Security

Managing File Attachments: Best Practices for Cloud Security


Published: 2025/07/24

9 min read

File attachments are a routine element of business operations, but they can pose serious security risks, ranging from extraction of sensitive data to an organization-wide account takeover. When you allow users to upload files to any of your servers, whether an external or internal system, you have to carefully consider the security measures you have in place. File attachments can be used to escalate attacks, infect devices with malware and ransomware, gain remote access and retrieve data from storage buckets.

According to Cisco Talos’ 2024 Year in Review report, 25% of their phishing incident response cases involved malicious attachments. The rising popularity of cloud-based web applications – including contact forms, chats and file repositories – that process file attachments has only increased the threat of attachment-based cyberattacks and the risk of their escalation.

That’s why it’s essential that companies ensure that file attachments are safely handled, stored and accessed in their cloud-based environments. Read this article to learn more about the risks posed by file attachments and explore best practices that can help you reduce these threats.

Risks associated with processing file attachments

It’s best to look at the dangers posed by file attachments from two perspectives. On the one hand, malicious actors can abuse user-facing functionality that lets people upload files to your server by submitting infected or specially crafted files. On the other hand, you need to ensure that your internal shared resources are correctly configured and secured so that, for example, stored attachments aren’t accessible to anyone on the internet. Here are a few common ways malicious actors use attachments to compromise systems.

Malware and ransomware

File attachments might contain malicious software, or malware (any software designed to exploit devices, networks and data), including ransomware (software that encrypts data on an infected device and demands a ransom for the key). Ransomware, in particular, has become one of the most common types of cyberattack, as data encryption followed by a ransom demand offers organized cybercrime groups a fast financial gain. According to The State of Cybersecurity: 2024 Trends report, 45% of surveyed businesses confirmed they were attacked by ransomware within the previous 12 months.

As an example, an attacker can send a doctored PDF file that launches the installation of malware once a user interacts with it. They can also craft a PDF that takes advantage of a vulnerability in PDF reader software (e.g., CVE-2024-41869, a 2024 vulnerability in Adobe Acrobat Reader that was exploited in attacks) to execute malicious code on the targeted device without any further user action.

Other attacks involve lateral movement: an attacker compromises one entry point (e.g., a service, instance or account) and uses it to gain further access within your environment. For example, if an S3 bucket is misconfigured (e.g., it allows public access or contains credentials), an attacker could use what they find there to reach a Lambda function that processes the bucket’s objects and, through that function’s execution role, move on to the Relational Database Service (RDS) database it connects to.

In another example, malicious actors who gain access to an Amazon Web Services (AWS) EC2 instance can retrieve the temporary credentials of the identity and access management (IAM) role attached to that instance from the instance metadata service and use them to perform actions in other AWS services, connect to databases and reach other hosts in the subnet (a range of IP addresses in your Amazon Virtual Private Cloud).

Ransomware attacks can result not only in significant security breaches like data theft, but also financial damage. According to The Arctic Wolf 2025 Threat Report, the median initial ransom demand across all surveyed industries amounts to $600,000 USD.

Server-Side Request Forgery (SSRF)

In SSRF, attackers trick a server-side application into making Hypertext Transfer Protocol (HTTP) requests on their behalf to internal services that the server can reach but they cannot, such as the EC2 instance metadata endpoint or the equivalent metadata endpoints in Google Cloud Platform (GCP) and Azure, in order to obtain data such as temporary cloud credentials. SSRF can be used to view and download files as well as exfiltrate data from internal resources that shouldn’t otherwise be reachable. XML external entity (XXE) injection achieves a similar effect through a file attachment: a malicious XML document declares an external entity whose URI points at an internal resource, and if the parser is configured to resolve external entities, it fetches that resource and returns its contents to the attacker in the parsed output or in an error message.
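The following is an added example (not code from the original article) showing how an upload handler can refuse XXE payloads before the parser resolves anything. It uses Python’s built-in expat parser and closes every hook a DTD could use to reach the filesystem or the network: a DOCTYPE or ENTITY declaration aborts the parse, and external entity references are refused. The sample invoice documents, including the one pointing at the EC2 metadata address, are constructed for illustration.

```python
"""Reject XML attachments that carry DOCTYPE/entity declarations.

Added example, not from the original article. Sample documents below are
constructed; 169.254.169.254 is the AWS EC2 instance metadata address.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to declare a DTD or entities."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse an uploaded XML document into {tag: text} without resolving entities.

    Any DOCTYPE (internal or external subset) or entity declaration aborts the
    parse, so neither external fetches nor entity-expansion bombs can occur.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(
            f"DOCTYPE not allowed (name={name!r}, system id={system_id!r})")

    def reject_entity(name, *_):
        raise UnsafeXMLError(f"entity declaration not allowed ({name!r})")

    def refuse_external(context, base, system_id, public_id):
        return 0  # returning false tells expat to fail instead of fetching

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external

    fields = {}
    stack = []

    def start(tag, attrs):
        stack.append(tag)
        fields.setdefault(tag, "")

    def end(tag):
        stack.pop()

    def text(chunk):
        if stack:
            fields[stack[-1]] += chunk

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return {tag: value.strip() for tag, value in fields.items()}


def is_safe(data: bytes) -> bool:
    """Convenience wrapper for an upload pipeline: True if the document parsed
    without tripping any of the DTD guards."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed benign invoice.
BENIGN_INVOICE = b"""<?xml version="1.0"?>
<invoice>
  <number>INV-1001</number>
  <amount>420.00</amount>
</invoice>"""

# Constructed XXE payload: an external entity pointing at the instance
# metadata service, reflected into the invoice number field.
XXE_INVOICE = b"""<?xml version="1.0"?>
<!DOCTYPE invoice [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
]>
<invoice><number>&xxe;</number></invoice>"""

# Constructed entity-expansion ("billion laughs") payload; also blocked,
# because the DOCTYPE itself is refused.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]>
<lolz>&lol2;</lolz>"""

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_INVOICE))
    print("xxe blocked:", not is_safe(XXE_INVOICE))
```

Rejecting the DOCTYPE outright is the simplest robust policy for attachments; if your format genuinely needs a DTD, use a library such as defusedxml or lxml with entity resolution and network access disabled rather than writing your own guards.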

Data exfiltration

Data exfiltration is the unauthorized transfer of sensitive information from a compromised environment to an external destination under the attacker’s control. The MITRE ATT&CK framework lists nine distinct techniques under its Exfiltration tactic, detailing the various methods adversaries use to move data to outside locations.

Impersonating a trusted source

In this technique, file attachments are made to look like they come from a reputable source or someone a user knows. A very common example is business email compromise (BEC) where attackers target a company’s employees by posing as someone the employee is familiar with and expects communication from (e.g., getting an invoice from a vendor). The State of Cybersecurity: 2024 Trends report found that 70% of surveyed companies were targets of BEC attack attempts within the previous year.

Often, attackers will first try to take over the account of the person or company they want to impersonate, either by infecting their device or by stealing their credentials through phishing. The resulting emails are usually personalized and carefully crafted to look as legitimate as possible, and because they come from a genuine account they pass the recipient’s email authentication checks.

Examples of cyberattacks using file attachments

Here are a few scenarios that illustrate how file attachments can be exploited by malicious actors to gain unauthorized access to your data and resources.

1. SSRF that exploits an incorrectly configured web application firewall (WAF)

As explained earlier, an attacker can upload a crafted file whose processing makes the server issue a request to the AWS EC2 instance metadata service and return the temporary credentials of the instance’s IAM role. With those credentials, they can download data from any S3 bucket the role is allowed to read. The attack succeeds when the resources involved have no SSRF defenses (for example, IMDSv2 is not enforced on the instance and the WAF forwards requests aimed at link-local addresses) and the application places no restrictions on the HTTP requests it will make on a user’s behalf.

A real-world example of an exposed bucket is the 2022 flight data breach suffered by Pegasus Airlines, where a misconfigured AWS S3 bucket with no access controls left 6.5 TB of data, including crew and navigation information, publicly accessible. An actual SSRF vulnerability (CVE-2024-21893) was disclosed in 2024 in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure devices, which enabled attackers “to access certain restricted resources without authentication.”

2. Malware in repositories 

Attackers can plant malware in repositories or ready-made libraries to exploit your resources at a later time. Malware found in code repositories, especially on platforms like GitHub, has become a significant threat vector in attacks on the software supply chain. Threat actors take advantage of these platforms’ trustworthiness and openness to distribute malicious code and attack both individual developers and organizations.

Some examples of malware campaign types include:

  • Repo Confusion Campaign – over 100,000 malicious repositories were pushed to GitHub using obfuscation and social engineering, reported in February 2024.
  • Banana Squad – the group trojanized more than 67 Python repositories by imitating hacking tools in 2023.
  • GitVenom – the campaign reported in February 2025 involved 200+ fake repositories containing malware.

This problem can also affect an organization’s internal repositories, where code and packages are often trusted without further review.

3. Ransomware in invoices

Departments like accounting that handle many data-heavy documents critical to a company’s operations are often targeted in ransomware attacks. Attackers create fake documents that mimic routine attachments, such as invoices. An employee might unknowingly open an infected file or upload it to an internal network share. Once triggered, the ransomware encrypts the user’s device, but it can also spread through shared and cloud-based resources to the entire organization, causing significant financial and reputational damage.

4. Business email compromise

Invoices are similarly used in BEC attacks. These attachments can be sent from accounts employees normally communicate with (for example, vendors or other employees) and include malware or falsified data. This can lead to a company’s network being compromised or to an employee transferring money to an attacker’s account that was entered into the falsified invoice. For example, in 2024, a manufacturing company lost $60 million in a BEC attack that misled an employee into transferring money to third-party accounts.

Dedicated security mechanisms in AWS, Microsoft Azure and GCP

The top cloud providers – AWS, Microsoft Azure and Google Cloud Platform (GCP) – offer dedicated security services that can be enabled in your cloud environment to mitigate risks and detect threats. In this context, it’s important to remember the shared responsibility model: it’s the cloud tenant, not the cloud provider, who is responsible for implementing and configuring the right security mechanisms for their own cloud resources.

Below you’ll find some recommended options that will improve the safety of your cloud-based systems, especially in enterprise or complex environments. Along with some provider-specific features, most of these solutions generally have the same goal: to secure your solutions and help you stay compliant. Keep in mind that it’s a good idea not to rely on only one mechanism. Instead, they should overlap to strengthen your software security at all levels.

AWS

Amazon GuardDuty Malware Protection scans Elastic Block Store (EBS) volumes attached to EC2 instances and objects uploaded to S3 to detect malware in file attachments. It integrates with AWS Security Hub, which centralizes findings and further strengthens verification processes. AWS also offers AWS WAF and the Lambda@Edge functionality, which let you inspect and control file uploads and detect dangers at the edge, before requests reach your origin.

Microsoft Azure

For an Azure environment, you might want to implement Microsoft Defender for Storage, which examines files uploaded to Azure Blob Storage for malicious code and reports findings to Defender for Cloud. Another recommended combination for Azure is Azure Front Door (with its WAF policies) and Azure Firewall, which let you filter traffic and protect different layers of the application. Microsoft also offers Safe Attachments in Microsoft Defender for Office 365, an additional security layer for email attachments that have already been scanned by the anti-malware mechanisms in Exchange Online Protection (EOP). This technology detonates attachments in a virtual environment to check for threats, including malware, ransomware and phishing, before the email is delivered to the addressee.

GCP

Google Security Operations can be integrated with VirusTotal to analyze files, domains and IP addresses. This integration makes it possible to analyze files in the cloud rather than on user devices, and it gives you access to VirusTotal’s large library of file signatures and detections. The external results can be fed into detection rules and alerts. Additionally, Cloud Storage Object Lifecycle Management can perform specific actions on objects (e.g., automatically deleting older items), while Identity and Access Management helps you control who can read or write them. Meanwhile, Cloud Functions and Cloud Armor enhance the security of custom file-processing workflows.

Best practices for safe file attachment management

When processing file attachments, validate each file before accepting it: check its size, check its extension against an allowlist (not a blocklist), and check its actual content. Multipurpose Internet Mail Extensions (MIME) validation means verifying that the file’s bytes match the declared type, rather than trusting the Content-Type header or the extension supplied by the client. When implementing forms where users can upload files, only accept the extensions you need, verify file formats and sizes server-side, sanitize the file name so it cannot carry path components or a second extension, and reject files that don’t meet your security criteria.
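The following is an added example (not code from the original article) of such a server-side check in Python: a size ceiling, an extension allowlist, file-name sanitization, a comparison of the declared MIME type against the extension, and a magic-byte check that the content really is that type. As a further step, it flags PDFs that carry active content. The allowlist, size limit, active-content keywords and sample payloads are assumptions chosen for illustration.

```python
"""Validate an uploaded attachment before accepting it.

Added example, not from the original article. Policy values (allowlist,
size limit, PDF keyword heuristic) and sample payloads are assumptions.
"""
import os
import re
from dataclasses import dataclass

MAX_BYTES = 10 * 1024 * 1024  # assumed policy: 10 MiB ceiling

# Allowed extension -> (expected MIME type, accepted leading magic bytes)
ALLOWED = {
    "pdf":  ("application/pdf", [b"%PDF-"]),
    "png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg",      [b"\xff\xd8\xff"]),
}

# Conservative heuristic: PDF tokens that indicate scripting, auto-run
# actions or embedded files; reject rather than try to sanitize.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")

UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def sanitize_filename(name: str) -> str:
    """Drop directory components, anything after a NUL byte and unusual
    characters, so the name cannot traverse out of the upload directory."""
    base = os.path.basename(name.replace("\\", "/")).split("\x00", 1)[0]
    base = UNSAFE_CHARS.sub("_", base).strip("._")
    return base or "upload"


def validate_upload(filename: str, declared_type: str, data: bytes) -> Verdict:
    """Return a Verdict; only accepted files should be written to storage."""
    if not data:
        return Verdict(False, "empty file")
    if len(data) > MAX_BYTES:
        return Verdict(False, f"exceeds {MAX_BYTES} bytes")

    name = sanitize_filename(filename)
    # Only the final extension counts: "invoice.pdf.exe" has extension "exe".
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return Verdict(False, f"extension {ext!r} not allowed")

    expected_type, magics = ALLOWED[ext]
    # Strip parameters such as "; charset=..." before comparing.
    if declared_type.lower().split(";", 1)[0].strip() != expected_type:
        return Verdict(False, f"declared type {declared_type!r} does not match .{ext}")
    if not any(data.startswith(magic) for magic in magics):
        return Verdict(False, f"content is not a {expected_type} file")
    if ext == "pdf" and any(token in data for token in PDF_ACTIVE):
        return Verdict(False, "PDF contains active content")
    return Verdict(True, "ok", stored_name=name)


if __name__ == "__main__":
    # Constructed samples: a traversal attempt with valid PDF bytes, and a
    # Windows executable (MZ header) renamed to .pdf.
    print(validate_upload("../../etc/invoice.pdf", "application/pdf", b"%PDF-1.7\n1 0 obj << /Type /Catalog >>"))
    print(validate_upload("invoice.pdf", "application/pdf", b"MZ\x90\x00\x03"))
```

The magic-byte check stops the common renamed-executable trick, but it does not prove a file is harmless: a valid PDF or image can still carry an exploit for the viewer, so it should be followed by antivirus scanning and stored under a name you generate, not the one the user supplied.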

To protect your company against BEC attacks, you can apply cloud-native solutions (e.g., Microsoft Defender for Office 365) and implement Data Loss Prevention policies. It’s also important to deploy the email authentication mechanisms Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). SPF lets a receiving server check that the sending host is authorized for the envelope sender’s domain, DKIM lets it verify a signature that covers the message and ties it to a signing domain, and DMARC requires that one of these results align with the domain shown in the From header and publishes the domain owner’s policy (none, quarantine or reject) for messages that fail, along with a reporting address.
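The following is an added example (not code from the original article) that evaluates DMARC for a single message from its SPF and DKIM results, including the identifier-alignment step that makes the three mechanisms work together. The sample messages are constructed, and the organizational-domain derivation is simplified to the last two labels (a real implementation consults the Public Suffix List).

```python
"""Evaluate DMARC for one message from its SPF and DKIM results.

Added example, not from the original article. Organizational-domain logic
is simplified (assumption); sample messages are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real code uses
    the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain_a: str, domain_b: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match, relaxed
    ('r') accepts any subdomain of the same organizational domain."""
    a, b = domain_a.lower(), domain_b.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    header_from: str                     # domain in the From header the user sees
    spf_result: str                      # "pass" / "fail" / "none"
    spf_domain: str                      # envelope-sender domain SPF was evaluated on
    dkim_results: List[Tuple[str, str]] = field(default_factory=list)  # (result, d= domain)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'.
    Defaults follow the DMARC specification: relaxed alignment, policy none."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def evaluate_dmarc(msg: AuthResults, record: str) -> Tuple[str, str]:
    """Return (result, disposition). The message passes if an aligned DKIM
    signature verified or an aligned SPF check passed; otherwise the domain
    owner's published policy applies (pct and sp tags are ignored here)."""
    policy = parse_dmarc_record(record)
    dkim_ok = any(result == "pass" and aligned(d, msg.header_from, policy["adkim"])
                  for result, d in msg.dkim_results)
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.spf_domain, msg.header_from, policy["aspf"]))
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed: a genuine vendor invoice, signed and sent from the vendor's relay.
GENUINE_MESSAGE = AuthResults(
    header_from="vendor.example", spf_result="pass",
    spf_domain="mail.vendor.example", dkim_results=[("pass", "vendor.example")])

# Constructed: a spoofed invoice. SPF *passes* because the attacker's own
# domain authorizes their server, but nothing aligns with the From header.
SPOOFED_INVOICE = AuthResults(
    header_from="vendor.example", spf_result="pass",
    spf_domain="attacker.example", dkim_results=[])

VENDOR_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"

if __name__ == "__main__":
    print("genuine:", evaluate_dmarc(GENUINE_MESSAGE, VENDOR_DMARC))
    print("spoofed:", evaluate_dmarc(SPOOFED_INVOICE, VENDOR_DMARC))
```

The spoofed case is the one worth noting: an SPF pass on its own proves nothing about the From address the employee sees, which is why DMARC’s alignment requirement, and a policy stronger than p=none, are what actually block the impersonation.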

File attachments should also be scanned by antivirus software for malware and suspicious content before they’re processed and transferred to their target repository. While the dedicated solutions described earlier might seem like a significant investment, there are cost-effective alternatives, depending on your needs. For example, you can combine AWS Lambda with the open-source antivirus toolkit ClamAV to scan each new object as it lands in a bucket, for basic protection.

Moreover, it’s a good idea to store file attachments in an isolated environment. For example, you could set up a separate quarantine bucket with tighter restrictions (no public access, write-only for the upload path, read access limited to the scanner) and only move files to the working location once they have passed scanning, which limits the potential spread of malware and keeps access to files under control.

Make sure to log and monitor activity in your systems. The top cloud providers already offer dedicated audit and security logging: AWS has CloudTrail, GCP has Cloud Audit Logs and Azure has the Activity Log and Microsoft Defender for Cloud (formerly Azure Security Center). Feeding these logs into a security information and event management (SIEM) system enables you to detect anomalies, such as unexpected downloads from an attachment bucket, and to reconstruct what happened during an incident.

 



A complex digital landscape requires a comprehensive approach to cybersecurity

The risks associated with processing file attachments can turn into serious consequences for companies, ranging from data leaks from a single device to compromised organization-wide infrastructure. While cloud environments provide you with a variety of safety mechanisms to prevent file-based attacks, these solutions require correct configuration.

It’s essential that businesses approach cybersecurity in a holistic way, including adopting a defense-in-depth strategy and implementing layered security to ensure comprehensive system safety at all levels.

If you want to find out how Software Mind’s cybersecurity experts can help secure your applications, reach out via this contact form.

About the author: Jan Jurek

Senior Software Architect

A Senior Software Architect and Team Manager with almost 15 years’ experience, Jan has developed and managed projects using a wide array of tools and technologies, especially Java. Passionate about enhancing products and services for his clients, Jan leverages his engineering background and security expertise to ensure safe and swift software delivery. When not exploring the exciting possibilities of Kubernetes, AWS and Web Application Security, he can be found giving lectures to students at various Polish universities.

About the author: Tomasz Kuc

Principal System Engineer

A Principal System Engineer with over 20 years of experience in the IT industry, Tomasz has implemented numerous systems and worked on various IT projects focused on enterprise-class solutions. As a cybersecurity team member, Tomasz conducts security audits and penetration tests that help organizations identify and eliminate potential threats. Along with collaborating with teams responsible for developing and maintaining IT infrastructure, he provides support in creating security strategies and implementing solutions that meet required standards.


Copyright © 2025 by Software Mind. All rights reserved.