
Published on July 1, 2026 | 16 min read

HTML Smuggling in 2026: How It Slips Past Your Perimeter, and How to Detect It

A defender's guide to HTML smuggling in 2026: why email gateways and proxies miss it, where endpoint and browser telemetry catch it, and the layered controls that stop smuggled payloads.

Victor Villar


Senior Penetration Tester

Social Engineering


TL;DR

HTML smuggling assembles a malicious file inside the victim's browser from data hidden in a benign-looking HTML page or attachment, so email gateways, proxies, and content inspection never see a malicious file cross the wire. It is one of the most common on-ramps for loaders, RATs, and container files (ISO, VHD, LNK, OneNote). The defensive edge is not at the perimeter. It is on the endpoint and in the browser, where the reconstructed file gets written, tagged with Mark-of-the-Web, and executed. This post explains the technique at a conceptual level and spends the majority of its length on detection surfaces and layered controls.

HTML smuggling in phishing rose 85.6% between November 2024 and February 2025, overtaking other obfuscation methods as the dominant way attackers hide a payload from scanners (KnowBe4 Threat Labs, Phishing Threat Trends Report). It works because the malicious file never crosses your network as a file. The HTML that lands in an inbox looks benign, and the browser on the endpoint quietly reassembles the payload from data embedded in the page. HP Wolf Security measured the downstream effect directly: 12% of email threats evaded gateway security in its telemetry, and 39% of threats arrived inside archives that gateways struggle to open (HP Wolf Security, Threat Insights Report, September 2024). The pattern is consistent across vendors: adversaries are moving detection off the wire and onto the host, where perimeter tools cannot follow.

Four forces make HTML smuggling the initial-access technique of 2026. First, it is a structural blind spot: Microsoft notes that network defenses "only see... benign HTML and JavaScript traffic" because the malicious file is built only after the page loads on the endpoint (Microsoft Security Blog). Second, it pairs with container files (ISO, VHD, LNK, OneNote) that historically stripped Mark-of-the-Web, the Windows tag that gates risky downloads (Microsoft Learn). Third, generative AI is now writing the delivery code: HP Wolf found a real smuggling chain whose scripts carried clear GenAI authoring telltales. Fourth, delivery has moved beyond email to compromised websites, as the JS#SMUGGLER campaign that dropped NetSupport RAT showed in December 2025 (Securonix Threat Research). This guide is written for security engineers, SOC analysts, and the CISOs who own initial-access risk.

This post is the Stingrai research team's canonical 2026 reference for defending against HTML smuggling. It draws on seven named primary publishers, MITRE ATT&CK, Microsoft, KnowBe4, HP Wolf Security, and Securonix among them, and every figure is attributed inline. Lead data is full-year 2024 and 2025 telemetry, the freshest available: primary publishers had not released full-year 2026 threat reports as of July 2026, so the numbers here carry their exact reporting windows. One frequently repeated statistic on average HTML attachment size could not be traced to a named primary report on verification and was dropped rather than estimated. Every stat below links back to its publisher so any claim can be audited inline.

TL;DR: HTML smuggling in 2026

  • HTML smuggling growth in phishing (Nov 2024 to Feb 2025): up 85.6%, the top payload-hiding technique in the window (KnowBe4 Threat Labs).

  • Email threats that evaded gateway security (Q2 2024): 12% reached the endpoint anyway (HP Wolf Security).

  • Threats delivered inside archives (Q2 2024): 39%, a format gateways struggle to inspect (HP Wolf Security).

  • What it is: MITRE ATT&CK technique T1027.006, a sub-technique of Obfuscated Files or Information (MITRE ATT&CK).

  • Why the perimeter misses it: the file is assembled in the browser, so gateways see only benign HTML and JavaScript (Microsoft).

  • Who uses it: APT29, QakBot, Mekotio, Trickbot, and NOBELIUM-linked activity are documented users (MITRE ATT&CK, Microsoft).

  • The container pairing: smuggled payloads are often ISO, VHD, LNK, or OneNote files that historically bypassed Mark-of-the-Web (Microsoft Learn).

  • Where you get signal: file creation after a browser Blob write, then rapid execution, plus Zone.Identifier inspection (MITRE ATT&CK).

  • The endpoint controls that stop it: Microsoft's attack surface reduction rules block script-launched downloads and obfuscated scripts (Microsoft Learn).

  • The 2025 escalation: GenAI-written delivery code and compromised-site delivery, seen in the JS#SMUGGLER NetSupport RAT campaign (Securonix).

Key takeaways

Your perimeter was never going to catch this, and that is by design. HTML smuggling exists specifically to defeat network and email content inspection. The payload is data, not a file, until the browser reassembles it on the host. Microsoft states plainly that gateways "only see... benign HTML and JavaScript traffic" during delivery (Microsoft). Budgeting more perimeter scanning against this technique buys very little.

Detection lives on the endpoint and in the browser, not at the gateway. The moment of truth is when the reconstructed file is written to disk, tagged (or not tagged) with Mark-of-the-Web, and executed. MITRE's own detection guidance for T1027.006 centers on file creation following a Blob write and Zone.Identifier inspection (MITRE ATT&CK).

Mark-of-the-Web is the single highest-leverage control, and container files are how attackers evade it. MOTW is why Office blocks internet macros and why SmartScreen warns on unknown downloads. Smuggled payloads are frequently packaged as ISO, VHD, or LNK precisely because those formats historically failed to propagate the tag to their contents (Microsoft Learn).

The delivery is getting cheaper and more automated. HP Wolf found smuggling code with generative-AI authoring telltales, and the JS#SMUGGLER campaign moved delivery onto compromised legitimate websites (HP Wolf Security, Securonix). Assume more volume and more variation, not less.

You cannot manage what you have not tested. The only way to know whether your email controls, browser policy, MOTW enforcement, and endpoint rules actually catch a smuggled payload is to safely emulate the delivery and watch what your stack does. That validation, not another product, is where most programs have a gap.

Methodology

This post synthesizes primary threat-intelligence and vendor-engineering sources, each cited inline with its publication date and reporting window:

  • MITRE ATT&CK, T1027.006 (HTML Smuggling): technique definition, documented procedure examples, mitigations, and detection analytics. Retrieved 2026.

  • Microsoft Security Blog (11 November 2021): the reference analysis of how HTML smuggling assembles payloads on the host and evades network inspection, with observed actors and recommended defenses.

  • KnowBe4 Threat Labs, Phishing Threat Trends Report (March 2025): phishing-technique trend data for the November 2024 to February 2025 window.

  • HP Wolf Security, Threat Insights Report (September 2024, reporting Q2 2024): measured gateway-evasion and archive-delivery rates, plus a documented HTML smuggling to AsyncRAT chain.

  • Securonix Threat Research (December 2025): the JS#SMUGGLER campaign delivering NetSupport RAT from compromised websites.

  • Microsoft Learn: current engineering documentation for attack surface reduction rules (updated May 2026), Mark-of-the-Web and internet-macro blocking (updated December 2025), Safe Attachments (updated May 2026), and Microsoft Defender SmartScreen (updated April 2026).

Research cutoff was 1 July 2026. Where a figure could not be reached on at least one verification pass against a named primary source, it was dropped rather than estimated. One widely repeated statistic on average HTML attachment file size was removed for that reason. This post is a conceptual and defensive reference. It deliberately omits any operational detail that would help build a smuggled payload, and concentrates on detection and defense.

What HTML smuggling actually is

HTML smuggling is catalogued as MITRE ATT&CK technique T1027.006, a sub-technique of Obfuscated Files or Information. MITRE defines it as adversaries who "smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files" (MITRE ATT&CK). The technique abuses features that every modern browser supports for entirely legitimate reasons: the ability to construct a file object in memory from encoded data, and the ability to save that object to the user's device.

The important mental model for a defender is this. A normal malware delivery ships a file, and your controls inspect that file in transit. HTML smuggling ships a recipe instead of a meal. What travels to the user is an HTML document, sometimes an attachment and sometimes a link, containing encoded data and a small amount of script. Nothing in transit is a Windows executable, an archive, or a container. When the user opens the page, the browser follows the recipe locally and produces the file on the endpoint. Microsoft describes the result precisely: "malicious files are created only after the HTML file is loaded on the endpoint through the browser" (Microsoft).

This is not a fringe technique used by a single crew. MITRE documents APT29 embedding an ISO file inside an HTML attachment, the EnvyScout loader extracting an encoded blob from an HTML body and writing it to disk, and QakBot delivered in ZIP files via HTML smuggling (MITRE ATT&CK). Microsoft separately observed the banking trojan Mekotio, Trickbot, and NOBELIUM-linked spear-phishing using it (Microsoft). It spans commodity crimeware and nation-state tradecraft because it solves the same problem for both: getting a file onto a host without that file being inspected on the way in.

Why your perimeter tools are structurally blind

Secure email gateways, web proxies, and network content inspection all share one assumption. They assume the thing they need to judge, the malicious file, will pass through them. HTML smuggling breaks that assumption at the root.

[Figure: Perimeter blind, endpoint detection]

Walk the delivery from left to right. At the gateway, the artifact is an HTML file or a link, plus benign-looking JavaScript. There is no executable to detonate, no archive signature to match, and the script can be encoded so that even static inspection of the HTML reveals little. This is why a smuggled file can carry a zero-detection score on multi-engine scanners even with a clearly embedded download, a point KnowBe4 makes in its trend reporting (KnowBe4 Threat Labs). HP Wolf's measured 12% gateway-evasion rate is the same phenomenon expressed as a number (HP Wolf Security).

Two design realities make it worse. Archives are a routine wrapper, and gateways often cannot fully open nested, large, or password-protected archives, which is why 39% of threats arrived in archives in HP Wolf's data (HP Wolf Security). And delivery no longer requires an email at all. In the JS#SMUGGLER campaign, the smuggling logic was injected into compromised legitimate websites, so there was no attachment for an email gateway to see in the first place (Securonix). The lesson is not that gateways are useless. It is that they are the wrong layer to rely on for this specific technique.

The container-file pairing and Mark-of-the-Web

To understand the defense, you have to understand the one control HTML smuggling most wants to avoid: Mark-of-the-Web (MOTW).

When Windows saves a file from the internet, it attaches a small hidden marker called a Zone.Identifier alternate data stream that records that the file came from an untrusted zone. Microsoft documents the zone values directly, where a ZoneId of 3 means the Internet zone (Microsoft Learn). Applications read this marker and change their behavior. Office blocks macros in MOTW-tagged files by default, SmartScreen weighs reputation on tagged downloads, and endpoint rules can treat tagged files with suspicion. MOTW is, in effect, the operating system whispering "this came from outside, do not trust it yet" to every app that will handle the file.

Two properties of MOTW matter enormously for this technique. First, Microsoft notes MOTW "only applies to files saved on an NTFS file system, not files saved to FAT32" (Microsoft Learn). Second, and more importantly, container formats historically did not carry the tag through to the files inside them. This is the reason smuggled payloads are so often packaged as ISO, VHD, IMG, or LNK files, and why OneNote had its moment as a delivery vehicle. Package the real payload inside a container, and the file that finally executes may arrive without the "downloaded from the internet" marker that would otherwise gate it.
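The Zone.Identifier stream described above is plain INI-style text, which makes it easy to interpret in an endpoint analytic. The following is an added example written for this guide, not code from Stingrai or Microsoft: it parses a stream, names the zone, and applies the two checks MITRE's T1027.006 guidance points at (a file that should carry MOTW but does not, and a HostUrl pointing at an unexpected host). The sample stream is constructed, and the allow-list of expected download hosts is a hypothetical value a defender would replace with their own.

```python
"""Interpret a Zone.Identifier (Mark-of-the-Web) stream as an endpoint analytic would.

Added example for this article, not code from Stingrai or Microsoft.
Windows records MOTW as an NTFS alternate data stream named Zone.Identifier
holding INI-style text with a [ZoneTransfer] section (ZoneId, and often
ReferrerUrl and HostUrl). Sample streams below are constructed; the
expected-host allow-list is a hypothetical value a defender would replace.
"""
from configparser import ConfigParser, Error as ConfigError
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlparse

# URLZONE values documented by Microsoft; 3 is the Internet zone.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
INTERNET_ORIGIN_ZONES = {3, 4}


@dataclass
class MotwVerdict:
    present: bool                 # was a Zone.Identifier stream found at all
    zone_id: Optional[int]        # parsed ZoneId, None if absent or unparseable
    zone_name: str
    host_url: Optional[str]
    findings: List[str] = field(default_factory=list)


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the raw stream from disk (Windows/NTFS only: the ':Zone.Identifier'
    suffix addresses the alternate data stream). Returns None if there is none."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(stream_text: str):
    """Parse the INI-style stream text into (zone_id, referrer_url, host_url).
    interpolation=None matters: URLs in the stream can contain '%' escapes."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        return None, None, None
    sect = cp["ZoneTransfer"]
    zone_raw = (sect.get("ZoneId") or "").strip()
    zone_id = int(zone_raw) if zone_raw.isdigit() else None
    return zone_id, sect.get("ReferrerUrl"), sect.get("HostUrl")


def evaluate_motw(stream_text: Optional[str], origin_is_internet: bool,
                  expected_hosts: Set[str]) -> MotwVerdict:
    """origin_is_internet is what other telemetry says about the file (it was
    written by a browser, or extracted from a container that was downloaded)."""
    findings: List[str] = []
    if stream_text is None:
        if origin_is_internet:
            findings.append("MOTW missing on an internet-origin file: a container "
                            "may have stripped it, or the volume is not NTFS")
        return MotwVerdict(False, None, "none", None, findings)
    try:
        zone_id, _referrer, host_url = parse_zone_identifier(stream_text)
    except ConfigError:
        # A present-but-malformed stream is an anomaly, not a clean file.
        return MotwVerdict(True, None, "unknown", None,
                           ["Zone.Identifier present but unparseable"])
    zone_name = ZONE_NAMES.get(zone_id, "unknown")
    if zone_id in INTERNET_ORIGIN_ZONES and host_url:
        host = (urlparse(host_url).hostname or "").lower()
        if host and host not in expected_hosts:
            findings.append(f"HostUrl host {host!r} is not an expected download host")
    return MotwVerdict(True, zone_id, zone_name, host_url, findings)


# Constructed sample: what the stream of a browser-downloaded file looks like.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://mail.example.invalid/\r\n"
                 "HostUrl=https://files.example.invalid/Invoice_2026.iso\r\n")
# Hypothetical allow-list of hosts this organisation expects downloads from.
EXPECTED_HOSTS = {"downloads.corp.example"}

if __name__ == "__main__":
    print(evaluate_motw(SAMPLE_STREAM, True, EXPECTED_HOSTS))
    print(evaluate_motw(None, True, EXPECTED_HOSTS))   # the container-strip case
```

The `origin_is_internet` flag is the key design point: the stream alone cannot tell you a file should have been tagged, so the check has to be fed by whatever telemetry knows the file came from a browser download or out of a downloaded container. That is what turns "no Zone.Identifier" from a non-event into the anomaly the detection section below describes.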

[Figure: MOTW enforcement flow]

Microsoft has hardened MOTW propagation over successive releases, so newer Windows builds carry the tag into more container types than older ones did. That is exactly why patch level and configuration matter here. The defensive takeaways are concrete: keep endpoints current so MOTW propagation improvements are actually in force, block or gate the risky container types that add no business value in email, and make sure your macro-blocking and download policies are enforced rather than merely available.

Where defenders actually get signal

HTML smuggling moves the fight to the endpoint. The good news is that the endpoint is where the technique finally has to do something observable: write a file and run it. MITRE's detection guidance for T1027.006 is built around exactly these moments (MITRE ATT&CK). Below are the surfaces worth instrumenting, ordered roughly by signal quality.

| Detection surface | What to look for | Why it fires on smuggling |
|---|---|---|
| Endpoint file-write telemetry | A browser process writing a file to Downloads or a temp path, immediately followed by execution of that file | MITRE describes detection of file creation following an HTML or JavaScript Blob write, then rapid execution (MITRE ATT&CK) |
| Mark-of-the-Web / Zone.Identifier | Files that should carry MOTW but do not, or a HostUrl value pointing at unexpected domains | MITRE calls out inspecting Zone.Identifier for HostUrl indicators; missing MOTW often means a container stripped it (MITRE ATT&CK) |
| Process lineage | Browser spawning a script host, or a script host spawning PowerShell, from a user-writable path | JS#SMUGGLER ran an HTA loader via mshta.exe that launched PowerShell stagers (Securonix) |
| Browser download behavior | Downloads produced without a corresponding network fetch, unusually large HTML files, or Blob and data-URI driven saves | The file is built locally, so the download appears with no matching inbound object |
| Email content analytics | HTML attachments containing large encoded blobs, or lures that ask the user for a password to open the content | HP Wolf documented a smuggled HTML invoice that prompted the user for a decryption password (HP Wolf Security) |

The single most durable detection is the behavioral pair: a browser writes a fresh file to a user-writable location, and that file executes within seconds. Signatures do not matter to that logic, which is why it survives the obfuscation, the encoding, and the AI-written variation that defeats static rules. Zone.Identifier inspection is the close second, because a payload that runs without the MOTW it should have is a strong anomaly on its own.
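The behavioral pair and the process-lineage rule can be expressed as a short correlation over ordinary EDR events. The block below is an added example written for this guide, not Stingrai's or any vendor's detection logic: it runs both analytics over constructed file-create and process-create records. The field names are this example's own rather than a product schema, the 60-second window is a starting value to tune, and the sample telemetry is constructed (one benign PDF download next to a browser-written file that is executed seconds later by a script host, which then spawns PowerShell).

```python
"""Correlate endpoint telemetry for the HTML smuggling behavioural pair.

Added example for this article, not Stingrai's or any vendor's detection logic.
Two analytics from the detection table: a browser writes a file to a
user-writable path and that file executes within a short window, and a
suspicious lineage (script host spawning a shell, or browser spawning a
script host). Event field names are this example's own, not a product schema.
"""
from datetime import datetime
from typing import Dict, List

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Paths a standard user can write to and that browsers save into.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")

Event = Dict[str, str]


def _ts(e: Event) -> datetime:
    return datetime.fromisoformat(e["ts"])


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def browser_write_then_execute(events: List[Event], window_seconds: int = 60) -> List[dict]:
    """A browser process creates a file in a user-writable path and, within the
    window, a process starts whose image is that file or whose command line
    names it (the mshta.exe <file>.hta case). Signature-free on purpose."""
    alerts = []
    writes = [e for e in events
              if e["type"] == "FileCreate"
              and _basename(e["image"]) in BROWSERS
              and any(m in e["path"].lower() for m in USER_WRITABLE_MARKERS)]
    starts = [e for e in events if e["type"] == "ProcessCreate"]
    for w in writes:
        target = w["path"].lower()
        for p in starts:
            delta = (_ts(p) - _ts(w)).total_seconds()
            if 0 <= delta <= window_seconds and (
                    p["image"].lower() == target or target in p.get("cmdline", "").lower()):
                alerts.append({"rule": "browser_write_then_execute",
                               "detail": f"{_basename(w['image'])} wrote {w['path']}; "
                                         f"{_basename(p['image'])} ran it {delta:.0f}s later"})
    return alerts


def suspicious_lineage(events: List[Event]) -> List[dict]:
    """Parent/child pairs that legitimate browsing almost never produces."""
    alerts = []
    for e in events:
        if e["type"] != "ProcessCreate":
            continue
        parent, child = _basename(e.get("parent_image", "")), _basename(e["image"])
        if parent in SCRIPT_HOSTS and child in SHELLS:
            alerts.append({"rule": "script_host_spawns_shell", "detail": f"{parent} -> {child}"})
        elif parent in BROWSERS and child in (SCRIPT_HOSTS | SHELLS):
            alerts.append({"rule": "browser_spawns_script_host", "detail": f"{parent} -> {child}"})
    return alerts


def detect(events: List[Event], window_seconds: int = 60) -> List[dict]:
    ordered = sorted(events, key=_ts)
    return browser_write_then_execute(ordered, window_seconds) + suspicious_lineage(ordered)


# Constructed telemetry: one benign download and one smuggling-shaped sequence.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2026-06-30T09:00:00", "type": "ProcessCreate", "image": EDGE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "msedge.exe"},
    {"ts": "2026-06-30T09:00:20", "type": "FileCreate", "image": EDGE,
     "path": r"C:\Users\ana\Downloads\report.pdf"},
    {"ts": "2026-06-30T09:02:10", "type": "FileCreate", "image": EDGE,
     "path": r"C:\Users\ana\Downloads\Invoice_2026.hta"},
    {"ts": "2026-06-30T09:02:15", "type": "ProcessCreate", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\ana\Downloads\Invoice_2026.hta"'},
    {"ts": "2026-06-30T09:02:17", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], "|", a["detail"])
```

Two points carry over to a real deployment. Matching the executed file by image path or by command line is what catches interpreted payloads (HTA, JS, VBS) that never appear as the process image themselves. And the lineage rule is independent of the write rule, which is why it keeps firing when delivery moves off email onto a compromised website, as in JS#SMUGGLER.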

Layered defenses that stop smuggled payloads

No single control stops HTML smuggling, because the technique deliberately routes around the layer most organizations lean on. A defensible posture stacks controls at the browser, the endpoint, the mail flow, and the human. The table maps each control to what it actually does and the authority behind it.

| Layer | Control | What it stops | Source |
|---|---|---|---|
| Endpoint | ASR rule: Block JavaScript or VBScript from launching downloaded executable content | Script loaders that fetch and run a payload | Microsoft Learn |
| Endpoint | ASR rule: Block execution of potentially obfuscated scripts | The obfuscated scripts smuggling relies on | Microsoft Learn |
| Endpoint | ASR rule: Block executable content from email client and webmail | Executable and script content propagating from mail | Microsoft Learn |
| OS | Mark-of-the-Web enforcement and current patch level | Payloads running without an internet-origin warning | Microsoft Learn |
| OS / Browser | Microsoft Defender SmartScreen reputation checks | Unknown or low-reputation downloads and URLs | Microsoft Learn |
| Mail | Safe Attachments detonation in a virtual environment | Malicious attachments caught by dynamic analysis before delivery | Microsoft Learn |
| Mail / File | Block or gate risky container and attachment types (ISO, VHD, IMG, LNK) | The container formats used to strip MOTW | Microsoft Learn |
| Browser | Enterprise browser download policy and content disarm | Automatic saves and risky file types at the point of download | Microsoft |
| Human | Awareness of password-protected attachment lures | The social step that gets the user to open and run the content | MITRE ATT&CK |

A few notes on sequencing. Deploy the attack surface reduction rules in audit mode first, review what would have been blocked, then move to block mode. Microsoft's own guidance is that these rules can be noisy on line-of-business scripting, so measure before you enforce (Microsoft Learn). Treat SmartScreen and Safe Attachments as valuable but incomplete: SmartScreen explicitly "doesn't protect against malicious files on internal locations or network shares" (Microsoft Learn), and Safe Attachments only helps for attachments that pass through a mail flow it inspects (Microsoft Learn). Content disarm and reconstruction, which rebuilds files to strip active content rather than trying to detect it, is a strong complement for the container problem because it removes the risky structure instead of guessing at intent.

What the 2024 and 2025 cases teach us

Three documented chains show the technique as it is actually used, and each points at a specific detection opportunity.

HP Wolf, HTML invoice to AsyncRAT (Q2 2024). HP Sure Click isolated a French-language HTML attachment posing as an invoice. Opening it in the browser prompted the user for a password, the payload was encrypted inside the JavaScript itself rather than in an attached archive, and the chain ended in AsyncRAT. Notably, the code carried consistent comments and naming that pointed to generative-AI authorship (HP Wolf Security). Detection opportunity: the password-prompt lure and the browser-to-file-to-execution behavior, neither of which depends on recognizing the specific malware.

Securonix, JS#SMUGGLER to NetSupport RAT (December 2025). Obfuscated JavaScript injected into compromised websites profiled the visitor's device, branched between mobile and desktop paths, and ran an HTA loader through mshta.exe that launched PowerShell stagers, ending in NetSupport RAT (Securonix). Detection opportunity: mshta.exe spawning PowerShell is a high-value process-lineage alert, and it fires regardless of the delivery site.

APT29 and QakBot (ongoing). MITRE documents APT29 nesting an ISO inside an HTML attachment and QakBot arriving in ZIP files via smuggling (MITRE ATT&CK). Detection opportunity: the container pairing itself. A mounted ISO or an extracted archive that yields an executable running without MOTW is the anomaly to hunt.

The common thread is that the malware family changes but the delivery shape does not. That is precisely why behavior-based detection outperforms signatures against this technique. For the post-execution side of the problem, where an operator tries to blind or bypass your endpoint agent after landing, our companion analysis of EDR bypass and evasion techniques covers the detection surfaces that matter once the payload runs.

What this means for defenders

  • Move your detection budget off the wire and onto the host. Prioritize endpoint file-write-then-execute analytics and Zone.Identifier inspection over additional perimeter scanning, which structurally cannot see a browser-assembled file (MITRE ATT&CK).

  • Turn on the three attack surface reduction rules, in audit then block. Blocking script-launched downloads, obfuscated scripts, and executable content from mail closes the most common execution paths (Microsoft Learn).

  • Enforce Mark-of-the-Web and cut risky containers. Keep endpoints patched so MOTW propagation is current, and block ISO, VHD, IMG, and LNK in email where they add no business value (Microsoft Learn).

  • Alert on process lineage, not payloads. A browser spawning a script host, or mshta.exe spawning PowerShell, is worth a high-fidelity alert on its own (Securonix).

  • Validate the whole chain, do not assume it. The only way to know your controls fire is to safely emulate delivery through execution and measure what your stack catches. Pair that with ongoing user testing, and use our eight essential defenses against phishing as a control checklist.

How Stingrai validates your defenses against smuggled payloads

Knowing the theory of HTML smuggling and knowing whether your own stack catches it are two very different things. Stingrai, a Toronto and London based offensive-security firm founded in 2021 and a CREST-accredited penetration testing service provider, closes that gap by safely emulating the delivery, not by handing anyone an attack kit.

Our social engineering and phishing simulation service runs controlled campaigns that mirror how a smuggled payload would be delivered, so you can measure whether your email controls, browser policy, and user awareness hold up under a realistic lure rather than a generic test message. Our adversary simulation and red and purple teaming practice takes it further, replicating documented initial-access-to-execution chains mapped to MITRE ATT&CK and giving your SOC per-technique feedback on what its detection logic caught and what it missed. We emulate the behavior that matters, the browser-to-file-to-execution sequence and the process lineage, so you validate the exact detections this article describes.

The output is evidence. Adversary simulation and phishing testing produce the kind of documented, technique-level results that support your SOC 2, ISO 27001, PCI DSS 4.0, and DORA programs, showing auditors and boards that your initial-access defenses were tested against a current, real technique rather than a checklist. You can see engagement scopes and packages on the Stingrai pricing page.

Frequently asked questions

What is HTML smuggling and why is it hard to detect?

HTML smuggling is a malware delivery technique, catalogued as MITRE ATT&CK T1027.006, in which a benign-looking HTML page or attachment carries encoded data that the victim's browser reassembles into a malicious file on the endpoint (MITRE ATT&CK). It is hard to detect at the perimeter because no malicious file crosses the network. Microsoft notes gateways "only see... benign HTML and JavaScript traffic" during delivery, so detection has to move to the endpoint and browser (Microsoft).

Why do email gateways and proxies miss HTML smuggling?

Gateways inspect files in transit, but HTML smuggling ships a recipe, not a file. The executable, archive, or container is built locally by the browser after the page loads, so there is nothing malicious to match on the wire (Microsoft). HP Wolf Security measured 12% of email threats evading gateway security and 39% arriving inside archives that gateways struggle to open (HP Wolf Security).

What is Mark-of-the-Web and how does it help stop smuggled payloads?

Mark-of-the-Web (MOTW) is a hidden Zone.Identifier marker Windows adds to files saved from the internet, recording that they came from an untrusted zone (Microsoft Learn). Applications use it to gate risky content: Office blocks macros in MOTW-tagged files and SmartScreen weighs download reputation. Attackers pair smuggling with container files like ISO and VHD because those formats historically failed to carry MOTW to the files inside, so keeping endpoints patched and blocking those containers restores the control.

Which endpoint controls block HTML smuggling execution?

Microsoft's attack surface reduction rules are the most direct controls: "Block JavaScript or VBScript from launching downloaded executable content," "Block execution of potentially obfuscated scripts," and "Block executable content from email client and webmail" (Microsoft Learn). Deploy them in audit mode first to measure impact on legitimate scripting, then move to block mode. Pair them with SmartScreen and MOTW enforcement.

How has HTML smuggling changed in 2025 and 2026?

Two shifts stand out. Delivery code is increasingly written with generative AI, which HP Wolf observed directly in a smuggling chain that ended in AsyncRAT (HP Wolf Security). And delivery has expanded beyond email onto compromised legitimate websites, as the JS#SMUGGLER campaign delivering NetSupport RAT showed in December 2025 (Securonix). KnowBe4 measured the technique's use in phishing rising 85.6% in the November 2024 to February 2025 window (KnowBe4 Threat Labs).

How can we test whether our controls catch a smuggled payload?

Emulate the delivery safely and watch what your stack does. A controlled phishing simulation tests your email controls and user response, while an adversary simulation replicates the initial-access-to-execution behavior and gives your SOC per-technique feedback on detection gaps. The goal is to confirm the file-write-then-execute and process-lineage detections in this article actually fire in your environment.

References

  1. MITRE ATT&CK. Obfuscated Files or Information: HTML Smuggling (T1027.006). Retrieved 2026. https://attack.mitre.org/techniques/T1027/006/. Technique definition, procedure examples (APT29, EnvyScout, QakBot), mitigations, and endpoint detection analytics.

  2. Microsoft Security Blog. HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks. 11 November 2021. https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/. Reference analysis of how smuggling assembles payloads on the host and evades network inspection.

  3. KnowBe4 Threat Labs. Phishing Threat Trends Report. March 2025. https://www.knowbe4.com/resources/reports/phishing-threat-trends-report. Phishing-technique trend data, including HTML smuggling growth for the November 2024 to February 2025 window.

  4. HP Wolf Security. Threat Insights Report, September 2024 (reporting Q2 2024). https://threatresearch.ext.hp.com/wp-content/uploads/2024/09/HP_Wolf_Security_Threat_Insights_Report_September_2024.pdf. Gateway-evasion and archive-delivery rates, plus a documented HTML smuggling to AsyncRAT chain with GenAI authoring telltales.

  5. Securonix Threat Research. JS#SMUGGLER: Multi-Stage Hidden Iframes, Obfuscated JavaScript, Silent Redirectors and NetSupport RAT Delivery. December 2025. https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/. Compromised-site delivery chain using obfuscated JavaScript, mshta.exe, and PowerShell.

  6. Microsoft Learn. Attack surface reduction rules reference. Updated May 2026. https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference. Verbatim ASR rule names and configuration details relevant to script and mail-borne execution.

  7. Microsoft Learn. Macros from the internet are blocked by default in Office (Mark-of-the-Web). Updated December 2025. https://learn.microsoft.com/en-us/microsoft-365-apps/security/internet-macros-blocked. Zone.Identifier and MOTW behavior, zone values, and NTFS-only application.

  8. Microsoft Learn. Safe Attachments in Microsoft Defender for Office 365. Updated May 2026. https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about. Attachment detonation in a virtual environment and Dynamic Delivery.

  9. Microsoft Learn. Microsoft Defender SmartScreen overview. Updated April 2026. https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/. Reputation-based checks on downloaded files and URLs, and their limits on internal shares.

  10. MITRE ATT&CK. Obfuscated Files or Information (T1027). Retrieved 2026. https://attack.mitre.org/techniques/T1027/. Parent technique covering the obfuscation and encoding methods that smuggling combines with.

Ready to find out whether a smuggled payload would reach execution in your environment? Stingrai's adversary simulation and phishing simulation safely emulate the delivery so you can validate your email, browser, and endpoint detections against a current technique. See packages and pricing to scope an engagement.
