Learn how hybrid work is fueling ransomware attacks and what to do about it.

Back to blog

HEAT Attacks: Evading Malicious URL-Link Analysis

Illustration of a laptop with a chat application, with one of the users linking to a hidden bug

Share this article

People are working from home more than ever — and it’s going to stay that way long after the pandemic has passed. According to this Mercer study, 70 percent of responding companies said they would be adopting a hybrid office/remote work model. These companies are doing so for good reasons. Nearly 60 percent of worker respondents to this FlexJobs survey said that they would absolutely go looking for a new place to work if they couldn’t continue working remotely.

What does this mean for enterprise cybersecurity? It means attackers will focus on where remote staff tend to concentrate and work: in their web browser. For today’s cyberattackers, that often means sending workers a malicious link via a phishing or spear-phishing email. Interestingly, studies show more than 90 percent of all cyberattacks involve a phishing attack. These link threats aren’t going away, either, because they work. And attackers are adapting their methods as the “how” and “where” people use technology evolves.

One such way they’re revising their attacks, as we’ve been covering in this series, is by employing Highly Evasive Adaptive Threats (HEAT) tactics. When it comes to phishing attacks, threat actors do everything they can to sidestep malicious URL-link analysis engines, which are traditionally implemented within email to analyze links before the user even sees them. Attackers’ strategies are proving successful. The Menlo Labs research team has observed a 224 percent increase in HEAT attacks in the second half of 2021. In many cases, these attacks led to the delivery of ransomware.

Broadly, phishing attacks involve deceitful communications that trick users into thinking that they’re interacting with a reputable person or company. Historically, phishing attacks have been delivered through email. These emails typically try to trick users into clicking a malicious link by utilizing some form of general social engineering technique, exploiting the trust that the victim has with the brand or person impersonated in the communication. In spear-phishing attacks, the attacker researches their targeted victims and learns their likes, desires, and other aspects of their lives that can be used to lure the target in or lull them into complacency.

Now, threat actors are increasingly taking this approach outside the realm of email phishing. With HEAT attacks, users are targeted (or speared) with malicious links via communication channels beyond email, such as social media and professional web networks, collaboration applications, SMS, shared documents, shared folders, and more. These malicious links are increasingly used to steal corporate credentials instead of personal credentials in order to bypass corporate security and deliver malware to corporate endpoints.

A game of escalation and tactics

The challenge for attackers is that enterprises keep improving their email security and actively scan for malware and malicious links in these channels. Additionally, business-savvy users and staff (who know they are targets, thanks to security awareness training) are more careful about clicking on emails when they aren’t entirely sure of their safety. Yes, people still slip. And yes, many employees are still not cautious about what links they click on, and they get themselves into trouble. Yet, more people are growing careful, especially more sophisticated, adequately trained, and aware users.

People tend to trust social media contacts more, so attackers have gravitated there — so much so that the Federal Trade Commission issued a warning that scams starting on social media proliferated in early 2020. Users are also actively engaging on these platforms as they seek work-related content to read or watch, as well as information about industry conferences, jobs, and more. As they’re actively clicking, they’re more likely to click on something they shouldn’t.

As we covered in Too hot to handle: Why modern work has given rise to HEAT attacks, a recent attack campaign consisted of attackers leveraging spear-phishing with the messaging capabilities of LinkedIn. These attackers coaxed users with bogus job opportunities that were malicious links designed to compromise their endpoints with malware that would give the attackers complete control over their target’s computer or device. Attackers are increasingly doing so with impersonation websites for brands that users trust.

These attacks hit the web browser, bypassing all the traditional email security defenses that enterprises have in place.

Sidestepping traditional malicious link analysis

This is yet another way threat actors leverage HEAT attacks against organizations. They’re evading malicious link analysis engines that are typically deployed to protect email by analyzing all of the links before passing them along to their people. With HEAT attacks designed to bypass link analysis engines, users are targeted in other areas of communication, such as social media sites and their messaging platforms, communication platforms such as Discord or Slack, SMS, and more. When clicked, these links are just like the links used in typical email phishing attacks — they’re designed to steal login credentials or distribute malware.

Attackers can also use the information on LinkedIn and what users post on Facebook or Twitter to obtain special knowledge that can be used to connect to the targeted victims and build relationships over time. The attacks are effective because they’re quick and can be made personal — seemingly more connected to the user.

Threat actors can also strategically combine HEAT attacks, such as by launching HTML smuggling attacks that we detailed in our article about how attackers evade static and dynamic content inspection. By combining such HEAT tactics, digital marauders increase their odds of successfully bypassing traditional security controls and technologies such as Secure Web Gateways and email monitoring engines.

While email remains the primary attack vector (for now), these HEAT attacks designed to bypass traditional defenses, such as malicious link analysis, are increasing. Enterprises that aren’t looking at the attack vectors — which are all on the web — to find ways to cool down the HEAT will continue to miss these dangerous and growing link threats.

Download white paper: The threat landscape HEATs up with Highly Evasive Adaptive Threats

Share this article

Make the secure way to work the only way to work.

To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.