Attachment disarm and reconstruction is a defensive pattern that strips or neutralises risky active content before delivering a file to users. It is used when organisations need to preserve business communication but do not want macros, embedded code, or hidden payloads reaching inboxes.
Expanded Definition
Attachment disarm and reconstruction, often shortened to CDR, is a file sanitisation pattern that removes or neutralises active content before a document reaches the recipient. It is used to preserve the business value of a file while stripping macros, embedded objects, scripts, and other executable elements that can carry malware.
For security teams, the key distinction is that CDR does not rely on spotting a known threat. Instead, it reconstructs a safe version of the file based on what the recipient needs to read, view, or print. That makes it especially useful in environments where email remains a primary delivery channel and attackers routinely hide payloads in common file formats. NIST SP 800-53 Rev 5 Security and Privacy Controls is useful here because file filtering, boundary defence, and malicious code protection controls all support the same defensive objective: prevent unsafe content from reaching users in a usable form.
Definitions vary across vendors on how much of a file may be preserved versus rebuilt, so implementation details should be checked carefully. The most common misapplication is treating CDR as a complete replacement for phishing defence, which occurs when organisations assume sanitised attachments alone can block credential theft, social engineering, and malicious links.
Examples and Use Cases
Implementing attachment disarm and reconstruction rigorously often introduces compatibility tradeoffs, requiring organisations to weigh user experience and document fidelity against stronger content safety.
- Email gateways that convert inbound Office files into safe renderings so staff can open reports without macro risk.
- Financial services teams that strip hidden scripts from customer-submitted spreadsheets before allowing internal review.
- Government or healthcare mailrooms that sanitise external PDFs and images before files enter high-trust networks.
- Security operations workflows that pair CDR with sandboxing when a file must still be delivered quickly, but the source is not yet trusted.
- NHI-heavy environments where shared inboxes, service accounts, or ticketing automations process inbound attachments that could otherwise trigger malicious actions inside downstream tools.
NHIMG research shows that Ultimate Guide to NHIs reports 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage. That matters because attachment-based delivery is often how secrets, invoices, credentials, and automation artefacts move through business workflows. If those files are opened by systems rather than people, a sanitised copy can reduce the chance that embedded payloads reach an autonomous process. NIST SP 800-53 Rev 5 Security and Privacy Controls supports the same operational logic through controls for malicious code protection and information system boundary defence.
Why It Matters for Security Teams
Attachment disarm and reconstruction matters because many intrusions begin with a file that looks routine until it is opened in the wrong context. Once malicious macros, hidden links, or embedded payloads reach an employee mailbox or a service workflow, containment becomes more expensive and more disruptive. In NHI-driven environments, that risk expands because automated mail processing, ticket triage, and document ingestion may expose API keys, certificates, or workflow tokens to unsafe content before a human ever reviews it.
NHIMG research also indicates that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, which increases the payoff for attacks that begin with a document. The same guide notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, making file safety a governance issue as much as an endpoint issue. For teams aligning controls, Ultimate Guide to NHIs is a useful lens for understanding how inbound documents can become an identity exposure point, while NIST guidance helps anchor the defensive control set.
Organisations typically encounter the need for attachment disarm and reconstruction only after a malicious attachment has already executed, at which point safe file delivery becomes operationally unavoidable to restore trust in the inbox and downstream workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | Data is protected at rest and in transit, supporting safe handling of inbound files. |
| NIST SP 800-53 Rev 5 | SI-3 | Malicious code protection covers inspection and blocking of harmful file content. |
| OWASP Non-Human Identity Top 10 | NHI guidance is relevant when files can expose secrets or trigger automated workflows. |
Sanitise attachments before delivery so unsafe content never reaches users or downstream systems.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org