Malicious Attachments

By Ron Samson Jr

What is a malicious attachment?

Malicious attachments typically come along with phishing emails. They may come in the form of a fake invoice, or word doc and contain threats like ransomware, malware, keyloggers and other threats.

How do I identify a malicious email attachment?

Look at the file extension – extensions such as .exe should never be opened and are blocked automatically in most cases for that reason. The issue is there are dozens of file extension types and nearly all can be malicious, even .doc for Word documents, which can contain ransomware in macros. The best advice is to never open attachments you are not expecting, and if you must, make sure you have advanced email security in place which will sandbox them before you open them to ensure they are safe.

File archive – extensions such as .zip, .rar, or .7z are commonly used to hide malicious files from being scanned by email security and other systems. The file is often hidden in the attachment behind a password that is given to you in the email. The best advice here again is to never open these file types unless you are expecting them.

The Sender – if you don’t know them and weren’t expecting any attachments, don’t open it.

If it is from someone you know, it still may be a malicious attachment. Their email may have been compromised. Call them and ask them if they just sent an attachment and if so what does it contain.

Email Content – are there spelling errors, weird impersonal greetings, weird grammar etc. These are key indicators as bad actors are commonly from foreign countries where english is not their primary language

It feels suspicious – Were you not expecting the email?

How do I prevent infections from malicious attachments?

Advanced email security – The best defense is to have email security that opens unknown attachments before they enter your inboxes to see what they do. This process is called system emulation or sandboxing and is done to all emails that contain attachments that are unknown to the email security service.

Block dangerous file extensions – There is very little reason the following extensions should be in legitimate emails: .adp, .app, .asp, .bas, .bat, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .exe, .fxp, .gadget, .hlp, .hpj, .hta, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1m, .msh2m, .mshxmlm, .msh1xml, .msh2xml, .msi, .msp,.mst, .ops, .osd, .pcd, .pif, .plg, .prf, .prg, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vsmacros, .vsw, .ws, .wsc, .wsf, .wsh, .ade, .cla, .class, .grp, .jar, .mcf, .ocx, .pl, .xbap

Security Awareness Training – Create a user firewall by educating email users on how to identify threats. Proactively test them by sending them real looking phishing emails and see who falls for the bait.