The majority of email service providers, including Gmail and Outlook, forbid attaching executable files like EXE, BAT, PS1, etc. to emails. When you try to attach an executable file to an email, you will be prompted with an error message.
This restriction is in place to prevent a malicious actor from sending infected files, such as Trojans, ransomware, viruses, etc., to a user through social engineering or any other technique.
This security measure is adopted by most email service providers, with no indication of it being lifted in the future, so someone wanting to send an email with an executable file might be disappointed, but not today.
In this article, I’ll guide you through a method known as “HTML smuggling” to smuggle your executable file as an HTML file in your email.
Tutorial Details
Description | HTML Smuggling |
Difficulty Level | Low |
Root or Sudo Privileges | No |
OS Compatibility | Linux, Windows, and macOS |
Prerequisites | – |
Internet Required | Yes |
What is HTML Smuggling?
HTML Smuggling is a technique to encode and embed an executable file into an HTML file using HTML5 and JavaScript. Later, the HTML file containing the payload can be shared as an email attachment, and the JavaScript within the HTML file decodes the embedded payload when the recipient opens it in a browser.
There are many HTML file smuggling builders available on the internet, but the one we use today is the File Smuggling Builder by Eddie Chu, which works on Linux, Windows, and macOS.
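On the receiving side, the structure described above (a large encoded run plus script that decodes it and saves a file) is what a mail gateway or analyst can check an HTML attachment for. The following is an added example, not code from the File Smuggling tool or from this article's author; the indicator patterns, the `MIN_BLOB` threshold, the function names and both sample documents are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Assumed heuristics, not taken from any specific builder: script features that
# rebuild a file inside the browser and hand it to the download manager.
INDICATORS = {
    "decode": re.compile(r"\batob\s*\(|Uint8Array|fromCharCode|crypto\.subtle|CryptoJS"),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL|msSaveOrOpenBlob|msSaveBlob"),
    "download": re.compile(r"\.download\s*=|<a\b[^>]*\bdownload\b", re.I),
}
MIN_BLOB = 512  # assumed threshold: characters in one unbroken base64 run
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB)


def entropy(text: str) -> float:
    """Shannon entropy in bits per character (base64 of ciphertext nears 6)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def triage(html: str) -> dict:
    """Static triage of one HTML attachment; returns findings and a verdict."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    largest = max(BLOB_RE.findall(html), key=len, default="")
    delivers_file = {"blob", "object_url"} <= hits or "download" in hits
    return {
        "indicators": sorted(hits),
        "blob_chars": len(largest),
        "blob_entropy": round(entropy(largest), 2),
        # Verdict: big encoded run + script that decodes it + a save-to-disk path.
        "suspicious": bool(largest) and "decode" in hits and delivers_file,
    }


# Constructed, inert inputs: the "payload" is hash output, and the script
# fragment only carries the tokens the heuristics look for (it does not run).
FILLER = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))).decode()
SMUGGLE_SHAPED = ("<html><script>var d='" + FILLER + "'; atob(d); new Blob([]);"
                  " URL.createObjectURL(x); a.download='f';</script></html>")
INLINE_IMAGE = '<html><img src="data:image/png;base64,' + FILLER + '"></html>'

if __name__ == "__main__":
    for name, doc in (("smuggle-shaped", SMUGGLE_SHAPED), ("inline image", INLINE_IMAGE)):
        print(name, triage(doc))
```

The inline-image sample carries the same large base64 run but no decoding or save-to-disk script, so it is reported without being flagged.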
How to Encode, Embed, and Attach an Executable File to an Email
To share your executable file as an attachment to an email, you first need to encode and embed it in an HTML file. For that, we will use the File Smuggling tool, which you can easily download using the following command:
$ git clone https://github.com/eddiechu/File-Smuggling.git
Now, open your file manager, move into the downloaded directory, and open “filesmuggling builder.html” using your default browser to see the builder interface.
Here, you can (1) choose the file you want to share via email, (2) enter a password to protect it from unauthorized access, (3) write a message as a reference to the attached file, and then (4) click on the “Build Embedded HTML File” button to (5) generate the HTML file with an encoded and embedded executable file.
You can now write an email and attach the generated HTML file with the payload to share it with the recipient.
When the recipient opens the attached HTML file with the payload, it loads in their default browser.
Here, the recipient needs to enter the password used to encode the executable file into the HTML file to decode and download it.
Final Word
This method is quite useful when you want to share an executable file with recipients via email. However, I suggest that you refrain from using this method to share any malicious files, as sooner or later, the file will automatically be detected by the built-in scanner provided by the email service provider.
So, that’s it for today’s article; if you have any questions or queries, then do let me know in the comment section.
Till then, peace!