What is Threat Extraction? How It Can Prevent Malware from Hiding in Files

Man pushing a red block in a stack of light brown blocks - Votiro

What is Threat Extraction?

Threat Extraction is a security technology that protects organizations against known and unknown threats hidden within documents by removing malicious content. Threat extraction is also known as file sanitization or Content Disarm and Reconstruction (CDR). 

Threat extraction comes in multiple forms. In general, threat extraction does not rely on detection to prevent malicious content from entering the organization. Instead of relying on databases of known signatures, the technology assumes all files are malicious and scrutinizes all files outside of the approved firewall. Depending on the type of threat extraction, the technology can remove malware, strip any embedded code, and rebuild the file in a way that disrupts any additional covert malicious code.

The three levels of threat extraction technology are:

Type 1:  A flattened file delivered as a safe but unfunctional PDF
Type 2: A file with active content, macros, and other malicious and safe content removed
Type 3: A safe copy of the original file on a clean template, with all functionality intact, also known as Positive Selection® technology

Why the Focus on Documents?

Hackers have long realized that the easiest way to infiltrate businesses and organizations is to embed malicious code into seemingly innocent files. They mainly use productivity files, such as Microsoft Office files, PDFs, or images, but other file types may be used to deliver malicious payloads as well. In the first six months of 2022, SonicWall found Microsoft Office files responsible for more than 10% of all malware, and PDFs accounted for more than 18% percent. Many of these threats first enter an organization through email phishing schemes — underhanded attempts to fool employees and individuals into opening and clicking on malicious links or attachments in emails. In fact, according to Verizon’s 2022 Data Breach Investigations Report,  around 20% of all data breaches involve phishing.

When the file is opened, the hidden malware automatically executes and allows the criminals to carry out their malicious plans – whether to gain access to valuable company data or to cause damage to an organization. These file-borne malware threats are especially challenging to detect; many of them are unknown or Zero Day, meaning that standard malware detection tools or solutions will not prevent the attacks. As 80% of successful breaches are new or unknown zero-day attacks, proactive cybersecurity measures to protect against file-based attacks – such as threat extraction – are necessary.  

Examples of File-based Breaches

RLO: In February 2022, hackers targeted Microsoft 365 users with phishing emails that utilized a technique known as the right-to-left override (RLO). The aim was to lure Microsoft 365 users into clicking on a file attachment by spoofing the extension of a file using a special Unicode character. Unsuspecting users thought they are clicking on an .mp3 voicemail file or a simple .txt message, but they were actually executing a malicious .exe script. 

MirrorBlast: In October 2021, a phishing campaign known as MirrorBlast started with a document attached to an email. Later, the attack used a Google feed proxy URL with a SharePoint and OneDrive lure that posed as a file share request. When users clicked on the URL, they were directed to a compromised SharePoint or OneDrive site, leading to the weaponized MS Office document.  

Zloader: In July 2021, legacy users of Microsoft Excel were targeted in a phishing campaign that used an innovative evasive malware technique to disable Office security mechanisms and deliver the Zloader payload without triggering alerts. Zloader is a banking trojan designed to steal financial institutions’ credentials and other customer details. When the user opened the XLSM file, a legitimate-looking image prompted the user to enable the content. 

How Votiro Can Protect Your Organization using Advanced Threat Extraction

In the face of the ongoing increase of cyberattacks, organizations must secure their day-to-day operations. Instead of scanning for suspicious elements and blocking some malicious files, Votiro, backed by Positive Selection® technology, rebuilds every document, copying only the known-good, positively selected content and ensuring only the safe template elements remain. Votiro’s capability as a file sanitizer and threat extractor means all external documents are sanitized before they penetrate the internal environment, preventing threats in files such as malware and the ransomware it causes.

If you’d like to learn more about how our proprietary threat extraction technology can secure your organization from file-based malware, click here

background image

News you can use

Stay up-to-date on the latest industry news and get all the insights you need to navigate the cybersecurity world like a pro. It's as easy as using that form to the right. No catch. Just click, fill, subscribe, and sit back as the information comes to you.

Subscribe to our newsletter for real-time insights about the cybersecurity industry.