The cybersecurity experts are constantly on the lookout for novel tactics for attack as criminal groups adapt to better defences against ransomware and phishing. However, in addition to the latest developments, some traditional strategies seem to be resurfacing—or rather, they never really went extinct.
Document-borne malware is one such strategy. Once believed to be a relic of early cyber warfare, this tactic remains a significant threat, especially for organisations that handle huge volumes of sensitive data, such as those in critical infrastructure.
The lure for perpetrators is evident. Routine files, including Word documents, PDFs, and Excel spreadsheets, are intrinsically trusted and freely exchanged between enterprises, often via cloud-based systems. With modern security measures focussing on endpoints, networks, and email filtering, seemingly innocuous files can serve as the ideal Trojan horse.
Reasons behind malicious actors using document-borne malware
Attacks utilising malicious documents seems to be a relic. It's a decades-old strategy, but that doesn't make it any less detrimental for organisations. Still, while the concept is not novel, threat groups are modernising it to keep it fresh and bypass conventional safety procedures. This indicates that the seemingly outdated method remains a threat even in the most security-conscious sectors.
As with other email-based techniques, attackers often prefer to hide in plain sight. The majority of attacks use standard file types like PDFs, Word documents, and Excel spreadsheets to carry malware. Malware is typically concealed in macros, encoded in scripts like JavaScript within PDFs, or hidden behind obfuscated file formats and layers of encryption and archiving.
These unassuming files are used with common social engineering approaches, such as a supplier invoice or user submission form. Spoofed addresses or hacked accounts are examples of email attack strategies that help mask malicious content.
Organisations' challenges in defending against these threats
Security analysts claim that document security is frequently disregarded in favour of other domains, such as endpoint protection and network perimeter. Although document-borne attacks are sufficiently commonplace to be overlooked, they are sophisticated enough to evade the majority of common security measures.
There is an overreliance on signature-based antivirus solutions, which frequently fail to detect new document-borne threats. While security teams are often aware of harmful macros, formats such as ActiveX controls, OLE objects, and embedded JavaScript may be overlooked.
Attackers have also discovered that there is a considerable mental blind spot when it comes to documents that appear to have been supplied via conventional cloud-based routes. Even when staff have received phishing awareness training, there is a propensity to instinctively believe a document that arrives from an expected source, such as Google or Office 365.
Mitigation tips
As with other evolving cyberattack strategies, a multi-layered strategy is essential to defending against document-borne threats.
One critical step is to use a multi-engine strategy to malware scanning. While threat actors may be able to deceive one detection engine, using numerous technologies increases the likelihood of detecting concealed malware and minimises false negatives.
Content Disarm and Reconstruction (CDR) tools are also critical. These sanitise and remove malicious macros, scripts, and active material while keeping the page intact. Suspect files can then be run through enhanced standboxes to detect previously unknown threats' malicious behaviour while in a controlled environment.
The network should also be configured with strict file rules, such as limiting high-risk file categories and requiring user authentication before document uploads. Setting file size restrictions can also help detect malicious documents that have grown in size due to hidden coding. Efficiency and dependability are also important here. Organisations must be able to detect fraudulent documents in their regular incoming traffic while maintaining a rapid and consistent workflow for customers.
