How attackers use corrupted files to bypass security measures

New zero-day attack bypasses antivirus, sandbox and spam filters using corrupted files. Learn how ANY.RUN’s sandbox detects and combats these advanced threats.

A new zero-day attack campaign has emerged that exploits corrupted files to bypass even the strongest security protections. This attack, recently identified by cybersecurity researchers at ANY.RUN, shows how sophisticated modern cyber threats have become.

By bypassing antivirus software, sandbox environments, and email spam filters, these malicious files reach their targets with alarming efficiency. Let’s look more closely at this attack, why it is so effective, and how to identify it before further damage is done.

Overview of the new zero-day attack

According to ANY.RUN, this zero-day attack campaign has been active since at least August 2024. The investigation found that attackers use a unique technique: intentionally corrupting files to avoid detection.

These corrupted files, often disguised as ZIP archives or Microsoft Office documents such as DOCX, bypass traditional security measures by exploiting loopholes in standard file processing procedures.


Although the files appear corrupted, they remain fully functional and execute malicious code when opened in their intended programs. This makes this approach particularly dangerous:

  • Antivirus bypass: Traditional antivirus solutions struggle to properly scan corrupted files. As a result, many report them as clean or simply return a “not found” error.
  • Sandbox resistance: Many static analysis tools cannot process these files because their corrupted structure prevents accurate file-type identification.
  • Spam filter bypass: Even Outlook’s robust spam filters can’t block these malicious emails, so the malicious attachments go straight to inboxes.

This allows the corrupted files to run successfully on the victim’s operating system and remain invisible to most defenses.

However, ANY.RUN’s interactive sandbox was able to overcome these challenges and detect the malicious activity. Unlike other security tools, the sandbox dynamically analyzes corrupted files by interacting with them in real time. This makes it possible to uncover their true behavior and accurately identify them as threats.

Malicious activity was detected by the ANY.RUN sandbox

In the following analysis session, the sandbox successfully detects the threat and flags it as malicious activity thanks to its automated interactivity feature. This advanced feature launches the corrupted files in their corresponding programs and allows the sandbox to observe and identify malicious behavior that traditional tools may miss.

How the zero-day attack is carried out

During this campaign, attackers rely on the built-in recovery mechanisms of user applications (such as Microsoft Word’s document repair) to restore and execute the intentionally damaged files. Below are more details about these steps:


The analysis session revealed that a corrupted file was delivered via email and evaded traditional detection systems. Because security tools could not process the file, it went undetected.

However, ANY.RUN’s sandbox took a different approach and opened the file in its intended application. When built-in recovery features such as Microsoft Word’s repair mechanism kicked in, the malicious payload executed as expected.

The sandbox’s interactivity allowed it to detect this behavior and flag the file as malicious, demonstrating its effectiveness in detecting threats that bypass traditional tools.
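The practical lesson of the bullet list above and of the recovery steps just described is that a scanner which fails to parse a file must not report it as clean: a DOCX or ZIP whose trailing structure is damaged can still carry every entry the host application's repair routine needs to open it. The following Python example, added here and not taken from ANY.RUN or the original post, shows a defender-side triage check that treats a parse failure as a finding. It builds a constructed DOCX-shaped archive, deliberately strips its end-of-central-directory record (one hypothetical form of corruption, chosen for illustration), and then walks the per-entry local file headers to decide whether the file is "recoverable" and should be routed to dynamic analysis rather than dismissed.

```python
import io
import struct
import zipfile

# Signatures from the ZIP format specification (APPNOTE.TXT).
LOCAL_FILE_HEADER = b"PK\x03\x04"   # precedes every stored entry
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # trailer that strict parsers look for first

# Entry names that identify an Office Open XML (DOCX) package.
OOXML_MARKERS = ("[Content_Types].xml", "word/document.xml")


def local_entry_names(data: bytes) -> list[str]:
    """Walk local file headers directly, ignoring the central directory.

    This mirrors what an application's repair routine can do: the per-entry
    headers survive even when the trailing central directory is damaged.
    """
    names = []
    pos = data.find(LOCAL_FILE_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        # Fixed 30-byte header: compressed size at +18, name/extra lengths at +26.
        comp_size = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30 : pos + 30 + name_len]
        names.append(name.decode("utf-8", errors="replace"))
        # Skip past this entry's payload, then search for the next signature.
        pos = data.find(LOCAL_FILE_HEADER, pos + 30 + name_len + extra_len + comp_size)
    return names


def assess_file(data: bytes) -> str:
    """Classify a file the way a defender should: a parse error is not 'clean'.

    Returns one of:
      'parses'         - the standard library reads the archive normally
      'recoverable'    - the central directory is broken, but local entries
                         exist, so the host application may repair and open it
      'not-an-archive' - no ZIP structure at all
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return "parses"
    except zipfile.BadZipFile:
        pass  # fall through: do NOT treat the failure as a clean result
    return "recoverable" if local_entry_names(data) else "not-an-archive"


def looks_like_docx(data: bytes) -> bool:
    """True when the recoverable entries carry the DOCX package markers."""
    names = set(local_entry_names(data))
    return all(marker in names for marker in OOXML_MARKERS)


def build_docx_like() -> bytes:
    """Constructed sample: a minimal DOCX-shaped ZIP (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt_trailer(data: bytes) -> bytes:
    """Constructed corruption: drop the end-of-central-directory record.

    A strict parser now rejects the file, yet every entry is still present
    for a repair routine to find.
    """
    eocd = data.rfind(END_OF_CENTRAL_DIR)
    if eocd == -1:
        raise ValueError("sample has no end-of-central-directory record")
    return data[:eocd]


if __name__ == "__main__":
    intact = build_docx_like()
    damaged = corrupt_trailer(intact)
    print("intact :", assess_file(intact))
    print("damaged:", assess_file(damaged), "docx-like:", looks_like_docx(damaged))
    print("garbage:", assess_file(b"not a zip at all"))
```

The design point is the `except` branch: the verdict after a `BadZipFile` is "recoverable" or "not-an-archive", never "clean", and a recoverable file that still carries the DOCX markers is exactly the kind of attachment that deserves detonation in a sandbox with the target application.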


Get your Black Friday deal from ANY.RUN

Combat complex cyber threats such as corrupted file attacks with ANY.RUN’s interactive sandbox. Its automated interactivity launches and analyzes even the most elusive files, uncovering malicious behaviors that traditional tools miss.

With ANY.RUN you can uncover the big picture of complex cyber attacks and effectively protect your systems. This Black Friday, take advantage of exclusive offers and strengthen your protection. Hurry, offers end December 8th:

  • For individual users: Get 2 licenses for the price of 1.
  • For teams: Enjoy up to 3 licenses + a basic annual plan for Threat Intelligence Lookup, ANY.RUN’s comprehensive threat intelligence database.

Check out all the offers and try the service today with a free trial →
