How Attackers Are Using Password-Protected Files To Bypass Detection and How to Stop Them?
Kelvin Saitoti
I deliver cybersecurity and risk management strategies to protect data, minimize risks, and ensure compliance while empowering organizations to execute business strategies safely.
In war, using the enemy's weapon against them is a powerful tactic!
Cyber attackers apply this meticulously: using the very defenses meant to protect us to their advantage. It's like turning our shields into their secret weapon.
In today's post, the password-protected file is that weapon.
Password-protected files are intended for sharing files securely with others. They can be documents, PDFs, ZIP archives and so on, and they simply prompt for a password when opened. But attackers use this very feature as an attack vector to bypass detection. Let's see how...
1) The attacker creates and sends a password-protected malware file as an email attachment.
2) Security tools cannot analyze it: automated scanning fails because the file is password-locked.
3) The victim opens the file, which is disguised as a legitimate document (often an invoice).
4) The victim assumes that, since it is a sensitive file, it might reasonably have been password-protected, notices the password mentioned in the same email body, and enters it.
5) The victim now opens the files inside, and the ransomware or malware executes on the device.
Thus attackers bypass the email/network gateway security and reach the device very cunningly.
Instead of an attachment, a common trend these days is to use a password-protected Dropbox or Google Drive file link to achieve the same result.
--> Depending on your company's requirements, consider blocking or quarantining emails with password-protected attachments. (With the enterprise secure-sharing options available today, users should not need to rely on password-protected files anyway.)
--> A few email security vendors support scanning password-protected files when the password is present in the mail body. Turn these features on to give the SOC team visibility.
--> To tackle these attacks, evaluate what dynamic preventive security controls you have at the web browser and endpoint level, i.e. what controls are in place if the file redirects the user to a malicious site or attempts to install malware?
--> Educate users about these scenarios. Tell them that password-protected files are suspicious, and that if the password is listed in the same email, it's even more suspicious.
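As an added illustration of the first two controls above (quarantining locked attachments, and scanning when the password sits in the same mail), here is a Python triage routine that is not part of the original post: it flags an email whose ZIP attachment carries encrypted entries and whose body hands over a password. The sample message, addresses, password and the flag-bit trick used to fake a locked archive are all constructed for the demo.

```python
import email.policy, io, re, zipfile
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted
PASSWORD_HINT = re.compile(r"\b(?:password|passcode|pwd)\b\s*(?:is|:)\s*\S+", re.I)  # "password is X"

def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any ZIP entry is flagged encrypted; the central directory is readable without the key."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return findings plus a gateway verdict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    findings = {"encrypted_attachments": [],
                "password_in_body": bool(PASSWORD_HINT.search(body.get_content() if body else ""))}
    for part in msg.iter_attachments():
        if zip_has_encrypted_entries(part.get_payload(decode=True) or b""):
            findings["encrypted_attachments"].append(part.get_filename())
    if findings["encrypted_attachments"] and findings["password_in_body"]:
        findings["verdict"] = "quarantine"       # the pattern in the post: key in the same mail
    elif findings["encrypted_attachments"]:
        findings["verdict"] = "hold-for-review"  # locked archive, key delivered elsewhere
    else:
        findings["verdict"] = "deliver"
    return findings

def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed sample only: set the encrypted flag bit in every local and central header
    (the stdlib cannot write encrypted ZIPs; data stays plain, but readers treat it as locked)."""
    buf = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + offset] |= ENCRYPTED_FLAG
            i = buf.find(sig, i + 1)
    return bytes(buf)

def build_sample_email() -> bytes:  # constructed lure with fake addresses and a made-up password
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.pdf", b"placeholder bytes, not a real document")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "user@example.com", "Invoice 4471"
    msg.set_content("Hi, please find the attached invoice. The password is Inv0ice2024")
    msg.add_attachment(_mark_encrypted(archive.getvalue()), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)
```

A gateway hook would feed the raw .eml bytes from its queue into triage_message and route on the verdict; other container formats (7z, ISO, encrypted PDF) need their own format check.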
Internal Audit & Risk Manager at JAVA House Africa
1 yr Interesting...