Email attachments can contain malware. It is important to confirm who sent an attachment, why they sent it, and what it will do before opening or downloading it.
When are email attachments safe to open?
The ability to attach files to emails is useful, but it also introduces risk. Email attachments from malicious parties may contain malware, which can lead to a hack or data breach. There is no foolproof way to know if an email attachment is safe to open — but unexpected attachments from unknown persons are most likely to be dangerous.
Why are email attachments dangerous?
An email attachment is a file sent with an email — like a gift with a card. Almost any file can be attached to an email; usually, the only limitation is how large of a file or how many files an email client is willing to accept. But like any file sent over a network, email attachments can sometimes contain dangerous or malicious content that can infect a device with malware.
Attackers often attempt to distribute malware by attaching it to emails. Sometimes, they attach malware as an executable (EXE) file and trick the email recipient into downloading and opening the file, which runs the malware. Other times, they might bury a malicious script in a harmless-seeming file, like a Microsoft Word document (DOC, DOCX) or an archive file (ZIP, RAR, etc.). Once the script executes, it downloads and installs malware or performs other malicious actions. Finally, attackers may disguise malware or scripts inside files that seem unlikely to contain them, like images or video files.
Imagine an email attachment as a wrapped gift and the email it is attached to as a card that comes with it. Someone who receives the gift cannot tell what is inside it until they open it. Similarly, it is impossible to know what an email attachment contains. Unfortunately, because almost anyone can send emails to each other, all email attachments must be treated with suspicion. This is the case even if the accompanying email — the “card” in the analogy — seems to be from a trusted person.
Which email attachments are generally safe to open?
As with any security aspect, there is no way to guarantee that any given file is safe. However, answering the following questions can help determine if an email attachment should be trusted. If the answer to any of them is “no,” it is wise for users to contact the purported sender or their organization’s security team.
- Do you know the sender? Email attachments from a known source are more likely to be trustworthy than email attachments from an unknown source. Someone the recipient has never met is far less likely to have a legitimate reason for sending an email attachment — just as one is not likely to receive birthday presents from strangers.
- Can you confirm the sender sent the email? Sometimes, malicious parties will impersonate a known and trusted sender, even someone in the recipient’s contact list or organization. They can do this by faking or spoofing the sender’s email address or, breaking into the sender’s inbox and sending the email on their behalf.
- Did you expect the email? Unexpected emails are often an indicator of an attack attempt. Most malicious emails are not expected — no one wants to get hacked.
- Did you expect the email to have an attachment? An unexpected or irrelevant attachment could be malicious even if the email is expected.
- Is the attachment an expected file type? For example, if the sender says they have attached or will attach an image, but the file received is a PDF or an EXE, this may be a sign that the file should not be trusted.
If all of these questions can be answered in the affirmative, the email attachment is more likely to be safe, but still not guaranteed.
When are email attachments not safe to open?
The questions in the previous section are a good starting point for identifying potentially dangerous attachments. Additional indicators that a message may be unsafe to open include the following:
- Urgency: Attackers want the people who receive their emails to act quickly before they have time to question or investigate further. The email may demand that the recipient quickly downloads or opens the attachment.
- Email is sent to large groups or unknown recipients: Attackers sometimes cast as wide a net as possible to make it more likely that someone will download the malicious attachment. They do this by sending malicious emails to long lists of recipients or large group email aliases. They may try to conceal how many people the email is sent to by using BCC and leaving the “To” field blank.
- Unusual writing style in email: Spelling and grammar errors are a common sign that an email may be from a scammer. But sometimes, legitimate senders also ignore these conventions. Recipients should compare the email to the sender’s typical email writing style. In addition, if the email is about topics the sender does not usually address, the email may not be from the supposed sender.
- Lack of personalized greeting: Attackers do not always have time to target their victims individually. A generic or missing greeting could indicate that the email is not legitimate. (This is not always the case — particularly in spear phishing and business email compromise attacks; email threats are sometimes highly targeted and personalized.)
- The attached file contains malware: Many email providers will identify possible malware with anti-malware analysis and flag dangerous attachments — a clear sign that the email should not be opened.
What kinds of email attachments can contain malware?
Any file can contain malicious code. Many malware attacks have used archive files, PDFs, Microsoft Word documents, and Microsoft Excel spreadsheets. However, attackers are not limited to these file types. Anything from images to text files can be dangerous.
One of the most obviously dangerous file types is the executable file. Executable files are programming instructions a computer carries out when the files are opened. A legitimate sender rarely attaches executable code in an email — usually, a software program will be sent another way. Executable files have an EXE file extension (on Windows) or an APP file extension (on Mac).
What is a file extension?
A file extension is the text that follows the period (or full stop) at the end of a file name. For example, in the file name “quiche-recipe.doc,” the file extension is .doc or DOC. File extensions indicate the file type — a DOC file extension indicates that this is a Microsoft Word document.
File extensions can be faked or forged. Identifying the file extension is not a reliable way to determine whether a file is safe.
Other common file extensions to know include, but are not limited to:
- Microsoft Word: .doc, .docx (DOC, DOCX)
- Microsoft Excel: .xls, .xlsx (XLS, XLSX)
- Adobe Acrobat PDF: .pdf (PDF)
- Executable files: .exe, .app (EXE, APP)
- Archive files: .zip, .rar, .iso (ZIP, RAR, ISO)
- Image files: .jpeg, .png, .gif (JPEG, PNG, GIF)
- Audio files: .mp3, .wav (MP3, WAV)
- Web files: .html, .css, .js (HTML, CSS, JavaScript)
- Plain text files: .txt (TXT)
How do attackers embed macros, scripts, and other dangerous content in common files?
Office files
A macro is an executable script for Microsoft Office files such as Word and Excel. While macros have many legitimate uses, they have also been used in attacks. It may be malicious if an email attachment asks the recipient to enable macros.
PDFs
Attackers can embed malicious JavaScript within PDFs and links to dangerous websites or cloud-hosted files controlled by attackers.
Archive files
An archive file is a format for storing one or more files in a wrapper, along with metadata about the files. Archive files are often compressed as well to make them more portable. An archive file is just a wrapper for the file(s) within — anything could be inside. This makes them convenient for attackers, who can conceal a malicious file inside an archive and trick a user into downloading the file and opening its contents.
Other files
Unsafe scripts and links can be included in almost any type of file — either directly in the file or hidden in its metadata. In addition, attackers can fake a file extension so that a malicious file seems to be an image, an audio file, a video file, a TXT file, or some other type of file that a user might be more likely to trust.
What are some of the ransomware attacks that have used email attachments?
Many ransomware attacks over the years have entered an organization or reached the victim’s computer through an email attachment. Examples include:
- Petya ransomware often spread via emails to HR departments with fake job applications attached as PDFs.
- Early on, Maze ransomware spread to its victims via malicious email attachments. (This method may still be used, but Maze also spreads through RDP vulnerability exploits and other attack vectors.)
- The REvil ransomware group has been observed using malicious email attachments to spread ransomware.
Some ransomware attacks do not use email attachments directly but instead piggyback on top of previous attacks using email attachments. Ryuk ransomware often enters an organization through a TrickBot infection, which spreads via the Emotet botnet. (Such multi-layered attacks are common and demonstrate the variety of actions available to an attacker once they gain a foothold in an organization’s network.) Emotet has most commonly spread using malicious Word documents attached to emails.
What other attacks use email attachments?
Any script or malware can be hidden in an email attachment, allowing attackers to access networks, steal confidential data, and carry out other malicious actions. Once the email attachment has been opened by its recipient, it can be used to spread spyware, adware, worms, or even botnets.
Do secure email gateways block malicious email attachments?
Secure email gateways filter out unsafe email traffic, including spam, phishing emails, and dangerous email attachments. Many secure email gateways include anti-malware scanning capabilities, enabling them to identify malware inside attached files. They also maintain lists of known threats and block all emails from them.
But secure email gateways are not a guarantee against email attachment-based attacks. New types of malware may not be detected; emails sent from trusted or unknown sources may not be blocked; and even known malicious content can sometimes get through defenses.
Many organizations try to avoid using email attachments altogether instead of using secure file upload portals or sharing links to files in the cloud (which come with their risks). Additional strategies to reduce the threat posed by email attachments include:
- Email security services that proactively identify email attack infrastructure, including domains and servers, can block attacks before they begin.
- Secure web gateways, DNS filtering, and URL filtering can block requests from email attachments to the attackers’ servers, often a necessary step for downloading the actual malicious payload that the attacker wants to install.
- Zero Trust Network Architecture (ZTNA) quickly isolates the damage if an infection does enter via an email attachment, preventing lateral movement.
Even with the myriad communications apps available today, email remains the most-used communication method for many organizations, making email security crucial for attack protection.
