Trace Id is missing
Skip to main content
Microsoft Security

What is malware?

Learn more about malware, how it works, and how you can help protect yourself and your business from this type of cyberattack.

Malware defined

Malware describes malicious applications and code that damage or disrupt the normal use of endpoint devices. When a device becomes infected with malware, you may experience unauthorized access, compromised data, or being locked out of the device unless you pay a ransom.

People who distribute malware, known as cybercriminals, are motivated by money. They use infected devices to launch cyberattacks, such as to obtain banking credentials, collect personal information that can be sold, sell access to computing resources, or extort payment information from victims.

How does malware work?

Malware works by employing trickery to impede the normal use of a device. First a cybercriminal gains access to your device through one or more different techniques—such as a phishing email, infected file, system or software vulnerability, infected USB flash drive, or malicious website. Then they capitalize on the situation by launching additional cyberattacks, obtaining account credentials, collecting personal information to sell, selling access to computing resources, or extorting payment from victims.

Anyone can become a victim of a malware attack. Some people may know how to spot certain ways that cybercriminals try to target victims with malware, for example knowing how to identify a phishing email. But cybercriminals are sophisticated and constantly evolve their methods to keep pace with technology and security improvements. Malware attacks also look and act differently depending on the type of malware. Someone who’s a victim of a rootkit cyberattack, for example, may not even know it, because this type of malware is designed to lay low and remain unnoticed for as long as possible.

Here are a few of the ways cybercriminals attempt to deliver malware to devices.

Types of malware

Malware comes in many forms—here are a few common types.

Phishing

phishing attempt poses as a credible source to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. These cyberattacks provide a delivery mechanism for malware. Common scenarios steal usernames, passwords, credit card details, and banking information. These types of malware attacks may lead to identity theft or money stolen directly from someone’s personal bank account or credit card.

For example, a cybercriminal might pose as a well-known bank and send an email alerting someone that their account has been frozen because of suspicious activity, urging them to click a link in the email to address the issue. Once they clink the link, malware is installed.

Spyware

Spyware works by installing itself on a device without someone’s consent or providing adequate notice. Once installed, it can monitor online behavior, collect sensitive information, change device settings, and decrease device performance.

Adware

Like spyware, adware installs itself to a device without someone’s consent. But in the case of adware, the focus is on displaying aggressive advertising, often in popup form, to make money off clicks. These ads frequently slow a device’s performance. More dangerous types of adware can also install additional software, change browser settings, and leave a device vulnerable for other malware attacks.

Viruses

Viruses are designed to interfere with a device’s normal operation by recording, corrupting, or deleting its data. They often spread themselves to other devices by tricking people into opening malicious files.

Exploits and exploit kits

Exploits use vulnerabilities in software to bypass a computer’s security safeguards to infect a device. Malicious hackers scan for outdated systems that contain critical vulnerabilities, then exploit them by deploying malware. By including shellcode in an exploit, cybercriminals can download more malware that infects devices and infiltrates organizations.

Exploit kits contain a collection of exploits that scan for different types of software vulnerabilities. If any are detected, the kits deploy additional malware. Software that can be infected includes Adobe Flash Player, Adobe Reader, web browsers, Oracle Java, and Sun Java. Angler/Axpergle, Neutrino, and Nuclear are a few types of common exploit kits.

Exploits and exploit kits usually rely on malicious websites or email attachments to breach a network or device, but sometimes they also hide in ads on legitimate websites without the website even knowing.

Fileless malware

This type of cyberattack broadly describes malware that doesn’t rely on files—like an infected email attachment—to breach a network. For example, they may arrive through malicious network packets that exploit a vulnerability and then install malware that lives only in the kernel memory. Fileless cyberthreats are especially difficult to find and remove because most antivirus programs aren’t built to scan firmware.

Macro malware

You may already be familiar with macros—ways to quickly automate common tasks. Macro malware takes advantage of this functionality by infecting email attachments and ZIP files. To trick people into opening the files, cybercriminals often hide the malware in files disguised as invoices, receipts, and legal documents.

In the past, macro malware was more common because macros ran automatically when a document was opened. But in recent versions of Microsoft 365, macros are disabled by default, meaning that cybercriminals who infect devices in this way have to convince users to turn macros on.

Ransomware

Ransomware is a type of malware that threatens a victim by destroying or blocking access to critical data until a ransom is paid. Human-operated ransomware targets an organization through common system and security misconfigurations that infiltrate the organization, navigate its enterprise network, and adapt to the environment and any weaknesses. A common method of gaining access to an organization’s network to deliver ransomware is through credential theft, in which a cybercriminal could steal an actual employee’s credentials to pose as them and gain access to their accounts.

Cybercriminals using human-operated ransomware target large organizations because they can pay a higher ransom than the average individual—often many millions of dollars. Because of the high stakes involved with a breach of this scale, many organizations opt to pay the ransom rather than have their sensitive data leaked or risk further cyberattacks from the criminals, even though payment does not guarantee the prevention of either outcome.

As human-operated ransomware cyberthreats grow, the criminals behind the cyberattacks become more organized. In fact, many ransomware operations now use a ransomware-as-a-service model. This means that a set of criminal developers create the ransomware itself and then hire other cybercriminal affiliates to invade an organization’s network and install the ransomware, splitting the profits between the two groups at an agreed-on rate.

Rootkits

When a cybercriminal uses a rootkit, they hide malware on a device for as long as possible, sometimes even years, so that it steals information and resources on an ongoing basis. By intercepting and changing standard operating system processes, a rootkit may alter the information that your device reports about itself. For example, a device infected with a rootkit may not show an accurate list of programs that are running. Rootkits may also give administrative or elevated device privileges to cybercriminals, so they gain complete control of a device and can perform potentially malicious actions, such as steal data, spy on the victim, and install additional malware.

Supply chain attacks

This type of malware targets software developers and providers by accessing source codes, building processes, or updating mechanisms in legitimate apps. Once a cybercriminal has found an unsecured network protocol, unprotected server infrastructure, or unsafe coding practice, they break in, change source codes, and hide malware in build and update processes.

Tech support scams

An industry-wide issue, tech support scams use scare tactics to trick people into paying for unnecessary technical support services that may be advertised to fix a falsified problem relating to a device, platform, or software. With this type of malware, a cybercriminal may call someone directly and pretend to be an employee of a software company. Once they’ve gained someone’s trust, cybercriminals often urge potential victims to install applications or give remote access to their devices.

Trojans

Trojans rely on a user unknowingly downloading them because they appear to be legitimate files or apps. Once downloaded, they may:

  • Download and install additional malware, such as viruses or worms.
  • Use the infected device for click fraud.
  • Record the keystrokes and websites that you visit.
  • Send information (for example, passwords, login details, and browsing history) about the infected device to a malicious hacker.
  • Give a cybercriminal control over the infected device.

Unwanted software

When a device has unwanted software, the device owner may experience a modified web browsing experience, altered control of downloads and installations, misleading messages, and unauthorized changes to device settings. Some unwanted software is bundled with software that people intend to download.

Worms

Mostly found in email attachments, text messages, file-sharing programs, social networking sites, network shares, and removable drives, a worm spreads through a network by exploiting security vulnerabilities and copying itself. Depending on the type of worm, it might steal sensitive information, change your security settings, or stop you from accessing files.

Coin miners

With the rise in popularity of cryptocurrencies, mining coins has become a lucrative practice. Coin miners use a device’s computing resources to mine for cryptocurrencies. Infections of this type of malware often begin with an email attachment that attempts to install malware or a website that uses vulnerabilities in web browsers or takes advantage of computer processing power to add malware to devices.

Using complex mathematical calculations, coin miners maintain the blockchain ledger to steal computing resources that allow the miner to create new coins. Coin mining takes significant computer processing power, however, to steal relatively small amounts of cryptocurrencies. For this reason, cybercriminals often work in teams to maximize and split profits.

Not all coin miners are criminal, though—individuals and organizations sometimes purchase hardware and electronic power for legitimate coin mining. The act becomes criminal when a cybercriminal infiltrates a corporate network against its knowledge to use its computing power for mining.

Malware protection

Although anyone can become the victim of a malware attack, there are many ways to prevent a cyberattack from ever happening.

Install an antivirus program

The best form of protection is prevention. Organizations can block or detect many malware attacks with a trusted security solution or antimalware service, such as Microsoft Defender for Endpoint or Microsoft Defender Antivirus. When you use a program like these, your device first scans any files or links that you attempt to open to help ensure they’re safe. If a file or website is malicious, the program will alert you and suggest that you not open it. These programs can also remove malware from a device that’s already infected.

Implement advanced email and endpoint protections

Help prevent malware attacks with Microsoft Defender for Office 365, which scans links and attachments in emails and collaboration tools, like SharePoint, OneDrive, and Microsoft Teams. As part of Microsoft Defender XDR, Defender for Office 365 offers detection and response capabilities to eliminate the malware threats.

Also a part of Defender XDR, Microsoft Defender for Endpoint uses endpoint behavioral sensors, cloud security analytics, and threat intelligence to help organizations prevent, detect, investigate, and respond to advanced cyberthreats.

Hold regular trainings

Keep employees informed about how to spot the signs of phishing and other cyberattacks with regular trainings. This will not only teach them safer practices for work but also how to be safer when using their personal devices. Simulation and training tools, like the attack simulation training in Defender for Office 365, help simulate real-world cyberthreats in your environment and assign training to employees based on simulation results.

Take advantage of cloud backups

When you move your data to a cloud-based service, you’ll be able to easily back up data for safer keeping. If your data is ever compromised by malware, these services help ensure that recovery is both immediate and comprehensive.

Adopt a Zero Trust model

A Zero Trust model evaluates all devices and accounts for risk before permitting them to access applications, files, databases, and other devices, decreasing the likelihood that a malicious identity or device could access resources and install malware. As an example, implementing multifactor authentication, one component of a Zero Trust model, has been shown to reduce the effectiveness of identity cyberattacks by more than 99%. To evaluate your organization’s Zero Trust maturity stage, take the Zero Trust maturity assessment.

Join an information-sharing group

Information-sharing groups, frequently organized by industry or geographic location, encourage similarly structured organizations to work together toward cybersecurity solutions. The groups also offer organizations different benefits, such as incident response and digital forensics services, news about the latest cyberthreats, and monitoring of public IP ranges and domains.

Maintain offline backups

Because some malware will try to seek out and delete any online backups you may have, it’s a good idea to keep an updated offline backup of sensitive data that you regularly test to make sure it’s restorable if you’re ever hit by a malware attack.

Keep software up to date

In addition to keeping any antivirus solutions updated (consider choosing automatic updates), be sure to download and install any other system updates and software patches as soon as they’re available. This helps minimize any security vulnerabilities that a cybercriminal might exploit to gain access to your network or devices.

Create an incident response plan

Just like having an emergency plan in place for how to exit your home if there’s a fire keeps you safer and more prepared, creating an incident response plan for what to do if you’ve been hit with a malware attack will provide you with actionable steps to take in different cyberattack scenarios so that you can get back to operating normally and safely as soon as possible.

How to detect and remove malware

Malware isn’t always easily detectable, especially in the case of fileless malware. It’s a good idea for organizations and individuals alike to keep an eye out for an increase in popup ads, web browser redirects, suspicious posts on social media accounts, and messages about compromised accounts or device security. Changes to a device’s performance, such as it running much more slowly, may also be an indicator of concern.

If you’re worried that you’ve been affected by malware, fortunately, you have options for detection and removal. As a first step, take advantage of antivirus products, like the one offered natively in Windows, to scan for malware. Once you’ve installed an antivirus program, run a device scan to look for any malicious programs or code. If the program detects malware, it will list the type and provide recommendations for removal. After removal, be sure to keep the software updated and running to prevent future cyberattacks.

For more sophisticated cyberattacks against organizations that antivirus programs are unable to detect and block, security information and event management (SIEM) and extended detection and response (XDR) tools provide security professionals with cloud-powered endpoint security methods that help detect and respond to cyberattacks on endpoint devices. Because these types of cyberattacks are multifaceted, with cybercriminals targeting more than just control of devices, SIEM and XDR help organizations see a cyberattack’s bigger picture across all domains—including devices, emails, and applications.

Getting started with SIEM and XDR tools, such as Microsoft SentinelMicrosoft Defender XDR, and Microsoft Defender for Cloud, is a strong starting place for antivirus capabilities. Security professionals should ensure that device settings are always updated to match the latest recommendations to help prevent cyberthreats.

Learn more about Microsoft Security

Security Insider

Stay on top of the latest cyberthreats and learn how to help protect your organization.

Microsoft Sentinel

Uncover sophisticated cyberthreats across clouds and platforms and respond decisively with intelligent security analytics.

Microsoft Defender XDR

Identify and disrupt cross-domain cyberattacks with industry-leading XDR.

Microsoft Defender for Cloud

Strengthen cloud security and monitor and help protect workloads across multicloud environments.

Microsoft Defender for Office 365

Help safeguard your organization against threats posed by emails, links, and collaboration tools.

Microsoft Digital Defense Report

Familiarize yourself with the current cyberthreat landscape and how to build a digital defense.

Frequently asked questions

  • Unfortunately, anyone can be affected by a malware attack. Cybercriminals have become increasingly sophisticated at imitating emails and other forms of communication from organizations that you already do business with, like your bank. Other types of malware are even less conspicuous and may be hidden in software that you intend to download.

    Investing in proactive solutions, however, like threat protection solutions, is a viable way to prevent malware from ever infecting your network or devices. Therefore, individuals and organizations with antivirus programs and other security protocols in place before a cyberattack occurs, such as a Zero Trust model, are the least likely to become victims of a malware attack.

  • Malware attacks occur through many different means. You might click on a malicious link, open an infected email attachment, or do nothing at all—some cyberattacks prey on device security vulnerabilities when you haven’t taken any action.

  • Malware attacks can be devastating, such as having your identity and money stolen, or less serious but still intrusive, such as displaying unwanted ads on your device.

  • Antivirus programs are a type of software that actively help protect you from and remove malware on your device. When you have an antivirus service installed, you’ll receive a notification before accessing a compromised file or link warning you that it’s potentially unsafe.

  • Malware attacks are best prevented by downloading and installing an antivirus program, which will monitor your device activity and actions and flag any suspicious files, links, or programs before they become a problem.

Follow Microsoft Security