title: HTML Smuggling (T1027.006)
id: df00tech-t1027-006
status: experimental
description: "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside seemingly benign HTML files. HTML documents can carry large binary objects as JavaScript Blobs (immutable raw bytes) that are reassembled client-side into file-like objects, or as Data URLs, which embed a MIME-typed file inline as text. HTML5 added a download attribute that lets a page initiate a file download from such an object. HTML Smuggling combines these: the payload travels as text inside the page, the browser decodes it on the endpoint, and a download attribute or a script-triggered click writes it to disk. APT29 (NOBELIUM) used HTML smuggling to deliver ISO files embedded in HTML attachments (EnvyScout). QakBot was delivered in ZIP files via HTML smuggling. Network-level content filters are bypassed because the only object crossing the wire is a text/html document; the executable or archive is never transferred as a separate, inspectable download."
references:
  - https://attack.mitre.org/techniques/T1027/006/
  - https://df00tech.com/detections/T1027.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # Placeholder only: the selection below matches every Windows event and must not be
  # enabled as-is. The original detection logic could not be auto-translated; see the
  # KQL/SPL query on df00tech and replace this selection before deploying the rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate ISO downloads from software vendor websites (Microsoft, VMware, Linux distributions) via browsers"
  - Users intentionally downloading executable installers from known-good vendor sites
  - Developers downloading JavaScript bundles or build artifacts from pages that use the download attribute
  - Browser extensions or web applications that legitimately generate and download files via JavaScript Blob API
level: high
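The following is an added example, not part of the df00tech rule or the referenced MITRE entry. It shows the mechanism the description covers in runnable form: a generator that emits a minimal dropper page (base64 text literal reassembled into a Blob, handed to an `<a download>` element via an object URL, clicked by script), a static triage scorer that counts how many of those building blocks co-occur in a single HTML attachment, and a helper that recovers the embedded bytes for hashing without opening the page in a browser. It runs under Node 18 or later; the sample payload, the indicator list, the scoring threshold and the function names are all assumptions made for the example.

```javascript
// Added example (not df00tech's rule logic). Node 18+: uses the global Buffer.
// The browser-side dropper code is produced as a string and never executed here.

// Constructed sample payload: a ZIP local-file-header signature followed by filler.
// It is not a valid archive; it only shows the bytes surviving text-only transport.
const SAMPLE_PAYLOAD = Buffer.concat([
  Buffer.from([0x50, 0x4b, 0x03, 0x04]),
  Buffer.alloc(64, 0x41),
]);

// Emit a dropper page in the shape the description covers. The payload is a
// base64 literal, decoded with atob, wrapped in a Blob, exposed through an
// object URL and saved via the download attribute plus a scripted click.
function buildSmugglingPage(payloadBytes, filename) {
  const b64 = Buffer.from(payloadBytes).toString('base64');
  return `<!DOCTYPE html><html><body>
<script>
  var b64 = "${b64}";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) { bytes[i] = bin.charCodeAt(i); }
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = ${JSON.stringify(filename)};
  document.body.appendChild(a);
  a.click();
</script>
</body></html>`;
}

// Static indicators for triaging an HTML attachment. Each one is weak on its own
// (the falsepositives list above names legitimate users of every one), so the
// score is the number that co-occur in the same file. Hypothetical list.
const INDICATORS = [
  { name: 'blob-constructor',  re: /new\s+Blob\s*\(/ },
  { name: 'object-url',        re: /URL\.createObjectURL\s*\(/ },
  { name: 'ms-save-blob',      re: /msSaveOrOpenBlob|msSaveBlob/ },
  { name: 'download-attr',     re: /\.download\s*=|\bdownload\s*=\s*["']/ },
  { name: 'base64-decode',     re: /\batob\s*\(/ },
  { name: 'octet-data-url',    re: /data:application\/octet-stream;base64,/ },
  { name: 'large-b64-literal', re: /["'][A-Za-z0-9+\/]{64,}={0,2}["']/ },
  { name: 'auto-click',        re: /\.click\s*\(\s*\)/ },
];

// Return the matched indicator names and their count for a page's source text.
function scoreHtmlSmuggling(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.name);
  return { score: hits.length, indicators: hits };
}

// Recover the first large base64 literal as bytes so an analyst can hash or
// inspect the payload offline. Returns null when no such literal is present.
function extractEmbeddedPayload(html) {
  const m = html.match(/["']([A-Za-z0-9+\/]{64,}={0,2})["']/);
  return m ? Buffer.from(m[1], 'base64') : null;
}

// Constructed benign comparison: a vendor-style download link that uses the
// download attribute but reassembles nothing on the client.
const BENIGN_PAGE =
  '<html><body><a href="/files/installer.iso" download>Get the ISO</a></body></html>';

// Stand-alone demonstration.
const droppedPage = buildSmugglingPage(SAMPLE_PAYLOAD, 'invoice.zip');
console.log('dropper :', scoreHtmlSmuggling(droppedPage));
console.log('benign  :', scoreHtmlSmuggling(BENIGN_PAGE));
console.log('payload :', extractEmbeddedPayload(droppedPage).subarray(0, 4));
```

The scorer deliberately does not fire on the download attribute alone; a vendor page that links a real ISO with `<a download>` scores zero, while a page that decodes, wraps and clicks in one script scores on six of the eight indicators. In production the extracted bytes, not the HTML, are what should be hashed, sandboxed and matched against file-type signatures.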
