Your employee visits a well-known news website during their lunch break. They do not click anything suspicious. They do not open any attachments. They do not respond to a phishing email. Yet within seconds of the page loading, malicious code executes silently in their browser and begins installing malware on their device. This is malvertising — one of the most insidious and under-appreciated threats facing businesses today, precisely because it requires no action from the victim beyond simply being online.

TL;DR — Key Takeaways

  • Malvertising delivers malware through legitimate ad networks onto reputable websites; the site itself is not compromised, and in the drive-by variant the victim does not have to click anything
  • Attackers get malicious ads into networks by building credible advertiser accounts, buying through resellers that vet poorly, abusing ad-serving software, and cloaking the payload with geo and user-agent targeting so ad network reviewers never see it
  • Drive-by downloads exploit unpatched browsers, plugins and operating systems silently; click-required attacks rely on social engineering such as fake update prompts
  • Patching, ad blocking on managed devices, DNS filtering, EDR and awareness training together remove most of the exposure, and all are affordable for small businesses

Visual Overview

flowchart LR
    A["Legitimate Ad Network"] --> B["Attacker Injects Malicious Ad"]
    B --> C["User Visits Trusted Site"]
    C --> D["Ad Loads Exploit Kit"]
    D --> E["Malware Downloaded"]
    E --> F["System Compromised"]
  

Malvertising (a portmanteau of "malicious advertising") refers to the use of online advertising infrastructure to distribute malware. Attackers inject malicious code into advertisements that are then served through legitimate ad networks onto reputable websites. The victim does not need to click the ad. In drive-by download attacks, simply rendering the page — and the ad it contains — is sufficient to trigger the infection. The website itself is not compromised; it is merely an unwitting delivery vehicle.

How Attackers Get Malicious Ads Into Legitimate Networks

The online advertising ecosystem is extraordinarily complex, involving multiple intermediaries between an advertiser and a publisher. Real-time bidding (RTB) systems process billions of ad impressions per day, with each ad slot filled in milliseconds through automated auctions. This scale and automation create significant opportunities for abuse: no human reviews the creative that wins a given auction, and the publisher rarely knows in advance which advertiser's code will run on its page.

Attackers exploit this system in several ways. They may create seemingly legitimate advertising accounts, run benign campaigns for weeks to build credibility, then switch the ad content to deliver malicious payloads. They may purchase advertising through resellers who do not perform rigorous vetting. They may exploit vulnerabilities in the ad-serving software itself to inject malicious code into otherwise legitimate ad creative. Some campaigns use geo-targeting and user-agent filtering to serve malicious content only to specific audiences — making detection by ad network security teams significantly harder.

Once a malicious ad enters the network, it can appear on hundreds of thousands of websites before the campaign is identified and removed. High-traffic news sites, entertainment platforms, weather services, and other reputable destinations have all served malvertising campaigns — not through any fault of their own, but because they rely on the same ad networks as every other publisher.

Drive-By Downloads vs Click-Required Attacks

Malvertising attacks fall into two broad categories, distinguished by whether the victim needs to interact with the ad:

Drive-By Downloads

The most dangerous variant. Malicious code embedded in the ad exploits vulnerabilities in the victim's browser, browser plugins (such as outdated PDF readers or media players), or operating system to execute automatically when the ad loads. The victim sees nothing unusual — no popup, no download prompt, no warning. The infection is entirely silent.

Drive-by downloads rely on unpatched vulnerabilities in client software. This is why keeping browsers, plugins, and operating systems updated is a frontline defence: each update closes the vulnerabilities that drive-by attacks depend on. A fully patched device dramatically reduces the attack surface available to drive-by malvertising.
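The chain a drive-by infection leaves behind (page, then ad slot, then a landing page on a domain the user never typed, then an executable download, all within seconds and with no click) is visible in web proxy logs even when the endpoint shows nothing. The following script is an added illustration for this article, not code from it: the log format, the field order, the host names and the ad-host list are all constructed, and the ad-host set is a placeholder for whatever ad-server list your organisation maintains.

```python
"""Flag drive-by download chains in web proxy logs.

Added illustration, not code from the article. Log format, hosts and the
AD_HOSTS set are constructed. Heuristic: an executable download whose HTTP
Referer chain, within a short window for the same client, leads back to an
ad-serving host is a candidate drive-by infection.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: "timestamp client method url status content-type referer"
SAMPLE_LOG = """\
2024-05-01T12:01:02Z 10.0.0.14 GET https://news.example/world/story-1 200 text/html -
2024-05-01T12:01:03Z 10.0.0.14 GET https://ads.adnet.example/serve?slot=top 200 text/html https://news.example/world/story-1
2024-05-01T12:01:03Z 10.0.0.14 GET https://cdn.adnet.example/creative/9921.js 200 application/javascript https://ads.adnet.example/serve?slot=top
2024-05-01T12:01:04Z 10.0.0.14 GET https://track-xyz.example/r 302 text/html https://ads.adnet.example/serve?slot=top
2024-05-01T12:01:04Z 10.0.0.14 GET https://landing-abc.example/gate.php 200 text/html https://ads.adnet.example/serve?slot=top
2024-05-01T12:01:05Z 10.0.0.14 GET https://landing-abc.example/update.exe 200 application/octet-stream https://landing-abc.example/gate.php
2024-05-01T12:07:30Z 10.0.0.22 GET https://vendor.example/downloads/tool.exe 200 application/octet-stream https://vendor.example/downloads/
2024-05-01T12:08:00Z 10.0.0.22 GET https://ads.adnet.example/serve?slot=side 200 text/html https://news.example/sports
"""

# Constructed ad-host list; in production derive it from a maintained ad-server list.
AD_HOSTS = {"ads.adnet.example", "cdn.adnet.example"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-dosexec", "application/x-msi"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr", ".hta", ".jar")
WINDOW = timedelta(seconds=60)  # how far back to follow the referrer chain

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")


@dataclass
class Entry:
    ts: datetime
    client: str
    url: str
    status: int
    ctype: str
    referer: Optional[str]


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, client, _method, url, status, ctype, ref = m.groups()
        entries.append(Entry(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                             client, url, int(status), ctype,
                             None if ref == "-" else ref))
    return entries


def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_payload(e: Entry) -> bool:
    """A successful response that looks like an executable download."""
    path = urlsplit(e.url).path.lower()
    return e.status == 200 and (e.ctype in EXECUTABLE_TYPES
                                or path.endswith(EXECUTABLE_SUFFIXES))


def find_drive_by_chains(entries: List[Entry], ad_hosts=AD_HOSTS, window=WINDOW) -> List[dict]:
    by_client: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_client[e.client].append(e)
    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda x: x.ts)
        for i, e in enumerate(evs):
            if not is_payload(e):
                continue
            # Requests this client made shortly before the download, keyed by URL,
            # so each hop's Referer can be resolved to the request that set it.
            recent = {r.url: r for r in evs[:i] if e.ts - r.ts <= window}
            chain, cur, seen = [e], e, {e.url}
            while cur.referer and cur.referer in recent and cur.referer not in seen:
                cur = recent[cur.referer]
                seen.add(cur.url)
                chain.append(cur)
            # Include referrer hosts too: the ad request itself may have been served
            # from cache and therefore never reached the proxy.
            hosts = {host(x.url) for x in chain} | {host(x.referer) for x in chain if x.referer}
            if hosts & ad_hosts:
                findings.append({"client": client, "payload": e.url,
                                 "ad_hosts": sorted(hosts & ad_hosts),
                                 "chain": [x.url for x in reversed(chain)]})
    return findings


if __name__ == "__main__":
    for f in find_drive_by_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} fetched {f['payload']} via ad host(s) {f['ad_hosts']}")
        for hop in f["chain"]:
            print("   ", hop)
```

On the sample, only 10.0.0.14 is flagged: its download of update.exe traces back through the landing page to the ad slot on the news site. The second client's tool.exe download is not flagged, because its referrer chain stays on the vendor's own site; the later ad request from that client is after the download and irrelevant. The tracker's 302 is skipped because redirects keep the original Referer, and the ad's own JavaScript creative is not treated as a payload. A real deployment would also feed the flagged landing and payload domains into the DNS filter discussed later in the article.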

Click-Required Attacks

These ads require the victim to interact — clicking the ad, which redirects them to a malicious website or triggers a download prompt. These attacks often mimic legitimate software update notifications ("Your Flash Player is out of date — click here to update"), fake antivirus alerts, or enticing offers. They require social engineering to succeed, but remain effective because many users do not scrutinise the source of what appear to be routine prompts.

What Malware Gets Delivered

The malware delivered through malvertising campaigns mirrors the broader threat landscape. Common payloads include:

  • Ransomware: Encrypting the victim's files and demanding payment for the decryption key. Ransomware delivered via malvertising has affected businesses across every sector and can spread laterally from the initial infection point to other devices on the same network.
  • Information stealers: Malware that silently harvests credentials, browser cookies, saved passwords, cryptocurrency wallets, and other sensitive data before exfiltrating it to the attacker's server.
  • Banking trojans: Specialised malware that intercepts online banking sessions, modifying transaction details or harvesting authentication credentials to enable financial fraud.
  • Cryptominers: Software that hijacks the device's processing power to mine cryptocurrency for the attacker, degrading system performance and increasing energy costs without the user's knowledge.
  • Backdoors and remote access trojans (RATs): Malware that establishes persistent access to the infected device, allowing the attacker to return later, escalate privileges, and move laterally through the network at their leisure.

Why Businesses Are at Particular Risk

Individual consumers face the same malvertising threat, but businesses face compounding risks that make the consequences significantly more severe.

Employees spend a substantial portion of their working day browsing the web — researching suppliers, reading industry news, checking reference materials. Each browsing session on an unprotected device is a potential exposure. A single infected endpoint connected to a corporate network can serve as a bridgehead for attackers to move laterally to file servers, databases, and other systems holding sensitive business or customer data.

Small businesses often rely on a small number of devices, meaning a single malvertising infection can disproportionately impact operations. They also frequently lack the layered security controls — endpoint detection and response, network segmentation, centralised log monitoring — that would contain an infection before it spreads. Coupled with the reality that many small businesses run software that is not consistently patched and updated, the conditions for a successful malvertising attack are often present.

Defending Your Organisation Against Malvertising

Keep All Software Rigorously Updated

Drive-by download attacks depend on unpatched vulnerabilities. A disciplined patch management programme — covering operating systems, browsers, browser extensions, and any installed plugins — is the single most impactful technical control against this category of attack. Configure browsers to update automatically and audit managed devices regularly to confirm updates are being applied. Remove legacy plugins such as Adobe Flash (now end-of-life) entirely, as these are disproportionately targeted.

Deploy Ad Blockers on Managed Devices

Browser-based ad blocking extensions prevent most malvertising from rendering at all. By blocking the third-party ad scripts before they load, ad blockers remove the delivery mechanism for the majority of malvertising campaigns. Deploying a reputable ad blocking extension such as uBlock Origin as a standard configuration on all managed employee devices is a low-cost, high-impact control; push it through your browser's enterprise policy (force-installed extension lists exist for both Chrome and Firefox) rather than relying on users to install it. One caveat: uBlock Origin is a Manifest V2 extension and Chrome has been phasing out Manifest V2, so confirm which blocker your browser fleet can still run (uBlock Origin Lite is the Manifest V3 variant). It will not catch everything, but it removes the bulk of the attack surface.

Use DNS Filtering

DNS filtering services block connections to known malicious domains at the network level: the landing and exploit-kit domains a malicious ad redirects to, and the servers an installed payload later contacts for command-and-control or additional components. Cloud-based DNS filtering can be applied to all devices on your network and, with appropriate client software, to remote devices as well. Many services maintain continuously updated threat intelligence feeds that add newly identified malvertising infrastructure shortly after it is reported. Make sure managed browsers are configured to use your filtered resolver rather than their own DNS-over-HTTPS settings, otherwise their queries bypass the filter entirely.

Invest in Modern Endpoint Protection

Traditional antivirus software detects known malware by signature — it recognises threats it has seen before. Modern endpoint detection and response (EDR) solutions use behavioural analysis to identify suspicious activity even from previously unseen malware. For businesses where devices are regularly used to browse the internet, EDR provides a meaningful additional layer of defence against novel malvertising payloads that have not yet been added to signature databases.

Train Employees to Recognise Suspicious Prompts

For click-required malvertising attacks, employee awareness remains a critical defence. Staff should be trained to be sceptical of any prompt to install software, update a plugin, or download a file that appears during normal web browsing — particularly when the source is an advertisement rather than the website itself. Safe browsing habits training should explicitly cover malvertising scenarios alongside phishing awareness.

What to Do If an Employee Is Infected

If you suspect a device has been compromised through a malvertising attack, act immediately:

  1. Isolate the device. Disconnect it from the network, both wired and wireless (or use your EDR console's network isolation if you have one), to prevent lateral spread. Do not shut it down or reboot it: that destroys volatile evidence such as memory, which is often the only place an in-memory payload and its network connections can be recovered from.
  2. Alert your IT team or managed service provider. They should begin forensic analysis to understand the nature and scope of the infection before any remediation begins.
  3. Identify what was accessible. Determine what systems, credentials, and data the infected device had access to. This scope informs both the remediation effort and any notification obligations.
  4. Change credentials. Assume any credentials stored on or recently used from the compromised device are exposed. Prioritise changing passwords for email, financial systems, and any cloud services the device accessed, and revoke active sessions and tokens for those accounts, since information stealers take browser cookies as readily as passwords.
  5. Notify your cyber insurer. If data has been accessed or systems have been compromised, contact your insurer promptly. Most policies require timely notification and provide access to incident response resources.
  6. Consider regulatory obligations. If customer or employee personal data may have been accessed, assess your notification obligations under GDPR or other applicable data protection regulations. Under GDPR the 72-hour window for notifying the supervisory authority starts when you become aware of the breach, so the scoping in step 3 needs to start promptly.

Malvertising is a threat that exploits the infrastructure of the modern web — infrastructure that your employees interact with every working day. Unlike phishing, it does not require a lapse in judgement; unlike ransomware delivered via email, it does not need anyone to open an attachment. Defending against it requires a combination of technical controls and organisational practices that, taken together, dramatically reduce the likelihood of a successful attack. The good news is that most of these controls — browser updates, ad blockers, DNS filtering, and endpoint protection — are accessible and affordable for businesses of any size.