Digital files are the lifeblood of any modern organization, driving productivity, enabling collaboration, and powering day-to-day operations. But they are also the Achilles heel of most cybersecurity defences. Files can be used as an invisibility cloak in which cybercriminals conceal malicious content, slipping past detection-based security tools with alarming ease.
The scale of the problem has never been greater. Security researchers detect around 500,000 malicious files every single day, and by 2024, more than 1.2 billion distinct malware samples existed. Meanwhile, the average cost of a data breach reached $4.88 million in late 2024 and that figure is trending upward. In this blog we highlight the malicious content that can reside within files, the latest threats reshaping the landscape, and the attack vectors cybercriminals use to deliver file-based threats to your organization.
What are file-based threats?
As the name suggests, file-based threats are malicious pieces of code that reside within a file. Cybercriminals exploit vulnerabilities to embed threats within everyday documents and use those seemingly harmless files to target individuals and organizations. Once a file passes undetected into an IT environment, these threats can 'detonate' with devastating effect.
Malware (short for malicious software) refers to any software designed to damage, disrupt, or breach an organization's IT infrastructure. It encompasses viruses, ransomware, trojans, worms, infostealers, and much more. Hidden inside files, malware bypasses detection-based defences. Once activated, it can disrupt business operations, enable unauthorized access to sensitive data, or hold an organization's systems to ransom.
The financial stakes are severe. The average ransom payment increased 500% to $2 million in 2024, and the average cost of recovery from a malware attack reached $2.73 million. Ransomware was present in 44% of confirmed breaches in 2024, up from 32% the year prior.
What vulnerabilities do my files contain?
Each file type contains certain vulnerabilities that leave an organization exposed to attack. Cybercriminals manipulate these to steal data or plant malicious content. Common vulnerabilities include:
Acroforms
'Acrobat forms' look like any other form, but may also contain active code such as JavaScript. This active code can be exploited to launch attacks that are commonly missed by traditional detection-based solutions. In the first half of 2025, PDF attachments remained the most common malicious file type, accounting for 23.7% of malicious email attachments, favoured because they appear trustworthy and bypass many filters.
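Because the risk lies in the form's active content rather than in its appearance, a defender's first check on a PDF is whether it contains the dictionary keys that let a reader run code or open something on load. The scanner below is an added example (not Glasswall's code) that tallies those keys in a constructed sample PDF; it decodes `#xx` name escapes, which are legal in PDF names and can make `/JS` appear as `/J#53`, and inflates Flate-compressed streams so keys hidden inside object streams are counted too. The key list and the sample file are assumptions made for the demonstration.

```python
"""Tally active-content keys in a PDF. Added example; sample PDF constructed inline."""
import re
import zlib

# Keys whose presence means the viewer may run script or open something automatically.
# Assumed list for this example; a real triage tool would carry a fuller one.
ACTIVE_KEYS = {"AcroForm", "JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile", "RichMedia"}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
# Stream bodies; scanned separately so binary data is not mistaken for object syntax.
STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def normalise_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#53 and /JS compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Return {key: occurrences} for every ACTIVE_KEYS name found in the file."""
    counts = {}

    def tally(buf: bytes) -> None:
        for m in NAME_TOKEN.finditer(buf):
            name = normalise_name(m.group(1))
            if name in ACTIVE_KEYS:
                counts[name] = counts.get(name, 0) + 1

    # 1. Object syntax outside streams.
    tally(STREAM.sub(b"stream\nendstream", data))
    # 2. Each stream body, inflated when it is Flate-compressed, since catalogs
    #    and actions can live inside compressed object streams.
    for m in STREAM.finditer(data):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # not Flate data; scan the raw bytes as a best effort
        tally(body)
    return counts


def build_sample_pdf() -> bytes:
    """Constructed sample: an AcroForm catalog with an OpenAction JavaScript
    action using an escaped /JS key, plus a Launch action hidden in a compressed stream."""
    hidden = zlib.compress(b"<< /S /Launch /F (placeholder) >>")
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R /AcroForm << /Fields [] >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /JavaScript /J#53 (placeholder) >> endobj\n",
        b"4 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >> stream\n"
        + hidden + b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

A non-empty result does not prove the file is malicious (many legitimate forms carry JavaScript), which is exactly why the page argues for rebuilding rather than judging; the scan is useful as a triage signal and as a check that a sanitised file really has had its active content removed.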
Macros and JavaScript
Macros and JavaScript are forms of active code that can perform actions without a user's permission, starting a chain reaction of malicious events. Approximately 45% of dangerous file attachments sent in phishing attacks use one of the Microsoft Office file formats, precisely because macros embedded in these documents are such an effective delivery mechanism.
Dynamic Data Exchange (DDE)
Cybercriminals can use DDE fields in Microsoft Office documents to execute malicious code on a recipient's machine, often without any visible indication that something is wrong.
Digital signatures
If the ownership and trust of a certificate chain has been compromised, a cybercriminal could trick a user into opening a document that contains malicious content, relying on misplaced trust to bypass scrutiny.
Embedded objects
Objects embedded within files can hide data or trigger active code without a user's permission or knowledge. They remain a reliable tool for attackers seeking to execute malicious actions covertly.
Hyperlinks
Hyperlinks are a staple of phishing attacks. Cybercriminals craft links that look legitimate on the surface but redirect users to malicious destinations. Malicious SVG files, which can appear as harmless graphics but bypass many anti-spam tools, increased fifty-fold in 2025 compared to 2024, illustrating just how rapidly attackers adapt their techniques.
Review comments and metadata
Sensitive information that an organization does not intend to share, such as an author's name, tracked changes, or internal comments, can be found within file metadata. Cybercriminals can harvest this data for malicious purposes, with the reputational damage often compounding the initial breach.
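Most of the Office-related items above (macros, DDE fields, embedded objects, external hyperlinks, review comments and identifying metadata) are visible in the structure of an OOXML package without opening the document in Word. The audit below is an added example (not Glasswall's code) that unzips a `.docx` and reports each indicator with its evidence; the sample document it inspects is constructed inline with placeholder content, and the set of field keywords it treats as risky is an assumption for the demonstration.

```python
"""Audit a .docx for the risk indicators discussed above. Added example; sample built inline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

# Field instructions that make Word reach outside the document (assumed list).
RISKY_FIELDS = re.compile(r"^\s*(DDE|DDEAUTO|INCLUDEPICTURE|INCLUDETEXT|IMPORT)\b", re.I)


def field_instructions(document_xml: bytes):
    """Yield every field instruction in word/document.xml (complex and simple fields)."""
    root = ET.fromstring(document_xml)
    for el in root.iter(f"{{{W_NS}}}instrText"):
        if el.text:
            yield el.text
    for el in root.iter(f"{{{W_NS}}}fldSimple"):
        yield el.get(f"{{{W_NS}}}instr", "")


def audit_docx(data: bytes) -> dict:
    """Return {indicator: [evidence, ...]} for the indicators present in the package."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]  # macros
        if vba:
            findings["macros"] = vba
        emb = [n for n in names if n.startswith("word/embeddings/")]  # OLE/embedded objects
        if emb:
            findings["embedded_objects"] = emb
        if "word/document.xml" in names:
            risky = [f.strip() for f in field_instructions(z.read("word/document.xml"))
                     if RISKY_FIELDS.match(f)]
            if risky:
                findings["dde_fields"] = risky
        ext = []  # relationships that point outside the package (hyperlinks, linked images)
        for n in names:
            if n.endswith(".rels"):
                for rel in ET.fromstring(z.read(n)).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        ext.append(rel.get("Target"))
        if ext:
            findings["external_links"] = ext
        if "word/comments.xml" in names:  # review comments travel with the file
            findings["comments"] = ["word/comments.xml"]
        if "docProps/core.xml" in names:  # author and last-editor names in metadata
            core = ET.fromstring(z.read("docProps/core.xml"))
            leak = []
            for tag in (f"{{{DC_NS}}}creator", f"{{{CP_NS}}}lastModifiedBy"):
                el = core.find(tag)
                if el is not None and el.text:
                    leak.append(f"{el.tag.split('}')[1]}={el.text}")
            if leak:
                findings["metadata"] = leak
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal package carrying every indicator, placeholders only."""
    document = f"""<w:document xmlns:w="{W_NS}"><w:body><w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText>DDEAUTO placeholder-app placeholder-topic</w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
  <w:hyperlink r:id="rId2" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"/>
</w:p></w:body></w:document>"""
    rels = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/login" TargetMode="External"/>
</Relationships>"""
    core = f"""<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">
  <dc:creator>J. Example</dc:creator><cp:lastModifiedBy>finance-internal</cp:lastModifiedBy>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/vbaProject.bin", b"placeholder-not-a-real-vba-project")
        z.writestr("word/embeddings/oleObject1.bin", b"placeholder-ole")
        z.writestr("word/comments.xml", f'<w:comments xmlns:w="{W_NS}"/>')
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    for indicator, evidence in audit_docx(build_sample_docx()).items():
        print(f"{indicator}: {evidence}")
```

The check is structural, so it is unaffected by how the payload inside a macro or object is obfuscated; it only answers whether the document carries that class of content at all, which is the question a trust-boundary policy needs answered.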
The rise of AI-powered file-based threats
The emergence of artificial intelligence has fundamentally changed the file-based threat landscape. Cybercriminals are no longer limited to manually crafting malicious files. AI now allows them to generate, adapt, and deploy threats at a scale and speed that was simply not possible before.
AI-generated malicious documents
Generative AI tools have dramatically lowered the barrier to entry for cybercriminals. Attackers can now produce convincing, error-free phishing documents, fake invoices, and weaponized attachments at scale, with none of the spelling mistakes or awkward phrasing that once made malicious files easier to spot. AI is being used to generate phishing emails that are nearly impossible to distinguish from legitimate communication, and the same capability extends to the files attached to them.
Adaptive malware that rewrites itself
Perhaps the most significant development is malware that uses AI to actively evade detection. Google's Threat Intelligence Group has identified malware families that use large language models during execution, dynamically generating malicious scripts, obfuscating their own code to evade detection, and creating malicious functions on demand. One strain observed rewrote its entire source code every hour to ensure it never presented the same signature twice. Traditional signature-based scanning is powerless against a file that looks different every time it is analysed.
Polymorphic file threats
AI has supercharged the older concept of polymorphic malware, which changes its appearance to evade detection while preserving its malicious function. During 2025, over 70% of major breaches involved polymorphic malware that generates unique variants with each execution. For security tools that rely on recognising known threats, this creates an almost impossible challenge.
Fileless execution via AI-crafted scripts
AI is also accelerating the use of fileless techniques, where malicious code is delivered inside a legitimate-looking file but then executes entirely in memory using built-in system tools such as PowerShell. Fileless attacks are up to ten times more successful than traditional malware attacks, and fileless malware attacks increased by 78% between 2024 and 2025. Because nothing malicious is ever written to disk, conventional antivirus tools have no file to scan.
A maturing criminal marketplace
It is not only sophisticated nation-state actors driving this trend. The underground cybercrime market for AI tools has matured significantly, with researchers seeing advertisements for tools that write convincing phishing content, create deepfakes, and identify software vulnerabilities, making it easier for even unskilled cybercriminals to launch attacks well beyond their own capabilities.
The implications are clear: a security approach that depends on recognising known threats will increasingly struggle against files that are generated, mutated, and deployed by AI in real time. The only reliable defence is one that does not rely on detection at all.
Where to find file-based threats
Simply put, there is risk anywhere a file crosses a trust boundary. Here are the main attack vectors requiring proactive file-based protection:
Email
Email remains the single most dangerous delivery channel for malicious files. According to the Verizon Data Breach Investigations Report, 94% of malware is delivered via email attachments. According to ESET, scripts accounted for 44.5% and executables 24.2% of malicious email payloads in the first half of 2025. Attackers are also becoming more sophisticated: the 'ClickFix' social engineering technique, which tricks users into running malicious scripts themselves, surged 500% in early 2025.
Cloud services
Cloud services provide infrastructure, platforms, and storage to organizations via the internet. But the shift to cloud has dramatically expanded the attack surface. Attacks targeting SaaS platforms like Microsoft 365 grew by 61% as more corporate data moved to the cloud. Malicious files uploaded to cloud storage can be accessed by unsuspecting users or integrated into automated workflows, spreading infection silently across an organization.
Web browsers
Web browsers give users the freedom to upload and download files freely, boosting productivity but significantly increasing risk. Unit 42 research found that around 44% of incidents involved malicious activity launched via employee browsers. Most traditional security tools are not equipped to fully protect against file-based threats delivered through the browser, due to their detection-based nature.
Social media
Social media is built for sharing and collaboration. But major platforms including Facebook, LinkedIn, and Instagram allow users to share files via their messaging services. Around 33% of data breaches studied involved social attacks, which typically exploit direct messaging on social media platforms. Users accessing social media on organizational hardware leave their infrastructure exposed.
QR codes
QR codes are a newer attack vector that has grown sharply since 2023. One in five organizations experienced at least one QR code phishing incident in the past twelve months, with these attacks regularly bypassing the native protections in Microsoft 365 and other traditional email security solutions.
Physical storage devices
USB drives and external hard drives can still harbour malicious content. If a user connects a device to an organizational network believing the files to be safe, they may expose the entire infrastructure to file-based threats, which will then typically spread via email or cloud storage to every corner of the organization.
The best defence against file-based threats is Glasswall CDR
The threat landscape has evolved dramatically, from macro-laden Office documents to AI-powered adaptive malware that rewrites itself every hour. What hasn't changed is this: detection-based security will always be playing catch-up.
Unlike other security solutions, Glasswall CDR (Content Disarm and Reconstruction) doesn't rely on detection. Instead, we instantly rebuild every file back to a known-good standard that removes the possibility for file-based threats to reside within a document. We also ensure this standard matches the manufacturer's specification, meaning files processed by Glasswall CDR are fully functional for the end user, with no loss of usability.
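The principle of rebuilding rather than detecting can be shown on a small scale. The script below is an added example and not Glasswall's implementation: it takes a `.docx`, copies only an allowlisted set of parts into a fresh archive (so a VBA project, embedded objects or a comments part are never carried across), removes every field code and embedded object from the body while keeping the visible text, drops external relationships, scrubs author metadata, and prunes the content-types manifest to match. The allowlist, the sample document and its placeholder content are assumptions made for the demonstration; a production rebuild validates every remaining part against the file format specification as well.

```python
"""Minimal CDR-style rebuild of a .docx. Added example; sample document constructed inline."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
CT = "http://schemas.openxmlformats.org/package/2006/content-types"
ET.register_namespace("w", W)
ET.register_namespace("r", R)

# Only these parts survive; anything not listed is never copied (assumed allowlist).
ALLOWED_PARTS = {"[Content_Types].xml", "_rels/.rels", "word/document.xml",
                 "word/styles.xml", "word/_rels/document.xml.rels", "docProps/core.xml"}


def w(tag: str) -> str:
    return f"{{{W}}}{tag}"


def serialise(root) -> bytes:
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def disarm_body(xml: bytes) -> bytes:
    """Drop field runs (DDE, INCLUDE*, ...) and embedded objects; unwrap hyperlinks to plain runs."""
    root = ET.fromstring(xml)
    for parent in list(root.iter()):
        for child in list(parent):
            is_field_run = child.tag == w("r") and (
                child.find(w("fldChar")) is not None or child.find(w("instrText")) is not None)
            if is_field_run or child.tag in (w("fldSimple"), w("object")):
                parent.remove(child)
            elif child.tag == w("hyperlink"):
                idx = list(parent).index(child)  # keep the visible runs, lose the r:id container
                parent.remove(child)
                for offset, run in enumerate(list(child)):
                    parent.insert(idx + offset, run)
    return serialise(root)


def drop_external_rels(xml: bytes) -> bytes:
    root = ET.fromstring(xml)
    for rel in list(root):
        if rel.get("TargetMode") == "External":
            root.remove(rel)
    return serialise(root)


def scrub_core(xml: bytes) -> bytes:
    root = ET.fromstring(xml)
    for el in root:
        if el.tag.endswith("}creator") or el.tag.endswith("}lastModifiedBy"):
            el.text = ""
    return serialise(root)


def prune_content_types(xml: bytes, kept: set) -> bytes:
    root = ET.fromstring(xml)
    for el in list(root):
        if el.tag == f"{{{CT}}}Override" and el.get("PartName", "").lstrip("/") not in kept:
            root.remove(el)
    return serialise(root)


def rebuild_docx(data: bytes) -> bytes:
    """Write a new package containing only allowlisted, disarmed parts."""
    transforms = {"word/document.xml": disarm_body,
                  "word/_rels/document.xml.rels": drop_external_rels,
                  "docProps/core.xml": scrub_core}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        kept = [n for n in src.namelist() if n in ALLOWED_PARTS]
        for name in kept:
            content = src.read(name)
            if name == "[Content_Types].xml":
                content = prune_content_types(content, set(kept))
            elif name in transforms:
                content = transforms[name](content)
            dst.writestr(name, content)
    return out.getvalue()


def summary(data: bytes) -> dict:
    """Part list, field-instruction count, external relationship count and visible text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        body = ET.fromstring(z.read("word/document.xml"))
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        return {"parts": sorted(z.namelist()),
                "fields": sum(1 for t in (w("instrText"), w("fldSimple")) for _ in body.iter(t)),
                "external": sum(1 for r in rels if r.get("TargetMode") == "External"),
                "text": "".join(t.text or "" for t in body.iter(w("t")))}


def parts_to_docx(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample (placeholders only): DDE field, external hyperlink, embedded object,
# VBA project and identifying core metadata around the text "Invoice pay here".
SAMPLE_PARTS = {
    "[Content_Types].xml": f'<Types xmlns="{CT}"><Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "_rels/.rels": f'<Relationships xmlns="{PKG}"><Relationship Id="rId1" Type="{R}/officeDocument" '
        'Target="word/document.xml"/></Relationships>',
    "word/document.xml": f'<w:document xmlns:w="{W}" xmlns:r="{R}"><w:body><w:p>'
        '<w:r><w:t>Invoice </w:t></w:r><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText>DDEAUTO placeholder-app placeholder-topic</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '<w:hyperlink r:id="rId2"><w:r><w:t>pay here</w:t></w:r></w:hyperlink>'
        '<w:r><w:object/></w:r></w:p></w:body></w:document>',
    "word/_rels/document.xml.rels": f'<Relationships xmlns="{PKG}"><Relationship Id="rId2" '
        f'Type="{R}/hyperlink" Target="https://example.invalid/pay" TargetMode="External"/></Relationships>',
    "word/vbaProject.bin": b"placeholder-not-a-real-vba-project",
    "word/embeddings/oleObject1.bin": b"placeholder-ole",
    "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>J. Example</dc:creator></cp:coreProperties>',
}

if __name__ == "__main__":
    original = parts_to_docx(SAMPLE_PARTS)
    print("before:", summary(original))
    print("after: ", summary(rebuild_docx(original)))
```

Nothing in the rebuild asks whether the DDE instruction or the VBA project is malicious; both are absent from the output because they were never on the list of content a document needs in order to display its text, which is why a change in how the payload is written makes no difference to the result.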
Whether the threat arrives via email, cloud upload, web browser, social media, or USB device, Glasswall CDR ensures your organization is protected at every trust boundary, before the threat has any chance to detonate.
Sources
Kaspersky, via Deepstrike.io, Malware Statistics 2026: Enterprise Trends, Impact, and Risk — ~500,000 malicious files detected per day (Nov 2024–Oct 2025 window)
Spacelift.io, 50+ Malware Statistics for 2026 — 1.2 billion distinct malware samples by 2024; average ransom payment increased 500% to $2 million in 2024; average recovery cost $2.73 million; ransomware in 44% of breaches
Controld.com, 100 Chilling Malware Statistics & Trends (2023–2026) — average data breach cost $4.88 million in late 2024; SaaS attacks up 61%
Hoxhunt, Phishing Trends Report — 94% of malware delivered via email (Verizon DBIR); PDF attachments 23.7% of malicious attachments H1 2025; SVG files increased fifty-fold in 2025
Cleartech Group, 94% of Malware is Delivered via Email — 45% of dangerous attachments use Microsoft Office formats; 33% of breaches involved social attacks
Deepstrike.io, Malware Statistics 2026: Enterprise Trends, Impact, and Risk — ESET H1 2025 attachment breakdown (scripts 44.5%, executables 24.2%); ClickFix up 500%; Unit 42 browser-based incidents 44%
Cyble, Top 15 Most Dangerous Malware Threats in 2025 — AI-generated phishing near-indistinguishable from legitimate communication
Google Cloud Blog / GTIG, AI Threat Tracker: Advances in Threat Actor Usage of AI Tools, November 2025 — LLM-powered malware families identified; dynamic script generation and code obfuscation mid-execution
Cybersecurity Dive, AI-based malware makes attacks stealthier and more adaptive, November 2025 — malware strain rewriting source code every hour
NTI Now, AI-Powered Attacks Expose Critical Security Gaps: 2026 Cybersecurity Warning — 70%+ of major 2025 breaches involved polymorphic malware
Sasa Software, Adaptive Malware: Understanding AI-Powered Cyber Threats in 2025 — fileless attacks up to ten times more successful than traditional malware
Hacking Loops, 37+ Malware Statistics To Know in 2026 — fileless malware attacks up 78% from 2024 to 2025
Axios, Hackers are already using AI-enabled malware, Google says, November 2025 — underground AI tools marketplace maturity; PromptFlux and PromptSteal details
TitanHQ, Email Security Trends and Statistics 2025 — one in five organizations hit by QR code phishing in the past twelve months
Riyya Ahmed
Our Senior Technical Writer and Product Marketing Manager, Riyya, is exceptional at authoring, organizing, and simplifying our product documentation. Using her keen eye for detail and wealth of experience in tech, Riyya helps our clients and partners seamlessly integrate with industry-leading Zero Trust CDR.
Eliminate malware before it reaches your network and ensure your files are always safe and secure with Glasswall’s Zero Trust and intelligent file protection.