
The illusion of safety: Unmasking evasive browser attacks for a secure cyber landscape


Security used to be pretty straightforward. Enterprises would build a strong perimeter defense in front of a robust data center and shore up entry points into the network—ensuring that malicious actors couldn’t gain access. Then, a few decades ago, desktop computers connected to the Internet, and suddenly, threat surfaces extended to end devices. The browser itself wasn’t much of a target, because of limited functionality. There just wasn’t much there for malicious actors to exploit. So, enterprises tended to rely on security solutions that focused on network and endpoint security such as virtual private networks (VPNs), firewalls, sandboxes, antivirus and endpoint detection and response (EDR).

Over the past several years, the decentralization of enterprise applications from the data center to Software as a Service (SaaS) platforms and public cloud infrastructure has put pressure on browser vendors such as Google, Microsoft and newer entrants to build more robust browsers with advanced functionality that can mimic native applications.

However, those earlier investments in network security were never designed to protect the browser. Instead, endpoint security was expected to pick up the slack, but as browsers continue to grow in sophistication, malicious actors are finding new, innovative ways of exploiting these capabilities. New work-from-home policies put additional pressure on the browser—contributing to a failure to address increasingly sophisticated threat actors.

Given that the browser is where more than 75% of today’s workday takes place, it’s no surprise that threat actors are increasingly motivated to target it. According to the Verizon 2022 Data Breach Investigation Report, 90% of breaches now occur through a browser.

It’s clear that the days of building a robust perimeter defense around a hardened data center are long past. Browser security should be the number one priority for enterprise security teams.

Highly evasive threats on the rise

Given expanding threat surfaces due to digital transformation, hybrid work policies and cloud migrations, IT security teams need to do everything possible to protect the browser. Unfortunately, traditional security solutions that rely exclusively on a detect-and-respond approach are woefully ill-equipped to deal with today’s highly sophisticated threats. Today’s malicious actors leverage Highly Evasive Adaptive Threats (HEAT) to get around browser security, make an initial breach on an endpoint, seek out more tempting enterprise targets and strike when the time is right.

Evasive techniques range from phishing attacks on channels other than email, to deploying malware as trusted file types, to using human nature to trick users into clicking on a malicious link, to evading analysis tools by reconstructing files on the other side of the firewall.

Here are three high-profile examples of these evasive techniques in the real world:

1. Oktapus

In a now notorious phishing campaign, ransomware group Oktapus relied on surprise and speed to deceive users into providing their credentials. The attacks focused on Okta customers, sending them text messages or emails containing links to fake Okta authentication pages. Upon clicking the link, victims were asked to input their username, password, and 2FA code into an online form – just one example of how threat actors are bypassing MFA. To break into the network before the expiration of unique codes or push notifications, usually within a two-minute window, the attackers had to move swiftly, likely keeping an eye on their tools in real time to utilize the compromised credentials instantly.

The speed at which security tools detected the fraudulent domains, which often shared similar images, fonts, and scripts, was not enough to thwart Oktapus. The group operated at an almost real-time pace, delivering its payload and extracting data before the threat could be mitigated. Even when a deceptive sign-in page was identified and blacklisted, the ransomware group quickly created new domains to target more individuals within the organization. Traditional security measures, such as blacklisting, URL filtering, or phishing training, weren’t enough to stop the attackers from gaining initial access.

Read more details about the Oktapus threat campaign from the Menlo Labs research team.

2. Lazarus Group

A North Korean group used a series of zero-day exploits in popular browsers as a way to install malware and ransomware on end devices. Users were first lured into visiting a compromised website that was either unknown or previously deemed safe. Unfortunately, most detect-and-respond approaches do not block uncategorized websites for fear of disrupting users’ productivity. In addition, websites already classified as safe were later compromised, providing another avenue for breach. Furthermore, the malicious files were then password-protected, shielding them from file analysis tools. Because there’s no way to analyze the content of these files without the password, file analysis tools typically allow all password-protected files into the network instead of blocking them and hampering productivity. Once past this browser security checkpoint, the malicious actors had free rein to spread throughout the network.
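The passage above (and the Qakbot case below) turns on one gap: a file analysis tool that cannot open a password-protected archive tends to wave it through. The archive's directory is not encrypted, though, so a gateway can at least tell that an entry is password-protected and hold it for review instead of passing it silently. The example below is added here and is not Menlo Security's code; it checks ZIP general-purpose flag bit 0 (the standard encryption flag) with Python's standard library, and the sample archive it builds is constructed for the demonstration.

```python
import io
import struct
import zipfile

# ZIP general-purpose flag bit 0 marks an entry as encrypted (password-protected).
ENCRYPTED_FLAG = 0x0001


def encrypted_entries(zip_bytes: bytes) -> list:
    """Return names of entries whose flag bits mark them encrypted.

    Listing the central directory needs no password, so an inspection tool can
    still see *that* an entry is protected even when it cannot read its content.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def policy_verdict(zip_bytes: bytes) -> str:
    """Hypothetical gateway policy: unscannable archives are held, not allowed by default."""
    if encrypted_entries(zip_bytes):
        return "hold-for-review"
    return "scan"


def _build_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry ZIP.

    The standard library cannot write encrypted archives, so for the
    'encrypted' case we set the encryption flag bit in both the local file
    header (flags at offset 6) and the central directory header (flags at
    offset 8), which is how the archive would present itself to a scanner.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.html", "<html>placeholder content</html>")
    data = bytearray(buf.getvalue())
    if encrypted:
        lfh = data.find(b"PK\x03\x04")  # local file header signature
        flags = struct.unpack_from("<H", data, lfh + 6)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, lfh + 6, flags)
        cdh = data.find(b"PK\x01\x02")  # central directory header signature
        flags = struct.unpack_from("<H", data, cdh + 8)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, cdh + 8, flags)
    return bytes(data)


if __name__ == "__main__":
    for encrypted in (False, True):
        sample = _build_sample(encrypted)
        print(encrypted_entries(sample), policy_verdict(sample))
```

The useful property is that the decision does not require decrypting anything: entry names, sizes and the encryption flag are all in the clear, so "password-protected" can be an explicit policy branch (hold, quarantine, route to a detonation environment) rather than an implicit allow.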

The Menlo Labs research team broke down this campaign in a popular article found here.

3. Qakbot

Qakbot, also known as QBot or Pinkslipbot, has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware to maximize revenue from compromised organizations. Like the Lazarus Group, Qakbot uses multiple reputation evasion techniques to get a user to visit a recently compromised website and download a malicious file. The Menlo Labs research team observed malicious links being sent through password-protected ZIP files, which shield the links from being inspected by detection-based security technology. After clicking the link, the malicious payload is delivered through HTML smuggling—a HEAT technique that allows attackers to bypass browser security measures by hiding malicious code in an HTML page and reconstructing the malware on the end user’s device once it’s already past the firewall.
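HTML smuggling, as described above, works because the page that reaches the browser carries no recognisable file: the payload is assembled client-side, typically from an encoded literal, a Blob and a download trigger. A content inspector can still look for that assembly pattern in the HTML itself. The scanner below is an added example, not Menlo Security's detection logic; the indicator list, the scoring threshold and both sample pages are constructed for the demonstration and should be tuned against real traffic before use.

```python
import re

# Indicators of client-side payload reconstruction. Each is a (regex, label) pair;
# constructed for this example, not a vendor signature set.
INDICATORS = [
    (re.compile(r"\batob\s*\("), "base64-decode-in-script"),
    (re.compile(r"\bnew\s+Blob\s*\("), "blob-construction"),
    (re.compile(r"\bURL\.createObjectURL\s*\("), "object-url-download"),
    (re.compile(r"\bmsSaveOrOpenBlob\s*\("), "legacy-blob-save"),
    (re.compile(r"<a\b[^>]*\bdownload\s*="), "anchor-download-attribute"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "long-base64-literal"),
]


def scan_html(html: str) -> list:
    """Return the labels of every indicator present in the page, in list order."""
    return [label for pattern, label in INDICATORS if pattern.search(html)]


def is_suspected_smuggling(html: str, threshold: int = 3) -> bool:
    """Flag a page only when several indicators co-occur.

    A single hit is common in benign pages (inline images are long base64
    literals; plenty of legitimate apps call createObjectURL), so the verdict
    needs the encoded-data indicator plus enough of the reconstruction chain.
    """
    hits = scan_html(html)
    return "long-base64-literal" in hits and len(hits) >= threshold


# Constructed sample: the reconstruction pattern with a dummy 240-character literal.
SUSPECT_HTML = (
    '<html><body><a id="dl" download="report.pdf">Download</a>\n'
    "<script>\n"
    '  var raw = atob("' + "QUFB" * 60 + '");\n'
    "  var blob = new Blob([raw]);\n"
    '  document.getElementById("dl").href = URL.createObjectURL(blob);\n'
    "</script></body></html>"
)

# Constructed sample: an ordinary login form with none of the indicators.
BENIGN_HTML = (
    '<html><body><form action="/login" method="post">'
    '<input name="user"><input type="password" name="pw">'
    "</form></body></html>"
)


if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_HTML), ("benign", BENIGN_HTML)):
        print(name, scan_html(page), is_suspected_smuggling(page))
```

This is a static heuristic and it is easy to defeat with obfuscation, which is exactly the article's point about detection-only approaches; its value is as a cheap first-pass signal that routes the page to deeper analysis or isolation rather than as a final verdict.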

A full breakdown of the Qakbot campaign can be found here.

Evolving from the status quo

Malicious actors are getting smarter about exploiting vulnerabilities in popular browsers, using a variety of highly evasive techniques to get around traditional security solutions that rely on a detect-and-respond approach to cybersecurity. Oktapus, the Lazarus Group and Qakbot are just three examples of how threat actors are able to avoid detection, make an initial breach on a vulnerable endpoint and then spread laterally through the network in search of valuable targets. It’s clear that traditional detection-based approaches to security simply aren’t working, and many of the investments made in security stacks continue to fail organizations. To stop these attacks before they start, organizations need a preventative security layer on top of their existing detection capabilities, one that denies attackers that initial breach.

One consideration is isolation technology, which prevents threats before they happen by executing all content, malicious or not, in a virtual layer in the cloud, so that potential threats never come anywhere near the endpoint. This is necessary because, as we’ve seen, it is getting harder and harder to keep up with evasive threats that increasingly outmaneuver existing network and endpoint security solutions.

Menlo Security
