Richard Jenkins
August 5, 2022

File-based threats and where to find them

Digital files are critical to any organization. They enhance productivity, aid learning and boost collaboration. However, they are the Achilles heel of most organizations’ cybersecurity defenses. They can be used as an invisibility cloak where cybercriminals hide malicious content, passing through detection-based security solutions with ease.  

In this blog we are going to highlight the malicious content that can reside within files and pinpoint the attack vectors utilized by cybercriminals that help deliver file-based threats to your organization.

What are file-based threats?

As the name suggests, file-based threats are malicious pieces of code that reside within a file. Cybercriminals use vulnerabilities to embed threats within everyday files and use these often seemingly safe business documents to target individuals or organizations. Once a file passes undetected into an IT environment these threats can ‘detonate’ with disastrous effect.

Malware (short for malicious software) refers to any software designed to intentionally damage, disrupt or breach an organization’s IT infrastructure. It is a term that encompasses common threats such as viruses, ransomware, worms, trojans and more.

Hidden in files, malware bypasses detection-based cyber defenses. Once activated, cybercriminals are able to disrupt business operations, gain unauthorized access to classified and sensitive information, or can even hold an organization and its data to ransom.  

What vulnerabilities do my files contain?

Each file type contains certain vulnerabilities that leave an organization at risk of a cyber-attack. They can be manipulated by cybercriminals to steal data or to plant malicious content.

Common vulnerabilities include:


‘Acrobat forms’ look just like any other form, but they may also contain active code such as JavaScript. This active code can be exploited by cybercriminals to launch attacks that are commonly missed by traditional detection-based cyber security solutions.

Macros and JavaScript

Macros and JavaScript are forms of active code. These extra file functions can perform actions without a user’s permission, starting a chain reaction of malicious events. When these are present in a document, they are often used by cybercriminals to mount an attack against the user or receiving system.  

Dynamic Data Exchange (DDEs)

Cybercriminals can use DDEs in Microsoft documents to execute malicious code on a recipient’s computer.

Digital signatures

If the ownership and trust of the certificate chain has been compromised, a cybercriminal could trick a user into opening a document that contains malicious content.

Embedded objects

Embedded objects within files can be used to hide data or provide a way for active code to be triggered. These objects are often used by cybercriminals to perform actions without a user’s permission or knowledge.


Hyperlinks are often used in phishing attacks. Cybercriminals create links that look legitimate and trustworthy on the surface but, once clicked, take a user to a different destination and activate a chain of malicious events.

Review comments and metadata

Sensitive information that a company does not want to disclose to the public can be found within metadata. This could be the name of the author of a file or review comments. Cybercriminals can access this data and use it for malicious purposes, damaging the reputation of an organization when the breach is disclosed.
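As an added illustration (not part of the original post and not Glasswall code), the sketch below inventories several of the features listed above inside a Word .docx file, which is a zip archive of XML parts. The names `triage_docx` and `build_sample` are hypothetical, the sample document is constructed with placeholder content, and a DDE field instruction split across several runs would not be matched.

```python
import io
import re
import zipfile

# Markers for the features listed above, as they appear inside an OOXML (.docx) zip.
DDE_FIELD = re.compile(rb"<w:instrText[^>]*>\s*DDE(AUTO)?\b", re.I)
EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode="External"')
CREATOR = re.compile(rb"<dc:creator>([^<]+)</dc:creator>")

def triage_docx(data: bytes) -> dict:
    """Inventory active content and metadata in a .docx supplied as bytes."""
    found = {"macros": False, "dde": False, "embedded_objects": [],
             "external_links": 0, "author": None, "review_comments": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):          # VBA macro storage
                found["macros"] = True
            elif low.startswith("word/embeddings/"):    # OLE / embedded objects
                found["embedded_objects"].append(name)
            elif low == "word/comments.xml":            # review comments
                found["review_comments"] = True
            elif low.endswith(".rels"):                 # hyperlinks leaving the file
                found["external_links"] += len(EXTERNAL_REL.findall(z.read(name)))
            elif low == "docprops/core.xml":            # author metadata
                m = CREATOR.search(z.read(name))
                found["author"] = m.group(1).decode() if m else None
            elif low == "word/document.xml":            # DDE / DDEAUTO field codes
                found["dde"] = bool(DDE_FIELD.search(z.read(name)))
    return found

def build_sample(risky: bool = True) -> bytes:
    """Constructed sample: a minimal zip using real .docx part names, dummy content."""
    parts = {"word/document.xml": "<w:document><w:t>hello</w:t></w:document>"}
    if risky:
        parts.update({
            "word/document.xml": "<w:document><w:instrText> DDEAUTO placeholder </w:instrText></w:document>",
            "word/vbaProject.bin": b"constructed placeholder bytes",
            "word/embeddings/oleObject1.bin": b"constructed placeholder bytes",
            "word/comments.xml": "<w:comments/>",
            "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" '
                'Target="https://example.invalid/" TargetMode="External"/></Relationships>',
            "docProps/core.xml": "<dc:creator>Jane Example</dc:creator>",
        })
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling `triage_docx(build_sample())` reports every category as present, while `build_sample(risky=False)` yields an empty inventory; this is a visibility check at a trust boundary, not a substitute for rebuilding the file.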

Where to find file-based threats:

Simply put, anywhere a file crosses a trust boundary there is risk. However, here are the main attack vectors for which you should have proactive file-based protection:

Cloud services

Cloud services provide infrastructure, platforms, software, and technologies to organizations via the Internet. There is no need for investment in internal infrastructure or hardware. The ‘online’ nature of these services means that unlike traditional internal infrastructure, files are now always found and downloaded from the web. This increases the number of files crossing organizations’ trust boundaries, which increases the risk faced from file-based threats.  

Recommended Glasswall solutions – APIs, Clean Room and Desktop

Web browsers

Web browsers give users the ability to download and upload files freely to the web. While this has profound benefits for boosting organizational productivity, it also significantly increases the file-based risks associated with malicious content entering an organization’s IT infrastructure. Don’t forget, most traditional protection systems are not able to fully protect against file-based threats due to their detection-based nature.

Recommended Glasswall solutions – APIs, Clean Room and Desktop

Social media

Social media is a tool that promotes sharing and collaboration. While most of the activity on social media is confined to social feeds, many large players in the market, such as Facebook, Twitter and Instagram, allow users to upload and download files via their messaging services. Users that access their social media accounts on an organization’s hardware leave their infrastructure susceptible to file-based threats.

Recommended Glasswall solutions – APIs, Clean Room and Desktop

Physical storage devices

When using a USB device or an external hard drive, the data held within can still harbor malicious content. If a user plugs a device into an organization’s network to transfer what they believe to be safe files, they could easily be exposing their organization to file-based threats. Once these files enter a network it is likely they will be either sent to colleagues or stored on a cloud for easy collaboration, spreading risky files to every corner of the organization.  

Recommended Glasswall solutions – Clean Room

The best defense against file-based threats is Glasswall CDR

Unlike other security solutions, Glasswall CDR (Content Disarm and Reconstruction) doesn’t rely on detection. Instead, we instantly rebuild every file back to its ‘known-good’ standard, which removes the possibility for file-based threats to reside within a document. We also ensure this standard matches the manufacturer’s specification, which means that, unlike other CDR vendors who use file-flattening, files processed by Glasswall CDR are fully functional for the end user.

At Glasswall we understand that a solution can only be effective if it can offer protection at the right time and the right place. Our range of solutions has been developed to ensure that your organization is protected against file-based threats across the attack vectors that deliver them to your organization.

To find out more head to or follow the links earlier in the document to see which Glasswall CDR solution is best suited to your needs.  
