What is a malicious attachment?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email with an invoice attached. It looks real enough. But the moment you open that file, something runs in the background that you never asked for. That's a malicious attachment doing exactly what it was designed to do.
A malicious attachment is a file sent via email that carries or activates malware when opened. The file itself is the delivery mechanism. It doesn't have to look dangerous. That's the whole point.
Common file types attackers use include executable files (.exe, .scr), macro-enabled documents (.docm, .xlsm), compressed archives (.zip, .rar), and files that exploit vulnerabilities in PDF readers or Office software. The file extension often looks mundane on purpose.
The social engineering side is just as important as the file itself. Attackers disguise these attachments as invoices, shipping confirmations, resumes, or tax documents because those are things people actually open without thinking twice. Urgency helps them too. "Your account will be suspended" gets clicks that "Please review when convenient" never would.
On the protection side, a few layers matter most. Email security tools scan attachments before they reach the inbox. Organizations often block dangerous file types outright (especially .exe and .scr). Disabling macros by default in Office tools cuts off a huge class of attacks. And training people to pause before opening unexpected attachments is still one of the most effective defenses out there (even if it's the hardest to scale).
Attackers keep changing tactics precisely because defenders keep adapting. No single layer stops everything, which is why the layered approach exists in the first place.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.