How do attackers use compressed files to evade filters?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably seen a message like this before: "Please find the attached report. Password is: 1234." It sounds almost routine. But that exact pattern is one of the most common ways attackers sneak malware past email filters.
Here's why it works. Most email filters scan attachments by reading their contents. An uncompressed file like a Word document or a PDF is readable in plain text to the scanner. It can check for known malware signatures, suspicious macros, or dangerous code. A compressed archive like a ZIP or RAR is different because the scanner has to extract it first before it can read anything inside.
That extraction step is where things get complicated.
Attackers use a few techniques to make that extraction step fail or get skipped entirely.
- Password-protected archives. If a ZIP file has a password, the scanner can't unpack it without the password. The attacker includes the password in plain text in the email body. The filter can't connect those two pieces of information. The recipient can. So the file sails through, and the human extracts it by hand.
- Nested archives. A ZIP inside a ZIP inside another ZIP. Some scanners only unpack one level deep. Anything buried deeper than that gets a free pass.
- Obscure formats. ZIP and RAR are well-supported. But 7z, ACE, LZH, CAB, and others are less common. Some scanning engines don't handle them fully, or skip them. Attackers rotate through formats specifically to find the ones a target's filter doesn't unpack well.
- Split archives. A single archive split across multiple files (like archive.part1.rar, archive.part2.rar) that only reassemble into something dangerous once the recipient puts them back together. No individual part looks malicious on its own.
The frustrating truth is that compressed files have completely legitimate uses. Developers zip codebases. Finance teams send password-protected spreadsheets. Vendors deliver large file bundles in archives. You can't just block all compressed attachments without creating real problems for real people. (Well, you could, but you'd hear about it very quickly.)
So what does a sensible defense actually look like? A few layers help more than any single rule.
- Block password-protected archives from external senders specifically. Internal use is one thing. An unknown contact sending you a locked ZIP with a password in the body is a different situation entirely.
- Use a gateway that unpacks archives recursively, not just one level deep. If it only reads the outer layer, it's easy to defeat.
- Filter by archive format. There's rarely a legitimate reason an external supplier needs to send you a .ACE or .ARJ file in 2024.
- Train your team on the pattern. The "here's a ZIP, password is in the email" combo is now a well-known red flag. If people recognize it, they'll pause before extracting.
Compression evasion is tightly connected to how antivirus engines scan email attachments in the first place. The better you understand the scanning process, the easier it is to see why these tricks work, and where the real gaps are in your setup.
If you're dealing with a suspicious attachment right now and want a second opinion, our SOS hotline is free. No pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.