Malware in emails - Which attachments are dangerous?
In this article, you will learn how to detect malicious emails and protect yourself from having your home computer or corporate network attacked by malware such as viruses, Trojans or worms spread via email.
Most computer viruses are spread via email attachments. This is not surprising, as email has become one of the most important means of communication in recent decades. Appointments can be made, documents sent and private or business matters handled almost in real time. Communication within seconds is practical. Unfortunately, it can also cause enormous damage just as quickly.
Important rules for handling e-mails and attachments
By following these three basic rules, you can communicate securely via email and protect yourself from malware.
Consultation: Check with the sender that the attachment was actually sent by the person or institution indicated as the sender.
Virus protection: An antivirus program that updates itself automatically detects known viruses and reports problems. But malware that is not yet known to the antivirus program slips through the cracks and infects the computer anyway. We recommend using the antivirus programs that are already included in the Windows (Defender) and macOS (XProtect) operating systems. Because of their high quality, the usefulness of third-party antivirus programs is now controversial.
Basic Knowledge: It is helpful to be aware of which files, i.e. which file extensions, are more dangerous than others. More about this later.
Does the attachment actually come from the specified sender?
The most important thing when receiving email attachments is to always be aware that it is not enough to know the person or the institution from which the attachment was sent. Friends or companies may have become victims of data theft, which allows the perpetrators to misuse the stolen mail addresses for their own purposes. Even this is not strictly necessary: cybercriminals can also simply forge the email sender and impersonate someone else without having access to that person's contacts.
At best, you can recognize a spam email by its missing or incorrect salutation, clumsy wording or spelling mistakes. However, scammers are becoming more and more professional. Often, the difference between a potentially dangerous e-mail and an e-mail from a trustworthy sender is not clear. For this reason, if you receive an unsolicited attachment, you should check by mail, phone call or via chat whether the message really comes from the sender indicated.
As a rule, you rarely receive a document unexpectedly. Usually, the sending of an invoice immediately follows a purchase, or you agree in advance with colleagues that you will send something to each other.
If an email marked "Invoice" lands in your inbox even though no purchase has been made recently, it would be wiser not to open the attachment. Resist the curiosity to just click on it. Curiosity and fear - of reminders and financial damage - are probably the two key emotions to which cybercriminals owe their success.
Phishing in professional emails: Emotet
The Emotet malware has been appearing in waves of attacks since 2014. The aim of this software is to paralyze entire IT systems. In some cases, it leads to ransomware. Emotet is often spread through macros in Word files, which then download further malware. There are also versions in which the attachment is a .zip file.
With each wave of attacks, the emails become more successful because their language is strongly oriented towards the target audience (companies and government agencies). To this end, the senders are spoofed so that the email gives the impression that it is internal communication.
Common file types in the security check
In addition to verifying the sender, you should be aware of which files are more dangerous than others. Below are a few common file extensions and their vulnerability to viruses, Trojans and worms. Some highly dangerous file types are now even blocked by most mail clients, including, for example, files with extensions .bat, .exe, .vbs, .com, .ade, .adp, .cpl, .wsc and many more.
.txt The file type with this extension is basically harmless. However, this false sense of security has been abused in the past, on a large scale by the I-Love-You worm, which spread rapidly in 2000 and caused an estimated $10 billion in damage. The worm's attachment had the .txt.vbs extension, and the .vbs part was not displayed in many email programs. Users may have remembered that .txt was not dangerous and clicked on the attachment. The .vbs script was then executed without any check for whether it contained malware. For this reason, a file with the .vbs extension cannot be sent by mail today. This case shows how important it is that your email program displays all extensions.
.pdf PDF files are mostly harmless, but in the case of a security hole in Adobe Reader, it has been possible in the past to smuggle malware onto computers in PDFs. So even with this relatively safe file type, it is important that you verify the sender.
Opening .doc/.docx/.xls/.xlsx/.ppt/.pptx Office documents from a mail attachment is problematic, as they may contain so-called macro viruses. To protect against these viruses, it is advisable, as mentioned above, to verify the identity of the sender. Since Office 2007, it is worth taking a close look at the file extension: since then, files that contain macros carry the extension .docm. Files with the extension .docx do not contain macros; only with the .doc extension can you not be sure whether macros are included.
Our tip: If you receive an email with a .doc attachment, ask the sender to send the file again, for example as .pdf.
.jpg The extension .jpg is often used as a camouflage for program files. Because of this, it is important for these files that your email program displays all file extensions.
.zip/.rar Compressed files may contain a virus that becomes active when unpacked. So the sender must definitely be trusted.
.mp3 MP3 files are usually fine, but you should still be able to trust and verify the sender.
.wav Since in WAV format, unlike MP3, the audio data is not compressed, this file type is more dangerous. Malware can be hidden in the file more easily.
.mpg/.mpeg/.avi/.wmv/.mov/.ram In the case of video files, it is recommended not to launch them directly from HTML emails, as malware can easily be hidden in them.
.exe The .exe file extension marks an executable file that can immediately become active on your PC and cause a lot of damage. Such a file should never be opened. In any case, many email providers, for example Gmail or Outlook, block attachments with this extension.
.html Worms or Trojans can easily be hidden in the format used to create web pages. For this reason, many companies do not allow HTML mails to be received in the first place.
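The extension rules above can be checked mechanically at a mail gateway or in a triage script. The following Python sketch is an added example, not part of the original article: it parses a message, flags blocked and double extensions, macro-bearing Office names, and program content hidden behind a harmless-looking extension. The decoy list, the .xlsm/.pptm entries, the finding labels and the sample message are assumptions made for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the article lists as blocked by most mail clients.
BLOCKED = {".bat", ".exe", ".vbs", ".com", ".ade", ".adp", ".cpl", ".wsc"}
DECOY = {".txt", ".pdf", ".jpg", ".docx", ".mp3"}  # assumed list of harmless-looking names
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}        # Office 2007+: macros shown in the name
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}           # older formats: macros possible, not visible
ARCHIVES = {".zip", ".rar"}

def classify(filename, data=b""):
    """Return the findings for one attachment name and its leading bytes."""
    suffixes = [s.lower() for s in PurePosixPath(filename.rstrip(" .")).suffixes]
    last = suffixes[-1] if suffixes else ""
    findings = []
    if last in BLOCKED:
        findings.append("executable-extension")
        if len(suffixes) > 1 and suffixes[-2] in DECOY:
            findings.append("double-extension")  # pattern of name.txt.vbs
    elif data[:2] == b"MZ":  # Windows program header behind another extension
        findings.append("program-content-behind-" + (last or "no-extension"))
    if last in MACRO_ENABLED:
        findings.append("macro-enabled-office")
    elif last in LEGACY_OFFICE:
        findings.append("legacy-office-macros-possible")
    elif last in ARCHIVES:
        findings.append("archive-contents-not-inspected")
    return findings

def scan_message(raw):
    """Map each attachment filename in a raw message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify(part.get_filename() or "",
                                          part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}

def build_sample():
    """Constructed sample message; names and bytes are invented for this example."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attachments.")
    for name, data in [("letter.TXT.vbs", b"' script"), ("holiday.jpg", b"MZ\x90\x00"),
                       ("photo.jpg", b"\xff\xd8\xff\xe0"), ("invoice.docm", b"PK\x03\x04"),
                       ("report.doc", b"\xd0\xcf\x11\xe0"), ("notes.docx", b"PK\x03\x04")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns a dictionary of findings per attachment; an empty list means none of these rules matched, not that the file is safe.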
Detect dangerous email attachments
An additional layer of security is to upload the questionable file to the VirusTotal service, where the file contents are checked for malware. However, this test is not suitable for files with secret or sensitive content, because the checked data is shared with the antivirus software manufacturers.
If you follow these basic rules, the risk of catching malware through email, a convenient and nowadays almost unavoidable form of communication, is greatly reduced. A good antivirus program that is always up to date, verification of the actual sender and a certain caution with problematic file formats make it difficult for cybercriminals to spread malware via email.