I'm not sure if truly defeating such attacks is feasible, but if you demand employees use a (ssl terminating) proxy, you can at least monitor and/or log all traffic (not necessarily legal or ok in many jurisdictions) -- and so have a reasonable way to look for malware (possibly only useful after the fact).

That is if the routers inside your own network can be trusted. Paranoid turtles, all the way down.