Does your security stack prevent HEAT attacks?

Threat actors are leveraging Highly Evasive Adaptive Threats (HEAT) – which are used as beachheads for delivering ransomware payloads – to compromise remote and hybrid users. These attacks evade multiple layers of detection in legacy security technology. This is an opportunity to see if your security stack can stop these attacks.


Top 4 HEAT attack types

HEAT attacks are one of the biggest unknown security threats organizations face. These threats leverage four evasive techniques to bypass legacy network security defenses such as sandboxes, anti-virus engines, malicious link analysis, offline domain analysis, and indicators of compromise (IoC) feeds:

Evades both static and dynamic content inspection

Threat actors are using HTML smuggling and/or JavaScript scams within browser environments to deliver malicious payloads to endpoints. This technique constructs the malicious file inside the browser, so there is no request for a remote file that network controls could inspect; the malware is transferred while effectively evading firewalls and network security solutions, including sandboxes and anti-virus in legacy proxies.
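Added here as an illustration, not code from Menlo Security or its product: a content-inspection heuristic that scores a page for the client-side file-assembly pattern described above, since the only thing a proxy ever sees is the HTML and script, never a fetched file. The indicator list, weights and threshold are assumptions, and both sample pages are constructed.

```python
import re

# Heuristic indicators that a page assembles a downloadable file inside the
# browser rather than fetching it from a URL a proxy or sandbox could inspect.
# Each entry: (name, regex, weight). Weights and threshold are assumptions.
INDICATORS = [
    ("base64_decode", r"\batob\s*\(", 2),
    ("blob_constructor", r"\bnew\s+Blob\s*\(", 2),
    ("object_url", r"URL\.createObjectURL\s*\(", 2),
    ("download_attr", r"\.download\s*=|\bdownload\s*=\s*[\"']", 2),
    ("ie_save_blob", r"msSaveOrOpenBlob\s*\(", 3),
    ("octet_stream", r"application/octet-stream", 1),
    ("large_base64_literal", r"[\"'][A-Za-z0-9+/]{512,}={0,2}[\"']", 2),
]
SUSPICIOUS_THRESHOLD = 7  # assumption: tune against your own traffic

def score_html(html: str) -> dict:
    """Return matched indicator names, a weighted score and a verdict."""
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, html)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}

# Constructed sample: the file exists only as an inline literal and is decoded
# and assembled client-side, so there is no remote fetch for a proxy to inspect.
SMUGGLING_SAMPLE = (
    '<script>var b64 = "' + "A" * 600 + '";\n'
    "var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));\n"
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a");\n'
    "a.href = URL.createObjectURL(blob);\n"
    'a.download = "file.bin";</script>'
)

# Constructed sample: a legitimate in-browser CSV export uses the same Blob and
# download APIs, which is why no single indicator should raise an alert alone.
BENIGN_EXPORT_SAMPLE = (
    '<script>var blob = new Blob([rows.join("\\n")], {type: "text/csv"});\n'
    'var link = document.createElement("a");\n'
    "link.href = URL.createObjectURL(blob);\n"
    'link.download = "export.csv";</script>'
)

if __name__ == "__main__":
    for label, sample in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_EXPORT_SAMPLE)):
        print(label, score_html(sample))
```

Obfuscated JavaScript of the kind this page describes under HTTP traffic inspection will not match these patterns, which is the inherent limit of any pre-render static check.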


Evades malicious link analysis

Link analysis engines are traditionally implemented in the email path, where links can be analyzed before they reach the end user. In some HEAT attacks, users are targeted (or speared) with malicious links via communication channels outside of email, such as social media, collaboration applications, SMS, shared documents, and more. Because these links never pass through the email path, they completely evade the analysis engines and are increasingly used to steal corporate credentials, deliver malware to corporate endpoints, and consequently bypass corporate security.


Evades offline categorization and threat detection

HEAT attacks evade web categorization by using benign websites, either by compromising existing benign sites or creating new ones – what the Menlo Labs team has coined as Good2Bad websites. Once threat actors decide to activate these websites, they use them for malicious purposes for a short amount of time. They then revert the websites to their original content or simply remove them. From 2020 to 2021, the Menlo Labs team observed a 137% increase in Good2Bad websites.


Evades HTTP traffic inspection

This tactic involves malicious content – such as browser exploits, crypto-mining code, phishing kit code, and images impersonating known brand logos – being generated by JavaScript inside the browser's rendering engine, so any detection technique applied before the web page is executed or rendered sees none of it. This allows the attack to avoid detection by static signatures that examine web page source code and HTTP traffic. Obfuscated JavaScript is often used as well, which increases the challenge for both security researchers and detection engines.
