Skip to main content

TH17108

Detected presence of files containing URLs that link to deceptive file formats.

priorityCI/CD statusseverityeffortRL levelRL assessment
passmediumhighNoneNone

About the issueโ€‹

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. Attackers often try to obfuscate URLs with the aim to avoid detection by security solutions. One common obfuscation technique attackers use is crafting deceptive links to externally hosted files. Users are more likely to click the links they deem to be trustworthy. Having two or more file extensions in a URL increases the odds of a deceptive link being perceived as trustworthy, especially if the first extension is commonly encountered by the user (such as a file extension of a popular document format). The reason why these links are considered deceptive is because the operating system will download the linked file and execute it with the last extension it detects, not the first. Attackers abuse this file naming quirk to trick users to run their malicious code. While presence of deceptive file format references does not imply malicious intent, all of its uses in a software package should be documented and approved. It is recommended to avoid double file format extensions altogether.

How to resolve the issueโ€‹

  • Investigate reported detections.
  • If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
  • You should delay the software release until the investigation is completed, or until the issue is risk accepted.
  • Consider changing the file extension for self-hosted files.