What is a malicious attachment?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You get an email with an invoice attached. It looks real enough. But the moment you open that file, something runs in the background that you never asked for. That's a malicious attachment doing exactly what it was designed to do.

A malicious attachment is a file sent via email that carries or activates malware when opened. The file itself is the delivery mechanism. It doesn't have to look dangerous. That's the whole point.

Common file types attackers use include executable files (.exe, .scr), macro-enabled documents (.docm, .xlsm), compressed archives (.zip, .rar), and files that exploit vulnerabilities in PDF readers or Office software. The file extension often looks mundane on purpose.

The social engineering side is just as important as the file itself. Attackers disguise these attachments as invoices, shipping confirmations, resumes, or tax documents because those are things people actually open without thinking twice. Urgency helps them too. "Your account will be suspended" gets clicks that "Please review when convenient" never would.

On the protection side, a few layers matter most. Email security tools scan attachments before they reach the inbox. Organizations often block dangerous file types outright (especially .exe and .scr). Disabling macros by default in Office tools cuts off a huge class of attacks. And training people to pause before opening unexpected attachments is still one of the most effective defenses out there (even if it's the hardest to scale).

Attackers keep changing tactics precisely because defenders keep adapting. No single layer stops everything, which is why the layered approach exists in the first place.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me build our attachment policy

I manage email security for our organization/team and I'm thinking through our attachment policy. Based on our setup, which file types should we block outright, which ones are worth scanning more aggressively, and where are the biggest gaps most organizations miss when it comes to malicious attachments?

Edit the yellow boxes, then send to the AI of your choice.