Malicious password-protected files

What is a malicious password-protected archive file?

In an attempt to make malicious content impossible to detect, threat actors often use password-protected files and archives. Security solutions that are designed to analyze file content have no visibility inside the archive, making it impossible for them to detect any malicious intent. These files are often distributed via phishing emails or shared drives to conceal malicious payloads within commonly used and legitimate file formats.

How do malicious password-protected files work?

Malicious password-protected archive files are designed to deceive users and bypass commonly deployed inspection engines to deliver malware and ransomware down to a user’s endpoint. Threat actors know that most organizations set their security policies to allow password protected files to pass through to end users, as security does not want to be seen to be impacting business operations. This creates an opportunity for them to strike.

What makes enterprises susceptible?

Password protected files and archives are used for legitimate business reasons, and therefore should not be blocked by default. Several factors can make an individual or an organization more susceptible to malicious password-protected archive files. These include:

• Relying on sandboxing analysis as the core element in determining if content is malicious
• Opening files from untrusted sources (web or email). Make sure to validate the website you are working on or the email user you are communicating with
• Lax security policies that are set to allow all when it comes to specific file types or archive files

It’s important to note that malicious password-protected archive files can be delivered using a combination of these techniques and can vary in sophistication.

How do I prevent myself from being the victim of a malicious password-protected archive file attack?

Password-protected archive files are used every day for legitimate business purposes. To reduce the risk of falling victim to these malicious password-protected archive files, it is important to make sure your users are only opening files from trusted sources and are cautious of emails or messages that are requesting you to open these password-protected archive files, especially if they are unsolicited or seem suspicious. The challenge with these best practices is that it relies on the conscientiousness of the user to hopefully avoid accidentally opening a malicious attachment. Many organizations should consider the use of a cloud-based Browser Security solution that protects against this type of attack automatically. A Browser Security solution intercepts the users’ web browsing sessions in a virtual browser in the cloud instead of the user’s endpoint device and prompts the end user to enter the password to open the archive. Once the archive is unlocked, the content can be scanned for threats before being downloaded to the endpoint, ensuring the prevention of threats.

With granular visibility and control over activity inside the browser, organizations can greatly reduce their attack surface and ensure that users and their endpoints are completely protected against any malicious content and highly evasive threats when viewing password-protected archive files.