Email attachments can contain malware. It is important to confirm who sent an attachment, why they sent it, and what it will do before opening or downloading it.
After reading this article you will be able to:
Copy article link
The ability to attach files to emails is useful, but it also introduces risk. Email attachments from malicious parties may contain malware, which can lead to a hack or data breach. There is no foolproof way to know if an email attachment is safe to open — but unexpected attachments from unknown persons are most likely to be dangerous.
An email attachment is a file sent with an email — like a gift that comes with a card. Almost any kind of file can be attached to an email; usually the only limitation is how large of a file, or how many files, an email client is willing to accept. But like any file that is sent over a network, email attachments can sometimes contain dangerous or malicious content that can infect a device with malware.
Attackers often attempt to distribute malware by attaching it to emails. Sometimes they attach malware as an executable (EXE) file and try to trick the email recipient into downloading and opening the file, which runs the malware. Other times they might bury a malicious script in a harmless-seeming file, like a Microsoft Word document (DOC, DOCX) or an archive file (ZIP, RAR, etc.). Once the script executes, it downloads and installs malware, or performs some other malicious action. Finally, attackers may disguise malware or scripts inside file types that seem unlikely to contain them, like images or video files.
Imagine an email attachment as a wrapped gift and the email it is attached to as a card that comes with it. Someone who receives the gift cannot tell what is inside it until they open it. Similarly, it is impossible to be sure of what an email attachment actually contains. And unfortunately, because almost anyone in the world can send emails to each other, this means all email attachments have to be treated with suspicion. This is the case even if the accompanying email — the "card" in the analogy — seems to be from a trusted person.
As with any aspect of security, there is no way to guarantee that any given file is safe. However, answering the following questions can help determine if an email attachment should be trusted. If the answer to any of them is "no," it is wise for users to contact the purported sender — or to contact their organization's security team.
If all of these questions can be answered in the affirmative, the email attachment is more likely, but still not guaranteed, to be safe.
The questions in the previous section are a good starting point for identifying potentially dangerous attachments. Additional indicators that a message may be unsafe to open include the following:
Any type of file can contain malicious code. Archive files, PDFs, Microsoft Word documents, and Microsoft Excel spreadsheets have been used in many malware attacks. However, attackers are not limited to these file types. Anything from images to text files can be dangerous.
One of the most obviously dangerous file types is the executable file. Executable files are programming instructions that a computer carries out when the files are opened. It is rare that a legitimate sender will attach executable code in an email — usually a software program will be sent some other way. Executable files have an EXE file extension (on Windows) or an APP file extension (on Mac).
A file extension is the text that follows the period (or full stop) at the end of a file name. For example, in the file name "quiche-recipe.doc", the file extension is .doc or DOC. File extensions indicate the file type — a DOC file extension indicates that this is a Microsoft Word document.
File extensions can be faked or forged. Identifying the file extension is not a reliable way to determine if a file is safe or not.
Other common file extensions to know include, but are not limited to:
A macro is an executable script for use within Microsoft Office files such as Word and Excel. While macros have many legitimate uses, they have also been used in attacks. If an email attachment asks the recipient to enable macros, it may be malicious.
An archive file is a file format for storing one or more files in a wrapper, along with metadata about the files. Archive files are often compressed as well to make them more portable. An archive file is just a wrapper for the file(s) within — anything could be inside. This makes them convenient for attackers, who can conceal a malicious file inside an archive file, then trick a user into downloading the file and opening its contents.
Unsafe scripts and links can be included in almost any type of file — either directly in the file or hidden in its metadata. In addition, attackers can fake a file extension so that a malicious file seems to be an image, an audio file, a video file, a TXT file, or some other type of file that a user might be more likely to trust.
Many ransomware attacks over the years have entered an organization or reached the victim's computer through an email attachment. Examples include:
Some ransomware attacks do not use email attachments directly, but instead piggyback on top of previous attacks that took place using email attachments. Ryuk ransomware often enters an organization through a TrickBot infection, which in turn often spreads via the Emotet botnet. (Such multi-layered attacks are common and demonstrate the variety of actions available to an attacker once they gain a foothold in an organization's network.) Emotet has most commonly spread using malicious Word documents attached to emails.
Any script or malware can be hidden in an email attachment, which then allows attackers to gain access to networks, steal confidential data, and carry out other malicious actions. Once the email attachment has been opened by its recipient, it can be used to spread spyware, adware, worms, or even botnets.
Secure email gateways filter out unsafe email traffic, including spam, phishing emails, and dangerous email attachments. Many secure email gateways include anti-malware scanning capabilities, enabling them to identify malware inside attached files. They also maintain lists of known threats and block all emails from them.
But secure email gateways are not a guarantee against email attachment-based attacks. New types of malware may not be detected; emails sent from trusted or unknown sources may not be blocked; and even known malicious content sometimes can get through defenses.
Many organizations try to avoid using email attachments altogether, and instead use secure file upload portals or share links to files in the cloud (which come with their own risks). Additional strategies to reduce the threat posed by email attachments include:
Even with the myriad communications apps available today, email remains the most-used communication method for many organizations, making email security crucial for protection from attacks. Learn more about email security.
Email security basics
Phishing and spam
Learning Center Navigation