* [Blog](https://www2.paloaltonetworks.com/blog)
* [Network Security](https://www2.paloaltonetworks.com/blog/network-security/)
* [Announcement](https://www2.paloaltonetworks.com/blog/category/announcement/)
* Meet Exfiltration Shield:...

# Meet Exfiltration Shield: Prevent Relayed Data Exfiltration Attacks

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fnetwork-security%2Fexfiltration-shield-prevents-relayed-data-exfiltration-attacks%2F)  
[](https://twitter.com/share?text=Meet+Exfiltration+Shield%3A+Prevent+Relayed+Data+Exfiltration+Attacks&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fnetwork-security%2Fexfiltration-shield-prevents-relayed-data-exfiltration-attacks%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fnetwork-security%2Fexfiltration-shield-prevents-relayed-data-exfiltration-attacks%2F&title=Meet+Exfiltration+Shield%3A+Prevent+Relayed+Data+Exfiltration+Attacks&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/network-security/exfiltration-shield-prevents-relayed-data-exfiltration-attacks/&ts=markdown)  
\[\](mailto:?subject=Meet Exfiltration Shield: Prevent Relayed Data Exfiltration Attacks)  
Link copied  
By [Rajesh Gwalani](https://www.paloaltonetworks.com/blog/author/rajesh-gwalani/?ts=markdown "Posts by Rajesh Gwalani"), [Nina Smith](https://www.paloaltonetworks.com/blog/author/nina-smith/?ts=markdown "Posts by Nina Smith") and [Olivia Vort](https://www.paloaltonetworks.com/blog/author/olivia-vort/?ts=markdown "Posts by Olivia Vort")  
Mar 05, 2025  
5 minutes  
[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown)  
[Data Security](https://www.paloaltonetworks.com/blog/network-security/category/data-security/?ts=markdown)  
[Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)  
[Advanced DNS Security](https://www.paloaltonetworks.com/blog/tag/advanced-dns-security/?ts=markdown)  
[Advanced Threat Prevention](https://www.paloaltonetworks.com/blog/tag/advanced-threat-prevention/?ts=markdown)  
[CDSS](https://www.paloaltonetworks.com/blog/tag/cdss/?ts=markdown)  
[Data Exfiltration Attacks](https://www.paloaltonetworks.com/blog/tag/data-exfiltration-attacks/?ts=markdown)  
[Exfiltration Shield](https://www.paloaltonetworks.com/blog/tag/exfiltration-shield/?ts=markdown)

Cybercriminals are evolving, and their latest technique for stealing sensitive data is nearly invisible to traditional defenses. Instead of breaking in through conventional methods, attackers now use a slow and stealthy approach, exfiltrating data by hiding inside host headers of web requests. To stop this, we're introducing a new feature, Exfiltration Shield, that prevents [data exfiltration](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration) via DNS relay attacks.

# How Attackers Are Bypassing Defenses

Imagine a thief trying to smuggle stolen jewelry out of a high-security building. If they walk out the front door with a bag of stolen goods, security will stop them immediately. Instead, they hide small pieces of jewelry inside everyday mail, letters, invoices, or packages, going to well-known, trusted companies. Since security doesn't usually check these types of outgoing mail, the stolen jewelry passes through unnoticed.

How does the thief get the stolen jewelry back? The mail is first sent to trusted companies, which then unknowingly forward it to an address controlled by the thief. Once intercepted, the thief collects and reassembles the stolen pieces, completing the heist without ever being detected.

This is exactly how relayed data exfiltration via HTTP headers works. Instead of sending stolen data in large chunks, which might raise red flags, attackers break it into tiny pieces and hide it inside web traffic that goes to trusted websites. Many security tools only focus on the most obvious threats, like hacking attempts or malware. Still, they don't inspect the details inside web traffic, especially the host headers, which are a behind-the-scenes part of web communication.

# Why Relayed Data Exfiltration via HTTP Headers Is Dangerous

The reason this is such a huge problem is that traditional security tools don't catch it.

* Most security systems don't check host headers in HTTP and TLS requests, meaning attackers can hide stolen data in plain sight.
* The attack leverages trusted domains, so security tools don't flag the traffic as suspicious.
* New websites are created every day, giving attackers an ever-growing pool of domains to exploit, making it nearly impossible to manually block every potential threat.

A recent study tested one million top websites and found that attackers were leveraging many of them for data exfiltration, exploiting trusted domains to evade detection. That means even web traffic that looks benign could be leaking sensitive data without you ever realizing it.

# How Exfiltration Shield Stops It

To combat this stealthy and highly evasive attack, we've developed Exfiltration Shield, an industry-first feature that combines relay detection in [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention) (ATP) with FQDN validation in [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security) (ADNS) to extract hostnames in web requests and verify those domains in real time. Unlike traditional security solutions that rely on limited header inspection and outdated signature-based detection, Exfiltration Shield automates detection and blocking with no manual configuration required.

Attackers take advantage of millions of trusted host websites, using them to exfiltrate data without validation. Our solution cuts them off at the source, stopping exfiltration before it can begin. Here's how:

* \*\*Unmatched Visibility:\*\*Analyzes every HTTP and TLS request, ensuring attackers can't hide stolen data where traditional security tools aren't looking.
* \*\*Real-Time Blocking:\*\*Automatically detects and stops malicious traffic, eliminating the need for security teams to track every possible website attackers might exploit manually.
* \*\*Adaptive Protection:\*\*Uses AI-powered analysis to instantly identify and block emerging threats without relying on outdated, signature-based security.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/03/word-image-335879-1.png)

*Exfiltration Shield blocks data exfiltration by preventing DNS relay attacks via HTTP headers.*

This isn't just another feature, it's a key part of our ongoing mission to provide consistent, best-in-class protection everywhere. By combining the strengths of two of our security subscriptions, [ATP](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention)and [ADNS](https://www.paloaltonetworks.com/network-security/advanced-dns-security), we deliver best-in-class protection that works seamlessly to stop even the most sophisticated threats. This is the power of [platformization](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization).

# Protecting Against the Latest Attack Techniques: The Proof Is in the Data

And the data speaks for itself. Our latest advancements in [Cloud-Delivered Security Services (CDSS)](https://www.paloaltonetworks.com/network-security/security-subscriptions) show the real impact of our continuous innovation:

* We've seen an**18% increase in events --** analyzed daily, from an average ≤4.6 billion to now ≤5.43 billion, which includes benign and malicious activity across files, URLs, domains and network sessions.
* What's most troubling is that\*\*new and unique attacks have increased by ~4X --\*\*every day (increasing from ≤2.3 million to ≤8.95 million). This includes detections of new threats like relayed attacks.
* Of all these threats, we're\*\*blocking ~3X more attacks inline --\*\*Jumping from ≤11.3 billion to ≤30.9 billion each day, stopping them in real-time before they reach the network, endpoint or user, preventing damage before it even starts.

# Now Available: Get Industry-Leading Protection Today

Exfiltration Shield is now generally available. If you're a current ATP customer, you can [enable inline cloud analysis](https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/configure-inline-cloud-analysis) in your configuration to start protecting your organization from data exfiltration immediately.

If you are not an ATP customer yet, now is the time to upgrade. [Contact a sales representative today](https://start.paloaltonetworks.com/secure-your-enterprise-contact-us.html) to learn how you can get best-in-class security that stops evasive threats before they cause harm.

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### The Rise of Advanced Attacks --- What Business Leaders Need to Know](https://www2.paloaltonetworks.com/blog/2025/03/rise-advanced-attacks-what-business-leaders-need-to-know/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/network-security/category/data-security/?ts=markdown), [Precision AI](https://www.paloaltonetworks.com/blog/category/precision-ai/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Redefining DNS Protection](https://www2.paloaltonetworks.com/blog/2025/07/redefining-dns-protection/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/network-security/category/data-security/?ts=markdown), [Network Perimeter](https://www.paloaltonetworks.com/blog/network-security/category/network-perimeter/?ts=markdown), [Partner Integrations](https://www.paloaltonetworks.com/blog/sase/category/partner-integrations/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Palo Alto Networks Prevents Data Loss at Enterprise Scale with NVIDIA](https://www2.paloaltonetworks.com/blog/2024/10/data-loss-at-enterprise-scale-with-nvidia/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### The Power of Glean and Prisma AIRS Integration](https://www2.paloaltonetworks.com/blog/2026/02/power-of-glean-and-prisma-airs-integration/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### New Year, New Program, New Opportunities](https://www2.paloaltonetworks.com/blog/2026/02/new-year-new-program-new-opportunities/)

### [AI Application Security](https://www.paloaltonetworks.com/blog/network-security/category/ai-application-security/?ts=markdown), [AI Governance](https://www.paloaltonetworks.com/blog/category/ai-governance/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Palo Alto Networks Announces Support for NVIDIA Enterprise AI Factory](https://www2.paloaltonetworks.com/blog/2026/01/support-nvidia-enterprise-ai-factory/)

### Subscribe to Network Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language