Beware of Document-Borne Malware – A Hidden Threat to Financial Services

James Neilson, SVP International at OPSWAT

The financial services sector is an attractive target for cybercriminals, with groups motivated to steal money from bank accounts, access sensitive, private, and confidential data, or even destabilise financial markets for political purposes.

Whether financial or political motives drive them, cyberattackers leverage a wide range of tactics – including social engineering, phishing and ransomware – to exploit organisations, steal information or cause operational disruption. Often their chosen attack path is guided by the apps, solutions and tools that are most frequently used in the workplace. 

With document-borne malware continuing to pose a major threat, James Neilson explains the threat posed by this attack vector and, more importantly, how financial service organisations can protect themselves.

What is document-borne malware, and why is it a threat?

Document-borne malware is a type of malware delivered to users through files, typically via email. It often appears as malicious attachments, leveraging Microsoft 365 files or PDFs containing harmful hyperlinks.

The widespread use of productivity apps such as Microsoft 365, Google Drive, and Dropbox has fuelled the rise of these attacks.

Sensitive and proprietary records are frequently uploaded via web applications and portals or shared within departments as attachments. As a result, cybercriminals gain access to a potential goldmine of information and can spread malicious code across entire financial networks.

By exploiting these apps, cybercriminals can conceal malware, embed advanced threats within common file types, leverage vulnerabilities and use social engineering tactics to trick users into executing malicious macros or launching third-party executables.

The 2024 Verizon Data Breach Investigations Report revealed that exploiting vulnerabilities in PDF readers remains one of the top 10 malware techniques cybercriminals use.

Once activated, the malware can compromise individual users or entire systems. Attackers may disrupt financial operations, exfiltrate sensitive data to sell on the dark web, or use it as leverage in ransom negotiations with their target.

Why are organisations struggling to protect themselves against document-borne malware?

With the increasing digitalisation of financial services and the vast amounts of sensitive data they handle, the sector has become an easy target for financially motivated criminals.

Financial services companies store, transmit, and process immense volumes of sensitive information. Every day, they receive, distribute, and share numerous productivity files with employees, partners, and customers. As a result, a single malicious document slipping through—or being clicked on by an employee—can have serious consequences.

Although organisations know the risks posed by malicious macros, they often overlook the need to audit and analyse all incoming files, allowing other advanced threats to go undetected.

For example, attackers can configure script-enabled ActiveX controls within documents to download malicious payloads. Even “spoofed files” with false extensions can bypass anti-malware security measures.

Therefore, every file entering an organisation should be thoroughly audited and analysed, regardless of its source.

How can organisations check files are not malicious?

For financial service organisations, protecting against document-borne malware requires multiple layers of defence. Cybercriminals use various techniques to deploy malware, so relying on a single solution is insufficient.

First and foremost, organisations should implement strict policies on permissible file types, require user authentication before document uploads, and set file size limits. These measures help prevent malicious content from being uploaded in the first place.

All files should be verified to ensure they are not masquerading as “allowed” types and must be thoroughly scanned for malware. Proactive scanning enables organisations to stop malware before it reaches critical financial systems.
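The three controls above (a permitted-type allowlist, a size limit, and a check that a file really is the type its extension claims) can be combined into a single inbound-file gate. The following is an added example written for this article, not OPSWAT code or any product's logic; the allowlist and the 10 MiB limit are assumed policy values, while the leading "magic" bytes and the OOXML part names are those of the real formats. It goes slightly beyond the text by also recognising a macro-enabled document that has been renamed to a macro-free extension.

```python
"""Inbound file gate: permitted-type allowlist, size limit, and a check that a
file's content matches its claimed extension. Added example, not OPSWAT code."""
from __future__ import annotations
import io
import zipfile

MAX_BYTES = 10 * 1024 * 1024                               # assumed policy: 10 MiB upload limit
ALLOWED_TYPES = {"pdf", "docx", "xlsx", "pptx", "png"}     # assumed policy allowlist

# Leading bytes ("magic numbers") of common formats. OOXML documents are zip
# containers and need a second look, handled by sniff_ooxml below.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),                                # docx/xlsx/pptx are zip containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),          # legacy .doc/.xls/.ppt (OLE2)
    (b"MZ", "exe"),                                        # Windows PE executable/DLL
]

# Main part that identifies each OOXML application, mapped to its
# (macro-free, macro-enabled) extension pair.
OOXML_MAIN_PARTS = {
    "word/document.xml": ("docx", "docm"),
    "xl/workbook.xml": ("xlsx", "xlsm"),
    "ppt/presentation.xml": ("pptx", "pptm"),
}

def sniff_ooxml(data: bytes) -> str:
    """Identify an OOXML package by its main part and flag an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "zip"
    has_vba = any(n.endswith("vbaProject.bin") for n in names)
    for part, (plain, macro) in OOXML_MAIN_PARTS.items():
        if part in names:
            return macro if has_vba else plain
    return "zip"

def sniff(data: bytes) -> str:
    """Return the type implied by the file's content, independent of its name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return sniff_ooxml(data) if kind == "zip" else kind
    return "unknown"

def check_file(filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> tuple[bool, str]:
    """Apply the upload policy: size, claimed extension, and content-vs-extension
    agreement. Returns (accepted, reason)."""
    if len(data) > max_bytes:
        return False, "exceeds size limit"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not permitted"
    actual = sniff(data)
    if actual != ext:
        # Catches "spoofed files": an executable renamed invoice.pdf, or a
        # macro-enabled document renamed .docx to slip past an extension filter.
        return False, f"content is {actual}, not {ext}"
    return True, "ok"

def make_ooxml(parts: dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-shaped zip (constructed sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: a PDF, a PE renamed .pdf, a plain docx, a docm renamed .docx, an exe.
    samples = {
        "invoice.pdf": b"%PDF-1.7\n% constructed sample\n",
        "invoice_scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,
        "report.docx": make_ooxml({"word/document.xml": b"<w:document/>"}),
        "report_macro.docx": make_ooxml({"word/document.xml": b"<w:document/>",
                                         "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
        "setup.exe": b"MZ",
    }
    for name, data in samples.items():
        print(name, check_file(name, data))
```

The gate deliberately decides on content first and name second: the extension is only used to state what the sender claims, and the claim is then checked against the bytes. Note that this is a type check, not a malware check; a file that passes still goes to the multi-engine scanning and sanitisation steps described next.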

Using multiple anti-malware engines improves detection rates, minimises exposure to outbreaks, and covers the blind spots of individual scanning tools. Layering on behaviour-based advanced sandboxing catches previously unknown threats too.

Additionally, files may contain hidden threats in scripts and macros, so sanitising them before a user gains access is essential.

Technologies such as Content Disarm and Reconstruction (CDR) deconstruct files, remove malicious content, and reconstruct them while preserving full usability. This ensures files are safe to open without disrupting or delaying operations.
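To make the CDR principle concrete, here is a simplified, package-level sanitiser for Office Open XML files (docx/xlsx/pptx) together with a first-pass check for active content in PDFs. This is an added illustration written for this article, not OPSWAT's CDR or any product's code: it removes the VBA project, ActiveX and embedded-object parts from the zip container, repairs the package metadata that referred to them, and rebuilds the file. The part names, relationship types and content types are those of the OOXML packaging format; the sample document is constructed. A production CDR goes much further (it parses the content model of each part and rebuilds the document from known-good elements); the PDF check in particular is only a raw byte scan and cannot see names inside compressed object streams.

```python
"""Simplified CDR-style sanitiser for OOXML packages plus a PDF active-content
check. Added illustration, not OPSWAT's CDR. Sample data is constructed."""
from __future__ import annotations
import io
import re
import zipfile

def is_active_part(name: str) -> bool:
    """Package parts that carry executable or embedded content."""
    return (name.endswith("vbaProject.bin")     # VBA macro project
            or "/activeX/" in name               # ActiveX control parts
            or "/embeddings/" in name)           # OLE / embedded objects

# Macro-enabled main content types and the macro-free types they become once
# the VBA project is gone, so the rebuilt file opens as a plain document.
MACRO_TO_PLAIN = {
    b"application/vnd.ms-word.document.macroEnabled.main+xml":
        b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    b"application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    b"application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        b"application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}

def _drop_removed_rels(body: bytes, removed_basenames: set[bytes]) -> bytes:
    """Remove <Relationship .../> elements whose Target pointed at a removed part."""
    def keep(m: re.Match) -> bytes:
        target = re.search(rb'Target="([^"]*)"', m.group(0))
        if target and target.group(1).rsplit(b"/", 1)[-1] in removed_basenames:
            return b""
        return m.group(0)
    return re.sub(rb"<Relationship\b[^>]*/>", keep, body)

def sanitise_ooxml(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without active parts. Returns (clean bytes, removed part names)."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        removed = [n for n in src.namelist() if is_active_part(n)]
        removed_basenames = {n.rsplit("/", 1)[-1].encode() for n in removed}
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in src.namelist():
                if name in removed:
                    continue
                body = src.read(name)
                if name == "[Content_Types].xml":
                    for part in removed:      # drop the Override for each removed part
                        pat = rb'<Override\b[^>]*PartName="/' + re.escape(part.encode()) + rb'"[^>]*/>'
                        body = re.sub(pat, b"", body)
                    for macro, plain in MACRO_TO_PLAIN.items():
                        body = body.replace(macro, plain)
                elif name.endswith(".rels"):
                    body = _drop_removed_rels(body, removed_basenames)
                dst.writestr(name, body)
    return out.getvalue(), removed

# PDF name objects that introduce script, auto-run or launch behaviour.
PDF_ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def pdf_active_names(data: bytes) -> list[str]:
    """First-pass byte scan of a PDF for active-content names. Names inside
    compressed object streams are invisible to this scan (a real CDR walks the
    parsed object tree), so an empty result is not proof of a clean file."""
    return [n.decode() for n in PDF_ACTIVE_NAMES
            if re.search(re.escape(n) + rb"(?![A-Za-z])", data)]

def part_names(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()

def read_part(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)

def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled Word package (not a real document)."""
    parts = {
        "[Content_Types].xml": (
            b'<Types><Override PartName="/word/document.xml" '
            b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            b'<Override PartName="/word/vbaProject.bin" '
            b'ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
        "word/document.xml": b"<w:document/>",
        "word/_rels/document.xml.rels": (
            b'<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/'
            b'office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/'
            b'2006/relationships/styles" Target="styles.xml"/></Relationships>'),
        "word/styles.xml": b"<w:styles/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    clean, removed = sanitise_ooxml(build_sample_docm())
    print("removed:", removed, "remaining:", part_names(clean))
    print(pdf_active_names(b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R /JS (app.alert(1)) >>"))
```

The point the code makes is the one in the paragraph: the user receives a file of the same type, with the same text, styles and layout, but with the parts that could execute code gone and the package metadata consistent, so the document still opens. Whatever was removed is returned to the caller, which is what an audit log of sanitised content should record.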

Advanced email security tools that block phishing attempts and scan attachments or URLs for malicious content are also crucial for reducing risk and strengthening organisational resilience.

Beyond email, other sources of inbound files and data need to be identified and scanned, for example the web-facing apps that customers, business affiliates or suppliers use. Files that traverse the boundaries between business units also need to be scanned. Trust but verify clean content!

Ultimately, the financial services sector remains a prime target for cybercriminals, and document-borne malware is a growing yet often underestimated threat. By proactively auditing and securing all incoming files, financial institutions can significantly reduce their vulnerability to cyberattacks and safeguard critical systems, sensitive data, and operational stability.
