How to Spot Dangerous Email Attachments

20160414_Attachments 101

In the past few months our filters have noticed a considerable spike in spam and phishing campaigns using various techniques to cloak malware in email attachments. As always, taking proactive measures is one of the best ways to protect against such attacks that try to trick attachment scanning technologies.

For example, we have recently seen leveraging techniques that try to prevent virus scanners from checking the attachment by using corrupted MIME headers or corrupted archives.

Luckily, we have a dedicated team that works on writing and updating virus signatures, and also adds new scanning technologies.

Spam and phishing emails often contain malicious attachments in plain sight or covertly hidden in zip/rar archives and Office documents as macros.

To try and infect your computer, the email often includes an executable file. These can be often recognized by their file extension, such as:

'exe', 'bat', 'com', 'cmd', 'cpl', 'js','jse', 'msi', 'msp', 'mst', 'paf', 'wsh','wsf', 'vbs', 'vbe', 'psc1', ‘scr’, ‘lnk’.

Most of the above extensions are usually hidden within zip archives in an effort to trick spam filters.

Let’s take a few of the examples presented above and analyse them:

  • .EXE – These are Windows executable files and some of the most dangerous attachments you can receive in an email. It is uncommon for people to send executable files in emails as attachments, so such email should first raise a red flag.
  • .MSI – This is another format for Microsoft Installer used on Windows, though applications can also be installed via an .EXE file. It may carry malicious files bundled into another application, thus just giving the impression that it’s installing a legitimate application.
  • .JAR – JAR files are executable Java applications that use the Java runtime environment to run on a specific machine. These may usually leverage Java runtime vulnerabilities and download/install malware on the affected computer.
  • .BAT – This is a batch file that contains a simple list of commands run usually in the Command Prompt and originally used by the old MS-DOS.
  • .CMD – The same thing as the .BAT extension, but introduced in Windows NT. The effect is the same as the batch file.
  • .JS – A JavaScript file usually runs in Web Browsers. The main disadvantage for Windows users is that the OS runs JavaScript files by itself with no sandboxing.
  • .VB/.VBS – A Visual Basic Script file that usually executes the script code embedded when run.
  • .PSC1 – A PowerShell script executed on a Windows machine.

All these file extensions are constantly being used in spam and phishing campaigns, generating a lot of damage for unprotected computers.

How can you protect yourself with SpamExperts?

In the SpamExperts Control Panel we have a feature dubbed “Block Dangerous Attachments” from the Attachment Restrictions page of the default domain settings. On that specific page, all file extensions listed above are blocked by default when the feature is enabled and zip archives are being scanned three layers deep for malicious applications.

Want to know more on how we deal with email attachments? Check our article on how we stop email malware.

For more information on how to mitigate the risk of malicious attachments please check our knowledgebase article.

As always, remember not to open any attachments containing the above file extensions from unknown sources and always deploy an email security solution.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s