Technical Articles

Review Cloudmersive's technical library.

Understanding File Masquerading in Phishing Attacks: Detection and Protection
2/20/2024 - Brian O'Neill

phishing hook graphic

File masquerading is one of the many evasive methods threat actors can use to deceive prospective victims in phishing attacks (or other attacks that require user interaction with a file to run malicious code).

In this article, we’ll review how file masquerading works and what implications it can have.

What is File Masquerading?

File masquerading is a relatively simple technique aimed at hiding the true nature of a malicious file’s contents. This technique abuses the way certain operating systems (or, in some cases, applications such as internet browsers) display file names to users.

How does File Masquerading Work?

The true nature of a malicious file's content can sometimes be concealed by entering a fake, secondary extension in the file name (text box) displayed to the user.

Let’s imagine, for example, a threat actor has crafted a Windows executable (.exe) file containing malicious code. Files with .exe extensions are designed to run programs on Windows operating systems; they’re commonly used to install applications, games, and other software.

To successfully inject their malicious payload onto a target user’s Windows operating system, the attacker will require user interaction.
In other words, they will need their victim to ‘voluntarily’ run the executable by clicking on & opening the file. Since most modern application users are trained to avoid interacting with unknown executable files, the attacker might decide to conceal the file type to convince their potential victim that the file’s contents are actually harmless.

By changing the name of their file to something innocuous like “file.txt”, the attacker can make the file seem harmless when it displays in certain contexts where the user might see it (e.g., file extensions for known file types can be hidden by default on Windows OS). The full file name is actually “file.txt.exe”, but because periods are valid entries in file name displays, the user might believe the phony extension displayed in the file name represents the actual file content. In this example, the attacker’s file is an executable file masquerading as a text file.

Threat actors frequently use other extremely common file extensions like .pdf, .docx, .jpg, and .png to increase the likelihood that victims will interact with and execute malicious file contents.

Outcomes of Masquerading File Attacks

Attacks via masquerading files can have very severe consequences. In general, running an attacker's executable code tends to hand them a great deal of control over the target operating system or application server.

These attacks often result in the creation of backdoors into a system, allowing the attacker to steal sensitive data or deploy ransomware to hold data hostage. These attacks also frequently result in the deployment of spyware to gather data about a user (or group of users) on a particular operating system.

Uncovering Masquerading Files with Cloudmersive

The Cloudmersive Advanced Virus Scan API offers 360-degree content protection, simultaneously scanning files for viruses, malware, and non-malware content threats. Masquerading files can be detected and blocked by setting customizable, in-depth content verification policies that look past the file extension and rigorously analyze the content type.

For more information on the Cloudmersive Virus Scan API, please do not hesitate to reach out to a member of our team.

800 free API calls/month, with no expiration

Get started now! or Sign in with Google

Questions? We'll be your guide.

Contact Sales