Razor Insights

Don't open that attachment!

Written by Razor

All email service providers block some file types from being attached to emails, but there is a large variation in exactly which ones are blocked, leaving plenty of scope for attackers to send malicious files via email.

Combine this with a general lack of awareness of the dangers posed by spear phishing and it's easy to see why this kind of attack is so popular. The "good guys" stop an attack working and then the "bad guys" find a different way to attack. Attackers switch to new file types when others are blocked, but blocking certain file types still makes things more difficult for attackers, which can only be a good thing.

A Tale of Two Attachments

According to Verizon's 2017 Data Breach Investigations Report, two-thirds of all malware was installed via email attachments. In 2016, 60% of email malware was packaged in JavaScript attachments. However, with Gmail and Outlook now blocking these kinds of file attachments, this percentage has plummeted. As with most things in cyber security, this is a game of cat-and-mouse, so other file types have become much more popular. Macros, on the other hand, continue to be a popular choice for phishing email attachments. Macros are a straightforward and very useful way of automating repetitive tasks in Microsoft Office products, and that's why Microsoft has not removed them (and probably never will), but they can also be used for malicious purposes. Over the years, Microsoft has added several security features, such as disabling macros by default, yet 26% of malware installed via email attachments still utilised malicious macros embedded in Microsoft Office documents.

Compression == Camouflage?

Large files are often compressed as zip files when they need to be sent via email, so receiving an email with one attached is not something that would look particularly out of place. There is an endless number of genuine reasons to explain the presence of a zip file attached to an email, and this provides vast scope for spear phishing attacks. An attacker might pretend to be the marketing department asking you to run through the photos taken at the last company event before they are placed on the company website (no one wants a bad photo of themselves to be immortalised on the company website!). The user downloads the file 'christmas-party-2017.zip', extracts it and then tries to open the file, and it's game over. Why? That zip didn't contain photos; it contained a malicious file (let's say an .exe file for simplicity), and when the user tried to open it, they executed the malware.

This highlights a major advantage of using Gmail in terms of security: it also blocks the compressed versions of potentially dangerous files, whereas services from many other providers (such as Outlook) don't. Incidents like the example above would be prevented, as that malicious zip file would never make it to the employee's inbox if they were using Gmail.
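The check described above, a filter that looks inside zip attachments for blocked file types, as an added example (not from the original post, and not how Gmail or any other provider implements it). The blocklist, the size and depth limits and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED = {".exe", ".js", ".vbs", ".scr", ".bat"}  # illustrative list (assumption)
MAX_DEPTH, MAX_BYTES = 3, 20_000_000  # assumed limits for nested archives

def ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def scan(name, data, depth=0):
    """Return paths of blocked files in an attachment, looking inside zips."""
    if ext(name) in BLOCKED:
        return [name]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = f"{name}!{info.filename}"
            if ext(info.filename) in BLOCKED:
                hits.append(inner)  # entry names are readable even if encrypted
            elif ext(info.filename) == ".zip":
                opaque = info.flag_bits & 0x1 or info.file_size > MAX_BYTES
                if opaque or depth + 1 >= MAX_DEPTH:
                    hits.append(inner + " (not inspectable)")
                else:
                    hits += scan(inner, zf.read(info), depth + 1)
    return hits

def scan_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    return [hit for part in msg.iter_attachments()
            for hit in scan(part.get_filename() or "", part.get_payload(decode=True))]

def build_sample():  # constructed message: zip with a photo, an .exe, a nested zip
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.js", "// constructed placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("photos/group.jpg", b"constructed image bytes")
        z.writestr("photos/party.exe", b"constructed placeholder")
        z.writestr("more.zip", inner.getvalue())
    msg = EmailMessage()
    msg.set_content("Please check the photos before they go on the website.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="christmas-party-2017.zip")
    return msg.as_bytes()
```

A gateway would quarantine any message for which `scan_message` returns a non-empty list; nested archives that are encrypted, oversized or too deep are reported rather than passed through.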

So what's the solution?

When it comes to the major email providers, Gmail might provide the greatest protection against malicious email attachments, but before you rush to change email provider, remember that there are still many potentially malicious file types that it allows (and don't forget the other types of spear phishing emails that it can't protect you from). Unfortunately, this means that there's no silver bullet for preventing spear phishing attacks, whichever email provider you use. However, there are plenty of ways to significantly reduce the risk (as I hinted at in my previous post). If you're wondering what the most effective method is, well... that will be revealed in the near future, so watch this space.