What is a Malicious Email Attachment?
Malicious email attachment attacks occur when attackers attach files to email that can install malware capable of destroying data and stealing information. Some of these infections allow the attacker to take control of the user’s computer: viewing the screen, capturing keystrokes, and reaching other systems on the network.
Since many email systems automatically block obvious malicious attachments such as executables, attackers conceal a piece of software called an exploit inside other types of commonly emailed files: Microsoft Word documents, ZIP or RAR archives, Adobe PDF documents, or even image and video files. The exploit takes advantage of a vulnerability in the software that opens the file and then downloads the intended malicious software, called the payload, to the computer. Attackers can also embed a malicious macro in the document and use social engineering to trick the user into clicking the “Enable Content” button, which allows the macro to run and infect the victim’s computer.
Attackers typically send these malicious email attachments and provide email content that is sufficiently convincing to get the user to believe it is legitimate communication.
How can I protect against malicious email attachments?
Start with user education, but back it up with email attachment security solutions.
Install endpoint and server-based antivirus scanners. Be aware, though, of the time lag between attackers creating new malware and signatures for it appearing in anti-virus (AV) databases. Recent tests show only 10% of endpoint AV engines recognize a threat a full 24 hours after it was delivered; part of this is due to the polymorphic malware approach adopted by many attackers.
Implement an email gateway with a machine-learning function and real-time IP reputation scanning that can detect suspicious language and sender characteristics. Ensure the gateway can unpack nested archive files (such as .zip and .rar) to look for potentially malicious attachments hidden inside them, and that it blocks executables outright. Password-protected archives cannot be unpacked by the gateway at all, so decide explicitly whether to quarantine or block them rather than letting them pass unscanned. It is also best practice to use a different AV engine on the gateway than on the endpoint, to provide diversity and increase the likelihood of detection.
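The following Python script is an added illustration of the two checks described above (macro-enabled Office documents from the earlier paragraph, and nested-archive unpacking with executable blocking from this one); it is not code from the original page or from any product. It treats an OOXML document as the ZIP it really is and flags the presence of vbaProject.bin (where VBA macros are stored), recurses into nested ZIPs with a depth bound so a zip bomb cannot exhaust the scanner, flags encrypted members it cannot inspect, and identifies executables by magic bytes rather than trusting the file extension. The function and constant names, the blocked-extension list, and the sample attachments are all constructed for the example; RAR is out of scope because the standard library has no RAR reader.

```python
import io
import zipfile

# Magic-number signatures for common executable formats (PE, ELF, Mach-O).
EXECUTABLE_MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"\xfe\xed\xfa\xce": "macho-executable",
    b"\xfe\xed\xfa\xcf": "macho-executable",
    b"\xcf\xfa\xed\xfe": "macho-executable",
    b"\xca\xfe\xba\xbe": "macho-fat-binary",
}
ZIP_MAGIC = b"PK\x03\x04"
# Script/shortcut types with no reliable magic bytes: block on extension (assumed policy).
BLOCKED_EXTS = (".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk", ".bat", ".cmd")
MAX_DEPTH = 4                      # bound archive recursion (nested zips, zip bombs)
MAX_MEMBER_BYTES = 50 * 1024 * 1024
BLOCKING_REASONS = {
    "pe-executable", "elf-executable", "macho-executable", "macho-fat-binary",
    "blocked-extension", "office-macro", "encrypted-member",
    "archive-nesting-too-deep", "corrupt-archive",
}


def inspect_attachment(name, data, depth=0):
    """Return a list of (path, reason) findings for one attachment blob."""
    findings = []
    lowered = name.lower()
    if lowered.endswith(BLOCKED_EXTS):
        findings.append((name, "blocked-extension"))
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):      # content, not extension, decides what it is
            findings.append((name, label))
            break
    if data.startswith(ZIP_MAGIC):      # plain ZIP or an OOXML document (docx/xlsm/...)
        if depth >= MAX_DEPTH:
            findings.append((name, "archive-nesting-too-deep"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.filename.lower().endswith("vbaproject.bin"):
                        findings.append((name, "office-macro"))   # VBA storage in OOXML
                    if info.flag_bits & 0x1:                      # encrypted: cannot inspect
                        findings.append((member, "encrypted-member"))
                        continue
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((member, "member-too-large"))
                        continue
                    findings.extend(inspect_attachment(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt-archive"))
    return findings


def gateway_verdict(name, data):
    """'block' if any finding is in the blocking policy, else 'allow-to-scan' (hand to AV/sandbox)."""
    findings = inspect_attachment(name, data)
    blocked = any(reason in BLOCKING_REASONS for _, reason in findings)
    return ("block" if blocked else "allow-to-scan"), findings


def _zip_bytes(members):
    """Build an in-memory ZIP from {path: bytes} (used only for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample attachments; none are real malware.
SAMPLE_ATTACHMENTS = {
    # A PDF that is what it claims to be.
    "invoice.pdf": b"%PDF-1.4\n% constructed placeholder document\n",
    # A macro-enabled Word document: OOXML is a ZIP, and macros live in word/vbaProject.bin.
    "invoice.docm": _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,   # OLE header
    }),
    # An archive nested inside an archive, hiding a PE executable under a double extension.
    "report.zip": _zip_bytes({
        "report/inner.zip": _zip_bytes({"report.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60}),
    }),
}

if __name__ == "__main__":
    for fname, blob in SAMPLE_ATTACHMENTS.items():
        verdict, found = gateway_verdict(fname, blob)
        print(f"{fname}: {verdict} {found}")
```

A real gateway would run this before the AV engine and sandbox, not instead of them: a clean-looking PDF still goes on to static and dynamic analysis, while anything that is an executable, carries a macro, or cannot be unpacked is held without waiting for a signature to exist.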
For optimal results, look for a security solution that scans email attachments in the cloud using both static and dynamic (sandbox) malware analysis, so attachments are checked for bad behaviour before they are delivered, rather than only against known-bad reputation or known signatures, which tend to miss zero-day and polymorphic malware attacks.