Threat actors often use password-protected files and archives to keep malicious content from being detected. Security solutions that analyze file content cannot decrypt the archive, so they have no visibility into the files inside it and cannot judge whether they are malicious. (Most ZIP encryption schemes still leave the entry names and sizes readable in the archive's central directory; only formats such as 7z with header encryption hide those as well.) These files are typically distributed through phishing emails or shared drives, concealing the payload within commonly used, legitimate file formats.
Malicious password-protected archives are built to deceive users and slip past commonly deployed inspection engines so that malware and ransomware reach the user's endpoint. Threat actors know that most organizations configure their security policies to let password-protected files through to end users, because security teams do not want to be seen as impeding business operations. That policy gap is the opportunity they exploit.
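As an added example (this code is not from the original post or its vendor), the following Python script shows both halves of the problem described above. It writes a small ZipCrypto-encrypted ZIP by hand, because that is the default encryption in most archive tools and is short enough to implement inline, and then shows what an inspection engine can still do with such an attachment: read the encryption flag, entry names and sizes from the central directory (ZipCrypto and AES-in-ZIP both leave these in the clear; 7z with header encryption does not), harvest the password that the lure email has to contain, and only then scan the decrypted content. The email text, password, file names, payload bytes and the suspicious-extension list are all constructed for the example.

```python
import io, re, struct, zipfile, zlib
from pathlib import PurePosixPath

# Constructed sample data (not from the page): the lure e-mail and the archive it carries.
PASSWORD = b"Q4-Invoice!2024"
EMAIL_BODY = "Hi, please find the Q4 invoice attached.\nThe archive password is Q4-Invoice!2024\nRegards"
SAMPLE_ENTRIES = {
    "README.txt": b"Open the invoice to view it.\r\n",
    # a stand-in for a dropper: 'MZ' magic plus filler, not a real executable
    "Invoice_Q4.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.",
}

# ---- ZipCrypto (traditional PKWARE encryption, APPNOTE section 6.1), encryption side ----
_CRC_TABLE = [0] * 256
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE[_i] = _c

def zipcrypto_encrypt(password: bytes, plain: bytes) -> bytes:
    """Keystream cipher most ZIP tools use by default; cryptographically weak, but
    it still blinds content inspection. The key state is driven by the plaintext."""
    k = [0x12345678, 0x23456789, 0x34567890]

    def update(b):
        k[0] = _CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    for b in password:
        update(b)
    out = bytearray()
    for p in plain:
        t = (k[2] | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Write a ZIP of stored, ZipCrypto-encrypted entries. Names and sizes stay in the clear."""
    body, central, date = bytearray(), bytearray(), ((2024 - 1980) << 9) | (1 << 5) | 1
    for name, plain in entries.items():
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        # 12-byte encryption header: 11 filler bytes (random in real tools, fixed here for
        # determinism) plus the CRC high byte, which readers use as the password check byte
        data = zipcrypto_encrypt(password, bytes(range(11)) + bytes([crc >> 24]) + plain)
        fname, offset = name.encode("ascii"), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, date, crc,
                            len(data), len(plain), len(fname), 0) + fname + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, date, crc,
                               len(data), len(plain), len(fname), 0, 0, 0, 0, 0, offset) + fname
    return bytes(body + central + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                                              len(entries), len(central), len(body), 0))

# ---- Inspection side: what a gateway can still do without the password ----
SUSPICIOUS_EXT = {".exe", ".scr", ".dll", ".js", ".vbs", ".lnk", ".hta", ".bat", ".cmd", ".ps1", ".iso"}
_PASSWORD_HINT = re.compile(r"(?i)\bpass(?:word|code)?\s*(?:is|:)\s*[\"']?([^\s\"']{3,64})")

def inspect_without_password(zip_bytes: bytes) -> dict:
    """Central-directory metadata readable with no password (ZipCrypto or AES-in-ZIP)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    return {"encrypted": any(i.flag_bits & 1 for i in infos),
            "names": [i.filename for i in infos],
            "sizes": [i.file_size for i in infos],
            "suspicious_names": [i.filename for i in infos
                                 if PurePosixPath(i.filename).suffix.lower() in SUSPICIOUS_EXT]}

def candidate_passwords(email_body: str) -> list:
    """The sender has to tell the victim the password, almost always in the same message;
    harvest every hint, with and without trailing punctuation."""
    found = []
    for hit in _PASSWORD_HINT.findall(email_body):
        for cand in (hit.encode(), hit.rstrip(".,;:!?)").encode()):
            if cand and cand not in found:
                found.append(cand)
    return found

def try_open(zip_bytes: bytes, passwords: list):
    """(password, {name: plaintext}) for the first password that decrypts every entry, else
    (None, {}). A wrong password fails the check byte or, one time in 256, the CRC instead."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in passwords:
            try:
                return pwd, {i.filename: zf.read(i, pwd=pwd) for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None, {}

def looks_like_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"  # Windows executable magic; only checkable after decryption

if __name__ == "__main__":
    archive = build_encrypted_zip(SAMPLE_ENTRIES, PASSWORD)
    print(inspect_without_password(archive))
    pwd, contents = try_open(archive, candidate_passwords(EMAIL_BODY))
    print("recovered password:", pwd, {n: looks_like_pe(d) for n, d in contents.items()})
```

Run directly, the script prints the metadata an engine sees blind (encrypted flag, a `.pdf.exe` double extension it can already block on), then the password recovered from the message and the PE magic found once the entry is decrypted. When the password is not in the message at all (sent separately, or embedded in an image), inspection stops at the metadata stage, which is precisely the gap the post describes.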
Password-protected files and archives have legitimate business uses and therefore should not be blocked by default. Several factors can make an individual or an organization more susceptible to malicious password-protected archive files. These include:
It’s important to note that malicious password-protected archive files can be delivered using a combination of these techniques and can vary in sophistication.
Password-protected archive files are used every day for legitimate business purposes. To reduce the risk of falling victim to a malicious one, make sure users open files only from trusted sources and treat any email or message asking them to open a password-protected archive with caution, especially when it is unsolicited or looks suspicious. The weakness of these best practices is that they rely on the user's vigilance to avoid opening a malicious attachment. Organizations should consider a cloud-based Browser Security solution that protects against this type of attack automatically. Such a solution runs the user's web browsing session in a virtual browser in the cloud rather than on the endpoint, and prompts the user to enter the archive password there. Once the archive is unlocked, its contents can be scanned for threats before anything is downloaded to the endpoint, so the archive never reaches the device unscanned.
With granular visibility and control over activity inside the browser, organizations can substantially reduce their attack surface and protect users and their endpoints from malicious content and highly evasive threats delivered in password-protected archive files.