New Year, Same Silent Threats: How Zero-Days Evade Detection
We’ve said it before and we’ll say it again — documents are the lifeblood of any business. From contracts to reports to proposals and customer files, these sensitive documents keep operations running smoothly. Millions of files flow through organizations daily via email, shared drives, and cloud platforms, enabling collaboration and productivity. But this convenience comes at a cost.
Cybercriminals have turned trusted documents into powerful tools for attack. A seemingly harmless PDF, Word file, or spreadsheet can carry hidden malware, ransomware, or data-stealing code. With files so ingrained in our workflows, they often go unnoticed as potential threats—until it’s too late. In a world where one click can bring down an entire system, protecting against weaponized documents has never been more critical.
The Dangers Start with Delivery
A phishing email posing as a vendor request, a seemingly harmless resume, or a financial report uploaded to a shared drive can carry hidden threats. These files arrive disguised as part of daily workflows, blending into routine operations without raising suspicion. Their familiarity makes them easy to trust—until they’re opened, and it’s too late.
What makes file-based attacks particularly insidious is their ability to bypass security measures. Unlike suspicious links or obvious attachments, weaponized files exploit a false sense of safety. They slip past traditional antivirus tools, which often fail to detect manipulated file structures. The damage is already done by the time the malicious code executes—whether it exfiltrates sensitive data, encrypts systems with ransomware, or disrupts operations.
The consequences are severe:
- Malware Infection: Compromised files can steal credentials, leak confidential records, or give attackers a foothold in the network.
- Ransomware Disruption: Malicious code encrypts critical systems, halting operations until a ransom is paid.
- Financial and Reputational Loss: Breaches erode trust, damage reputations, and come with regulatory penalties.
- Downtime and Operational Chaos: A single compromised document can bring business continuity to a screeching halt.
In an environment where files are both ubiquitous and trusted, this blind spot creates an undeniable risk. Without proactive solutions to neutralize malicious code before files are accessed, organizations remain vulnerable to an attack vector that thrives on stealth and familiarity.
Investigating a Current 0-Day
File-based attacks often appear harmless at first glance, but they follow a calculated series of steps designed to bypass defenses and exploit trusted systems. This particular zero-day attack, discovered by the ANY.RUN team, showcases this sophistication. It demonstrates how corrupted files can slip through security measures and unleash their payload undetected.
Here’s how such an attack unfolds:
Step 1: Delivery of a Weaponized Document
The attack begins with a corrupted file disguised as something routine—a resume, invoice, or internal report. These files are typically distributed through phishing emails, masquerading as legitimate communications from colleagues, vendors, or trusted partners. Alternatively, attackers may place the file in a shared drive, cloud platform, or collaboration tool, waiting for an unsuspecting user to access it.
Step 2: Obfuscation Through Corruption
This attack’s reliance on file corruption as an evasion technique is what makes it so effective. As detailed by the ANY.RUN team, these corrupted files are intentionally malformed in ways that prevent traditional antivirus (AV) tools and endpoint detection systems from unpacking and scanning their contents. By manipulating file structures—such as headers, directories, or metadata—attackers ensure the malicious payload remains hidden, passing through static security checks undetected. It’s why even the best AV tools are not enough on their own.
Step 3: Exploitation Through Trusted Applications
The real danger occurs when the corrupted file is opened by a trusted application like Microsoft Word or Excel. Unlike security tools, these programs are designed to recover and reconstruct damaged files, prioritizing usability over caution. Attackers exploit this feature to ensure the file’s embedded malicious code executes once the document is opened. At this stage, the user remains completely unaware that their trusted software has become a vector for compromise. This, as with all cybersecurity efforts, is why a proactive defense will always triumph over a reactive one.
Step 4: Compromise
With the malicious payload activated, the consequences unfold. Attackers may install malware to steal sensitive data, capture credentials, or establish persistent access to the network. In ransomware scenarios, files are encrypted and operations grind to a halt until a ransom is paid. The ANY.RUN team highlights how this technique allows attackers to deliver malware that traditional defenses miss entirely, emphasizing the severity of this threat.
Why File-Based Attacks Still Work
The success of file-based attacks lies in a combination of technical manipulation, trusted applications, and the inherent limitations of traditional security tools. At the core of this issue is how documents—like Word files—are structured and how attackers exploit that structure to evade detection.
Word documents and similar file types (PDFs, Excel files, etc.) are not simple text containers. Instead, they operate like archives, comprising multiple sections: local file headers, central directories, and end records. These sections are intricately linked and designed to ensure the file remains recoverable, even if parts are corrupted or manipulated. Applications like Microsoft Word are built to reconstruct damaged files automatically, prioritizing usability. While this is helpful for users dealing with accidental file corruption, it gives attackers a critical opening: malicious code can be hidden in manipulated file sections, undetectable to most security tools, but recoverable—and executable—by trusted software.
Antivirus and traditional endpoint security tools rely on unpacking files and scanning their contents for known malware signatures or suspicious patterns. However, attackers leverage file obfuscation techniques—altering headers, metadata, or structures—to prevent AV tools from fully reconstructing and analyzing the file. Unlike Microsoft Word or Adobe Reader, which are designed to recover and render documents for user readability, security tools lack the advanced recovery mechanisms required to interpret these manipulated files. This creates a blind spot where malicious content remains hidden during the scanning process but activates when opened in the trusted application.
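The following added example, which is not code from this article, ANY.RUN, or Votiro, checks that the three ZIP sections of a Word (.docx) file named above (local file headers, central directory, end record) agree with one another, so a gateway can quarantine a document its scanner cannot parse strictly instead of passing it as clean. It assumes a single-disk, non-ZIP64 archive; `check_zip_structure`, `build_sample_docx` and `triage` are hypothetical names, and the sample bytes are constructed.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD = struct.Struct("<4s4H2IH")      # end of central directory record (22 bytes)
CDH = struct.Struct("<4s6H3I5H2I")    # central directory file header (46 bytes)


def check_zip_structure(data: bytes) -> list[str]:
    """Return structural findings; an empty list means the three sections agree."""
    # Assumption: single-disk, non-ZIP64 archive, as a typical .docx is.
    findings = []
    if not data.startswith(LFH_SIG):
        findings.append("file does not start with a local file header")
    # The end record sits in the last 22 + 65535 (max comment) bytes.
    eocd_pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd_pos < 0 or eocd_pos + EOCD.size > len(data):
        findings.append("end of central directory record missing or truncated")
        return findings
    _, _, _, _, total, cd_size, cd_off, _ = EOCD.unpack_from(data, eocd_pos)
    if cd_off + cd_size != eocd_pos:
        findings.append("central directory offset/size do not line up with end record")
    pos = cd_off
    for i in range(total):
        if pos + CDH.size > eocd_pos or data[pos:pos + 4] != CDH_SIG:
            findings.append(f"central directory entry {i} missing or malformed")
            break
        f = CDH.unpack_from(data, pos)
        name_len, extra_len, comment_len, lfh_off = f[10], f[11], f[12], f[16]
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append(f"entry {i}: no local file header at offset {lfh_off}")
        pos += CDH.size + name_len + extra_len + comment_len
    return findings


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: a small ZIP with OOXML-style member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def triage(data: bytes) -> str:
    """Fail closed: a file the scanner cannot parse strictly is not 'clean'."""
    return "quarantine" if check_zip_structure(data) else "scan"
```

The point of `triage` is the policy rather than the parser: a document that a strict reader rejects but Word would repair should be held for inspection, not treated as having no detections.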
File-based attacks work because they exploit the intersection of trust and stealth:
- Trusted Applications: Employees inherently trust documents opened in familiar tools like Word, Excel, Teams, or PDF readers. These programs are used daily and rarely raise suspicion.
- Technical Evasion: Manipulated files bypass traditional AV and endpoint defenses, which cannot analyze the file structure as comprehensively as the native application.
- Human Behavior: The seamless appearance of malicious documents—often delivered via emails or shared platforms—makes them appear legitimate, prompting users to open them without hesitation. This human error hasn’t changed as we head into 2025.
This blend of technical evasion and social engineering ensures attackers can execute their payload without detection. Addressing this gap requires a proactive solution that neutralizes threats before they ever reach trusted applications or unsuspecting users.
Why CDR is Still the Best Bet for File-borne Threat Prevention
Modern cyber threats have outpaced traditional detection-based defenses, creating a critical need for proactive solutions. Content Disarm and Reconstruction (CDR) fills this gap by taking a zero-trust approach to files, assuming every document is potentially malicious by default. Instead of scanning for known signatures, CDR deconstructs files, removes any hidden or manipulated threats, and reconstructs clean versions that can safely be delivered to end-users.
This approach eliminates risks before files ever reach the endpoint. By dismantling the document to its core components, CDR removes malicious headers, scripts, or embedded code that attackers use to evade detection. With advanced CDR tools, such as Votiro’s Positive Selection® technology, the sanitized file is then safely rebuilt to maintain its original functionality, ensuring workflows remain uninterrupted.
While AV solutions are effective gatekeepers against the slew of common and reused threats deployed daily, they often fail to detect new threats. Why? Because they cannot fully unpack or reconstruct manipulated file structures the way generally trusted applications, like Microsoft Word, can. This gives attackers a stealthy entry point.
CDR eliminates this weakness entirely. CDR neutralizes threats at the source by breaking files apart and removing malicious elements, proactively preventing zero-day and unknown attacks. Because the process occurs before files are delivered to endpoints, there’s no reliance on human judgment or endpoint recovery mechanisms to detect or mitigate risks.
Votiro is Zero Trust Prevention for Zero-Day Threats
Advanced CDR technology is the foundation of our Zero Trust Data Detection and Response (DDR) platform. With our CDR solution in your tech stack, we’re able to deliver unparalleled protection against file-based threats by sanitizing every file before the point of entry. Unlike reactive AV tools alone, Votiro CDR proactively deconstructs files, removes hidden threats, and reconstructs clean, usable versions without disrupting workflows, bogging down IT with alerts and false alarms, or interrupting the user experience.
Seamlessly integrating into existing infrastructure, Votiro works across email gateways, file-sharing platforms, and collaboration tools to provide comprehensive coverage. While AV tools still play a role in identifying known threats, Votiro fills the critical gap with proactive, signature-less defense against unknown and evasive attacks.
Contact us today for a demo and take the first step toward preventing malicious code in your files — today, throughout 2025, and as long as threat actors continue to deploy these silent threats.