T1027.006: HTML Smuggling
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline in HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.[1][2]
Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.
For example, JavaScript Blobs can be abused to dynamically generate malicious files on the victim machine and drop them to disk by abusing JavaScript functions such as msSaveBlob.[1][3][2][4] Note that navigator.msSaveBlob is an Internet Explorer and legacy (EdgeHTML) Edge API; in current browsers the same result is reached by pointing an anchor element carrying a download attribute at a URL.createObjectURL() reference to the Blob, so detection logic keyed only on msSaveBlob misses most modern variants.
Analyst context for executives and security teams
HTML Smuggling matters because it can move a malicious file through controls that normally inspect downloads by packaging the payload inside apparently benign HTML or JavaScript content. For leaders, the key issue is not just “malicious HTML,” but whether web, endpoint, and sandbox controls can see a file that is assembled only after it reaches the user’s browser.
Executive priority
Prioritize this where business processes allow users to open HTML attachments or download HTML content from the web. This technique can weaken confidence in content filtering and compliance evidence if the organization cannot show how browser-generated downloads, obfuscated embedded data, and post-download file creation are inspected. Ask whether isolation/sandboxing is applied for risky web content and whether SOC playbooks connect suspicious HTML delivery to endpoint file-drop activity.
Technical view
ATT&CK defines HTML Smuggling as a Defense Evasion sub-technique of Obfuscated Files or Information that applies to Linux, macOS, and Windows. Defenders should validate coverage for HTML/JS that uses JavaScript Blobs, Data URLs, MIME types such as text/html or text/plain, HTML5 download behavior, and browser-mediated file creation. The related detection strategy, DET0313, specifically points to HTML Smuggling via JavaScript Blob plus dynamic file drop. Relationship context also shows use by APT29 and the software entries EnvyScout and QakBot, so threat intelligence enrichment can help prioritize triage without assuming attribution.
Likely telemetry
- Web proxy, secure web gateway, or content-filter logs for HTML/JS downloads and MIME-type handling
- Browser download telemetry and browser security events
- Endpoint file creation events for files generated by browsers or script-capable content
- EDR/process telemetry linking browser activity to newly written or opened files
- Sandbox or detonation results for HTML files, JavaScript behavior, Data URLs, Blob construction, and download attributes
Detection direction
- Validate whether controls inspect embedded Data URLs, JavaScript Blob usage, and HTML5 download attributes rather than relying only on declared MIME type or file extension.
- Tune detections around browser-generated file drops and suspicious HTML/JS behavior while accounting for legitimate web applications that use Blob downloads.
- Correlate suspicious HTML delivery with later deobfuscation/decoding behavior and file creation, consistent with the parent technique T1027 and the related T1140 (Deobfuscate/Decode Files or Information) reference in the description.
- Use DET0313 as the relationship-driven starting point for engineering detections focused on JavaScript Blob plus dynamic file drop behavior.
- Do not treat a benign-looking HTML MIME type as sufficient evidence of safety; require downstream endpoint and sandbox visibility.
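As an added example (not code from the ATT&CK object, MITRE, or any of the cited vendors), the Node.js script below covers both the technique description above and the detection direction just listed. It renders the two assembly patterns the description names (a Blob handed to msSaveBlob or to an anchor with a download attribute, and a Data URL with a download attribute) from a constructed, harmless payload, then runs a static scanner over the resulting HTML that flags the assembly indicators and reconstructs the embedded bytes so the real file type can be checked instead of trusting the declared text/html MIME type. The payload, the indicator regexes, the magic-byte table, and the function names are all assumptions made for this illustration; the generated HTML is browser code that is only inspected here, never executed.

```javascript
// Added example for T1027.006. Not from the ATT&CK object or any vendor cited on this page.
// Runs under Node.js 16+ (uses the global Buffer). Everything below is a constructed illustration.

// Constructed payload: 34 bytes that start with a PE-style "MZ" magic so that type
// sniffing has something to find. It is plain text, not an executable.
const PAYLOAD = Buffer.from('MZconstructed sample, not a binary', 'latin1');

// Pattern 1 from the description: base64 in a JS string, decoded with atob, wrapped in a
// Blob, then dropped via navigator.msSaveBlob (IE / legacy Edge) or an <a download> element
// pointed at URL.createObjectURL (every other browser). Returned as a string, never run.
function buildBlobSmugglingHtml(bytes, filename) {
  const b64 = Buffer.from(bytes).toString('base64');
  return [
    '<html><body><script>',
    `var b64 = "${b64}";`,
    'var bin = atob(b64);',
    'var buf = new Uint8Array(bin.length);',
    'for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);',
    'var blob = new Blob([buf], { type: "application/octet-stream" });',
    'if (window.navigator.msSaveBlob) {',
    `  window.navigator.msSaveBlob(blob, "${filename}");`,
    '} else {',
    '  var a = document.createElement("a");',
    '  a.href = window.URL.createObjectURL(blob);',
    `  a.download = "${filename}";`,
    '  document.body.appendChild(a); a.click();',
    '}',
    '</script></body></html>',
  ].join('\n');
}

// Pattern 2 from the description: the file is inlined as a Data URL and the HTML5
// download attribute turns a click into a file write without any script at all.
function buildDataUrlSmugglingHtml(bytes, filename) {
  const b64 = Buffer.from(bytes).toString('base64');
  return `<html><body><a href="data:application/octet-stream;base64,${b64}" download="${filename}">Open</a></body></html>`;
}

// Defender side. Indicators that a page declared as text/html is assembling a file.
const INDICATORS = {
  blob: /new\s+Blob\s*\(/,
  objectUrl: /createObjectURL\s*\(/,
  msSaveBlob: /msSaveBlob\s*\(/,
  downloadAttr: /\.download\s*=|\bdownload\s*=\s*["']/,
  atob: /\batob\s*\(/,
  dataUrl: /data:[\w.+-]+\/[\w.+-]+;base64,/,
};

// Base64 runs long enough to carry a file, either quoted in script or after a "base64," Data URL prefix.
const B64_RE = /(?:["']|base64,)([A-Za-z0-9+/]{32,}={0,2})/g;

// Minimal magic-byte check on the reconstructed bytes (constructed table, not exhaustive).
function sniffType(bytes) {
  const head = Buffer.from(bytes.subarray(0, 4)).toString('latin1');
  if (head.startsWith('MZ')) return 'pe';
  if (head.startsWith('PK')) return 'zip';
  if (head.startsWith('%PDF')) return 'pdf';
  if (head.startsWith('\x7fELF')) return 'elf';
  return 'unknown';
}

// Scores on assembly behaviour plus a decodable, typed payload, not on the declared MIME type.
function scanHtml(html) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(html));
  const payloads = [];
  for (const m of html.matchAll(B64_RE)) {
    const bytes = Buffer.from(m[1], 'base64');
    payloads.push({ length: bytes.length, type: sniffType(bytes) });
  }
  const carrier = hits.includes('blob') || hits.includes('dataUrl');
  const drop = hits.includes('downloadAttr') || hits.includes('msSaveBlob');
  const suspicious = carrier && drop && payloads.some((p) => p.type !== 'unknown');
  return { hits, payloads, suspicious };
}

console.log(JSON.stringify(scanHtml(buildBlobSmugglingHtml(PAYLOAD, 'report.exe'))));
```

A plain `<a href="/files/report.pdf" download>` link trips only the download-attribute indicator and carries no decodable payload, so it is not flagged; that is the legitimate-Blob-download caveat from the detection direction handled in code. The scanner is static, so split strings, XOR-encoded payloads, or a runtime-fetched second stage defeat the regexes; it is a triage filter that narrows what goes to sandbox detonation and endpoint file-creation correlation, not a replacement for them.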
Mitigation priorities
- Apply Application Isolation and Sandboxing, as mapped by M1048, for untrusted or higher-risk web content so browser-executed code is contained.
- Review policy for HTML attachments and HTML downloads where business need is limited.
- Ensure web and endpoint controls evaluate behavior after rendering or execution, not only static content labels.
- Use incident response playbooks that preserve the original HTML, browser download evidence, and endpoint file creation chain for analysis.
- Prioritize cross-platform validation for Linux, macOS, and Windows environments where users can receive or open HTML content.
Analyst notes and limits
The ATT&CK technique object provides a strong behavioral description and relationship context but no detection text of its own; in current ATT&CK releases, detection guidance lives in the separately linked strategy DET0313. The most decision-useful validation is whether security tooling can observe the transition from benign-looking HTML/JS content to a dynamically generated file on the endpoint.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert active exploitation, customer exposure, or guaranteed detection. Local browser policy, attachment handling, sandbox configuration, and endpoint telemetry determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | This object is a sub-technique of Obfuscated Files or Information. |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
S0650: QakBot
S0634: EnvyScout
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) so they can be compared. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | d1adbd31627c… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Menlo Security. Retrieved May 20, 2021.
[2] Hegt, S. (2018, August 14). HTML smuggling explained. Outflank. Retrieved May 20, 2021.
[3] Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
[4] Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. NCC Group. Retrieved September 12, 2024.
[5] MITRE ATT&CK. T1027.006: HTML Smuggling.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.