Please note: For privacy reasons the identity of the hacked account in the example used for this blog has been changed.
As cybercriminals advance their techniques, you need to stay ahead of the game by taking proactive measures. In this blog, we look at dangerous email attachments and how you can identify them more easily.
Malicious email attachments pose a great threat to businesses because they are designed to get viruses, malware, Trojans, and more onto a victim’s computer—and ultimately into the company’s network. For a long time, cybercriminals have used a range of techniques to cloak malware in different types of file attachments with the express intention of evading scanning technologies. With this in mind, you should always be cautious when you receive an email with attachment(s) you were not expecting.
Tips for identifying malicious attachments
Spam and phishing emails frequently contain malicious attachments, either in plain sight, covertly hidden in zip/rar archives (see screenshot 2 below), or embedded in Office documents as macros. To infect your computer, these malicious emails may include an executable file. Executables are often recognizable by their file extension, such as: .exe, .bat, .com, .cmd, .cpl, .js, .jse, .msi, .msp, .mst, .paf, .wsh, .wsf, .vbs, .vbe, .psc1, .scr, and .lnk.
Files with most of the above extensions are usually hidden inside zip archives to get past spam filters.
Let’s take a few of the examples presented above and analyze them:
- .exe—These are Windows executable files and some of the most dangerous attachments you can receive in an email. It is uncommon for people to send executable files in emails as attachments, so this should instantly raise a red flag to the recipient.
- .msi—This is the Microsoft Installer package format used on Windows (applications can also be installed via a .exe file). It may carry malicious files bundled with another application, giving the impression that a legitimate application is being installed.
- .jar—These files are executable Java applications that run wherever a Java runtime environment is installed. Malicious ones usually leverage Java runtime vulnerabilities and download/install malware on the affected computer.
- .bat—This is a batch file containing a simple list of commands that run in the Command Prompt; the format dates back to the old MS-DOS.
- .cmd—The same thing as the .bat extension, but introduced in Windows NT. The effect is the same as the batch file.
- .vb/.vbs—A Visual Basic Script file whose embedded script code is executed when the file is opened.
- .psc1—A PowerShell script executed on a Windows machine.
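The checks described in the two passages above (flagging the listed executable extensions, and looking inside zip archives where they are usually hidden) can be automated on the mail-gateway or analyst side. The following Python script is an added example and is not part of the original blog post or any product it describes: it parses a raw email, inspects every attachment, descends into zip archives (including encrypted ones, whose member names are still visible even though their content is not), flags double extensions such as `invoice.pdf.exe`, and also flags payloads that start with the Windows PE `MZ` header under a non-executable name. The sample message, the `example.com`/`example.net` addresses and the two-byte `MZ` stub are all constructed for the demonstration; the extension list is the one from this post plus `.jar` and `.vb` from the items above.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the post lists as commonly abused for executable attachments,
# plus .jar and .vb, which it discusses individually.
DANGEROUS_EXTENSIONS = {
    ".exe", ".bat", ".com", ".cmd", ".cpl", ".js", ".jse", ".msi", ".msp",
    ".mst", ".paf", ".wsh", ".wsf", ".vbs", ".vbe", ".vb", ".psc1", ".scr",
    ".lnk", ".jar",
}
# Document extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_ARCHIVE_DEPTH = 2  # how far to descend into zip-inside-zip nesting


def check_filename(filename):
    """Return the reasons (if any) why an attachment name looks dangerous."""
    reasons = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")  # basename, split on dots
    if len(parts) < 2:
        return reasons
    final = "." + parts[-1]
    if final in DANGEROUS_EXTENSIONS:
        reasons.append(f"executable extension {final}")
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension hiding {final} behind .{parts[-2]}")
    return reasons


def check_content(filename, data):
    """Flag payloads that start with the Windows PE 'MZ' header but are not
    named as an executable, i.e. the name and the content disagree."""
    if data[:2] == b"MZ" and not filename.lower().endswith((".exe", ".dll", ".scr", ".cpl")):
        return ["PE header (MZ) in file not named as an executable"]
    return []


def scan_blob(label, filename, data, depth=0):
    """Scan one attachment or archive member; recurse into zip archives."""
    findings = [(label, r) for r in check_filename(filename) + check_content(filename, data)]
    if filename.lower().endswith(".zip") and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member_label = f"{label}:{info.filename}"
                    if info.flag_bits & 0x1:  # encrypted member: name visible, content not
                        findings.append((member_label, "encrypted archive member; content not inspectable"))
                        findings.extend((member_label, r) for r in check_filename(info.filename))
                        continue
                    findings.extend(scan_blob(member_label, info.filename, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((label, "named .zip but not a readable zip archive"))
    return findings


def scan_email(raw):
    """Scan every attachment of an RFC 822 message supplied as bytes.
    Returns a list of (attachment label, reason) tuples; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(name, name, data))
    return findings


def build_sample_email():
    """Constructed test message (not a real phishing sample): a zip attachment
    holding a fake PE stub under a decoy double extension, plus a harmless PDF."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)  # header bytes only, not a program
        zf.writestr("readme.txt", b"Please open the attached invoice.")
    msg = EmailMessage()
    msg["From"] = "accounting@example.com"  # constructed sender
    msg["To"] = "victim@example.net"        # constructed recipient
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, reason in scan_email(build_sample_email()):
        print(f"{label}: {reason}")
```

Run it on a saved `.eml` file by replacing `build_sample_email()` with the file's bytes. The script deliberately reports encrypted archive members rather than skipping them: a password-protected zip is a common way to keep the payload away from a scanner, and the member names alone are often enough to raise the flag.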
All of these file extensions are in constant use in spam and phishing campaigns and cause a lot of damage on unprotected computers. At a glance, the email body looks legitimate, as you can see in this example: