OneStart

Cybersecurity defenses have evolved, but so have the tactics used to evade them.

Attackers today are targeting the browser: the core tool your employees rely on for email, SaaS access, and collaboration. It’s where work happens, and where security often stops watching.

Highly Evasive Adaptive Threats (HEAT) represent a new class of browser-based attacks. They don’t depend on browser exploits or on an attachment a scanner already recognizes; any payload is built inside the browser itself, and the rest of the activity blends into normal web traffic, passing traditional defenses unnoticed.

If your security stack still relies heavily on firewalls, antivirus, or email filters, you may already be exposed.

Why HEAT Threats Are Now the Core Challenge

Browsers now carry most day-to-day business work. From email to SaaS access, spreadsheets, and collaboration tools, employees live in web browsers. Menlo Security’s 2023 report found that 75% of enterprise work occurs in browsers, making them the most attractive attack vector.

Since mid‑2021, Menlo Labs has seen a 224% increase in HEAT-style campaigns. About 69% of malicious domains now rely on HEAT techniques to evade detection. Nearly 62% of IT leaders report browser-based attacks in the last year, yet only 27% had robust protection in place on all endpoints.

These attacks succeed because one click in a trusted-looking browser session can trigger compromise, even with no download. Encrypted traffic shields attackers, and dynamic code avoids signature tools.

How HEAT Attacks Work: The Tactics Behind the Threat

HEAT attacks (Highly Evasive Adaptive Threats) rely on stealth and adaptation. These threats don’t behave like traditional malware that can be scanned or flagged by known patterns. Instead, they operate entirely within the browser environment, where most traditional defenses lack visibility. Here’s a breakdown of the four core tactics used, and why they’re so dangerous:

HTML Smuggling

HTML smuggling is a method where attackers embed an encoded, often Base64-obfuscated, payload inside a seemingly harmless HTML or JavaScript file. When a user opens the HTML attachment or clicks the link, script running in the browser decodes the payload and hands it to the user as a local download. Inspection at the network edge (Secure Web Gateways, firewalls, mail gateways) never sees a malicious file cross the wire; endpoint antivirus only gets a look once the file has already been written to disk.

Unlike a traditional attachment, the malicious file is never fetched from a server as a file. It is assembled in memory on the user’s device, typically by wrapping the decoded bytes in a Blob, handing it to URL.createObjectURL and triggering an anchor with a download attribute (older variants call msSaveOrOpenBlob), which is why tools that inspect what crosses the network never see it.

For example, Microsoft has reported multiple campaigns where HTML smuggling was used to deliver banking trojans like Mekotio, or remote access tools like AsyncRAT, and even malware loaders such as Trickbot and Qakbot. These attacks were embedded in seemingly benign emails with HTML attachments or links pointing to trusted platforms like SharePoint or OneDrive.

According to Menlo Security, more than 27,000 malware payloads were delivered using HTML smuggling techniques in just 90 days. These campaigns often avoided detection entirely, even by organizations using updated secure email gateways (SEGs).

Obfuscated & Polymorphic Scripts

These scripts are written to constantly change their structure, without altering what they do. This makes them extremely difficult for static scanning tools to detect.

  • Obfuscation involves scrambling code using variable renaming, encoding, or injecting junk code to make analysis difficult.
  • Polymorphism takes this further by generating a new variant of the code each time it is served or run, effectively creating a “new” piece of malware with every delivery.

These techniques defeat traditional antivirus and endpoint detection systems that rely on known file signatures. Since the scripts run entirely within the browser, often using JavaScript, they’re also invisible to most sandbox tools unless specific browser behavior is monitored.

Some campaigns use JavaScript obfuscation to reconstruct C2 (Command and Control) beacons only after ensuring they aren’t being sandboxed, creating delayed payloads that only activate on real machines.

Sandbox Evasion

Modern malware often detects when it’s being watched. Sandbox evasion techniques allow HEAT attacks to avoid detonation in security environments designed to observe behavior before delivery to endpoints.

Some common tactics include:

  • Time-based delays: The script waits several minutes before executing, exceeding typical sandbox timeouts.
  • User interaction checks: Code won’t execute unless it detects mouse movement or keyboard activity.
  • Fingerprinting: Scripts scan the environment for sandbox indicators (like virtual machine artifacts, lack of GPU drivers, or emulator settings).

For instance, the IcedID banking malware campaign used sandbox evasion by delaying execution until the system passed multiple environment checks. It remained inert in most detection environments.

Good‑to‑Bad Domains (Good2Bad Switching)

In this tactic, threat actors register domains that initially serve benign content to build a good reputation with reputation-based security systems like SWGs or domain reputation filters. Once the domain is classified as safe or “greenlit,” the content is swapped to deliver malware, credential phishing, or redirect to malicious infrastructure.

This is often paired with SEO poisoning, where attackers manipulate search engine rankings to elevate malicious content for high-volume search terms, ensuring a broader, unwitting audience.

According to Menlo Security’s 2022 State of Browser Security report, Good2Bad domain usage rose 137% year-over-year, becoming one of the fastest-growing methods to defeat domain reputation checks.

One real-world campaign embedded malicious redirects in online search results for COVID-19 travel policies, leading users to credential-harvesting pages hosted on previously benign WordPress sites that had recently changed hands.

Why Traditional Defenses Fall Short

HEAT attacks succeed because they operate where legacy defenses have the least visibility: inside the browser. Here’s why your current tools likely fall short:

Firewalls

They inspect network traffic, not dynamic scripts or payloads assembled inside the browser. If the threat is built after the connection is established, the firewall never sees it.

Email Filters

They can block suspicious attachments, but not what happens after a user clicks a link. HTML smuggling and fake login forms delivered via trusted services often slip through.

Antivirus Software

Most AV tools look for known file signatures. Much of a HEAT attack is fileless: the scripts run in memory, and by the time a file does land on disk (an HTML-smuggled archive, for instance) it is often a freshly generated variant that matches no signature.

Secure Web Gateways (SWGs)

SWGs struggle with encrypted web traffic (which now makes up over 90% of browser activity). They also miss fast-changing or delayed domain behavior used in Good-to-Bad tactics.

Sandboxes

Sandboxing relies on malware triggering quickly. But HEAT payloads often delay execution or detect when they’re being analyzed, staying dormant until they reach the real user.

These gaps allow attackers to slip in through the browser, quietly, quickly, and without triggering the alarms your security stack depends on.

How Modern Defenses Respond

Protecting the browser requires a different strategy, one that doesn’t rely on identifying bad behavior after it happens.

Browser isolation is emerging as a critical control. These tools execute all browser activity in a secure, remote environment, separate from the user’s device. Users interact with a visual stream of safe content, and no code from the website touches their local machine. One caveat when evaluating products: isolation that reconstructs a sanitized DOM locally rather than streaming pixels still forwards some page content to the endpoint, so check which mode applies to unknown and uncategorized sites.

There are two main types of solutions:

  • Remote Browser Isolation (RBI): Content is executed in a cloud container, and only safe rendering is streamed to the user.
  • Enterprise Browsers: Some security vendors embed isolation directly into a hardened browser built for enterprise use.

These approaches prevent:

  • Malicious scripts from executing
  • HTML smuggling attacks
  • Credential harvesting via fake login forms
  • Malware delivered through embedded cloud links

It’s a practical, proactive way to treat all web content as untrusted, regardless of the source.

What You Can Do Right Now

You don’t need to rebuild your entire security infrastructure to start addressing HEAT threats, but you do need to close the blind spot around browser activity. These attacks don’t need a browser exploit or a recognizable malware file. They rely on trust, user behavior, and overlooked gaps in visibility. Here’s how you can respond effectively:

1. Review Your Security Stack for Browser Visibility

Start by auditing your existing tools. Can your current solutions inspect encrypted web traffic, dynamic JavaScript execution, or in-browser fileless activity? Most legacy tools (firewalls, antivirus, and email filters) can’t.

Look for technologies that provide deeper browser-level monitoring. Secure enterprise browsers, Remote Browser Isolation (RBI), and behavior-based threat detection platforms can offer visibility where traditional tools fall short.

Tip: Include your SOC and IT teams in the review. Make sure you understand not just what’s being monitored but also what’s being missed.

2. Train Employees on Web-Based Threat Awareness

HEAT attacks often start with a single click inside a legitimate-looking interface: Google Docs, cloud email, shared PDFs, or embedded HTML.

Train employees to be cautious of:

  • Unexpected login prompts from familiar apps
  • Shared links that open login pages or forms
  • Documents that require enabling scripts or macros
  • “Clean” attachments from unusual senders

Focus training on your most targeted departments (HR, finance, legal, and executive assistants), where attackers know one click can open the door.

Action step: Use simulated phishing campaigns and browser-based threat scenarios to make training real and memorable.

3. Roll Out Browser Isolation for High-Risk Roles

Browser Isolation prevents threats from reaching the endpoint by executing web content in a remote environment. The user only sees a safe rendering of the page; nothing active runs on their device.

Start by implementing isolation for roles most likely to be targeted or exposed:

  • Executives and assistants
  • Finance teams accessing third-party payment sites
  • HR teams reviewing resumes and external forms
  • Remote or BYOD users working outside your firewall

Choose isolation tools that integrate with your existing identity and access management (IAM) systems so you can enforce policies without disrupting user operations.

Browser Isolation is not just a defense; it’s a safety net for everyday mistakes.

4. Monitor Browser Sessions for Unusual Behavior

Use tools that can track browser activity at the session level. Look for signs like:

  • Repeated credential entries
  • Login attempts at odd hours
  • Interactions with unfamiliar or newly registered domains
  • Suspicious downloads initiated from cloud apps

Feed this telemetry into your SIEM or XDR platform to correlate with other user activity. Early indicators, like visiting a Good-to-Bad domain, often surface before a full compromise occurs.

Extra tip: Integrate browser session monitoring with identity platforms to detect anomalies tied to specific users or roles.

5. Adopt a Zero Trust Approach to Web Access

In a Zero Trust model, all content is treated as untrusted, no matter where it comes from. This means enforcing strict controls on who can access what, from where, and under what conditions.

Apply this mindset to browser protection by combining:

  • Identity verification (MFA, device trust)
  • Browser Isolation for unknown or uncategorized URLs
  • Conditional access policies for SaaS apps
  • DNS or SWG policies that limit access to risky categories

Rather than trying to detect every new HEAT tactic, Zero Trust assumes everything could be hostile, and prevents access unless it’s explicitly allowed.

Start with key apps like cloud storage, HR platforms, and finance systems, places where data is both valuable and vulnerable.

Why It’s Urgent to Act Now

Browser-based phishing jumped 198% in 2023. Zero-hour attacks rose 206%. Legacy tools missed malware for an average of six days before detection. The cost of a breach? $4.9 million on average.

Browser-based threats now account for the majority of malware delivery, far surpassing email, with industries like finance and healthcare among the most targeted.

These threats aren’t theoretical. They’re here, they’re working, and they’re evolving faster than traditional defenses can keep up.

Security That Supports the Way People Work

You can’t stop business in the name of security, but you can rethink how security works with the browser. HEAT attacks exploit visibility gaps and trust. Isolation and real-time monitoring close that gap, quietly, without breaking processes.

Blocking threats is important, but not the end goal. It’s keeping employees productive while making sure risks never reach them in the first place.

Organizations that act now, adapting their browser security to match the way people actually work, will be better protected, more agile, and ready for whatever’s next.

