- Cofense report claims that threat actors manipulate extensions to effectively bypass SEG file filters
- Multi-layered defenses are crucial to combating file-based malware threats
- Employee awareness strengthens defenses against suspicious files
The use of compressed files as malware delivery mechanisms is evolving, presenting challenges for secure email gateways (SEGs), new research claims.
A recent report from Cofense highlights how cybercriminals are exploiting various archive formats to bypass security controls, particularly after a major Windows update in late 2023. Traditionally, .zip files have been the most common format used in malware campaigns because of their ubiquity and compatibility across operating systems.
However, Microsoft's introduction of native support for additional formats such as .rar, .7z, and .tar has expanded the arsenal of formats available to threat actors, since recipients can now open these archives without any third-party software. These newer formats now account for an increasing proportion of malicious attachments observed in SEG-protected environments.
Why files act as malware vectors
Password-protecting files is a common attacker tactic, as it prevents automated tools from analyzing the contents of the archive.
Between May 2023 and May 2024, Cofense identified 15 file formats used in malware campaigns. While .zip files dominated, accounting for up to 50% of the samples, formats like .rar, .7z, and .gz gained popularity, particularly after Microsoft's late-2023 update.
Certain malware families have a preference for specific file types. For example, StrelaStealer and NetSupport RAT are consistently delivered via .zip files. Other information stealers and remote access trojans (RATs) use a variety of formats depending on the delivery method.
Password-protected files pose an additional challenge for SEGs. While only about 5% of the malicious files observed were password protected, these files often evade detection: the gateway cannot open the archive without the password, and the password is supplied in the body of the lure email, where the gateway does not pick it up. This tactic, combined with embedded URLs that lead to sites hosting malware, allows attackers to bypass traditional defenses.
To counter the growing threat of malware-laden files, organizations are advised to adopt a multi-layered defense strategy. Employee awareness is critical, as well-trained staff can identify suspicious files, particularly those with unusual extensions or misleading double endings, such as “.docx.zip.”
Organizations should also restrict the use of file formats that lack a clear business purpose, such as .vhd(x) disk images, which are rarely necessary for email communication. Additionally, SEGs must be able to identify a file's real format from its content rather than its extension, detect discrepancies between the two, and handle password-protected archives, for example by quarantining any archive whose contents cannot be inspected.
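As an added example (not code from Cofense or from the article), the following Python script applies the three checks above to constructed sample attachments: it identifies the real container format from magic bytes at their standard offsets, flags mismatches with the claimed extension as well as double extensions, and detects password-protected ZIPs by reading the encryption bit in each local file header rather than relying on the extension or the central directory. The extension-to-container mapping and the "no business purpose" list are assumptions standing in for site policy; the sample attachments are built in memory. One caveat the mapping handles: OOXML documents (.docx, .xlsx, .pptx) are ZIP containers, so a naive "PK header but not .zip" rule would quarantine every Office attachment.

```python
"""Attachment triage by real container format rather than file name."""
import io
import struct
import zipfile

# Magic bytes at their standard offsets (tar's "ustar" sits at byte 257).
SIGNATURES = [
    ("zip",  0,   b"PK\x03\x04"),
    ("rar",  0,   b"Rar!\x1a\x07"),          # common prefix of RAR4 and RAR5
    ("7z",   0,   b"7z\xbc\xaf\x27\x1c"),
    ("gz",   0,   b"\x1f\x8b"),
    ("tar",  257, b"ustar"),
    ("vhdx", 0,   b"vhdxfile"),
]

# Assumption (site policy): which container a given extension should really be.
# OOXML documents are ZIP containers, so "report.docx" with a PK header is fine.
EXPECTED_CONTAINER = {
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "rar": "rar", "7z": "7z", "gz": "gz", "tgz": "gz", "tar": "tar",
    "vhd": "vhd", "vhdx": "vhdx",
}

# Assumption (site policy): disk images have no business purpose in mail.
NO_BUSINESS_PURPOSE = {"vhd", "vhdx"}


def detect_format(data: bytes):
    """Return the real container format from magic bytes, or None."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    # VHD keeps its "conectix" cookie in a 512-byte footer at the end of the file.
    if len(data) >= 512 and data[-512:-504] == b"conectix":
        return "vhd"
    return None


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP local file header has bit 0 (encryption) of its flags set.

    Walks the local headers directly instead of trusting the central
    directory, so a deliberately damaged directory does not hide the flag.
    """
    pos = data.find(b"PK\x03\x04")
    while pos >= 0 and pos + 8 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        if flags & 0x0001:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False


def triage(filename: str, data: bytes) -> dict:
    """Apply the three checks and return findings a SEG rule could act on."""
    exts = filename.lower().split(".")[1:]
    claimed = exts[-1] if exts else None
    actual = detect_format(data)
    expected = EXPECTED_CONTAINER.get(claimed)
    findings = []
    if len(exts) > 1:
        findings.append("double extension: " + ".".join(exts))
    if actual is None and expected is not None:
        findings.append(f"claims .{claimed} but no archive signature found")
    elif actual is not None and actual != expected:
        findings.append(f"extension .{claimed} does not match real format {actual}")
    if claimed in NO_BUSINESS_PURPOSE or actual in NO_BUSINESS_PURPOSE:
        findings.append("disk image format has no business purpose in mail")
    if actual == "zip" and zip_is_encrypted(data):
        findings.append("password-protected ZIP: contents cannot be scanned")
    return {"claimed": claimed, "actual": actual, "findings": findings,
            "verdict": "quarantine" if findings else "allow"}


def build_zip(encrypted: bool = False) -> bytes:
    """Constructed sample: a one-file ZIP, optionally with the encryption bit set.

    zipfile cannot write encrypted archives, so the encrypted variant flips
    bit 0 of the local header's general-purpose flag, which is all the
    scanner looks at (no real ciphertext is needed to exercise the check).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docx", b"not really a document")
    data = bytearray(buf.getvalue())
    if encrypted:
        struct.pack_into("<H", data, 6, struct.unpack_from("<H", data, 6)[0] | 1)
    return bytes(data)


# Constructed attachments, not samples from the report.
SAMPLES = {
    "invoice.zip": build_zip(),
    "invoice.docx.zip": build_zip(encrypted=True),
    "scan.pdf": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64,  # RAR5 header, .pdf name
    "report.docx": build_zip(),                            # OOXML really is a ZIP
    "backup.vhdx": b"vhdxfile" + b"\x00" * 64,
}


def triage_all(samples=SAMPLES) -> dict:
    """Verdict per filename, e.g. {'invoice.zip': 'allow', ...}."""
    return {name: triage(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        print(f"{name:18} {r['actual'] or '-':5} {r['verdict']:10} {'; '.join(r['findings'])}")
```

Run as-is and the script prints one verdict per constructed attachment: the plain .zip and the genuine .docx are allowed, the .pdf-named RAR is quarantined for the format mismatch, the .docx.zip is quarantined for both the double extension and the encryption bit, and the .vhdx is quarantined by policy. In a real mail-flow hook the same `triage` function would run on each MIME part before any content scanner, so that a password-protected or misnamed archive is never passed downstream as if it had been inspected.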