Why document-borne malware needs to be back on the radar for organizations

Document-borne malware is on the rise again, so how do organizations stop it?

Jun 24, 2025 - 09:53

The cybersecurity profession is always on high alert for new attack tactics as criminal groups adapt to overcome improved defenses against phishing and ransomware. But alongside the new innovations, some old-school tactics appear to be evolving and making a comeback – or rather, they never quite went away.

Document-borne malware is one such tactic. Once considered a relic of early cyber warfare, this method continues to pose a significant threat, particularly for organizations handling large volumes of sensitive information, such as those in critical infrastructure.

The appeal for attackers is clear. Everyday files - Word documents, PDFs, Excel spreadsheets - are inherently trusted and flow freely between businesses, often through cloud-based platforms. With modern security more focused on endpoints, networks, and email filtering, these seemingly mundane files can act as the ideal Trojan horse.

Understanding this evolving risk is key to stopping seemingly innocuous documents before they can wreak havoc.

Why are cybercriminals still using document-borne malware?

On the surface, attacks using malicious documents feel like a bit of a throwback. It’s a tactic that’s been around for decades at this point; however, that doesn’t make it any less dangerous for organizations.

Still, while the concept is nothing new, threat groups are modernizing it to keep it fresh and bypass standard security controls. This means the seemingly old-school tactic is still a threat even for the most security-conscious sectors.

As with other email-based tactics, attackers typically seek to hide in plain sight. Most attacks use common file types such as PDFs, Word documents, and Excel spreadsheets as malware carriers. The malware is usually hidden in macros, embedded in scripts such as JavaScript within PDFs, or concealed within obfuscated file formats and layers of encryption and archiving.

These unassuming files are coupled with popular social engineering techniques, such as a supplier invoice or customer submission form. Email attack tactics, such as spoofed addresses or compromised accounts, further camouflage the malicious content.

The rise of cloud-based collaboration tools has increased the attack surface. We’re all used to receiving any number of emails throughout the day with links to SharePoint, Google Docs, and other common platforms. This makes it harder to detect malicious files before they enter networks.

What makes document-borne malware particularly dangerous for critical infrastructure?

Most attacks seek to breach networks unnoticed to maximize their impact and eventual rewards. The potential gains from exfiltrating sensitive data or shutting down a system mean groups are willing to invest more time and resources in trying new tactics that can pass unnoticed.

Further, document-borne attacks are all about blending into the background. For example, in the financial sector, the ecosystem offers plenty of opportunities with the thousands of incoming documents from customers, suppliers, and partners daily. Most firms have a constant inflow of financial statements, loan applications, compliance paperwork, and myriad other files entering their system.

If opened, a single malicious document can spread malware across critical networks. Attackers leverage document-based threats to deploy ransomware, steal credentials, or exfiltrate sensitive data, so one wrong click can come with catastrophic consequences, especially for critical sectors that rely heavily on a reputation for trust and reliability.

Strict regulatory compliance demands can raise the stakes further and, depending on their region and function, firms could fall under the remit of the GDPR, DORA, NIS2, and more. Failing to meet these demands can result in severe financial penalties and a significant blow to the firm’s reputation.

Why are organizations struggling to defend against these threats?

From our experience, document security is often overlooked in favor of other areas like network perimeter and endpoint protection. Document-borne attacks are mundane enough to slip down the priorities list but advanced enough to defeat most standard security tools.

Security teams may lack the visibility or tools to inspect and sanitize every incoming file, particularly in fast-moving digital workflows.

There tends to be an over-reliance on signature-based antivirus solutions, which often fail to detect modern document-borne threats. While security teams are typically aware of malicious macros, other vectors such as ActiveX controls, OLE objects, and embedded JavaScript may not be on the radar.

Attackers have also latched onto the fact there is a significant mental blind spot around documents seemingly delivered through familiar cloud-based channels. Even when employees have received phishing awareness training, there is a tendency to automatically trust a document coming in through an expected source like Google or Office 365.

What steps should businesses take to mitigate document-borne malware risks?

As with most evolving cyberattack tactics, a multi-layered strategy is the key to fending off document-borne threats.

One key step is adopting a multi-engine approach to malware scanning. While threat actors may be able to fool one detection engine, having multiple different tools will improve the chances of catching hidden malware and reduce false negatives.

Content Disarm and Reconstruction (CDR) tools are another important element. These sanitize and remove malicious macros, scripts, and active content while preserving document integrity. Suspect files can then be run through advanced sandboxes to identify previously unknown threats by detecting their malicious behavior whilst in a contained environment.

Networks should also enforce strict file policies, restricting high-risk file types and requiring user authentication before document uploads. Setting file size limits can also help catch malicious documents where hidden code has made them larger than normal.
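The file-policy gate described above, combined with a check for the active-content vectors named earlier (VBA macros, ActiveX controls, OLE embeddings, and script or action keys in PDFs), as an added example that is not code from the original article. The allowlist and size limit are assumed policy values, and the sample documents are constructed in memory for the demonstration.

```python
import io
import re
import zipfile

MAX_BYTES = 10 * 1024 * 1024           # assumed policy: refuse anything above 10 MiB
ALLOWED_EXT = {"docx", "xlsx", "pdf"}  # assumed policy: macro-enabled .docm/.xlsm are refused

# OOXML parts that carry active content: VBA project, ActiveX controls, OLE embeddings
OOXML_ACTIVE = re.compile(r"vbaProject\.bin$|/activeX/|/embeddings/", re.I)
# PDF name objects that run scripts, fire automatic actions, or launch/attach files
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")

def inspect(name, data):
    """Return a list of policy findings; an empty list means the file may proceed to scanning/CDR."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        findings.append("extension '%s' not allowed" % ext)
    if len(data) > MAX_BYTES:
        findings.append("file exceeds size limit")
    if data.startswith(b"PK"):               # OOXML containers are zip archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for part in z.namelist():
                    if OOXML_ACTIVE.search(part):
                        findings.append("active content part: " + part)
        except zipfile.BadZipFile:
            findings.append("corrupt zip container")
    elif data.startswith(b"%PDF"):
        for tag in sorted(set(m.group(1) for m in PDF_ACTIVE.finditer(data))):
            findings.append("PDF action/script key: /" + tag.decode())
    elif ext in ALLOWED_EXT:                 # declared type does not match the bytes
        findings.append("content does not match declared type")
    return findings

def _docx_with(parts):
    """Constructed sample: a minimal OOXML zip built in memory with extra parts added."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for path, body in parts.items():
            z.writestr(path, body)
    return buf.getvalue()

CLEAN_DOCX = _docx_with({})
MACRO_DOCX = _docx_with({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
JS_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF"

if __name__ == "__main__":
    for n, d in [("invoice.docx", CLEAN_DOCX), ("invoice.docx", MACRO_DOCX), ("form.pdf", CLEAN_PDF), ("form.pdf", JS_PDF)]:
        print(n, inspect(n, d) or "ok")
```

A real gate would forward files with findings to CDR or a sandbox rather than simply rejecting them, and would parse the PDF object tree rather than regex-scanning raw bytes, which misses content inside compressed object streams.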

Efficiency and reliability are also key here. Organizations need to be able to identify malicious documents hiding in their typical incoming traffic, but without disrupting a workflow that customers expect to be fast and consistent.

Stronger email security measures will also help to detect and block malicious attachments before they reach users. Moving away from signature-based detection and towards behavioral analytics will improve the chances of catching out attackers posing as trusted contacts and services.

Including document-based threats in employee awareness efforts will also help staff spot signs like unexpected macros and spoofed invoices in case they make it through other measures. In particular, more scrutiny is needed for files shared through cloud platforms.

Companies should adopt a zero trust mindset, treating every incoming file as a potential threat until it has been scanned and sanitized.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro