Managed file transfer (MFT) software moves files between organisations with auditing and encryption. Internet-facing MFT appliances are frequent mass-breach entry points.
Managed file transfer (MFT) is enterprise software that moves files between organisations and systems with auditing, encryption and access control built in. Common products include Progress MOVEit, Fortra GoAnywhere and Cleo Harmony. Because MFT appliances sit on the public internet and hold large volumes of sensitive data, an unauthenticated flaw in one is a direct path to bulk data theft, which is why MFT zero-days have driven some of the largest breaches of recent years.
When an MFT product runs as a cloud appliance or behind a cloud load balancer, exploitation shows up in the surrounding cloud telemetry: unexpected outbound data volume, web requests to known exploit paths, and new IAM principals or access keys created shortly after a web exploit. The initial access maps to MITRE ATT&CK T1190 Exploit Public-Facing Application.
MFT incidents tend to follow a fixed pattern: exploit the public endpoint, drop a web shell or scheduled task, then stage and exfiltrate files. Detection coverage therefore needs both the application's own audit log and the cloud control plane around it, so a single appliance compromise does not become silent bulk exfiltration.
Widely deployed MFT products include Progress MOVEit Transfer, Fortra GoAnywhere MFT, Cleo Harmony and IBM Sterling. Each provides audited, encrypted file exchange between organisations. Several have been hit by unauthenticated vulnerabilities that let attackers read or steal transferred files at scale, which is why internet-facing MFT appliances are treated as high-value assets to monitor.
MFT appliances are internet-facing, hold large volumes of sensitive data, and are often run by many organisations on the same software version. A single unauthenticated flaw gives attackers a repeatable path to bulk data theft across many victims at once, which is the pattern seen in the MOVEit and GoAnywhere mass-exploitation campaigns.
Combine the appliance's own audit log with the cloud telemetry around it. Watch for unexpected outbound data volume, web requests to known exploit paths, new files or tasks created by the service account, and any new credentials or IAM principals that appear shortly after. The initial access maps to ATT&CK T1190 Exploit Public-Facing Application.
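The correlation described above (a hit on a watch-listed request path, followed within a window by IAM principal or key creation and an outbound-volume spike), as an added example that is not part of the original page. All log lines, paths, principal names, the two-hour window and the egress baseline are constructed placeholders, not real indicators.

```python
"""Correlate MFT web-exploit indicators with cloud control-plane telemetry.

Added detection example: for every request to a watch-listed path, look for
privileged IAM events and egress spikes in the following window and score
the alert higher when they are present (T1190 followed by persistence/exfil).
"""
from datetime import datetime, timedelta

# Constructed placeholders: populate from your own threat intel and baselines.
WATCHED_PATHS = {"/mft/example-exploit-path"}
PRIV_EVENTS = {"CreateAccessKey", "CreateUser", "AttachRolePolicy"}
WINDOW = timedelta(hours=2)          # assumed follow-up window
BASELINE_BYTES = 50_000_000          # assumed per-hour egress baseline

# Constructed sample telemetry (web access log, cloud audit log, flow-log egress).
WEB_LOG = [  # (timestamp, src_ip, path, status)
    ("2024-01-01T10:00:00", "203.0.113.9", "/mft/example-exploit-path", 200),
    ("2024-01-01T10:05:00", "198.51.100.4", "/login", 200),
]
CLOUD_EVENTS = [  # (timestamp, event_name, actor)
    ("2024-01-01T10:20:00", "CreateAccessKey", "mft-service-role"),
    ("2024-01-01T15:00:00", "CreateUser", "admin"),  # outside the window
]
EGRESS = [  # (hour_start, bytes_out) from the appliance's VPC flow logs
    ("2024-01-01T10:00:00", 900_000_000),
    ("2024-01-01T12:00:00", 1_000_000),
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(web_log, cloud_events, egress):
    """Return one alert per watch-listed request, enriched with follow-ups."""
    alerts = []
    for ts, ip, path, _status in web_log:
        if path not in WATCHED_PATHS:
            continue
        t0, t1 = _ts(ts), _ts(ts) + WINDOW
        iam = [e for e in cloud_events
               if e[1] in PRIV_EVENTS and t0 <= _ts(e[0]) <= t1]
        spikes = [e for e in egress
                  if e[1] > BASELINE_BYTES and t0 <= _ts(e[0]) <= t1]
        alerts.append({"src_ip": ip, "path": path, "hit_at": ts,
                       "iam_followups": iam, "egress_spikes": spikes,
                       "severity": "high" if (iam or spikes) else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(WEB_LOG, CLOUD_EVENTS, EGRESS):
        print(alert)
```

The sample run yields a single high-severity alert: the access-key creation at 10:20 and the 900 MB egress hour both fall inside the window, while the 15:00 CreateUser event does not.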