
With corrupted docs, threat actors evade detection

Built-in recovery mechanisms aid the attack tactic, an ANY.RUN report finds.


Security researchers are exposing a new kind of corruption, and the abuse of trust is happening at the level of the email attachment itself.

IT pros have seen threat actors cleverly corrupting documents so they sneak past email security gateways. What happens next? The application recovers the document and its malicious contents.

Analysts from malware-analyzing service ANY.RUN shared research in December 2024 demonstrating how attackers are able to deliberately change the structure of archives and Office documents.

“The attackers corrupt files only to a certain point, so that they still can be recovered by their native applications (e.g., WinRAR for .zip and Word for .docx). When a user opens a corrupted file with its native application, such as Microsoft Word, the application’s recovery features repair the file, revealing the hidden malicious content,” Stas Gaivoronskii, ANY.RUN malware analyst, wrote in an email to IT Brew.

ANY.RUN shared attack details (and a demo of how the tactic works with a Word doc).

  • Manipulating document components, attackers create corrupted files that are then successfully put back together again, Humpty Dumpty-style, by the application.
  • A targeted user opens the attachment and clicks “Yes” on the built-in recovery prompt.
  • The method works, according to ANY.RUN, for a “simple” reason: Most antimalware tools do not have the recovery functionality found in apps like Word, which prevents some detectors from accurately identifying the type of corrupted file.
  • ANY.RUN shared one example of a recovered file featuring a “View Document” phishing link.
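As an added illustration of the detection gap the bullets above describe (my own example, not code from ANY.RUN or IT Brew), the Python below compares a strict ZIP parse with a recovery-style walk of the local file headers, the way a repair routine would read the file, and flags a document that only the second approach can read. It assumes entry sizes are stored in the local headers, and it uses a constructed sample document with a placeholder link rather than any file from the report.

```python
import io, re, struct, zipfile, zlib
LOCAL_HEADER = b"PK\x03\x04"
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")

def standard_parser_accepts(data: bytes) -> bool:
    """What a strict scanner sees: trust only what the central directory vouches for."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False

def carve_local_entries(data: bytes) -> dict:
    """Recovery-style parse: walk local file headers and ignore the central directory."""
    entries, pos = {}, 0
    while (pos := data.find(LOCAL_HEADER, pos)) >= 0 and pos + 30 <= len(data):
        _, _, _, method, _, _, _, csize, _, nlen, xlen = struct.unpack("<4sHHHHHIIIHH", data[pos:pos + 30])
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        body = data[start:start + csize]  # assumption: size is in the local header (no data descriptor)
        try:  # 8 = deflate, 0 = stored; anything else is left empty
            body = zlib.decompressobj(-15).decompress(body) if method == 8 else body if method == 0 else b""
        except zlib.error:
            body = b""  # damaged stream: keep the name, drop the content
        entries[name] = body
        pos = start + csize
    return entries

def triage(data: bytes) -> dict:
    """Flag a file a strict ZIP parser rejects that still carries recoverable Office parts."""
    parts = carve_local_entries(data)
    recoverable = "[Content_Types].xml" in parts and any(n.startswith(("word/", "xl/", "ppt/")) for n in parts)
    urls = sorted({u.decode() for body in parts.values() for u in URL_RE.findall(body)})
    parser_ok = standard_parser_accepts(data)
    return {"parser_ok": parser_ok, "recoverable_ooxml": recoverable, "urls": urls,
            "suspicious": recoverable and not parser_ok}

def build_sample_docx() -> bytes:
    """Constructed minimal .docx-shaped archive for the demo (not a sample from the report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:p>View Document</w:p></w:document>")
        zf.writestr("word/_rels/document.xml.rels", '<Relationships><Relationship Target="https://example.invalid/view" TargetMode="External"/></Relationships>')
    return buf.getvalue()

def damage_trailer(data: bytes) -> bytes:
    """Constructed test damage: blank the end-of-central-directory signature, which a strict parser needs and a recovery walk does not."""
    eocd = data.rfind(b"PK\x05\x06")
    return data[:eocd] + b"\x00" * 4 + data[eocd + 4:]
```

A scanner that stops at `standard_parser_accepts` sees an unreadable blob; the mismatch between the two parses is the signal worth alerting on, and the carved link is what the user would see after clicking “Yes”.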

Chris Campbell, senior VP, CISO, and head of technology at Bitsight, sees the tactic as an advancement of earlier evasion tactics like detecting virtual machines, attaching payloads that begin idle and execute later, and password-protecting a file.

“This latest novel attack is that further evolution of, ‘Hey, how can we bypass or evade the sandboxes?’” Campbell told us.

In May 2024, security vendor Trend Micro revealed that it detected and blocked 19.1 million malware files in 2023—a 349% increase from the previous year. “This substantial increase in file detection is due to the heightened use of phishing links within email attachments,” the report read.

Diego Matos Martins, X-Force incident response leader for Latin America, said he has seen at least two instances of the corrupted-file tactic; in one case, he said, the threat actor aimed to steal credentials by loading a replica Microsoft 365 site. To defend against the corruption, he recommended:

  • Email authentication standards like DKIM, DMARC, and SPF (“Basically, things that will say, ‘Hey, if I’m seeing a lot of emails coming from a specific sender, then I need to know that this sender is a validated one,’” Martins said)
  • Disabling macros
  • Awareness training for end-users, IT, and security teams
  • Web-traffic filters that block unknown URLs
  • Endpoint-detection tools
  • Multi-factor authentication, of the phishing-resistant variety

“Security systems have not yet developed a clear logic for detecting such attacks, exposing the security of their users,” ANY.RUN’s report said in its conclusion.
