The Major Threat Hiding in Ordinary Excel Files

Dena Bauckman

You probably haven’t heard of the .IQY file format ... unless you’ve been infected by it. Hackers have recently begun exploiting this variant of Excel file to deliver malware. It’s a textbook case of the sophisticated tactics hackers rely on.
Here’s how the scam works: Users receive an email from what appears to be a vendor or business partner. The email mentions an unpaid invoice and seems entirely innocent, since the attachment is in a file format plausible for an invoice. Anti-virus solutions raise no alarms and there are no other red flags, so the user opens the attachment. Once the attachment is opened, a remote-access trojan downloads to the computer and begins stealing data, which it sends to remote servers.
This attack is successful for a few reasons. First, it uses social manipulation to get users to lower their guard. An innocuous email from a vendor or partner is not very suspicious. Second, the design of the attack is intended to bypass common security measures.
Because .IQY files are a standard Excel format, they are rarely flagged as dangerous by anti-virus protections. And because these files contain no macros, they easily travel through filters designed to catch bad attachments. The malicious content itself is just a few lines, but once the file is opened by Excel, it sparks a string of downloads that eventually infects the computer with malware called FlawedAmmyy. After it’s downloaded, it has free rein to steal data or corrupt the machine.
This is the first time .IQY files have been weaponized, but it’s not likely to be the last time. By combining a few existing attacks with a novel delivery mechanism, hackers have put countless users at risk, even those who currently have cybersecurity measures in place.
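Because the attack keys on a file type that filters treat as harmless, a defender's check has to look at attachment content rather than the extension. The following is an added example, not code from the original post or from ZixProtect: it parses an attachment using the documented .IQY web-query layout (line 1 is the word WEB, line 2 a version number, line 3 the URL Excel fetches when the file opens) and flags any web query whose target host is not on a constructed allow-list; the sample attachments and host names are constructed for the demo.

```python
"""Content-based check for Excel Web Query (.IQY) attachments (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Verdict:
    is_web_query: bool
    url: str | None
    suspicious: bool
    reason: str


def inspect_attachment(data: bytes, trusted_hosts: frozenset[str] = frozenset()) -> Verdict:
    """Key on the WEB header, not the file name: a renamed .IQY still opens in Excel."""
    try:
        text = data.decode("utf-8-sig")  # tolerate a leading BOM
    except UnicodeDecodeError:
        return Verdict(False, None, False, "binary content, not a web query")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return Verdict(False, None, False, "no WEB header")
    url = lines[2]  # the address Excel will fetch when the workbook opens
    host = urlparse(url).hostname or ""
    if host in trusted_hosts:
        return Verdict(True, url, False, f"web query to allow-listed host {host}")
    return Verdict(True, url, True, f"web query fetches {host or url!r} on open")


# Constructed sample attachments (not real campaign artefacts); .invalid is a reserved TLD.
SAMPLES = {
    "invoice.iqy": b"WEB\r\n1\r\nhttp://invoice-portal.example.invalid/inv.php\r\n",
    "renamed.txt": b"\xef\xbb\xbfWEB\n1\nhttp://cdn.example.invalid/q\nSelection=AllTables\n",
    "sales.iqy": b"WEB\n1\nhttps://reports.corp.example/sales?region=west\n",
    "invoice.csv": b"invoice,amount\n1001,250.00\n",
}
TRUSTED = frozenset({"reports.corp.example"})  # constructed internal reporting host


def scan_samples() -> dict[str, Verdict]:
    """Run the check over every sample and return the verdicts by file name."""
    return {name: inspect_attachment(blob, TRUSTED) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        action = "QUARANTINE" if verdict.suspicious else "pass"
        print(f"{action:10} {name}: {verdict.reason}")
```

The renamed .txt sample is flagged even though its extension is not .IQY, which is the point: extension-based attachment filters miss exactly the files this attack relies on.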
Protecting against .IQY attacks and whatever comes next will take a smarter, stronger, and more certain approach to cybersecurity. Look no further than ZixProtect.

The Need for Dynamic Protection

This attack may be successful and sophisticated, but its mechanics are also relatively simple.
In order to protect against new and evolving threats, companies are upgrading to multi-layered defenses like ZixProtect. It includes technology specifically designed to spot malicious attachments. Rather than rely on strict definitions, ZixProtect identifies threatening or suspicious attachments based on a wide range of continuously updated factors. The defense is dynamic enough to stay ahead of evolving and unknown threats.
In fact, ZixProtect was able to block 100 percent of the malicious .IQY attachments the system encountered. That means even when this particular attack was brand-new and totally unfamiliar, ZixProtect knew to raise the red flag. Protection never had to catch up, because it was already ahead of the pack (hackers included).
Hackers will eventually find another file format to exploit. And when that option is exhausted, they will find new ways of disguising malicious attachments and attacking the email inbox. Rest assured: Zix is on the front lines of this fight, protecting against the attacks we know about and preparing for the ones that come next.