The Top HEAT Attacks of 2022

Hackers are getting smarter, and the number of cyberthreats is only going to rise in 2023. With the number of new threats individuals and organizations are seeing on a daily basis, cybersecurity experts are growing weary. As a majority of these attacks begin to surpass traditional security systems, historically complacent cybersecurity defenses must adapt to stop new threats in their tracks.

Menlo Security’s Menlo Labs research team continues to see that highly evasive adaptive threats (HEAT) attacks are some of the most prolific threats made against security systems in the past year. A HEAT attack is a class of cyberthreat that leverages web browsers as the attack vector and employs various techniques to evade multiple layers of detection in current security stacks. These attacks are hard to spot and even harder to thwart once one has breached a network. The key to protecting both individual and corporate devices against these attacks is understanding what they may look like and learning how to prevent them.

In a recent survey, we found that a third of organizations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day. Let’s take a look at the top HEAT attacks of 2022 and see what was learned from each attack.


A large-scale supply chain attack, codenamed Oktapus, impacted over 130 organizations. The Oktapus gang used highly targeted spear phishing campaigns to obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations.

The attackers targeted employees of companies that are Okta customers by sending a text message or an email to users that contained a link to a fraudulent Okta authentication page. Users were then asked to enter their username and password into a login and were then asked for their two-factor authentication code. The attackers had to act within the two-minute mark before the unique codes or push notifications expired. This means that they were most likely monitoring this process in real-time so they could use the victims’ credentials as soon as they were compromised.

To the average employee, the phishing scam looked authentic because they were sent individual codes associated with their Okta accounts, but security experts were able to identify these messages as malicious almost immediately.

Unfortunately for the organizations that were attacked, the HEAT tactic of shifting the attack from traditional channels to text messages, and the speed at which the 0ktapus hacker gang was able to act so quickly to evade the security layers that were in place proved the tactic works. After the initial security breach, they were almost impossible to stop or block.


Qakbot has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy on financial operations, spread itself, and install ransomware to maximize revenue from compromised organizations.

Qakbot generally arrives via email as its primary vehicle for the delivery of this malware. The recipients of these emails either contain password-protected attachments or use of links to websites with benign/good reputations to evade security systems.

This year, attackers behind Qakbot improvised their modus operandi to breach traditional security measures including HTML smuggling, email luring with hyperlinks, Excel 4.0 macros, and Follina exploit (CVE-2022-30190). Layering different adaptive techniques maximize the chances of success for the threat actors.

MICARD and AMEX Phishing Scam

While most of the HEAT attacks we saw this year targeted companies or large enterprises, a phishing campaign targeted Japanese MICARD and American Express users. This showcased how hackers can use these tactics to target individuals to access their personal data.

The initial vector of these attacks was an email with a link that directs the intended target to the phished page. The attackers behind this campaign used the geofencing technique to allow only Japanese IPs to access the website which limits the ability of security solutions to identify, analyze and block these fraudulent websites.

Classes of HEAT Attacks

The top HEAT attacks employ one or more of these four key evasive attack surface characteristics:
1. Evades URL Filtering
a. By using ephemeral and/or compromised malicious sites with benign categorization

2. Evades Email Security Tools
a. By expanding from email phishing links to other sources such as web, social media, SMS, professional docs, etc.

3. Evades File Based Inspection
a. By using dynamic file downloads (i.e. HTML smuggling).

4. Evades HTTP Content/Page Inspection
a. By using dynamically generated and/or obfuscated content (JavaScript code and images)

HEAT attacks are on the rise and bad actors have figured out how to navigate past traditional security measures. This is alarming to cyber experts as many organizations and individuals have not updated their security technology and thus are exposing themselves to these highly intelligent threats. As we enter 2023, the best way for cyber professionals to prepare themselves for a slew of new HEAT attacks is to learn from this past year and be able to better identify a HEAT attack before it compromises an enterprise’s security stack.

Avatar photo

Mark Guntrip

Mark Guntrip has over 20 years experience in security marketing including strategy, product management, and product marketing across enterprise and commercial markets. Specific market areas include advanced threat protection, web security, cloud-based security, firewalls, and managed security services. He has a proven track record of building success in new markets as well as promoting growth within more established areas. Prior to Menlo Security, Guntrip held various management roles with Proofpoint, Symantec, and Cisco.

mark-guntrip has 17 posts and counting.See all posts by mark-guntrip