New file upload security policies are typically drafted in response to threats that breached (or came close to breaching) some reputable organization's systems. Once adopted, each such policy brings our own systems a step closer to being a safe home for valuable and sensitive customer data.
The challenge is that determined threat actors work equally hard to overcome new attempts to ward them off, and they’re quite often successful. Right when we least expect it, clandestine file upload attacks are carried out through even more convoluted pathways than we first imagined possible, often catching us off guard completely.
Why are password-protected file threats so dangerous?
Password-protected files are a particularly subtle threat type, designed to slip malicious code past poorly configured input validation/content verification policies while relying on us – the internal (or external) user accessing that file – to eventually execute that code within the targeted system. One of the most challenging aspects of threats involving password-protected files is that they tend to leverage simple & effective social engineering concepts, goading us into unlocking a threat which we aren’t alert to.
A threat actor can, for example, infiltrate systems adjacent to ours – i.e., a trusted client or partner – and then email or upload password-protected files to our system from a seemingly legitimate source. If we normally trust content originating from that source, we’re quite unlikely to suspect a potential threat, and we might blindly follow instructions to unlock that file with a password supplied alongside it. Many commonly shared file types like Excel (XLSX) and PDF are capable of housing malicious code behind password protection, and that code is designed to execute immediately once the file’s password is supplied.
How can I stop password-protected file threats from harming my system?
First and foremost, if password-protected files are an unavoidable part of the content our work deals with, our own vigilance is key. Malicious password-protected files are sometimes identifiable by their incongruous names and suspect purposes; if a file doesn’t look right, there’s a good chance it isn’t. It’s important to exercise extreme caution when we are suddenly handed the means to unlock content whose origin or purpose we don’t fully understand. We should always feel entitled to ask where a file came from, who created it, what it is meant to be used for, and more.
If password-protected files are not a necessary part of our workflow, however – which is often the case in scenarios involving external client-side file uploads – blocking them altogether is a sensible step to take.
The Cloudmersive Advanced Virus Scan API can be used to block password-protected files from a file upload process entirely. By setting the allowPasswordProtectedFiles Boolean to “false” in our request (also configurable via our Cloudmersive Account page), we ensure that every password-protected file receives a CleanResult: False response from the API. Our upload handler can then delete (recommended) or quarantine the file, keeping the underlying system out of harm's way.
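The following is an added example, not Cloudmersive's own code, of how an upload handler might apply the policy just described. It builds the scan request with allowPasswordProtectedFiles set to "false", maps the CleanResult verdict to a delete-or-accept decision, and, as defense in depth, runs a cheap local structural check for encryption markers in ZIP-based files (XLSX, DOCX, plain archives) and PDFs before spending a scan call. Only allowPasswordProtectedFiles and CleanResult come from the text; the endpoint URL, the other header names (Apikey, allowExecutables, allowScripts, allowMacros, allowInvalidFiles), the inputFile form field and the Contains* response keys are assumptions taken from the vendor's public documentation, and the sample inputs are constructed in the code.

```python
# Added example (not Cloudmersive's own code): an upload gate that configures the
# Advanced Virus Scan API to reject password-protected files, turns the response
# into an action, and pre-screens uploads locally for encryption markers.
import io
import json
import zipfile
from urllib import request

SCAN_URL = "https://api.cloudmersive.com/virus/scan/file/advanced"  # assumed endpoint


def build_scan_headers(api_key: str, allow_password_protected: bool = False) -> dict:
    """Request headers for the advanced scan. allowPasswordProtectedFiles is the option
    named in the text; the other header names are assumed from the vendor docs.
    Booleans are sent as the strings "true"/"false"."""
    flag = "true" if allow_password_protected else "false"
    return {
        "Apikey": api_key,
        "allowPasswordProtectedFiles": flag,
        "allowExecutables": "false",
        "allowScripts": "false",
        "allowMacros": "false",
        "allowInvalidFiles": "false",
    }


def triage(scan_result: dict) -> str:
    """Map a scan response to an action. CleanResult is from the text; the Contains*
    keys are assumed response fields used only to explain the verdict in the log."""
    if scan_result.get("CleanResult") is True:
        return "accept"
    reasons = [k for k, v in scan_result.items() if k.startswith("Contains") and v]
    # The text recommends deleting over quarantining: log the reason, drop the file.
    print("rejecting upload:", ", ".join(reasons) or "CleanResult False")
    return "delete"


def looks_password_protected(data: bytes) -> bool:
    """Local heuristic pre-check. ZIP containers (including XLSX/DOCX) set bit 0 of the
    general-purpose flag on encrypted entries; a PDF with an /Encrypt entry needs a
    password or owner key to open. This supplements, not replaces, the API verdict."""
    if data.startswith(b"%PDF"):
        return b"/Encrypt" in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def scan_upload(api_key: str, filename: str, data: bytes) -> str:
    """End-to-end gate: local check, then the remote scan (network call; not exercised offline)."""
    if looks_password_protected(data):
        return "delete"
    boundary = "----upload-gate"
    part_header = (
        f'--{boundary}\r\nContent-Disposition: form-data; name="inputFile"; '
        f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
    ).encode()
    body = part_header + data + f"\r\n--{boundary}--\r\n".encode()
    headers = build_scan_headers(api_key)
    headers["Content-Type"] = f"multipart/form-data; boundary={boundary}"
    req = request.Request(SCAN_URL, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return triage(json.load(resp))


# --- constructed sample inputs so the gate can be exercised offline ---
def constructed_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless text")
    return buf.getvalue()


def constructed_encrypted_zip() -> bytes:
    """A ZIP whose single entry carries the encryption flag (set by hand; no real cipher)."""
    raw = bytearray(constructed_plain_zip())
    raw[raw.find(b"PK\x03\x04") + 6] |= 0x1   # local file header: general-purpose flag bit 0
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1   # central directory header: same flag
    return bytes(raw)


CONSTRUCTED_ENCRYPTED_PDF = b"%PDF-1.7\n1 0 obj<<>>endobj\ntrailer<</Encrypt 2 0 R/Root 1 0 R>>\n%%EOF\n"
CONSTRUCTED_BLOCKED_RESPONSE = {"CleanResult": False, "ContainsPasswordProtectedFile": True,
                                "ContainsExecutable": False}

if __name__ == "__main__":
    print(build_scan_headers("PLACEHOLDER_API_KEY")["allowPasswordProtectedFiles"])  # false
    print(looks_password_protected(constructed_encrypted_zip()))                      # True
    print(triage(CONSTRUCTED_BLOCKED_RESPONSE))                                       # delete
```

The local check is deliberately conservative: it only looks at the container-level markers that a password-protected file must carry, so a false positive costs one rejected upload, while anything it misses still reaches the API with allowPasswordProtectedFiles disabled.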
For more information on how the Cloudmersive Advanced Virus Scan API can protect any system from non-malware content threats, please feel free to reach out to a member of our sales team.