James Neilson, SVP International at OPSWAT, looks at the growing threat of document-borne malware, and how financial organisations can respond.

The financial sector has long been a favourite target of cybercriminals. While financial institutions are aware of cyber threats such as phishing and ransomware, a growing attack vector is document-borne malware – malicious code embedded within seemingly harmless files.

James Neilson explains how financial firms are being targeted, what attackers are after and, most importantly, how organisations can defend against these attacks.

Why has document-borne malware become such a significant threat to financial institutions?

Most financial firms are no strangers to cyberattacks and have spent years strengthening their defences and response against cyber threats. However, organised cybercriminals are innovating their attack methods.

Document-borne malware is one such method. Attempting to hide malicious code inside a seemingly benign document is one of the oldest tricks in the book. However, a modern twist has made it an underestimated yet highly effective attack vector.

This is partly due to our growing reliance on cloud-based productivity tools such as Microsoft 365, Google Drive, and Dropbox. Employees routinely upload, combine, archive, share, and download files and documents through these platforms.

Although most firms have security systems to detect traditional malicious attachments, cloud-based files often evade detection. Attackers exploit these workflows, embedding harmful code within Word documents, ZIP archives, PDFs, and Excel spreadsheets.

Common techniques include malicious macros hidden in Office documents, which execute harmful scripts when opened, and JavaScript embedded in PDFs, capable of stealing credentials or downloading additional malware.

Attackers often disguise files using spoofed extensions and seemingly innocent names like “invoice.pdf.” Social engineering tactics further increase the chances of employees opening these disguised files, with attackers impersonating trusted contacts or senior personnel.

What are cybercriminals trying to achieve with these attacks?

Cybercriminals targeting financial institutions are typically motivated by monetary gain—it is rational to go where the money is. There is also a growing threat from state-sponsored actors working toward a political agenda, such as the recent breach of the US Treasury by actors believed to be working for China.

Attackers targeting the financial sector can use document-borne malware to achieve various malicious objectives. Data exfiltration is one of the most common, targeting the sector’s vast stores of sensitive customer data, including payment details, National Insurance numbers, and account credentials. Stolen data is highly valuable on the dark web and can be sold to other cybercriminals or used in identity fraud.

Some criminal groups also attempt to illicitly access internal banking systems directly, manipulating transactions or stealing login credentials that allow them to siphon money from customer accounts. While this is more difficult than simple data exfiltration, previous attacks on the SWIFT bank transfer system have netted criminals millions of dollars.

Attackers can also use document-borne malware to deploy ransomware—encrypting systems and exfiltrating data, which they can then sell on. Ransomware attacks continue to be one of the most pressing cybersecurity concerns for organisations, with 65% of financial services organisations hit by ransomware in 2024.

What are the biggest mistakes financial institutions make when it comes to document security?

Driven by the near-constant threat of cyberattacks and strict regulatory demands, most financial institutions have invested heavily in perimeter defences, endpoint security, and employee training. However, they often overlook the security risks posed by documents themselves.

Security tools and policies have struggled to keep up with cloud-based file-sharing practices. This blind spot allows attackers to exploit common file formats as a gateway to sensitive systems.

One of the most common errors is relying solely on traditional malware detection. Many organisations depend on signature-based antivirus tools, which can miss malware hidden within embedded objects in PDFs and Office files, as well as more sophisticated threats like zero-day exploits and script-enabled attacks.

Another common mistake is trusting files from familiar sources. Attackers often compromise legitimate accounts to distribute malware-laden documents. Just because a file comes from a trusted partner, supplier, or even an internal source doesn’t mean it’s safe.

The sheer volume of files that financial firms receive presents a critical security risk. Invoices, loan applications, and account statements arrive by the thousands every day. Without robust file scanning and sanitisation, malicious documents can slip through unnoticed.

Finally, while most organisations are aware of the harmful potential of malicious macros, they often overlook other document-based threats. These include ActiveX controls, OLE objects, and embedded JavaScript, which can execute harmful actions once a file is opened.
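As an added illustration of the indicators named in the first answer (spoofed names such as invoice.pdf.exe, VBA macros, JavaScript in PDFs) and in the paragraph above (ActiveX controls, OLE objects, embedded JavaScript), here is a static triage script written for this page; it is not OPSWAT code. The sample PDF and the OOXML container are constructed stand-ins, the part paths and byte markers are the common ones for those formats, and the checks are deliberately first-pass: a PDF that hides its /JavaScript action inside a compressed object stream would slip past the byte search, which is exactly why the interview pairs scanning with sandboxing and sanitisation.

```python
"""Static triage of document-borne threat indicators.

Added example, not OPSWAT code: a first-pass check for the tricks named in the
interview (spoofed names, VBA macros, OLE/ActiveX parts, PDF JavaScript).
"""
import io
import re
import zipfile
from typing import List, Optional

# PDF names that introduce active content. Attackers often put these inside
# compressed object streams, so a plain byte search gives false negatives;
# a real scanner decompresses streams (or hands the file to a sandbox).
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# OOXML (docx/xlsx/pptx) is a ZIP container; these part paths hold macros,
# ActiveX controls and OLE embeddings.
OOXML_ACTIVE_PARTS = {
    "vbaProject.bin": "VBA macro project",
    "/activeX/": "ActiveX control",
    "/embeddings/": "OLE or embedded object",
}

# Expected leading bytes per extension; a mismatch means the name is lying.
ZIP_MAGIC, OLE2_MAGIC = b"PK\x03\x04", b"\xd0\xcf\x11\xe0"
MAGIC = {".pdf": b"%PDF-", ".docx": ZIP_MAGIC, ".docm": ZIP_MAGIC, ".xlsx": ZIP_MAGIC,
         ".xlsm": ZIP_MAGIC, ".pptx": ZIP_MAGIC, ".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC}

def name_findings(filename: str) -> List[str]:
    findings = []
    # "invoice.pdf.exe": a document extension followed by an executable one
    if re.search(r"\.(pdf|docx?|xlsx?|pptx?)\.(exe|scr|js|vbs|hta|lnk|bat|cmd|ps1)$", filename.lower()):
        findings.append("double extension hiding an executable type")
    if "\u202e" in filename:  # right-to-left override flips the visible extension
        findings.append("RTL override character in filename")
    return findings

def magic_mismatch(filename: str, data: bytes) -> Optional[str]:
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return f"content does not match the {ext} signature"
    return None

def pdf_findings(data: bytes) -> List[str]:
    return [f"PDF active content marker {m.decode()}" for m in PDF_ACTIVE_MARKERS if m in data]

def ooxml_findings(data: bytes) -> List[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["ZIP signature but not a readable archive"]
    return [f"{label} ({n})" for n in names
            for marker, label in OOXML_ACTIVE_PARTS.items() if marker in n]

def triage(filename: str, data: bytes) -> List[str]:
    """Return every indicator found; an empty list means 'no static indicators', not 'safe'."""
    findings = name_findings(filename)
    mismatch = magic_mismatch(filename, data)
    if mismatch:
        findings.append(mismatch)
    if data.startswith(b"%PDF-"):
        findings += pdf_findings(data)
    elif data.startswith(ZIP_MAGIC):
        findings += ooxml_findings(data)
    return findings

# --- constructed samples (harmless stand-ins, not real malware) ---
def sample_pdf() -> bytes:
    """Minimal PDF whose catalog runs a JavaScript action when opened."""
    return (b"%PDF-1.7\n"
            b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
            b"3 0 obj<</S/JavaScript/JS(app.alert('constructed sample'))>>endobj\n"
            b"trailer<</Root 1 0 R>>\n%%EOF\n")

def sample_docm() -> bytes:
    """Bare OOXML container carrying a macro part and an OLE embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b" placeholder, not a real macro")
        zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b" placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("invoice.pdf", sample_pdf()), ("invoice.pdf.exe", b"MZ\x90\x00"),
               ("report.pdf", b"MZ\x90\x00"), ("statement.docx", sample_docm())]
    for name, blob in samples:
        print(f"{name}: {triage(name, blob) or ['no static indicators']}")
```

Note that `triage` reports the file's real type from its leading bytes regardless of the name it arrived under, so a renamed executable and a "docx" that is really a macro-enabled package are both caught even when a signature-based engine has no match for the payload. An empty result only means nothing static was found, which is why the multi-engine and sandbox layers described later still matter.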

What proactive measures should financial firms take to protect themselves?

Catching malicious documents requires a multi-layered approach. Since most of these attacks are designed to act quickly, firms must be able to detect and neutralise them before they infiltrate networks.

Ideally, a combination of policies and technical solutions should be in place. Educating employees on document security risks is essential, as human error remains a significant vulnerability. Employees should be trained to identify common signs of suspicious file attachments, phishing attempts, and social engineering tactics. Security awareness training and a culture of shared security responsibility are key.

However, employees should not be the principal line of defence. Advanced email scanning tools should be configured to detect malicious attachments, embedded links, and spoofed sender addresses before they reach employees. Files don’t just enter via email, though. Consider files uploaded through web apps from customers, suppliers, business partners and affiliates, even across business unit boundaries.

Rather than relying on a single antivirus solution, firms should implement multi-engine malware scanning to detect threats that a single security tool might miss. Layer on advanced sandboxing, which uses behavioural detection to identify previously unknown threats by their actions before they cause damage.

Additionally, all incoming files should undergo sanitisation using Content Disarm and Reconstruction (CDR) technology. This process removes active threats by stripping out malicious macros, scripts, and embedded objects while preserving file usability. As a result, only safe, clean files reach users.

By taking these steps, firms can significantly reduce the risk of document-borne malware infiltrating their systems. A successful breach of the financial sector is a prime target for profit-driven gangs and state actors alike. All organisations must be prepared to defend against the latest attack tactics.
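The CDR step described in this answer, as an added example written for this page (it is not OPSWAT's engine, and the part names, content types and regex-based rewriting are simplifications of the OOXML package format): the macro-enabled document is rebuilt without its VBA project, OLE embeddings and ActiveX parts, and the content-type and relationship metadata is rewritten so the result opens as an ordinary .docx with its text intact. The sample document is constructed in code and contains placeholder bytes rather than a real macro.

```python
"""Minimal Content Disarm and Reconstruction (CDR) for OOXML packages.

Added example, not OPSWAT's engine: the macro-enabled document is rebuilt without
its VBA project, OLE embeddings and ActiveX parts, and the package metadata is
rewritten so Office still opens the result as a plain .docx.
"""
import io
import re
import zipfile
from typing import Dict, List

# Parts whose presence is the threat; they are dropped, never parsed.
DROP_MARKERS = ("vbaProject.bin", "vbaData.xml", "/embeddings/", "/activeX/")
# Word's macro-enabled main-part type and its macro-free equivalent.
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
CLEAN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def is_active_part(name: str) -> bool:
    return any(marker in name for marker in DROP_MARKERS)

def clean_content_types(xml: str, surviving: List[str]) -> str:
    """Drop <Override>/<Default> entries no surviving part needs; downgrade the main part."""
    exts = {n.rsplit(".", 1)[-1].lower() for n in surviving if "." in n}
    def keep(match):
        tag = match.group(0)
        part = re.search(r'PartName="/([^"]+)"', tag)
        ext = re.search(r'Extension="([^"]+)"', tag)
        if (part and part.group(1) not in surviving) or (ext and ext.group(1).lower() not in exts):
            return ""
        return tag
    return re.sub(r"<(?:Override|Default)\b[^>]*/>", keep, xml).replace(MACRO_MAIN, CLEAN_MAIN)

def clean_relationships(xml: str) -> str:
    """Remove relationships that pointed at dropped parts so nothing dangles."""
    def keep(match):
        target = re.search(r'Target="([^"]+)"', match.group(0))
        return "" if target and is_active_part("/" + target.group(1)) else match.group(0)
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)

def clean_body(xml: str) -> str:
    """Strip <w:object> placements that referenced OLE embeddings; the text stays."""
    return re.sub(r"<w:object\b.*?</w:object>", "", xml, flags=re.S)

def sanitise_ooxml(data: bytes) -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        surviving = [n for n in src.namelist() if not is_active_part(n)]
        for name in surviving:
            payload = src.read(name)
            if name == "[Content_Types].xml":
                payload = clean_content_types(payload.decode(), surviving).encode()
            elif name.endswith(".rels"):
                payload = clean_relationships(payload.decode()).encode()
            elif name.endswith("document.xml"):
                payload = clean_body(payload.decode()).encode()
            dst.writestr(name, payload)
    return out.getvalue()

def parts(data: bytes) -> Dict[str, bytes]:
    """Package contents by part name, for inspection before and after sanitising."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in sorted(zf.namelist())}

def sample_docm() -> bytes:
    """Constructed macro-enabled document: one VBA project, one OLE embedding, some text."""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
             f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
             '<Override PartName="/word/embeddings/oleObject1.bin" '
             'ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
            '</Relationships>')
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
            'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>'
            '<w:p><w:r><w:t>Quarterly statement</w:t></w:r></w:p>'
            '<w:p><w:r><w:object><o:OLEObject r:id="rId2"/></w:object></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", body)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real macro")
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    dirty = sample_docm()
    clean = sanitise_ooxml(dirty)  # save as statement.docx, not .docm
    print("before:", list(parts(dirty)))
    print("after: ", list(parts(clean)))
```

Two design points carry over to any real CDR deployment. The active parts are removed on sight and never parsed, so an exploit aimed at the macro or OLE parser is never reached; and the package metadata is repaired rather than left dangling, because a relationship or content-type entry that points at a missing part is what makes Office report the file as corrupt and sends the user looking for the "original". A production engine goes further and regenerates every remaining part from parsed content instead of copying it through, which also neutralises exploits that live in the document XML itself.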
