A Windows filetype update may have complicated cyber threat detection efforts

Posted by:
John Harrison
Sat, 04 Jan

A recent report by Cofense reveals that threat actors are using a range of archive formats to bypass Secure Email Gateways (SEGs) and deliver malware. Following a significant Windows update in late 2023, cybercriminals have expanded their arsenal beyond traditional .zip files to formats like .rar, .7z, and .tar, which now make up a notable portion of malicious attachments. These archives are often password protected, which prevents automated tools from inspecting their contents and helps the attachments evade detection.

Between May 2023 and May 2024, Cofense identified 15 archive formats used in malware campaigns, with the newer formats gaining popularity after the Microsoft update. Certain malware families favour specific archive types: some, like StrelaStealer and NetSupport RAT, are consistently distributed via .zip files, while others use a variety of formats depending on the attack strategy. Password-protected archives, though only a small share of the samples, create additional difficulties for SEGs because the password is supplied in the lure rather than being available to the scanner.

To combat the evolving threat posed by malware-laden archives, organizations are advised to implement multi-layered defense strategies. Employee awareness plays a crucial role in identifying suspicious files, especially those with unusual extensions or deceptive double extensions. Restricting the use of archive formats that have no clear business purpose, and equipping SEGs with the ability to identify file formats by content and to handle password-protected archives, are also recommended. Strengthening defenses against these evolving tactics is vital to safeguarding against malware threats.
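The gateway-side checks described above, as an added illustration that is not part of the Cofense report or this post: identify the container by its content signature rather than its extension, flag deceptive double extensions, and detect password-protected zip entries via the general-purpose flag bit. The sample archives are constructed in memory, and the encryption bit is patched in by hand for the test case.

```python
import io
import zipfile

# Content signatures (offset, bytes) for archive formats named in the report.
MAGIC = {
    "zip": (0, b"PK\x03\x04"),
    "rar": (0, b"Rar!\x1a\x07"),
    "7z": (0, b"7z\xbc\xaf\x27\x1c"),
    "tar": (257, b"ustar"),
}
ARCHIVE_EXT = {"zip", "rar", "7z", "tar"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

def sniff(data):
    """Identify the container by content, not by the name the sender chose."""
    for kind, (off, sig) in MAGIC.items():
        if data[off:off + len(sig)] == sig:
            return kind
    return None

def zip_has_encrypted_entries(data):
    """Bit 0 of an entry's general-purpose flag marks password protection."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(filename, data):
    """Return the findings a gateway rule would act on for one attachment."""
    findings = []
    parts = filename.lower().split(".")
    kind = sniff(data)
    if kind and parts[-1] not in ARCHIVE_EXT:
        findings.append("%s archive hidden behind .%s" % (kind, parts[-1]))
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:  # e.g. invoice.pdf.zip
        findings.append("deceptive double extension")
    if kind == "zip" and zip_has_encrypted_entries(data):
        findings.append("password-protected zip entries")
    return findings

def build_zip(inner_name, encrypted=False):
    """Constructed sample zip; optionally flag its entry as password protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.index(b"PK\x01\x02") + 8] |= 0x1  # general-purpose flags
    return bytes(data)
```

A real gateway would apply the same signature check to every member of a nested archive, which this sketch leaves to the reader.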
