A drive-by download is an unintended download of malicious code or software that occurs when a user visits a compromised website, a malicious page, or a site served by an infected ad network. It may happen without any click, or after the user clicks a deceptive prompt they do not fully understand. MITRE ATT&CK catalogs the broader technique as Drive-by Compromise under Initial Access.
Attackers place exploit code on a website, ad, script, iframe, or browser-facing component. When a vulnerable browser, extension, plug-in, or operating system loads that content, the code attempts to download malware, run a payload, or redirect the user to another exploit site. The Australian Cyber Security Centre notes that these attacks often exploit weaknesses in browsers or plug-ins.
Common outcomes include spyware, ransomware loaders, remote access tools, credential theft, and botnet enrollment.
| Attack path | What happens |
|---|---|
| Compromised website | Legitimate page serves injected malicious code |
| Malvertising | Ad networks deliver hostile scripts or redirects |
| Fake update prompt | User installs malware disguised as a browser or software update |
| Exploit kit | Site fingerprints the device and serves a matching exploit |
Drive-by attacks reduce reliance on phishing success. A user may only need to browse a normal-looking page during routine work. That makes endpoint hardening, patching, browser control, and least-privilege access critical.
For managed fleets, Hexnode UEM can support this defense by helping IT teams enforce OS updates, configure browser restrictions, manage apps, and apply security policies across corporate endpoints.
Unexpected browser redirects, sudden software downloads, fake update alerts, unusual pop-ups, and degraded system performance may indicate a drive-by compromise attempt. Security teams should also watch for unauthorized browser extensions, abnormal outbound traffic, and unknown processes launched through browsers or scripting engines. Early detection helps contain malware before attackers gain persistence or move laterally across the environment.
Keep browsers, operating systems, and applications patched. Remove unsupported plug-ins, restrict unauthorized software, block risky sites, use DNS/web filtering, and run endpoint protection. Security teams should also limit local admin rights and monitor unusual downloads, script execution, and browser-spawned processes.
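As an added illustration of the browser-spawned-process signal mentioned in the two paragraphs above (example code written for this page, not code from the original article or from Hexnode), the following Python flags process-creation events whose parent is a web browser and whose child is either a scripting engine or an executable launched from a download or temp directory. The event shape, field names, and process lists are assumptions, and the events are constructed samples.

```python
# Flag process-creation events that match the "browser spawned something
# it normally should not" pattern left behind by many drive-by compromises.
# Assumptions: events are dicts in a Sysmon-like shape; the browser,
# scripting-engine and directory lists are illustrative, not a product schema.
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_ENGINES = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Directory names a browser-delivered "update" or dropper typically lands in.
USER_WRITABLE_DIRS = {"downloads", "temp"}


def classify(event):
    """Return a reason string if the event is a suspicious browser child, else None."""
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    child_path = PureWindowsPath(event["image"])
    child = child_path.name.lower()
    if parent not in BROWSERS:
        return None  # rule only covers processes spawned directly by a browser
    if child in SCRIPT_ENGINES:
        return f"{parent} spawned scripting engine {child}"
    # Compare each path component, so "temp" does not match "template".
    if any(part.lower() in USER_WRITABLE_DIRS for part in child_path.parts):
        return f"{parent} launched executable from user-writable path {child_path}"
    return None


def scan(events):
    """Return (event_id, reason) for every event that classify() flags."""
    return [(e["event_id"], r) for e in events if (r := classify(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"},   # benign PDF handoff
    {"event_id": 2, "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # script engine
    {"event_id": 3, "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Users\alice\Downloads\ChromeUpdate.exe"},             # fake update dropper
    {"event_id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # not browser-spawned
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Events 2 and 3 are reported; the PDF reader handoff and the explorer-launched PowerShell are left alone, which is the precision a rule like this needs before it goes into an alerting pipeline.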
A drive-by download is not the same as phishing. Phishing mainly tricks users into revealing data or opening malicious content, whereas a drive-by attack focuses on silently or deceptively delivering code through web exposure alone.
Drive-by downloads can originate from legitimate websites. MITRE notes that adversaries may compromise legitimate sites, modify their scripts, use malvertising, or inject content through web features.