Neko Papez | May 02, 2023
Attackers are constantly crafting new ways to evade enterprise cybersecurity defenses. Consider how both phishing attacks and malware delivery are evolving: in this case, through password-protected files used to infect endpoints. It is a growing risk for all organizations.
There was a time when nearly all phishing attacks, whether crafted to harvest credentials from an unsuspecting target or to distribute a malware payload, were delivered via email. No more. Because email has lost its dominion as the singular communication channel it once was, threat actors are increasingly targeting other channels, such as text messages, social media direct messaging, and collaboration tools. Attackers are not only turning to these other channels and improving their social engineering tactics; they are also using an old and very effective evasion technique: password-protected files carrying malicious payloads.
Their goal is to evade the protections enterprises have put in place to defend email: anti-virus, content filters, and signature-based security tools. Attackers find new delivery vectors by sending phishing attacks over channels other than email, and they hide the malicious payload itself behind encryption.
Attackers use password-protected files, typically delivered through a phishing email, to obfuscate payloads within widely used and legitimate file formats. By encrypting their payloads within these files, the attackers make it much more difficult for traditional anti-malware engines and content filters to identify and stop this malicious content. Despite the risk of malware-infected password-protected files, most organizations have decided not to block them at the email gateway because it can dramatically hurt productivity.
The password-protected file types attackers use most often to deliver their malicious payloads are Microsoft Word and Excel documents (Excel lures have become more common since Microsoft began blocking macros by default in Office documents downloaded from the internet), PDF files, and ZIP archives.
Let’s examine how these attacks work.
Because password-protected files are encrypted, their contents can't be read without the password, so most security tools, which don't have it, cannot open and examine them. Consider how this undermines the defenses in place at a typical organization. A threat actor sends a password-protected file through social media messaging or email. To add credibility to the social-engineering side of the attack, the attacker uses file names that will entice the target, such as an invoice or financial information. The attacker also sometimes texts or emails the password for the protected file in a separate communication, trying to add further legitimacy.
The password-protected file containing malware then moves through the defenses as follows:
Because the file is encrypted and carries a commonly used file extension, the organization lets it pass through the email gateway and through any security sandboxes or automated analysis tools (which don't have the password) on to the user. If the file later encounters a network security scanning engine, it is again allowed through to the end user, for the same business-productivity reasons.
The phishing message and attachment finally reach the endpoint. Posing as a trusted vendor or perhaps a colleague from another department, the attacker tricks some percentage of users into opening the attachment and entering the password provided. The user opens the document, or clicks an embedded link that launches the web browser, and the endpoint is infected.
As mentioned above, attackers could skip email altogether and leverage social media channels to deliver phishing attacks. Here, attackers will send a social media message with a link that launches the web browser and goes to an external storage service such as Box, Dropbox, or Google Drive. In this scenario, the malicious password-protected file is automatically downloaded to the endpoint. The user clicks on the file and enters the password. The attack is identical to the above, except there’s no email necessary. The entire attack occurs within an app and the web browser, or just the web browser.
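To make the flow above concrete, here is an added example in Python (not Menlo's code and not from the original post). It builds a ZipCrypto-encrypted ZIP the way commodity archive tools do, then shows what a gateway can still see without the password (the encryption flag, member names and sizes are never encrypted), that the member content is unreadable without it, and how a password harvested from the lure text ("the password is ...") lets the plaintext be scanned like any other attachment. The file name, payload bytes, lure text and password are constructed for the demo, and the verdict policy (quarantine an encrypted archive whose password cannot be recovered) is an assumption, not a product feature.

```python
import io
import os
import re
import struct
import zipfile
import zlib
from typing import Optional

# --- Traditional PKWARE "ZipCrypto" stream cipher (APPNOTE.TXT section 6.1) ---
def _crc32_update(crc: int, byte: int) -> int:
    # One-byte table update without the pre/post inversion that zlib.crc32 applies.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k0 = _crc32_update(self.k0, c)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for c in plaintext:
            k = self.k2 | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name: str, payload: bytes, password: bytes) -> bytes:
    """One stored (method 0) member, ZipCrypto-encrypted; any unzip tool can open it."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte, which a
    # reader decrypts first to verify the password before touching the data.
    body = ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + payload)
    flags, method, dostime, dosdate = 0x0001, 0, 0x6000, 0x56A2  # bit 0 = encrypted
    fname = name.encode("ascii")
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, dostime,
                        dosdate, crc, len(body), len(payload), len(fname), 0)
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method,
                          dostime, dosdate, crc, len(body), len(payload), len(fname),
                          0, 0, 0, 0, 0, 0)
    cd_offset = len(local) + len(fname) + len(body)
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central) + len(fname), cd_offset, 0)
    return local + fname + body + central + fname + eocd

# --- What a gateway can and cannot do with such an attachment ---
PASSWORD_HINT = re.compile(r"(?i)\bpassword\b\s*(?:is|:)\s*[\"']?([^\s\"']+)")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".iso")

def harvest_password_candidates(message_body: str) -> list:
    # The lure frequently carries the password ("the password is ...") in the same message.
    return [m.group(1).rstrip(".,;").encode() for m in PASSWORD_HINT.finditer(message_body)]

def inspect_attachment(blob: bytes) -> dict:
    # Only member *contents* are encrypted: names, sizes and the flag stay in the clear.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = zf.infolist()
    return {
        "encrypted": any(zi.flag_bits & 0x1 for zi in members),
        "names": [zi.filename for zi in members],
        "risky_name": any(zi.filename.lower().endswith(RISKY_EXTENSIONS) for zi in members),
    }

def read_member(blob: bytes, password: Optional[bytes]) -> Optional[bytes]:
    # Plaintext of the first member, or None when no password or a wrong one is supplied.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            return zf.read(zf.namelist()[0], pwd=password)
        except (RuntimeError, zipfile.BadZipFile):  # "password required", "Bad password", bad CRC
            return None

def gateway_verdict(blob: bytes, message_body: str) -> str:
    meta = inspect_attachment(blob)
    if not meta["encrypted"]:
        return "scan-normally"
    for pw in harvest_password_candidates(message_body):
        data = read_member(blob, pw)
        if data is not None:  # the lure gave us the key: scan the plaintext like any file
            return "block" if data.startswith(b"MZ") or meta["risky_name"] else "scan-plaintext"
    return "quarantine"  # encrypted and no usable password: do not wave it through

# Constructed sample (not real malware): a fake PE stub with a double extension, sent
# with the password in the same message, as the post describes.
SAMPLE_PASSWORD = b"Inv0ice#2023"
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_ZIP = build_encrypted_zip("Invoice_0423.pdf.exe", SAMPLE_PAYLOAD, SAMPLE_PASSWORD)
LURE = "Hi, the April invoice is attached. The password is Inv0ice#2023. Thanks!"
```

Two caveats worth keeping in mind when adapting this: the encryption flag (general-purpose bit 0) is also set on WinZip AES entries (compression method 99), so the detection half works for those too, but the standard-library `zipfile` module cannot decrypt them, and encrypted Office and PDF files signal encryption differently (an OLE container with an `EncryptionInfo` stream for OOXML, an `/Encrypt` entry in the PDF trailer), so each format needs its own flag check before deciding whether a password is required.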
There are many examples of password-protected files being used in attacks. Here are a few:
According to HP Wolf Security, 42% of all malware is now delivered as archive files, such as ZIP and RAR. "Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes, and email scanners to detect malware," HP Wolf Security's Q3 2022 Quarterly Insights Report said.
Cyber attacks that leverage password-protected malicious files are classified as Highly Evasive Adaptive Threats (HEAT). As we've covered previously, HEAT attacks arose alongside the increase in remote and hybrid work, cloud migration, and the accelerated adoption of software-as-a-service (SaaS) applications. HEAT attacks use techniques, such as malicious password-protected files, that successfully avoid today's detection-based security tools.
Further, HEAT attacks target knowledge workers’ go-to productivity software: the web browser. Password-protected malicious files enable threat actors to successfully deliver and execute exploitative payloads because they can avoid the most commonly deployed security defenses.
Organizations that successfully stop HEAT attacks, such as those attacks that hide malicious payloads within password-protected files, will be those that leverage preventative security technology that provides visibility into web browser activity and applies dynamic policy enforcement to prevent zero-hour attacks.
That's the only way to identify and prevent such HEAT attacks in real time: defending against the previous generation of attacks, those already known to and recognized by current signature-based technologies (such as attacks that solely targeted email), is not sufficient against these evasive threats.
Tagged with Awareness, Blog, HEAT, HEAT Shield, Isolation