Prevent Advanced Malware and Ransomware Attacks from Striking
Today’s cyber attacks appear relentless, growing in frequency and intensity, and proliferating throughout all industries. There is no ‘normal’, and the impact of each attack is felt throughout the business, from the organization’s supply chain to its customers, partners and beyond. It is almost impossible not to notice the cybersecurity stories in the media, wherever you are in the world and whatever industry you are in. What has come to light is that traditional cybersecurity protection is becoming increasingly ineffective against this next generation of evasive malware and the myriad attacks that carry it.
Cyber attackers have become patient, mounting increasingly sophisticated campaigns against both organizations and the individuals within them using all the latest social engineering methods available. They silently harvest information from social media platforms and from hidden document metadata readily found on the company website or in cloud collaboration tools, preparing for a targeted attack. To combat this onslaught, organizations need to deploy a more effective layer of advanced threat protection aimed at securing their most valuable asset: critical information. Mitigating the new threat vector of embedded malware while continuing to support collaborative working practices enables the business to remain secure, yet agile.
Is the Number of Threats Really Increasing?
For most CFOs, the favorite graph is the one that goes ‘up and to the right.’ Unfortunately for the CIO, when it comes to cyber threats this is certainly not what they want to see. Raw numbers are difficult to get to grips with; the impact of malware on organizations is easier to relate to.
The Next Generation of Evading Malware
Today’s cyber attacks are not just after credit cards or bank details; they also target critical information. That information could be new product designs, personnel records, contract information or customer details. Critical information takes many forms and is specific to each organization, but every guise of it can be monetized very easily on the dark web, used for the attacker’s own personal gain, or held hostage for ransom.
Evolution of Attacks
Early hackers were often driven by notoriety rather than profit, targeting high-profile “trophy” organizations for recognition within niche communities.
Over time, motivations shifted toward financial gain. Attackers began focusing on easy-to-monetize data such as credit card numbers, followed by bank account credentials. Entire underground ecosystems emerged to rapidly process and cash out stolen financial information.
As defenses improved, attackers moved further up the value chain to personally identifiable information (PII), enabling identity theft and broader fraud. Medical records have since become especially valuable — often worth significantly more than credit card data — due to their usefulness in insurance fraud and identity impersonation. Usernames and passwords are also heavily traded, particularly corporate credentials that can unlock enterprise networks and higher-value targets.
Today, nearly all sensitive data has a market value, depending on who wants it and for what purpose. Even when direct monetization isn’t the goal, as with hacktivist groups, data breaches may be used for disruption or leverage, sometimes combined with tactics like distributed denial-of-service (DDoS) attacks.
The threat landscape has also expanded dramatically. Attackers are no longer isolated individuals seeking fame, but include organized cybercrime groups, ideologically motivated collectives, and state-sponsored actors operating globally without geographic constraints.
At the same time, attack methods have evolved. Early threats relied on users executing malicious attachments. Later, phishing links became common. Today, malware is often hidden inside seemingly legitimate documents. Opening a file can silently trigger infection, allowing attackers to compromise both endpoints and entire networks. These modern threats are frequently highly targeted, evading traditional security tools such as antivirus, firewalls, and sandboxing systems.
Once inside, the malware is designed to remain stealthy — operating “low and slow,” carrying out objectives over extended periods rather than acting immediately and drawing attention.
What Are the Options to Mitigate APTs?
Information-borne threats are particularly difficult to mitigate. In essence, the malware is embedded in a document, but that document may also contain information which is genuinely required for legitimate business, so it cannot simply be blocked. For example, attackers infect documents stored in a cloud-based collaboration repository so that the payload is delivered when the documents are opened on a corporate network. Cloud-based collaboration is now the de facto standard when working with other organizations, but because of the lack of control over it, it can become the weakest link in the security chain.
What About Sandboxing?
APTs are seldom detected by traditional anti-virus solutions. Detection can be improved by using multiple AV engines, but even this is not 100% effective. Another approach is to use a sandbox: the executable is run, or the document is opened, in a controlled environment and its behavior is monitored. The major disadvantage of this approach is the ever-increasing sophistication of the malware, which can now evade detection in sandboxes.
“Malware sandboxes have registered good results and potential in curbing the problem; however, authors of the malware have found ways of bypassing the analysis measures put in place. It is sound to say that sandboxes no longer provide or guarantee the needed protection that is required to be afforded to computing systems to prevent malware attacks.”
Sandboxing’s secondary impact is the delay in delivery while the behavioral monitoring takes place. Business communication is frequently time-critical, especially when documents are attached (which is why people tend to open them before considering where they came from and who might have sent them), so any delay is a delay to business. Organizations that deploy sandboxing technology often switch off the technology to ensure that the communication is delivered immediately, and then take a copy for analysis. If malware is detected, they then have a process to try to delete the offending document before it infects the organization; the remediation often comes too late.
What about a Dual Anti-Virus Solution?
Most organizations have an anti-virus solution of one sort or another. Best practice is to use a different vendor’s solution at the ingress points from the one on the endpoint, because each vendor detects viruses slightly differently, especially through heuristics. While it is not practical to have multiple AV solutions on each endpoint, it is practical at the ingress points, the email and web gateways. Over time, all the anti-virus engines will detect the same viruses, but it is the additional coverage when a virus is first discovered that makes dual anti-virus effective.
What About Next-Generation Anti-Virus?
Traditional anti-virus relies on signatures and heuristics, which means protection depends on how quickly new threats are identified and distributed to endpoints. Even with frequent updates, there is still a short window where new malware can go undetected.
Next-generation anti-virus (NGAV) reduces this gap by using cloud-based intelligence to check suspicious files and behavior in real time. This allows new threats to be identified and blocked much faster than waiting for local signature updates.
However, it doesn’t eliminate the risk entirely. Highly targeted or novel attacks can still evade detection, so NGAV improves protection but does not provide complete security on its own.
Why Is Our Approach Different?
Fortra Email Security has built its reputation on a technology called Deep Content Inspection, which is the ability to take a document or an archive and pull it apart and then analyze the constituent pieces. Further innovation came with the launch of Adaptive Redaction and with it the ability to rebuild documents having removed any data which breaks information security policies. While the technology was originally developed as part of an Adaptive Data Loss Prevention solution, it has been refined to additionally deliver an easy-to-use, cost-effective, advanced threat protection solution; the key component being Structural Sanitization.
Structural Sanitization
Deep Content Inspection (DCI) is used to fully understand a document and its constituent parts in real time. When it comes to protecting against APTs, it is primarily about detecting and removing active content. These are embedded macros and scripts which activate when a document is opened. It can also look for and remove piggybacked content, which is attached to other embedded objects, such as images.
In order to be effective, DCI doesn’t stop at one level; it recurses through up to 50 levels of nesting until the innermost content is reached. So, if there is embedded malware in a spreadsheet, which is embedded in a Word document, which is in an archive, DCI will find and remove it. Unlike anti-virus solutions, it doesn’t rely on signatures and doesn’t require constant updating.
Structural Sanitization can be rapidly deployed and typically costs less than a fifth of sandbox technology. It requires no specialist training and does not impact business agility. It can also be combined with sandboxing, enabling a safe version of the document to be delivered while analysis takes place, at which point the original can be forwarded on if there are no threats detected. Furthermore, active DCI within the email (or web gateway) can ensure that only documents with active content are forwarded to the sandbox solution, reducing the overhead of the sandbox scanning non-malicious files.
Document Sanitization
Today’s documents can contain hidden threats beyond their visible content, especially in the form of metadata. Metadata includes details such as who created a file, when it was created, the device or system used, and even location data like GPS coordinates in photos. While useful for organization and tracking, this information can also be exploited by attackers to gather intelligence about individuals and organizations.
Cybercriminals use metadata to strengthen phishing attacks by making malicious messages appear more legitimate and targeted. For example, an email referencing internal systems, usernames, or printer names is more likely to be trusted because it reflects real organizational details. These subtle clues should not typically leave the organization, as they provide attackers with valuable context.
Documents may also expose sensitive information through revision history or embedded change tracking, sometimes unintentionally included via features like “track changes” or fast-save data. This can reveal prior versions of content, internal discussions, or confidential edits, creating a risk of data leakage.
To mitigate these risks, technologies such as Deep Content Inspection and Document Sanitization are used. These systems analyze files as they move in and out of an organization — via email, web uploads, or cloud collaboration tools — and automatically remove metadata and revision data. They can also be deployed through mechanisms like reverse proxies to sanitize documents before they are downloaded from external-facing systems, helping prevent sensitive information from being exposed.
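As an added example (not Fortra’s code, and not a description of its DCI engine), the following Python sketch shows the mechanics that both the Structural Sanitization and Document Sanitization sections describe: recursive unpacking of nested zip-based containers with a 50-level limit, removal of active-content parts (macro storage) and metadata parts from an OOXML package, and a report of what was stripped. The part-name patterns, the `sanitize`, `zipped` and `build_sample` names, and the sample document are all constructed for illustration.

```python
# Added example (not Fortra's code): toy structural + document sanitizer for zip-based
# containers (OOXML packages, archives). Part-name patterns are assumed, not exhaustive.
import io
import re
import zipfile

MAX_DEPTH = 50                      # nesting limit; deeper containers are rejected
ZIP_MAGIC = b"PK\x03\x04"
ACTIVE_CONTENT = re.compile(r"(^|/)vba(Project\.bin|Data\.xml)$", re.I)   # macro storage
METADATA = re.compile(r"^docProps/(core|app|custom)\.xml$", re.I)        # author, dates, etc.

def sanitize(blob: bytes, depth: int = 0, prefix: str = "") -> tuple[bytes, list[str]]:
    """Return (sanitized_blob, removed_part_paths); non-zip data passes through."""
    if not blob.startswith(ZIP_MAGIC):
        return blob, []
    if depth >= MAX_DEPTH:
        raise ValueError(f"nested deeper than {MAX_DEPTH} levels at {prefix!r}")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        names = src.namelist()
        dropped = [n for n in names if ACTIVE_CONTENT.search(n) or METADATA.match(n)]
        removed = [prefix + n for n in dropped]
        for name in names:
            if name in dropped:
                continue
            # Recurse: a .docm inside a .zip, a spreadsheet inside a Word document, etc.
            data, inner = sanitize(src.read(name), depth + 1, prefix + name + "!/")
            removed += inner
            if name == "[Content_Types].xml" and dropped:
                # Keep the package consistent by dropping Overrides for the removed parts.
                alts = "|".join(re.escape("/" + n) for n in dropped)
                data = re.sub(rf'<Override\b[^>]*\bPartName="(?:{alts})"[^>]*/>'.encode(), b"", data)
            dst.writestr(name, data)
    return out.getvalue(), removed

def zipped(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in entries.items():
            z.writestr(n, d)
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed input: a macro-enabled document with author metadata inside an archive."""
    docm = zipped({
        "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" ContentType="a"/><Override PartName="/word/vbaProject.bin" ContentType="b"/></Types>',
        "word/document.xml": b"<w:document>Q3 forecast</w:document>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake VBA storage",
        "docProps/core.xml": b"<cp:coreProperties><dc:creator>j.smith</dc:creator></cp:coreProperties>",
    })
    return zipped({"readme.txt": b"see attached", "forecast.docm": docm})
```

A production sanitizer would also rewrite the `.rels` relationship parts that point at removed content and would handle non-zip containers (OLE2, PDF); this sketch keeps to the zip-based structural walk.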
Distributed Operational Management
As with any security solution, there is often a management overhead, and for many solutions this administration falls to the IT department or other system administrators. Our DCI technology is not restricted to understanding the content of documents (or emails); it also understands the context: the sender, the recipient and the means of communication. Integration with Active Directory or an LDAP service enables the solution to route simplified management tasks to the sender’s manager or to any other nominated group or individual.
Summary
Organizations are under constant pressure from increasingly advanced malware and ransomware campaigns, making it clear that no single security control is sufficient. As attacks become more sophisticated, evasive, and targeted, defenses must also evolve. Rather than replacing existing tools, the focus is on strengthening and layering them.
Structural Sanitization helps reduce risk from information-borne threats by automatically removing embedded malware and preventing malicious payloads from being carried within files or data streams. Alongside this, Document Sanitization addresses data exposure risks by stripping out metadata, revision history, and other embedded identifiers that could otherwise be used to support reconnaissance and spear-phishing attacks.
Together, these sanitization techniques act as a complementary layer to existing security controls such as sandboxing, traditional and next-generation anti-virus, IP reputation services, and intrusion detection systems. By integrating these approaches, organizations can build a more resilient defense-in-depth architecture suited to modern threats.
This combined strategy is cost-effective and scalable, making it applicable across organizations of all sizes and industries to better protect against today’s evolving cyber risks.