Threat playbook

Category: Malware Delivery

Drive-by downloads in the browser

A drive-by download occurs when a visit to a website triggers an unwanted download or malware installation, often without the user intending to download anything.

Quick answer

Browsers are complex: a single vulnerable plugin, extension, or browser component can turn “just browsing” into an endpoint infection path.

For drive-by content and risky downloads, isolation keeps untrusted web execution off the endpoint and makes each browsing session disposable.

Last updated

2026-01-29

How it usually happens in the browser

  • A user lands on a compromised site, malvertising landing page, or an attacker-controlled page.
  • Scripts fingerprint the browser and environment to decide which exploit or download prompt to show.
  • The site triggers a download automatically or nudges the user into clicking a deceptive prompt.
  • If a vulnerability is present, the payload can execute or drop additional malware.

What traditional defenses miss

  • Not every malicious payload looks like an executable—some are scripts, archives, or staged downloads.
  • Browser exploits can execute without obvious user actions; “don’t click downloads” isn’t always enough.
  • Endpoint tools may detect after execution rather than preventing the browser from reaching the payload.

How isolation changes the game

  • Isolation keeps risky web execution away from endpoints by running content in a separate container and streaming the safe output.
  • Downloads can be blocked, scanned, or routed through controlled workflows from the isolated environment.
  • Deleting isolated sessions reduces persistence and leftover state from risky browsing events.

Operational checklist

  • Block automatic downloads and restrict download types in risky browsing contexts.
  • Route unknown domains and ad-driven traffic into isolation by default.
  • Keep browsers and extensions patched; reduce the extension footprint across the org.
  • Add file-scanning gates for any downloads that must reach endpoints.
  • Instrument alerts for “download started” events from high-risk sources and investigate quickly.
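The checklist above asks for three things a detection team can actually script: a download-type restriction, a "route unknown and ad-driven traffic elsewhere" rule, and alerts on "download started" events from high-risk sources. The script below is an added example that is not part of this page or of the Legba product; it triages a batch of download events and decides, per event, whether to allow, alert, route to isolation/scanning, or block. The JSON-lines event schema (`ts`, `user`, `url`, `referrer`, `filename`, `user_initiated`), the trusted-domain allowlist, the ad-network hostname hints and the sample log are all constructed for the example; substitute the fields your browser telemetry or secure web gateway emits.

```python
"""Triage 'download started' events from browser or proxy telemetry.

Added example, not the page's or Legba's own code. The event schema,
allowlist, ad-network hints and sample log are constructed assumptions.
"""
import json
from urllib.parse import urlparse

# Extensions that often carry scripts, archives or staged payloads
# rather than a plain .exe (the "not every payload looks like an
# executable" point from the page). Constructed list; tune per org.
RISKY_EXTENSIONS = {
    "js", "jse", "vbs", "wsf", "hta", "ps1", "lnk", "scr",
    "iso", "img", "zip", "rar", "7z", "msi", "exe",
}

# Known-good download origins (constructed allowlist).
TRUSTED_DOMAINS = {"updates.example-vendor.com", "intranet.example.internal"}

# Substrings that hint at ad-delivery hostnames (constructed).
AD_NETWORK_HINTS = ("ads.", "adserv", "click.", "track.")


def _host(url: str) -> str:
    """Hostname of a URL, or '' when the URL is empty or unparsable."""
    return (urlparse(url or "").hostname or "").lower()


def classify_download(event: dict) -> dict:
    """Return {'action': ..., 'reasons': [...]} for one download event."""
    host = _host(event["url"])
    ref_host = _host(event.get("referrer", ""))
    name = event["filename"]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""

    reasons = []
    untrusted = host not in TRUSTED_DOMAINS
    ad_driven = any(h in host or h in ref_host for h in AD_NETWORK_HINTS)
    risky = ext in RISKY_EXTENSIONS
    automatic = not event.get("user_initiated", True)

    if untrusted:
        reasons.append("untrusted-domain")
    if ad_driven:
        reasons.append("ad-driven")
    if risky:
        reasons.append(f"risky-type:{ext}")
    if automatic:
        reasons.append("automatic-download")

    # Decision order mirrors the checklist: automatic downloads from
    # unknown origins are blocked outright; risky file types from unknown
    # or ad-driven origins go through isolation/scanning; anything else
    # off the allowlist is logged for a quick look; a risky type from a
    # trusted origin is allowed (it still carries its reason for audit).
    if automatic and untrusted:
        action = "block"
    elif risky and (untrusted or ad_driven):
        action = "isolate"
    elif untrusted or ad_driven or automatic:
        action = "alert"
    else:
        action = "allow"
    return {"action": action, "reasons": reasons}


def triage(log_text: str) -> list:
    """Parse JSON-lines events and attach a verdict to each."""
    verdicts = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify_download(event)
        verdicts.append({**event, **verdict})
    return verdicts


# Constructed sample telemetry: four download-started events.
SAMPLE_LOG = """
{"ts":"2026-01-29T09:01:00Z","user":"alice","url":"https://updates.example-vendor.com/agent-1.2.msi","referrer":"https://updates.example-vendor.com/","filename":"agent-1.2.msi","user_initiated":true}
{"ts":"2026-01-29T09:02:10Z","user":"bob","url":"http://cdn.unknown-host.example/invoice.zip","referrer":"https://ads.example-ad-network.example/landing","filename":"invoice.zip","user_initiated":false}
{"ts":"2026-01-29T09:03:45Z","user":"carol","url":"https://files.unknown-host.example/report.pdf","referrer":"https://search.example.com/","filename":"report.pdf","user_initiated":true}
{"ts":"2026-01-29T09:04:20Z","user":"dave","url":"https://dl.some-mirror.example/tool.hta","referrer":"https://forum.example.net/thread/42","filename":"tool.hta","user_initiated":true}
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f'{v["ts"]} {v["user"]:<6} {v["action"]:<8} {v["filename"]:<14} {", ".join(v["reasons"])}')
```

Running it prints one verdict per event: the vendor installer is allowed, the automatic archive download from an ad-driven landing page is blocked, the unknown-origin PDF raises an alert, and the `.hta` from an untrusted mirror is routed to isolation. The point of keeping the reasons alongside the action is that an analyst investigating the "download started" alert sees immediately which checklist rule fired.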




Access anything.
Expose nothing.

Legba is a disposable real browser: it spawns a clean session, does the work, and destroys itself on close.

chromium / real fingerprint · residential ip · burn on close

Real browser. Real IP. Real page. Spawn a session. Do the work. Destroy it. Off your device. Off your stack. Gone on close.