Kyle and Stan

How does CIS mitigate this threat? (assuming the parent
browser process is not sandboxed).

Once the victim gets redirected to the final URL, the website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique work not only for Windows, but for Mac operating systems alike.

I would assume the end result is an unknown downloaded file, so if the user uses HIPS then he'll get notifications for it, or if the user uses the auto-sandbox then the file will be sandboxed on launch. That's unless the malware is detected by the AV.

Or am I missing something?

Edit: You also have PrivDog which is installed alongside CIS unless you change it, which will by default replace ads with sanitized ads, effectively stopping malvertising.
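To make the "unique piece of malware for every user" point from the quoted write-up concrete, here is an added example (not code from the original post, from Cisco, or from Comodo). It builds two constructed stand-in bundles (a fake legitimate installer plus a constant malicious stub plus a per-victim config blob) and shows that a whole-file hash blocklist built from one victim's sample misses the next victim's file, while a signature on the invariant component, or behavioural controls such as HIPS and sandboxing, are not affected by the per-download variation. All byte strings and names are made up for the demonstration.

```python
import hashlib
import json
import os

# Constructed stand-in for the legitimate installer bytes (not a real media player).
LEGIT_INSTALLER = b"MZ" + b"\x00" * 64 + b"LegitMediaPlayerSetup v1.0"
# Constructed stand-in for the malicious component that is identical in every bundle.
MALWARE_STUB = b"MALSTUB:" + b"\xde\xad\xbe\xef" * 8


def build_bundle(victim_id, campaign="kyle-and-stan"):
    """Assemble one downloaded file: legit installer + constant malware stub +
    a per-victim configuration blob (the part that makes every download unique).
    The random nonce models whatever per-download data the dropper site injects."""
    config = json.dumps(
        {"victim": victim_id, "campaign": campaign, "nonce": os.urandom(8).hex()},
        sort_keys=True,
    ).encode()
    return LEGIT_INSTALLER + MALWARE_STUB + b"CFG:" + config


def file_hash(blob):
    """Whole-file SHA-256, the identifier a hash-based AV blocklist keys on."""
    return hashlib.sha256(blob).hexdigest()


def hash_blocklist_hit(blob, blocklist):
    """Whole-file hash lookup: the kind of signature a per-victim bundle defeats."""
    return file_hash(blob) in blocklist


def stub_signature_hit(blob):
    """Matching on the invariant malicious component still works regardless of
    the per-victim config appended to each download."""
    return MALWARE_STUB in blob


def demo():
    """Simulate an AV vendor that has seen victim A's sample and then meets victim B's."""
    sample_a = build_bundle("victim-a")
    sample_b = build_bundle("victim-b")
    blocklist = {file_hash(sample_a)}
    return {
        "hashes_differ": file_hash(sample_a) != file_hash(sample_b),
        "blocklist_catches_b": hash_blocklist_hit(sample_b, blocklist),
        "stub_sig_catches_b": stub_signature_hit(sample_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for the question above: a file hash is a poor indicator for this campaign because every download is distinct, so detection has to key on something the attacker cannot vary cheaply (the embedded payload, or what the file does when launched, which is where HIPS alerts and auto-sandboxing come in).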