Zero-Day Attacks Explained
In today’s always-online world, cybercriminals don’t just target big global brands. Small and medium businesses, professional services firms, health practices and even not-for-profits are regular targets, often because they are seen as easier to breach.
Among the most dangerous threats you can face are zero-day attacks. They’re hard to detect, move quickly and can bypass even well-maintained defences if you’re not prepared.
This guide explains, in plain language:
- What zero-day vulnerabilities and zero-day attacks are
- How attackers typically exploit them
- Warning signs to look out for
- Practical steps to protect your organisation
- What to do if you suspect you’ve been hit
1. What Is a Zero-Day Vulnerability?
A zero-day vulnerability is a security flaw that already exists in software you are running today, for which the vendor has not yet released an official patch (often because the vendor doesn’t yet know the flaw exists). The name comes from the vendor having had “zero days” to fix it.
Zero-day vulnerabilities can exist in:
- Operating systems (Windows, macOS, Linux, mobile OSs)
- Web browsers (Chrome, Edge, Safari, Firefox, etc.)
- Office and productivity suites
- Email clients
- Open-source applications and libraries
- Cloud platforms and SaaS tools
- Network devices (routers, firewalls, VPN appliances)
- Internet of Things (IoT) devices and industrial systems
How Do Zero-Day Vulnerabilities Arise?
Most zero-day vulnerabilities are created unintentionally during development. Common causes include:
- Coding errors or logic flaws – rare conditions the developers didn’t anticipate
- Weak input validation – software trusts user input that should be treated as untrusted
- Misconfigurations – default settings that are too permissive or insecure
- Legacy code – older components that no one has properly reviewed in years
- Integration issues – secure systems interacting in insecure ways when combined
Because modern applications are large and complex, even well-resourced teams can miss critical edge cases, leaving a hidden “back door” for attackers.
2. What Is a Zero-Day Attack?
A zero-day attack is a cyberattack that takes advantage of a zero-day vulnerability before a patch or fix is available (or widely deployed).
Key characteristics:
- The vulnerability is unpatched (no official fix yet), or patches are so new that most organisations haven’t deployed them.
- The exploit is often unknown to traditional antivirus tools and signature-based security.
- Attackers frequently keep the details secret so they can use the vulnerability for as long as possible.
Typical Zero-Day Attack Lifecycle
Although every incident is unique, most zero-day attacks follow a similar pattern:
1. Discovery
Attackers (or researchers) find a new vulnerability in a widely used product.
2. Weaponisation
The attacker creates an exploit, usually in the form of a malicious document, script, website or executable that triggers the flaw.
3. Delivery
The exploit is delivered to victims via:
- Phishing emails with malicious attachments or links
- Compromised websites (drive-by downloads)
- Malicious browser extensions or plug-ins
- Infected software updates or installers
4. Exploitation
Once the victim opens the file or visits the website, the exploit runs and abuses the vulnerability to bypass security controls.
5. Installation and Persistence
Malware or a backdoor is installed on the system to maintain ongoing access.
6. Command & Control and Data Theft
The compromised system connects back to the attacker. From there, they can:
- Steal sensitive information
- Move laterally across the network
- Deploy ransomware or other malware
- Manipulate or destroy data
Because the vulnerability is new and unknown, traditional defences often won’t recognise the attack until it’s too late.
3. Why Zero-Day Attacks Are So Dangerous
Zero-day attacks are considered “high-impact, high-risk” for several reasons:
- No patch available (initially).
- Low detection by traditional tools.
Signature-based antivirus relies on knowing what malware looks like. A brand-new exploit often has no signature.
- High value for attackers.
Zero-day vulnerabilities can be sold on underground markets or used in targeted attacks against valuable organisations.
- Potential for widespread impact.
If a zero-day affects a popular product (e.g. a major OS, browser or VPN appliance), thousands of businesses may be exposed at once.
- Short reaction window.
Once a zero-day becomes public, attackers rush to exploit it before organisations can patch and harden their systems.
For these reasons, strong prevention, detection and response processes are critical.
4. How Zero-Day Attacks Typically Reach You
Zero-day attacks don’t usually appear out of nowhere; they arrive through familiar channels and social engineering tricks.
Common delivery methods include:
4.1 Phishing and Social Engineering
Attackers send realistic-looking emails that:
- Impersonate suppliers, colleagues or government agencies
- Include urgent language: “Overdue invoice”, “Important security update”, “Action required”
- Attach documents that exploit a vulnerability when opened
- Contain links to malicious websites
4.2 Malicious or Compromised Websites
Attackers set up or compromise websites that:
- Contain hidden scripts which exploit browser or plug-in vulnerabilities
- Prompt users to download fake updates or software
- Silently download malware when visited (drive-by downloads)
Staff may be infected just by visiting a site, even without downloading anything, if their browser or extensions are vulnerable.
4.3 Malicious Attachments and Documents
Common file types used in zero-day exploits include:
- Office documents (Word, Excel, PowerPoint)
- PDFs
- Compressed files (.zip, .rar)
- Installer packages (.exe, .msi, .pkg)
The document may appear legitimate (e.g. “new contract”, “candidate resume”, “delivery invoice”) while containing exploit code.
4.4 Compromised Software Updates and Supply Chain
Zero-day attacks increasingly target the software supply chain:
- Attackers compromise a vendor’s update server or development pipeline.
- Malicious code is inserted into a legitimate update.
- Customers install the “official” update, unknowingly importing malware.
This type of attack is especially dangerous because the malicious activity appears to come from a trusted, signed source.
4.5 IoT and Smart Devices
Internet-connected cameras, printers, phones, smart TVs and industrial controllers often:
- Run outdated firmware
- Use weak default credentials
- Don’t receive regular security updates
A zero-day in one of these devices can give attackers a foothold into your network, even if your PCs and servers are well protected.
5. How Can You Identify a Zero-Day Attack?
By definition, a zero-day exploit is new and unknown, which makes detection challenging. However, attacks still leave traces. The key is to look for suspicious behaviour, not just known signatures.
5.1 Watch for Unusual Network and System Activity
Indicators that may suggest a zero-day attack include:
- Sudden, unexplained spikes in outbound traffic
- Unusual connections to countries or IP addresses you don’t normally deal with
- Repeated failed login attempts or odd login times
- New or unexpected services running on servers or endpoints
- Systems slowing down or behaving inconsistently without a clear reason
5.2 Behaviour-Based Threat Detection
Because zero-day malware is new, it’s often detected using behavioural analysis rather than known signatures. Modern security tools may:
- Run suspicious files in a sandboxed environment to see what they do
- Monitor processes for unusual behaviour (e.g. trying to encrypt large numbers of files, modifying system registries, disabling security tools)
- Flag software that suddenly requests higher privileges or unusual network access
This approach looks at what a file or process is doing rather than what it is called.
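As an added illustration of sections 5.1 and 5.2 (example code written for this guide, not a tool from the original page or from Computing Australia), the script below runs simple behaviour rules over constructed sample events: a burst of failed logins, a login outside business hours, a large connection to an unusual country, and a new service appearing on the host. The event format, the business-hours window, the usual-country list and the byte threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real system): one event per line,
# "<ISO time>|<host>|<kind>|<key=value ...>". Kinds mirror the indicators above.
SAMPLE_EVENTS = """\
2024-05-01T02:14:00|WS-07|login_fail|user=jsmith
2024-05-01T02:14:20|WS-07|login_fail|user=jsmith
2024-05-01T02:14:45|WS-07|login_fail|user=jsmith
2024-05-01T02:15:10|WS-07|login_fail|user=jsmith
2024-05-01T02:15:30|WS-07|login_ok|user=jsmith
2024-05-01T02:16:00|WS-07|outbound|dst_country=XX bytes=900000000
2024-05-01T02:16:30|WS-07|new_service|name=updsvc
2024-05-01T09:00:00|WS-12|login_ok|user=akhan
2024-05-01T09:05:00|WS-12|outbound|dst_country=AU bytes=2000000
"""

# Baselines are assumptions for this example; derive real ones from your own history.
BUSINESS_HOURS = range(7, 19)          # logins outside 07:00-18:59 count as "odd"
USUAL_COUNTRIES = {"AU", "NZ", "US"}   # countries this organisation normally talks to
OUTBOUND_SPIKE_BYTES = 500_000_000     # per-connection volume well above normal

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append((datetime.fromisoformat(ts), host, kind, fields))
    return events

def flag_indicators(events, fail_threshold=4, window=timedelta(minutes=10)):
    """Return {host: [reasons]} for hosts showing the behaviours listed above."""
    reasons = defaultdict(list)
    fails = defaultdict(list)  # host -> recent failed-login timestamps
    for ts, host, kind, f in sorted(events, key=lambda e: e[0]):
        if kind == "login_fail":
            fails[host] = [t for t in fails[host] if ts - t <= window] + [ts]
            if len(fails[host]) == fail_threshold:  # fire once per burst
                reasons[host].append("repeated failed logins")
        elif kind == "login_ok" and ts.hour not in BUSINESS_HOURS:
            reasons[host].append(f"login outside business hours ({ts:%H:%M})")
        elif kind == "outbound":
            if f["dst_country"] not in USUAL_COUNTRIES:
                reasons[host].append(f"connection to unusual country {f['dst_country']}")
            if int(f["bytes"]) >= OUTBOUND_SPIKE_BYTES:
                reasons[host].append("outbound traffic spike")
        elif kind == "new_service":
            reasons[host].append(f"new service appeared: {f['name']}")
    return dict(reasons)
```

Running `flag_indicators(parse_events(SAMPLE_EVENTS))` flags only WS-07, with five separate reasons; no single rule proves a zero-day, but several firing together on one host within minutes is exactly the kind of pattern worth escalating.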
5.3 Endpoint Detection and Response (EDR)
EDR solutions continuously monitor endpoints and can:
- Detect anomalies such as unusual process chains or registry changes
- Provide detailed timelines of what happened on an infected device
- Help security teams quickly isolate affected machines
This kind of visibility is crucial when dealing with fast-moving zero-day threats.
5.4 Threat Intelligence and Vulnerability Feeds
Subscribing to threat intelligence and security advisories helps you:
- Learn when new zero-day vulnerabilities are being exploited in the wild
- Understand which products and versions are affected
- Prioritise patching and mitigation efforts
Even if you can’t detect every attack, knowing where to focus your efforts significantly reduces your exposure window.
6. How to Protect Your Business Against Zero-Day Attacks
You can’t control when a zero-day vulnerability is discovered, but you can control how hard you are to breach and how fast you can respond.
6.1 Keep Software and Operating Systems Up-to-Date
This may sound basic, but it’s one of the most effective measures you can take.
- Enable automatic updates where practical.
- Maintain a central patch management process for servers, workstations and devices.
- Prioritise security patches flagged as critical or actively exploited.
- Don’t forget less-obvious systems: printers, network hardware, IoT devices, line-of-business apps.
While patching can’t stop a brand-new zero-day, it greatly reduces your attack surface and stops attackers from chaining older vulnerabilities with newer ones.
6.2 Harden Security Settings and Configurations
Improve your default security posture by:
- Disabling unnecessary services and ports on servers and endpoints.
- Enforcing strong password policies or, even better, password managers and passphrases.
- Turning on host-based firewalls.
- Limiting admin rights: most staff should not be local administrators of their machines.
- Implementing secure configurations based on recognised benchmarks (e.g. CIS benchmarks).
Well-configured systems are harder to exploit, even with a zero-day.
6.3 Use Modern Antivirus and Endpoint Protection
Traditional antivirus alone is no longer enough, but it’s still an important layer.
- Ensure built-in antivirus (e.g. Microsoft Defender) is enabled and updated.
- Consider a next-generation endpoint protection (EPP) or EDR solution that includes behaviour-based detection.
- Set policies to quarantine or automatically block suspicious files.
A good endpoint solution can detect unknown threats based on behaviour, making it more effective against zero-day exploits.
6.4 Strengthen Email and Web Security
Because many zero-day attacks use phishing and malicious websites, focus on:
- Email filtering to block phishing emails, malicious links and dangerous attachments.
- Attachment sandboxing to open and test suspicious files in a safe environment.
- DNS and web filtering to prevent access to known malicious domains and categories of risky sites.
These controls can stop many attacks before they ever reach user devices.
6.5 Implement Multi-Factor Authentication (MFA)
If attackers do gain a foothold, MFA can limit what they can do with stolen credentials.
- Enable MFA for email, VPN, remote access and cloud applications.
- Use app-based authenticators or hardware keys where possible, rather than SMS alone.
MFA isn’t perfect, but it dramatically raises the bar for attackers.
6.6 Segment Your Network and Limit Privileges
- Segment your network so that sensitive systems (finance, HR, servers) are separated from general user devices.
- Apply the principle of least privilege: users and applications should have the minimum access they need to do their job.
- Use role-based access control and regularly review permissions.
This limits the damage a single compromised device can cause.
6.7 Maintain Reliable Backups
Backups won’t stop an attack, but they are often the difference between a nasty incident and a business-ending disaster.
- Keep regular, automated backups of critical systems and data.
- Store backups offline or in immutable storage so attackers can’t encrypt or delete them.
- Test your restore process regularly; knowing how recovery works and how long it takes is vital.
If a zero-day leads to ransomware or data corruption, good backups can save you.
6.8 Educate and Train Your Staff
Human error is often the weakest link.
- Provide regular security awareness training focused on phishing, safe browsing and password hygiene.
- Use simulated phishing campaigns to test and improve staff responses.
- Make it easy and safe for employees to report suspicious emails or activity, without fear of being blamed.
An informed team is one of the best defences against social engineering-driven zero-day attacks.
7. What To Do If You Suspect a Zero-Day Attack
Here’s a high-level incident response checklist:
1. Stay calm and contain the issue
- Disconnect affected machines from the network (but leave them powered on to preserve evidence).
- Disable compromised user accounts or reset passwords.
- Block suspicious IP addresses, domains or URLs at your firewall and DNS level.
2. Engage your IT or cybersecurity team
- Notify your internal IT team or external IT support provider immediately.
- Provide as much information as possible (screenshots, error messages, suspicious emails).
3. Investigate and identify the scope
- Determine which systems are affected and when the activity began.
- Check logs on firewalls, servers, email gateways and endpoints.
- Look for signs of lateral movement or data exfiltration.
4. Eradicate and recover
- Remove malware and backdoors from infected systems.
- Apply any available patches or workarounds issued by the vendor.
- Restore clean data from backups if necessary.
5. Communicate appropriately
- Inform management and relevant stakeholders.
- If personal data may be involved, consider your legal and regulatory obligations (e.g. breach notifications, privacy requirements).
- Be transparent with affected customers or partners where appropriate.
6. Review and strengthen
- Conduct a post-incident review.
- Identify what worked, what didn’t, and where controls need improvement.
- Update policies, procedures and training accordingly.
8. When to Involve a Cybersecurity Partner
Zero-day attacks can quickly become too complex for a small internal IT team to handle alone. Consider getting specialist help if:
- Critical data or systems may have been accessed or altered
- You suspect lateral movement across the network
- You must meet regulatory requirements or notify regulators/customers
- You don’t have in-house expertise in forensics and incident response
A good cybersecurity partner can:
- Help you contain and remediate the immediate threat
- Provide forensic analysis and reporting
- Design and implement stronger controls and monitoring
- Train your staff and help you prepare for future incidents
9. Key Takeaways
- Zero-day vulnerabilities are newly discovered security flaws with no patch available.
- Zero-day attacks exploit these flaws, often using phishing, malicious websites or compromised updates.
- Detection is challenging, but unusual network and system behaviour can provide clues.
- Layered security (patching, modern endpoint protection, email/web filtering, MFA, segmentation, backups and staff training) significantly reduces your risk.
- A clear incident response plan and trusted cybersecurity partner help you react quickly when something goes wrong.
Being prepared doesn’t mean eliminating risk completely; no one can. It means making your organisation a harder, more resilient target.
Try to be as careful as possible when you browse online. Avoid saving your passwords and other sensitive data in your system. Use MFA wherever possible. Reply to emails from unknown senders only after verifying they are legitimate. Learn more about safe cybersecurity practices.
Zero-day attacks are hard to combat because they are so difficult to detect. However, through awareness and safe cybersecurity practices, you can protect yourself and your organisation from them. If you’re looking for a team to help you foolproof your cybersecurity systems, look no further. Contact us or email us at cybersecurity@computingaustralia.group. With over 20 years of experience in the field, our experts will guarantee you creative solutions for all your digital troubles.
Jargon Buster
Malware – Malware is malicious software intentionally designed to damage a computer, server, or network.
IoT – The Internet of Things, or IoT, refers to the physical devices around the world that are connected to the internet.
MFA – Multi-factor authentication is an authentication method in which a user is granted access to a website or application only after successfully verifying two or more identity proofs.