Home Features How to Detect Suspicious Email Attachments During the COVID-19 Pandemic

How to Detect Suspicious Email Attachments During the COVID-19 Pandemic

How to Detect Suspicious Email Attachments During the COVID-19 Pandemic

Most organizations depend on e-mail correspondence as a primary means of communication when it comes to sharing confidential data like customer account numbers, employee credentials, and other classified information. Organizations may suffer data breaches inadvertently if one of their employees unintentionally open/download a weaponized email attachment or malicious link in the email.

By Rudra Srinivas, Feature Writer, CISO MAG

With cybercriminals taking advantage of the Coronavirus pandemic, we continue to see several phishing attacks tricking people into opening malicious links and attachments. Attackers use fake email attachments in disguise aiming to compromise targeted user devices or networks. The attachments might contain Trojans and viruses, which, if downloaded, cause enormous security issues.

We need to be constantly vigilant when it comes to downloading email attachments. Here we tell you how to spot a suspicious attachment:

1. Looking at the File Extension

The file name extensions help in determining the file type of the attachment. For example, if the file name ends with .jpg extension it is an image file and if it ends with .avi it is a video file. The extension that you should avoid is .exe, which, if downloaded, executes an installation of malware into the device. Attackers use these executable files to spread malicious e-mail attachments, fake setups, updates, or other types of fake programs with the malicious code built in. These file extensions are also programmed to skip antivirus detection and e-mail attachment protection software.

Threat actors also use some Microsoft office files like .Doc, .Docx, and .Docm to infect devices. These file extensions  use malicious macros, which is a series of instructions that will execute a task. If the file name ends with an m, it has macros, these include .docm. pptm, and .xlsm. Some other file extensions to avoid include .jar, .cpl, .com, .bat, .msi, .js, and, .wsf. The rule of thumb here is to avoid extensions that look odd or suspicious.

2. Crosschecking the Sender

Verify the email sender by hovering over the display name and email address. Attackers usually spoof display names to look like it is coming from a legitimate person, but it can be determined by checking the display name for authenticity. It is OK to open an email attachment if it is coming from someone you often communicate with. However, even someone you know could be compromised themselves, and the hacker will send you a malicious file under that person’s name to build trust. It is advisable to call and confirm, if you receive a macro file attachment or any suspicious attachment from someone you know.

 3. Email Content

Go through the email content before opening its attachment, read the subject line, check for typos and other errors. If the sender appears legitimate, but the contents in the email do not seem like something they would send, it could be suspicious.  Such emails are used in phishing attacks to trick people into clicking/downloading malicious attachments/links or asking them to enter personal details.

In a recent phishing attack, a hacker group targeted the World Health Organization (WHO) via a sophisticated phishing scam, which involved an email hosted on a phishing domain that tried to trick the employees into entering their credentials.

4. Is it an Encrypted Archive?

Archive files help in compressing multiple files into one folder. However, they can be used by hackers to avoid virus scans as they may hide malware in it. If you receive an email with an archive extension like .7z, .rar, or .zip, and it asks to enter a password to open, it may be suspicious. So, we never know whether the encrypted archive contains sensitive information or a hidden virus. Just make sure it comes from a trusted source before opening it. When users click/download the attachment, they will be prompted to “Enable Content” to view the protected document. This allows malicious macros to be executed by themselves to download a malware executable to the computer.


Just by looking at an email attachment, one should be able to estimate its authenticity and decide whether it is safe to download it or not. Generally, most email service providers allow previewing the attachments without downloading. Hence, it is better to go through the contents before downloading any attachments.

About the Author


Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.