T1027.006 Microsoft Sentinel · KQL

Detect HTML Smuggling in Microsoft Sentinel

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs that can later be constructed into file-like objects. Data may also be stored in Data URLs, enabling embedding media type or MIME files inline of HTML documents. HTML5 introduced a download attribute that may be used to initiate file downloads. Adversaries deliver payloads that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. APT29 (NOBELIUM) used HTML smuggling to deliver ISO files embedded in HTML attachments (EnvyScout). QakBot was delivered in ZIP files via HTML smuggling. This technique bypasses web content filters because the HTML file itself contains only text/html MIME content.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.006 HTML Smuggling
Canonical reference
https://attack.mitre.org/techniques/T1027/006/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".iso" or FileName endswith ".img" or FileName endswith ".zip"
    or FileName endswith ".exe" or FileName endswith ".js" or FileName endswith ".hta"
    or FileName endswith ".lnk" or FileName endswith ".bat" or FileName endswith ".vbs"
| where InitiatingProcessFileName in~ ("msedge.exe", "chrome.exe", "firefox.exe",
    "iexplore.exe", "brave.exe", "opera.exe")
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\")
| extend IsISO = FileName endswith ".iso" or FileName endswith ".img"
| extend IsArchive = FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| extend IsExecutable = FileName endswith ".exe" or FileName endswith ".hta" or FileName endswith ".js"
    or FileName endswith ".bat" or FileName endswith ".vbs" or FileName endswith ".lnk"
| where IsISO or IsExecutable
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsISO, IsArchive, IsExecutable
| sort by Timestamp desc
high severity high confidence

Detects HTML smuggling payloads being dropped to disk by browsers. The key behavioral indicator is browsers creating ISO/IMG disk images, executables, script files, or LNK shortcuts in download/temp directories. HTML smuggling deobfuscates and assembles the payload in the browser's JavaScript engine, then triggers the HTML5 download attribute to save it to disk — making the browser the parent process of the dropped file.

Data Sources

File: File CreationMicrosoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives & Tuning

  • Legitimate ISO downloads from software vendor websites (Microsoft, VMware, Linux distributions) via browsers
  • Users intentionally downloading executable installers from known-good vendor sites
  • Developers downloading JavaScript bundles or build artifacts that happen to use download attribute
  • Browser extensions or web applications that legitimately generate and download files via JavaScript Blob API
Download portable Sigma rule (.yml)

Other platforms for T1027.006

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create HTML Smuggling Page with JavaScript Blob

    Expected signal: Sysmon Event ID 11: smuggle_test.html created in %TEMP%, html_smuggled_payload.txt created in Downloads by msedge.exe. Sysmon Event ID 1: msedge.exe launched with HTML file argument. Browser file creation in Downloads directory.

  2. Test 2Simulate EnvyScout HTML Smuggling ISO Drop

    Expected signal: Sysmon Event ID 11: envyscout_sim.html created in %TEMP%. The HTML file contains Base64-encoded data and Blob/download attribute JavaScript patterns. Opening in a browser would trigger creation of update.iso in Downloads.

  3. Test 3Download and Execute Payload from HTA File via Browser

    Expected signal: Sysmon Event ID 11: smuggled.hta created in %TEMP%. Sysmon Event ID 1: mshta.exe launching the HTA file. The VBScript MessageBox dialog appears, confirming execution.

  4. Test 4Identify HTML Smuggling Pattern in HTML File

    Expected signal: PowerShell process execution. ScriptBlock Log Event ID 4104 with the analysis code. Output identifies specific HTML smuggling constructs present in the file.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.017SVG SmugglingT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1204.001Malicious LinkT1204.002Malicious FileT1553.005Mark-of-the-Web BypassT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections