A popular use of e-mail is to distribute computer files (i.e., text files, documents, spreadsheets, PDF’s).  This is accomplished by “attaching” a file to an e-mail message and then sending the file with the message, to a recipient.  Almost any type of data file can be attached to an e-mail message for transport.

Unfortunately, this functionality creates an opportunity for distribution of malware. Older e-mail programs often opened files attached to messages automatically, as a convenience to the user. This caused infections without any user intervention.

Newer e-mail programs don’t normally open attachments automatically, so other methods have been employed to entice (convince) the recipient to open attachments manually. This is called “social engineering”, an attack designed to make you take an action (in this case, to click on the attachment). Attackers are constantly coming up with new social engineering tactics to trick users into installing (opening the attachment) malicious programs!!!

Some recent social engineering tactics using e-mail are:

  • customized personal message text (“Dear John, …” or “please review the attached invoice for…”)
  • spoof (forge) the sender name so it appears to be from someone you know (“some-name@uiowa.edu“)
  • make the message threatening (“your account will be closed unless you …”)
  • make the message look official from (“support@microsoft.com“)
  • make the attachment look harmless (“my_vacation_pictures.php”)

How do we know if an attachment is “executable”?

File names are very important because that is how the computer knows what to do with the file. For example, documents are named with a three-letter extension of “.pdf”, which the computer knows to open using Adobe Reader. Other extensions, such as “.exe or .dmg” tell the computer the file is a program that will run automatically when it’s clicked. There are many file types and program associations on every computer. If your computer doesn’t know what to do with a file (it has no association), the computer will prompt you to select the correct program to open it.

Encrypted/Password Protected Attachments

If a file attachment is encrypted, or if it is password protected, and therefore cannot be examined for malicious code, the entire message included the attachment will be delivered. No warning will be given to the recipient that the file has not ben scanned. (Examples are encrypted .zip files, and password protected office productivity files.)

Options for Sharing Executable Programs: 

  • Place the file on a shared drive and send the person its location.
  • Place it on a web server and send the person a link to its location.
  • Place it on an email sender tool, like MailPipe, that will guarantee you a safe and secure delivery. Try it for free here.

Attachments are a good addition to plain-text cold emails. Yet, you should send emails with attachments with special care as they carry a list of pitfalls you might deal with as soon as you decide to make your email brighter or more informative.