
Escalating evasive browser attacks: Understanding the whys


Cybersecurity is a perpetual challenge of strategy and adaptation. Threat actors find a vulnerability, and, eventually, security vendors plug the hole. Attackers find another way into the network, and a patch is issued to seal that weakness as well. And so on and so forth. It’s this back and forth, and the resulting need to be adaptive, that makes cybersecurity a challenging and sought-after skillset. Issues arise when security teams overlook a shifting landscape and neglect to adapt their strategies in response to their adversaries’ tactics.

The latest transformation revolves around the way we work. Users used to drive to the office, turn on their desktop and access a small portfolio of pre-authorized enterprise applications right from the corporate data center. A hardened perimeter secured a limited number of access points to the outside world, making it difficult to breach the network. Now, work is done primarily inside the browser from home and the road, and while it varies from organization to organization, in many cases the office seems to come in a distant third. Applications live in the cloud, critical business functions are outsourced to Software as a Service (SaaS) platforms, and we communicate and collaborate through web-based platforms that are ubiquitous to how we perform our everyday tasks.

An emerging opportunity for threat actors

Threat actors are not oblivious to the fact that our work and our lives have grown increasingly distributed and accessible online. They know that browsers have evolved significantly to enable this distributed model, adding advanced features and capabilities that allow users to do more within the browser than ever before. And they know that the cybersecurity industry has failed to evolve in line with these changes.

Before the evolution and proliferation of the web browser, most attacks were delivered via email or even physical media such as floppy disks or USB thumb drives, and traditional security tools appropriately focused on those threat vectors, building robust capabilities around protecting the network and endpoints. However, times have changed. According to Forrester, enterprise employees spend 75% of their device time in the web browser.

As a result of this transformation, and of security vendors’ failure to adapt to the growing attack surface, threat actors are targeting the web browser at an alarming rate. The Verizon 2022 Data Breach Investigations Report (DBIR) indicates that web applications and email, both primarily accessed via web browsers, constitute the primary attack vectors in security breaches, accounting for over 80% of such incidents. These evasive threats are specifically designed to get around traditional detection-based technologies such as firewalls, URL filtering, sandbox analysis and signature-based AV engines. They adapt over time to take advantage of new threat vectors and vulnerabilities, making it extremely difficult to detect abnormal behavior in time.

The attackers’ goal is to gain an initial foothold on an endpoint by targeting the unprotected web browser. From there, they lie in wait and stealthily observe the network in search of potential targets. When the time is right, whether within a few seconds or months later, they deliver their payload so they can hijack business systems, lock out users, or exfiltrate valuable data.

A failure to evolve

Today’s agile world requires fast, reliable access to web-based tools through web browsers. This allows businesses and other organizations to make data-driven decisions quickly to take advantage of market opportunities as they arise. Increasingly, traditional security tools are seen as an inhibitor to business agility, and, as a result, security and authentication policies tend to err on the side of granting access when authenticity is in doubt to avoid inhibiting productivity. Today’s threat actors take advantage of this conflict between operations and security by tricking users and traditional security tools into thinking they are benign. This gives them initial access to the endpoint through the browser where they can launch subsequent attacks at will.

These innovative and highly effective approaches to compromising users and easily bypassing legacy security technology are known as Highly Evasive Adaptive Threats (HEAT).

HEAT attacks get around traditional security solutions and gain an initial foothold through the browser via four distinct characteristics:

Evading URL filtering

URL filtering solutions look at the reputation of a website and make an allow or block decision at the point of click. The problem with this technology is that it assumes a domain’s reputation is static when in fact it is dynamic: a reputation score describes what the site served in the past, not what it serves now. Threat actors evade URL filtering by building a website, letting it earn a good reputation over time and then, at some point, adding malicious content. Visitors to the website are compromised until reputation engines catch up. In the same vein, attackers can compromise legitimate websites that already have a good reputation, embed malicious content and let someone else’s good reputation get them through the door.

An example of URL filtering evasion is Legacy URL Reputation Evasion (LURE). Recent attacks have used Google searches to steal Amazon Web Services (AWS) users’ login credentials by gaming search results to place malicious websites high in the rankings, often first after Amazon’s own paid search results. Users were tricked into thinking that the high-ranking results were legitimate.

Evading email security tools

Email security tools have gotten a lot better at identifying and blocking phishing links and other malware. Rather than trying to break these robust solutions, malicious actors simply go around them by delivering phishing links and documents through other channels such as text messaging, social networks and communications and collaboration apps such as Slack or Microsoft Teams. The ability to overwhelm users or groups of users with requests across multiple channels makes it more likely someone will make a mistake. Remember, all it takes is for a single user to click on a compromised comment in a Google Doc, a bogus LinkedIn connection request or a faked appeal to authenticate their Netflix account, and your network is cooked.

One of the more common examples is multi-factor authentication (MFA) bypass. Also called man-in-the-middle (MitM) phishing or single sign-on (SSO) impersonation, an MFA bypass attack prompts the user to enter credentials and a one-time code into a fake login request; the attacker relays them to the real service while the code is still valid and takes over the resulting session, gaining access to sensitive data and systems. Because the bait can be delivered through channels outside the purview of email security solutions, it evades detection there.

Evading file-based inspection and sandboxing

File-based inspection and sandboxing allow security teams to identify and analyze a suspicious file in a safe environment before it reaches the browser. However, threat actors have come up with a number of ways to evade analysis, from delivering malicious payloads in pieces and reconstructing them after the fact to simply adding a password to the malicious file. When a file cannot be analyzed, most organizations are fine with erring on the side of productivity and let it through. Threat actors know this, and anything they can do to throw up a roadblock or obfuscate their malicious intent is likely to succeed.
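To make the "payload in pieces" evasion concrete, here is an added example (not code from the original post or from Menlo Security) showing both sides of HTML smuggling: a harmless stand-in payload is split into base64 fragments and embedded in a page that reassembles it with atob/Blob and triggers a download, and a simple indicator-based score that a gateway could apply to the page before it is rendered. The payload text, the page template, the indicator list and their weights are all constructed for illustration. It runs under Node.js; the Blob/createObjectURL steps are emitted as the generated page text rather than executed, since they only exist in a browser.

```javascript
// Added example, not Menlo Security's code. Runs under Node.js.
// Attacker side: a harmless stand-in for the smuggled file (constructed sample).
const PAYLOAD = Buffer.from("This stands in for a malicious file; the real thing would be an EXE or ISO.\n");

// Split the base64 form of the payload into n fragments. Splitting the encoded
// string (rather than the raw bytes) keeps the concatenation valid base64.
function smuggleFragments(buf, n) {
  const b64 = buf.toString("base64");
  const size = Math.ceil(b64.length / n);
  const parts = [];
  for (let i = 0; i < b64.length; i += size) parts.push(b64.slice(i, i + size));
  return parts;
}

// What the smuggling page looks like: fragments sit in innocuous JS variables and
// are decoded, joined and written to disk only when the page runs in the browser.
function buildSmugglingPage(fragments, filename) {
  const vars = fragments.map((f, i) => `var p${i} = "${f}";`).join("\n");
  const join = fragments.map((_, i) => `p${i}`).join(" + ");
  return `<html><body><script>
${vars}
var bytes = Uint8Array.from(atob(${join}), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "${filename}";
a.click();
</script></body></html>`;
}

// The browser-side reassembly, reproduced in Node so the round trip can be checked.
function reassemble(fragments) {
  return Buffer.from(fragments.join(""), "base64");
}

// Defender side: static indicators a gateway or sandbox can score before rendering.
// Weights are assumptions chosen for this illustration.
const INDICATORS = [
  [/\batob\s*\(/, 2],                              // base64 decode in page script
  [/new\s+Blob\s*\(/, 2],                          // in-memory file construction
  [/URL\.createObjectURL\s*\(/, 3],                // blob turned into a downloadable URL
  [/\.download\s*=|\bdownload\s*=\s*["']/, 2],     // forced download attribute
  [/msSaveOrOpenBlob/, 3],                         // legacy IE/Edge download API
  [/["'][A-Za-z0-9+\/]{200,}={0,2}["']/, 3],       // long inline base64 literal
];

function scoreHtmlSmuggling(html) {
  let score = 0;
  const hits = [];
  for (const [re, weight] of INDICATORS) {
    if (re.test(html)) { score += weight; hits.push(re.source); }
  }
  const verdict = score >= 7 ? "block" : score >= 4 ? "isolate" : "allow";
  return { score, hits, verdict };
}

// Stand-alone demo of the round trip and the score.
const fragments = smuggleFragments(PAYLOAD, 3);
const page = buildSmugglingPage(fragments, "invoice.iso");
console.log(reassemble(fragments).equals(PAYLOAD), scoreHtmlSmuggling(page));
```

Note what the score relies on: the attacker can rename variables, re-encode fragments or split the decode across functions, so static indicators like these raise the cost of the technique but do not replace executing the page in an isolated browser and observing what it actually tries to write to disk.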

Two examples of this type of attack are HTML smuggling and malicious password-protected files. Threat actors use HTML smuggling, often while impersonating a well-known brand, to deliver malware. It works by breaking a malicious file into small JavaScript blobs that file-based inspection solutions deem benign, because no file ever crosses the wire; only page script does. Once past the initial detection engines, that script reassembles the file in the browser and writes it to disk as a download. By then, it’s too late. In the same vein, threat actors can evade email gateway solutions, Secure Web Gateways (SWGs) and sandboxes by embedding malicious links in a password-protected file, taking advantage of policies that allow all password-protected files to be downloaded through the browser.
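Policies that wave through whatever cannot be scanned are the weak setting in the password-protected-file case. The following added example (not the original post's code, nor Menlo Security's) parses ZIP local file headers to tell whether an archive's entries are encrypted, and places the permissive policy the text describes beside a fail-closed one. The sample archives are constructed inline from local headers only, the entry names are invented, and the "block"/"scan"/"allow" actions are assumptions for illustration. Runs under Node.js.

```javascript
// Added example, not Menlo Security's code. Runs under Node.js.
const LOCAL_SIG = 0x04034b50;        // ZIP local file header signature
const FLAG_ENCRYPTED = 0x0001;       // general purpose bit 0: ZipCrypto or AES entry
const FLAG_DATA_DESCRIPTOR = 0x0008; // sizes live in a trailing descriptor
const METHOD_AES = 99;               // WinZip AE-x encryption marker

// Walk the local file headers and report, per entry, whether its contents are readable.
function listZipEntries(buf) {
  const entries = [];
  let off = 0;
  while (off + 30 <= buf.length && buf.readUInt32LE(off) === LOCAL_SIG) {
    const flags = buf.readUInt16LE(off + 6);
    const method = buf.readUInt16LE(off + 8);
    const compSize = buf.readUInt32LE(off + 18);
    const nameLen = buf.readUInt16LE(off + 26);
    const extraLen = buf.readUInt16LE(off + 28);
    const name = buf.subarray(off + 30, off + 30 + nameLen).toString("utf8");
    entries.push({ name, method, encrypted: (flags & FLAG_ENCRYPTED) !== 0 || method === METHOD_AES });
    // With bit 3 set the compressed size is not in the header, so the payload
    // cannot be skipped reliably from here; stop the walk rather than guess.
    if (flags & FLAG_DATA_DESCRIPTOR) break;
    off += 30 + nameLen + extraLen + compSize;
  }
  return entries;
}

// The policy the text criticises: anything the scanner cannot open is let through.
function permissivePolicy(buf) {
  const entries = listZipEntries(buf);
  if (entries.length === 0) return { decision: "allow", reason: "not a zip, nothing to scan" };
  if (entries.some(e => e.encrypted)) return { decision: "allow", reason: "password-protected, passed unscanned" };
  return { decision: "scan", reason: "plaintext entries, sent to scanner" };
}

// Fail-closed alternative: an archive the scanner cannot see inside is blocked.
function failClosedPolicy(buf) {
  const entries = listZipEntries(buf);
  if (entries.length === 0) return { decision: "block", reason: "not a valid zip" };
  const enc = entries.filter(e => e.encrypted).map(e => e.name);
  if (enc.length > 0) return { decision: "block", reason: `encrypted entries: ${enc.join(", ")}` };
  return { decision: "scan", reason: "all entries readable" };
}

// Constructed sample archives: local header + name + stored data, no central directory,
// which is all the check above needs. CRC, time and date are left zero.
function makeEntry(name, data, { encrypted = false, method = 0 } = {}) {
  const nameBuf = Buffer.from(name, "utf8");
  const h = Buffer.alloc(30);
  h.writeUInt32LE(LOCAL_SIG, 0);
  h.writeUInt16LE(20, 4);                             // version needed to extract
  h.writeUInt16LE(encrypted ? FLAG_ENCRYPTED : 0, 6); // general purpose flags
  h.writeUInt16LE(method, 8);                         // 0 = stored
  h.writeUInt32LE(data.length, 18);                   // compressed size
  h.writeUInt32LE(data.length, 22);                   // uncompressed size
  h.writeUInt16LE(nameBuf.length, 26);
  h.writeUInt16LE(0, 28);                             // no extra field
  return Buffer.concat([h, nameBuf, data]);
}

const PLAIN_ZIP = Buffer.concat([
  makeEntry("readme.txt", Buffer.from("hello")),
  makeEntry("notes.txt", Buffer.from("world")),
]);
const ENCRYPTED_ZIP = Buffer.concat([
  makeEntry("readme.txt", Buffer.from("hello")),
  makeEntry("invoice.lnk", Buffer.alloc(12), { encrypted: true }),
]);
const NOT_A_ZIP = Buffer.from("<html>not an archive</html>");

console.log(permissivePolicy(ENCRYPTED_ZIP), failClosedPolicy(ENCRYPTED_ZIP));
```

The same decision structure applies to any artifact the inspection path cannot open (encrypted PDFs, password-protected Office files, pages gated behind a CAPTCHA): the question is not whether the scanner found something, but whether it was able to look at all.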

Evading HTTP inspection

HTTP inspection works much the same way, analyzing a website’s content for malicious material before rendering it in a user’s browser. Threat actors can throw up any number of obstacles that prevent inspection by traditional security solutions, such as placing a CAPTCHA in front of the content so that automated crawlers and sandboxes cannot reach the page or submit a form. Again, most organizations err on the side of getting work done, so they let websites that cannot be inspected through to the browser. All threat actors have to do is wait until they get past the HTTP inspection engine and then deliver their payload, whatever that may be.

The way forward

It’s clear that today’s threat actors have evolved past the capabilities of traditional security solutions. It’s also clear that a cybersecurity strategy that relies solely on a detection-based approach is inherently flawed. Once HEAT attacks evade and adapt and make that initial breach through the browser, it’s too late. From there, they have free rein to observe and spread laterally through the network in search of more promising targets. All it takes is for one user to click on a compromised link, and your most valuable assets are at risk.

Instead, organizations need to employ a preventative cybersecurity strategy on top of detection to stop threat actors from making that initial access. Most attacks come through the browser, so it makes sense to start there as your first layer of defense.

Since HEAT attacks are designed to evade traditional detection tools and continuously adapt to find other ways to compromise the browser, modern security solutions need to trick malicious actors into laying their cards on the table before they gain access. The key is to emulate user interaction, behaving as if a user had clicked the compromised link or downloaded the malicious file, but doing so in a safe environment away from the would-be victim’s endpoint. This forces the attacker’s hand, so you can take appropriate action to stop the attack before it gains access.

Mastering the art of anticipation

Web browsers have become so widespread and powerful that they necessitate their own unique level of security. These next-gen browser security solutions need to be cloud-based where most work is currently done. This ensures that the security protocols follow users wherever they conduct their business– be it the office, at home, at a client site, or on the road. At this juncture, one can implement isolation technology within a cloud-based Secure Web Gateway (SWG).

So what is isolation technology in this context? It's an approach that allows organizations to access all web content through a remote browser in the cloud. By doing so, it effectively places a protective layer between the user and potential online threats. All content, whether malicious or not, is isolated in this remote environment. This simulates user interaction in a safe location, compelling any malicious actor to reveal their intent without harming the actual user's system.

What's more, isolation technology preserves the native user experience where the Internet functions as expected. It doesn't add unnecessary complexity to the network security management stack, enabling a smoother and safer browsing experience.

Most important, however, is gaining visibility into and control over what’s happening inside the web browser. Most organizations have granular visibility into other security events through logs and other reporting mechanisms. Security teams should extend this visibility and control to the browser. Use tools to identify phishing attempts by spotting fake logos, masked domains and other suspicious activity inside the browser. This is especially critical as browsers continue to add functionality and grow more powerful. However, while traditional security tools make a binary allow or block decision, next-gen browser security solutions need to make more nuanced decisions at the point of click that safeguard users without impacting productivity.

Context is king. And this can only be collected through visibility into everything the browser does. Once you know exactly what is going on and how the HEAT attack is attempting to gain access, you can take action through granular policies. Perhaps you only deliver content in read-only mode. Maybe you block any request that comes from outside North America. Or block certain applications or web traffic. From there, you need to continuously authenticate to make sure people are who they say they are at all times.

A phased approach to protection

Adding the protective isolation layer to an organization’s current security strategy can be incredibly simple and does not require a complete overhaul of their security stack. It’s as simple as forwarding traffic through an isolation-powered platform. This easily fills the security gaps left by traditional security tools. Delivered through the firewall or more likely in front of a cloud-based SWG, isolation will protect the browser no matter how many HEAT attacks evade traditional detection tools. It doesn’t matter where users, devices, applications or threat actors are located (inside or outside the corporate data center, for example), you know that you’ll always be protected.

Menlo Security
