Combatting Emotet – the World’s Most Dangerous Malware

by | Apr 21, 2022 | Thought leadership

Emotet – the ‘world’s most dangerous malware’ – is an infamous trojan delivered via infected files or links that can auto-execute on devices without any user interaction. It can then swiftly seize control of devices and networks, downloading additional payloads along the way such as ransomware or info-stealers.

As such, it’s seen as particularly dangerous, with over 2.7 million cases detected since late last year in a new wave of attacks – this time using Excel files to disguise its presence. According to CISA, it costs upwards of $1 million to clean up each incident.

Designed to evade antivirus solutions, the first step in the chain of infection involves tricking the potential victim into opening an attached Microsoft Office file using social engineering. After the file has been opened and macros enabled, there is no need for additional user action because the file contains malicious Visual Basic for Applications (VBA) code that runs after a document has been opened.

The VBA code utilizes Windows Management Instrumentation (WMI) to launch a PowerShell code which downloads the payload – a malicious executable file from the webserver. From there, networks and devices are at significant risk of widespread infection.

How Glasswall Handles Emotet Attacks

Glasswall stops Emotet-infected files by removing macros, preventing information leakage and repairing broken document structures. Glasswall Content Disarm and Reconstruction (CDR) instantly removes the threat presented by Emotet, with no ‘protection delta’ – the time before antivirus and sandboxing tools are updated to protect against new threats.

This is achieved via a four-step process:


Step 1 – Inspect

Three layers of the incoming file are inspected to verify that its digital DNA complies with the manufacturer’s specification, and the system corrects any deviations instantly.



Step 2 – Clean

High risk active content such as macros and embedded links are cleaned and removed from the original file (based on company policy), so only the users who need active content receive it.



Step 3 – Rebuild

The file is rebuilt to the authorised manufacturer’s standard, ensuring the file is clean and threat-free.



Step 4 – Deliver

The user instantly receives a safe, identical file that’s compliant, standardized, and trusted. This reduces the risk of malicious code hidden in malware from entering, therefore maintaining business continuity.



By removing VBA macros and metadata, Glasswall ensures the file’s binary structure conforms to the manufacturer’s specification. Crucially, it does so before the user is exposed to any risk, meaning the ‘Glasswalled’ file is released in a safe state with no malicious Emotet content.

To learn more about Emotet, read our guide here.


What are file-based threats?

What is zero-trust file protection?

How does Glasswall CDR work?

Picture of a knight mask with swords to illustrate our battle for being the market leader in CDR

Glasswall vs Competitors

Why Glasswall CDR?

Learn about the simple way to protect against sophisticated file-based threats.

All resources



Case Studies

Use Cases




Product help



Contact us


strategic alliances

About our Partner Program

Our Partners

Become a Partner

Glasswall partner program

Bringing File-based threat protection to your customers

Offer a richer security portfolio with the most agile CDR platform on the market. Stand out from the competition with a partner program built for you. Let’s make files safer together.

About Glasswall

Our People




Contact Us

support lines


Raising the bar on file security

We believe people should be free to open their files without fear. To click on anything without risk of catastrophe. To use systems the way they were meant to be used. That’s why we’re raising the bar on file security at Glasswall.