What is a drive-by download?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You click a link in an email. The page loads. You don't click anything, don't download anything, don't fill out any forms. But your computer is now infected.

That's a drive-by download. The name describes exactly what happens: malware installs while you're just "driving by". Visiting the page. The attack works by exploiting vulnerabilities in your browser, browser plugins (PDF readers, media players), or operating system. When the malicious page loads, exploit code runs automatically, finds a vulnerability, and installs malware before you've done anything beyond visiting.

The email connection: phishing emails are often just the delivery mechanism to get you to the exploit page. The email itself is harmless. It's the link destination that does the damage.

What makes these attacks particularly effective is that the victim does nothing obviously wrong. Unlike opening a suspicious attachment, visiting a webpage feels routine and safe. (Which is exactly why attackers use this approach.)

The main defenses: keep browsers and plugins updated (most exploits target known vulnerabilities that patches already fix), use email security tools that scan links before they resolve, and train your team to avoid clicking unexpected links even from recognizable addresses. If you're worried your email links might be getting checked for malicious content, our email header analyzer can help inspect what's happening to your messages in transit.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Learn how to spot and stop drive-by download attacks.

I need to explain drive-by download risks to my team. We use describe your email client/security tools. What's the most important thing they should know about avoiding these attacks in practice? And what warning signs, if any, would appear when they land on a malicious page that's attempting a drive-by download?

Edit the yellow boxes, then send to the AI of your choice.