How does it work?
Malicious email attachments are designed to launch an attack on a user's computer. The attachments within these malicious emails can be disguised as documents, PDFs, e-files, and voicemails. Attackers attach files to email that can install malware capable of destroying data and stealing information. Some of these infections allow the attacker to take control of the user's computer, giving them a view of the screen, the ability to capture keystrokes, and access to other systems on the network.
Since many email systems automatically block obvious malicious programs, attackers conceal a piece of software called an exploit inside other types of commonly emailed files – Microsoft Word documents, ZIP or RAR archives, Adobe PDF documents, or even image and video files. The exploit takes advantage of software vulnerabilities and then downloads the intended malicious software, called a payload, to the computer. Attackers can also embed a malicious macro in the document and use social engineering to trick the user into clicking the "Enable Content" button, which allows the macro to run and infect the victim's computer.
Attackers typically send these email attachments with message content that is convincing enough for the user to believe it is legitimate communication.
How can I protect against it?
Start with user education, but back it up with email attachment security solutions.
Install endpoint and server-based antivirus scanners. Be aware, though, of the time lag between attackers creating new malware and the corresponding signatures appearing in anti-virus (AV) databases. Recent tests show only 10% of endpoint AV engines recognise a threat a full 24 hours after it was delivered; part of this is due to the polymorphic malware approach adopted by many attackers.
Implement an email gateway with a machine-learning function and real-time IP reputation scanning that can detect suspicious language and sender characteristics. Ensure the gateway can unpack nested archive files (such as .zip and .rar) to look for potentially malicious programs, and that it blocks executables. It is also typically best practice to use a different gateway AV from the one used on the endpoint, to provide diversity and increase the likelihood of detection.
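To make the "unpack nested archives, block executables" gateway check above and the macro-enabled document risk from the earlier section concrete, here is an added illustrative example (not from the original article or any particular gateway product). It recursively walks a ZIP attachment, flags PE executables by magic bytes rather than trusting the file name, flags Office documents that carry a VBA project stream, and refuses archives nested deeper than an assumed limit; the blocked-extension list and depth limit are assumed policy values, and the sample attachment is constructed in code.

```python
import io
import zipfile

# Extensions this illustrative gateway policy treats as executable (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta"}
MAX_DEPTH = 4  # refuse to descend into archives nested deeper than this (assumed limit)


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def inspect_archive(data: bytes, path: str = "", depth: int = 0) -> list[str]:
    """Recursively walk a ZIP blob and return policy findings as strings."""
    if depth > MAX_DEPTH:
        return [f"{path}: nested deeper than {MAX_DEPTH} levels (blocked)"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a ZIP; other container formats are out of scope here
    findings: list[str] = []
    for info in zf.infolist():
        member = f"{path}/{info.filename}" if path else info.filename
        content = zf.read(info)
        lower = info.filename.lower()
        # Executables: check the magic bytes first so a renamed .exe is still caught.
        if content[:2] == b"MZ":
            findings.append(f"{member}: PE executable by magic bytes")
        elif any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            findings.append(f"{member}: blocked executable extension")
        # Macro-enabled Office documents are ZIPs that contain a VBA project stream.
        if lower.endswith("vbaproject.bin"):
            findings.append(f"{member}: Office VBA macro container")
        # Descend into nested archives (.zip, .docm, ...) based on content, not name.
        if content[:4] == b"PK\x03\x04":
            findings.extend(inspect_archive(content, member, depth + 1))
    return findings


def build_sample() -> bytes:
    """Constructed attachment: outer.zip holding invoice.zip (fake PE inside) and a macro .docm."""
    docm = make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake"})
    inner = make_zip({"Invoice.pdf.exe": b"MZ" + b"\x00" * 62, "readme.txt": b"hello"})
    return make_zip({"invoice.zip": inner, "Quote.docm": docm})
```

Running `inspect_archive(build_sample())` reports the double-extension executable hidden one level down and the VBA stream inside the .docm, which a name-only filter on the outer ZIP would miss.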
For optimal results, look for a security solution with email attachment scanning performed in the cloud via static and dynamic (sandbox) malware analysis, so that attachments are checked for bad behaviour before they are delivered, rather than only against known bad reputation or known signatures, which tend to miss zero-day and polymorphic malware attacks.