Subscribe to the Non-Human & AI Identity Journal

GoToR Action

A GoToR action is a PDF instruction that tells a reader to jump to a remote destination or resource. It is security-sensitive because an attacker can abuse it to make the victim device contact an untrusted host, sometimes triggering credential negotiation or other unsafe network behaviour.

Expanded Definition

GoToR action describes a PDF instruction that redirects the reader to a remote destination rather than keeping the action inside the file. In practice, the action may point to a website, file share, or another network resource, and the security concern is not the redirect itself but the external request it can provoke. When a PDF viewer follows the action, the endpoint may contact an untrusted host, which can expose network metadata, trigger authentication prompts, or activate unsafe protocol handling. This behaviour is especially relevant in NHI and IAM environments because a malicious document can try to elicit credential negotiation from a device or service account that has ambient trust. Standards do not treat GoToR as an identity control by name, so usage in the industry is still evolving and often overlaps with document hardening and endpoint policy. NIST guidance on access control and boundary protection, including NIST SP 800-53 Rev 5 Security and Privacy Controls, is the closest formal anchor for the defensive posture around it. The most common misapplication is treating GoToR as a harmless navigation feature, which occurs when security teams allow remote actions in PDFs opened on trusted enterprise endpoints.

Examples and Use Cases

Implementing controls for GoToR rigorously often introduces usability friction, requiring organisations to weigh document convenience against the risk of outbound network interaction and credential exposure.

  • A supplier invoice PDF contains a GoToR action to a remote payment portal; the endpoint should not silently follow it if the destination is outside approved business domains.
  • A phishing attachment uses a remote PDF target to induce a workstation to contact an attacker-controlled host, similar to patterns discussed in the Schneider Electric credentials breach coverage.
  • A desktop PDF viewer resolves a remote link and triggers NTLM or other credential negotiation; this is why teams align file handling with NIST SP 800-53 Rev 5 Security and Privacy Controls for boundary enforcement.
  • An internal policy document uses remote content for convenience, but security review requires that the destination be trusted, logged, and proxied rather than contacted directly.
  • A malware analysis lab permits GoToR only in isolated environments so researchers can observe network callbacks without exposing production identities or secrets.

Remote action handling is best understood as a path from document trust to network trust. If the PDF reader or underlying OS can be induced to reach out to an arbitrary host, the document becomes a delivery mechanism for policy bypass, not just content rendering.

Why It Matters in NHI Security

GoToR action matters because it can turn a document open event into an identity event. When the destination is malicious, the endpoint may present cached credentials, negotiate with an attacker-controlled server, or reveal whether a host belongs to a privileged environment. That is especially dangerous in organisations where service accounts, automation agents, or other NHIs already have broad network reach. NHI Mgmt Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 96% of organisations still store secrets outside secrets managers in vulnerable locations. Together, those conditions make any untrusted outbound request more than a nuisance. Document controls, egress filtering, and least-privilege endpoint policy should therefore be treated as part of identity defense, not just content security. The strongest operational response is to block or sandbox remote PDF actions, inspect outbound destinations, and remove ambient credential exposure from endpoints that might render untrusted files. Organisations typically encounter the real impact only after a phishing document or supplier file causes an unexpected network call, at which point GoToR action becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Remote document actions can expose secrets and trigger unintended identity use.
NIST CSF 2.0 PR.AC-4 Least privilege limits what credentials a redirected connection can reveal or use.
NIST Zero Trust (SP 800-207) SC-7 Zero Trust requires controlling all network egress, including document-triggered requests.
NIST SP 800-63 Credential presentation to remote hosts can undermine assurance and phishing resistance.
OWASP Agentic AI Top 10 Autonomous or assisted workflows may open files and follow remote actions without review.

Block untrusted outbound document actions and reduce ambient credential exposure on endpoints.