Organizations Need To Adopt A Targeted Approach To Browser Security: Menlo Security Report

Evasive attacks – those that utilize a range of techniques meant to evade traditional security controls – are growing at a faster rate than other types of browser-based phishing attacks because cybercriminals know they have a higher rate of success employing these methods. Evasive threats now make up 30% of total browser-based phishing attacks and include tactics such as SMS phishing (smishing), Adversary in the Middle (AITM) frameworks, image-based phishing, brand impersonation or Multi-Factor Authentication (MFA) bypass.

Menlo Security has released its 2023 State of Browser Security Report, demonstrating rapid growth of Highly Evasive Adaptive Threats (HEAT) targeting the browser. The research uncovered a 198% increase in browser-based phishing attacks in the second half of 2023 compared to the first half of the year. When specifically looking at attacks classified as evasive, the researchers observed a 206% increase.

Browser usage across managed and unmanaged devices has skyrocketed in recent years, exposing an immense attack surface that enterprises are struggling to cover. Traditional network-based security controls are not detecting zero-hour phishing attacks that deliver ransomware and steal credentials. Over a 30-day period, the Menlo Labs Threat Research team observed more than 11,000 zero-hour phishing attacks that exhibited no signature or digital breadcrumb, meaning no existing Secure Web Gateway (SWG) or endpoint tool could detect and block those attacks. The team also discovered that 75% of phishing links are hosted on known, categorized or trusted websites, not on websites that can be easily identified as malicious or fly-by-night.

To compile this report, the Menlo Labs Threat Research team examined threat data and browser telemetry gathered from Menlo Security Cloud, including over 400 billion web sessions during 2023. Additionally, the team took a closer look at a 30-day period in Q4 2023 to glean more specific insights about cybercriminals’ evolving tactics and attack patterns. Other key findings from the State of Browser Security Report include:

  • Over 550,000 browser-based phishing attacks were detected in the last 12 months.
  • Legacy Reputation URL Evasion (LURE) attacks increased by 70% since 2022. In a LURE attack, threat actors evade web filters that attempt to categorize domains based on implied trust.
  • More than 73% of LURE attacks originated from categorized websites, based on 1 million URLs analyzed by Menlo Security researchers.
  • Six days is the average latency between when a zero-hour phishing attack first appears and when it is finally added to the detection mechanism for traditional security tools.

“Evasive techniques are handcrafted to fly under the radar and are particularly hard for security teams to spot. Unfortunately, modern security tooling such as SWG and Endpoint Security are ineffective as attackers are able to bypass these protections,” said Devin Ertel, Chief Information Security Officer of Menlo Security. “However, our research found that browser security was able to stop these zero-hour phishing attacks even when they exhibited sophisticated evasion. Organizations must adopt a targeted approach to browser security by leveraging various AI-based approaches – including object detection, URL risk assessment, and web page element analysis – to fight against today’s evasive cyber threats.”

Monika Chauhan
Monika has over 15 years of varied experience in areas like content writing, editing, proofreading, corporate communications, and teaching. Through her authentic writing style, she has created well-researched, engaging, and valuable content for websites and publications in the technology, electronics and finance niches.