How to Spot Dangerous Email Attachments

Recently, we have noticed a considerable spike in spam and phishing campaigns using various techniques to cloak malware in email attachments. To help keep your business protected, it’s important to understand how these attacks work and what you can do to help prevent them.

Taking proactive measures is one of the best ways to combat attacks attempting to trick attachment scanning technologies. As an example, we have recently seen leveraging techniques that work to prevent virus scanners from checking the attachment by using corrupted MIME headers or corrupted archives.

Spam and phishing emails often contain malicious attachments in plain sight, or covertly hidden in zip/rar archives, or in Office documents as macros. To infect your computer, the email often includes an executable file. Although it can be difficult to identify suspicious files at first glance—as they are commonly hidden within zip archives to trick spam filters—they can often be recognized by their file extension, such as: .exe, .bat, .com, .cmd, .cpl, .js, .jse, .msi, .msp, .mst, .paf, .wsh, .wsf, .vbs, .vbe, .psc1, .scr, and .ink.

Let’s take a look at some of the most common extensions presented above:

·  .EXE
These files are Windows-executable files and some of the most dangerous attachments you can receive in an email. It is uncommon for people to send executable files in emails as attachments, so such an email should immediately raise a red flag.

·  .MSI
This is another format for Microsoft Installer used on Windows, though applications can also be installed via an .EXE file. It may carry malicious files bundled into another application, thus giving the impression that it’s installing a legitimate application.

·  .JAR
These are executable Java applications that use the Java runtime environment to run on a specific machine. These usually leverage Java runtime vulnerabilities and download/install malware on the affected computer.

·  .BAT
This is a batch file that contains a simple list of commands usually run in the Command Prompt and originally used by the old MS-DOS.

·   .CMD
These are the same thing as the .BAT extension, but introduced in Windows NT. The effect is the same as the batch file.

·  .JS
This is a JavaScript file, which usually runs in web browsers. The main disadvantage for Windows users is that the OS runs JavaScript files by itself with no sandboxing.

·  .VB/.VBS
This is a Visual Basic Script file that usually executes the script code embedded when run.

· . PSC1

This is a PowerShell script, which is executed on a Windows machine.

All these file extensions are constantly being used in spam and phishing campaigns, generating a lot of damage for unprotected computers.

It is critical to check what type of files you receive and refrain from opening any attachments containing the above file extensions, especially if they come from unknown sources. To help ensure you and your business are protected from spam, phishing, and all email-borne threats, always deploy an email security solution as part of your security strategy.

How can you protect yourself using Mail Assure?

In the SolarWinds Mail Assure Control Panel, there is a feature called “Block Dangerous Attachments,” which is on the Attachment Restrictions page of the default domain settings. When this feature is enabled, all the file extensions listed above are blocked by default. On top of this, to help ensure there are no harmful files in the archive attachments, zip archives are being scanned for malicious applications.

To find out how SolarWinds Mail Assure can help you protect your systems, click here.

 

Sebastian Antonescu is the technical support team manager for the Mail Assure and SpamExperts brands.

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site