) | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-any-html-file-within-archive-unsolicited-6a67c02c |
| HTML smuggling containing recipient email address | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f |
| Attachment: Any HTML file (untrusted sender) | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-any-html-file-untrusted-sender-57a8f5c5 |
| Attachment: HTML With Emoji-to-Character Map | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086 |
| Attachment: EML with Suspicious Indicators | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d |
| Attachment: HTML Smuggling Microsoft Sign In | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385 |
| Attachment: Any HTML file (unsolicited) | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-any-html-file-unsolicited-ef36763f |
| Attachment: Archive containing HTML file with file scheme link | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-archive-containing-html-file-with-file-scheme-link-edf6d0d9 |
| Attachment: HTML smuggling with decimal encoding | Jul 16th, 2025 UTC (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4 |
| Attachment: HTML smuggling with eval and atob via calendar invite | Jun 3rd, 2025 UTC (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd |
| Attachment: HTML smuggling with atob and high entropy via calendar invite | Jun 3rd, 2025 UTC (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614 |
| Attachment: Web Files With Suspicious Comments | Apr 28th, 2025 UTC (2mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-web-files-with-suspicious-comments-93061d17 |
| Attachment: HTML with obfuscation and recipient's email in JavaScript strings | Apr 10th, 2025 UTC (3mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-with-obfuscation-and-recipients-email-in-javascript-strings-1aff486b |
| Attachment: EML file with HTML attachment (unsolicited) | Mar 28th, 2025 UTC (3mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191 |
| Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts | Feb 3rd, 2025 UTC (5mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a |
| Attachment: HTML smuggling with atob and high entropy | Aug 29th, 2024 UTC (10mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11 |
| Attachment: HTML smuggling with excessive string concatenation and suspicious patterns | Aug 27th, 2024 UTC (11mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d |