Email attachments are one of the most common malware delivery mechanisms. Forensic-Email inspects each attachment's file extension and name for patterns associated with malicious payloads.
Double Extension Trick
The attachment uses two file extensions — for example, "invoice.pdf.exe." The true file type is determined by the final extension (.exe), which is an executable program, but the earlier extension (.pdf) is designed to make the file look harmless. Opening it runs the program.
High-Risk File Type
The attachment has a file extension associated with executable programs — such as .exe, .bat, .cmd, .vbs, .ps1, .scr, .hta, .jar, .msi, or .pif. Opening such a file could run arbitrary code on your computer. Legitimate organizations rarely send executable files via email.
Macro-Enabled Document
The attachment is a macro-enabled Office file — such as .docm, .xlsm, or .pptm. These files can contain embedded programs (macros) that run automatically when the file is opened. Ransomware and trojans are frequently distributed this way.
Archive File
The attachment is a compressed archive — such as .zip, .rar, .7z, or .tar. Forensic-Email cannot inspect the contents of the archive. Archives are a common way to package and deliver malicious files while bypassing basic file-type filters.
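The four checks above, written out as a small name-based classifier. This is an added illustration, not Forensic-Email's own code; the extension sets are the ones listed on this page, and the decision to flag a double extension only when the final extension is itself dangerous is an assumption made here so that ordinary names such as "archive.tar.gz" are not reported.

```python
"""Attachment-name heuristics matching the four checks described above."""

# Extension sets taken from the text above; illustrative, not exhaustive.
HIGH_RISK = {".exe", ".bat", ".cmd", ".vbs", ".ps1", ".scr", ".hta", ".jar", ".msi", ".pif"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}
ARCHIVE = {".zip", ".rar", ".7z", ".tar"}
DANGEROUS = HIGH_RISK | MACRO_ENABLED


def extensions(name: str) -> list[str]:
    """Return every dot-extension of an attachment name, lower-cased, in order.

    Directory components, padding whitespace and trailing dots are stripped
    so the name is judged on its final path component only.
    """
    base = name.strip().replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if base.startswith("."):          # dotfile such as ".bashrc": no extension
        base = base[1:]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify(name: str) -> list[str]:
    """Return the heuristic labels that apply to one attachment name."""
    exts = extensions(name)
    if not exts:
        return []
    final = exts[-1]                  # the operating system picks the type by this one
    findings = []
    # Assumed refinement: a second extension only matters when the final one
    # is executable or macro-enabled, so "archive.tar.gz" is left alone.
    if len(exts) >= 2 and final in DANGEROUS:
        findings.append("Double Extension Trick")
    if final in HIGH_RISK:
        findings.append("High-Risk File Type")
    if final in MACRO_ENABLED:
        findings.append("Macro-Enabled Document")
    if final in ARCHIVE:
        findings.append("Archive File")
    return findings


def scan(attachment_names: list[str]) -> dict[str, list[str]]:
    """Map each attachment name to its findings, omitting clean attachments."""
    return {n: f for n in attachment_names if (f := classify(n))}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["invoice.pdf.exe", "Report.DOCM", "photos.zip", "notes.txt", "archive.tar.gz"]
    for attachment, labels in scan(sample).items():
        print(f"{attachment}: {', '.join(labels)}")
```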