How Hackers Are Using Corrupted Word Docs To Cleverly Evade Antivirus Tools

Security researchers at Any.Run have found a new zero-day attack currently being used by threat actors to evade detection tools used by security professionals. This new technique “evades antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox.” It’s a devious new move in a never-ending game of cat and mouse between security attackers and defenders.

Threat actors are able to bypass all of these security mechanisms by making use of deliberately corrupted files. By doing this, these files become incredibly difficult to detect, allowing them to slip by malware detection. The researchers note that “although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types.”
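The point the researchers make is that a scanner which cannot parse a file as the type its extension claims tends to skip it rather than flag it. The following added example (not code from Any.Run or from the article) shows the defensive policy a mail gateway or sandbox intake should apply instead: an attachment that claims to be an Office Open XML document but does not parse as a ZIP container, or lacks the core OOXML parts, is classified as a corrupt office container and quarantined rather than passed through unscanned. The sample archive and its damaged variant are constructed in memory for the test; the part names checked and the category labels are assumptions for illustration.

```python
import io
import zipfile

# Parts every OOXML document carries; a presence check, not full schema validation (assumption)
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")
OOXML_EXTENSIONS = (".docx", ".docm", ".dotx")


def build_sample_docx() -> bytes:
    """Constructed, minimal .docx-like archive used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def truncate(data: bytes, drop: int = 64) -> bytes:
    """Constructed damaged variant for the test: the tail holding the ZIP central directory is gone."""
    return data[:-drop]


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a category for an attachment; never silently skips a file it cannot parse."""
    name = filename.lower()
    if not name.endswith(OOXML_EXTENSIONS):
        return "not-ooxml"
    # OOXML is a ZIP container; a local file header signature is expected at offset 0
    if not data.startswith(b"PK\x03\x04"):
        return "ooxml-ext-wrong-magic"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() returns the first member whose CRC check fails, or None when all are intact
            if zf.testzip() is not None:
                return "corrupt-office-container"
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Missing or damaged central directory: exactly the case a type-specific parser skips
        return "corrupt-office-container"
    if not all(part in names for part in REQUIRED_PARTS):
        return "corrupt-office-container"
    return "well-formed-ooxml"


def verdict(category: str) -> str:
    """Policy: an unparseable document-type attachment is quarantined, not passed through unscanned."""
    if category in ("corrupt-office-container", "ooxml-ext-wrong-magic"):
        return "quarantine"
    return "scan-normally"


if __name__ == "__main__":
    good = build_sample_docx()
    for label, blob in (("intact", good), ("truncated", truncate(good))):
        cat = classify_attachment("payroll.docx", blob)
        print(f"{label}: {cat} -> {verdict(cat)}")
```

The design choice is to make "cannot parse" a positive signal. A file that Word will offer to repair is, by definition, one whose container is damaged, so the gateway should treat parse failure on a document-typed attachment as grounds for quarantine and manual review rather than as a reason to fall back to a generic, weaker scan.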


These files are delivered to potential victims via e-mail, masquerading as communications from a company’s payroll or human resources department. When the victim attempts to open the file, software such as Microsoft Word will try to restore it, prompting the user to allow the repair. Once the file has been allegedly “fixed,” it points the user to a site that is set up to steal credentials, which can then be used to potentially infiltrate an organization’s network.

This is a potent combination of social engineering and malware that organizations’ security teams need to be wary of. The ease with which this attack makes it through detection tools, combined with the seemingly legitimate communication the user sees once the file is "fixed," makes this a powerful tool for attackers. This is especially true for organizations that rely on detection tools to prevent these kinds of e-mails from ever reaching their employees in the first place.