Threat Detection Library


Troj/Iframe indicates that Sophos has blocked access to a malicious inline frame or IFRAME being loaded by a webpage.

IFRAME is an HTML tag that enables one webpage to embed content from another website.

Iframe detections indicate malicious components loaded by webpages, typically to download further malicious code silently from a different website. These malicious web components are often inserted into clean websites; this can happen due to a database hack through SQL injection, through malicious web advertising subverting an ad network, or through attacks on third-party web components used by the site.

The HTML IFRAME element, when abused, can be used to load code not present on the original page. Unsuspecting users who visit and trust the previously clean site can be subjected to malicious file downloads or to hijacking of the web session that directs them to malicious content.

Attackers will typically use malicious IFRAMEs by compromising a legitimate site to include their malicious IFRAME code. The attacker’s malicious IFRAME code can attempt to download malicious code from another, malicious website as part of a social engineering attack. The IFRAME can make it seem that the malicious code isn’t coming from a malicious site but is instead coming from the (compromised) trusted website.
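
A site owner can audit served pages for frames that were not placed there deliberately. The following is an added example, not Sophos's detection logic: it lists every iframe whose source host falls outside an allowlist. The allowlist, the sample page and the hidden-frame heuristic are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist: hosts this site intentionally embeds (assumption).
ALLOWED_FRAME_HOSTS = {"www.example.com", "player.video.example"}

# Constructed sample page: two expected frames and one injected frame.
SAMPLE_PAGE = """<html><body>
<h1>News</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="https://player.video.example/embed/42"></iframe>
<iframe src="//stats.injected.invalid/in.html" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""


class IframeAudit(HTMLParser):
    """Collect every <iframe>, resolving its src against the page URL."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative and protocol-relative URLs resolve against the page.
        src = urljoin(self.page_url, a.get("src", "").strip())
        style = a.get("style", "").replace(" ", "").lower()
        # Assumed heuristic: a frame sized 0/1 px or styled invisible.
        hidden = (a.get("width") in ("0", "1")
                  or a.get("height") in ("0", "1")
                  or "display:none" in style
                  or "visibility:hidden" in style)
        self.frames.append({"src": src, "hidden": hidden,
                            "host": urlsplit(src).hostname or "",
                            "line": self.getpos()[0]})


def unexpected_iframes(html, page_url, allowed=ALLOWED_FRAME_HOSTS):
    """Return iframes whose host is not in the allowlist."""
    audit = IframeAudit(page_url)
    audit.feed(html)
    audit.close()
    return [f for f in audit.frames if f["host"] not in allowed]


if __name__ == "__main__":
    for f in unexpected_iframes(SAMPLE_PAGE, "https://www.example.com/news/"):
        print(f"line {f['line']}: {f['src']} hidden={f['hidden']}")
```

Run against the pages as served rather than against templates, since content injected through the database only appears in the rendered output.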

It's generally easier for attackers to compromise legitimate sites to change HTML code than to host malicious code. This is one reason why attackers utilize IFRAME attacks.

Malicious IFRAMEs were a common attack vector in the mid-2000s and early 2010s.

You can find information about Iframe attacks on Sophos Naked Security and on the Sophos X-Ops blog.

If you believe this detection is incorrect, please report this file to Sophos Support.
