What are ZIP or ISO attachment attacks?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You get an email with a ZIP or ISO attachment. The subject line says "Invoice Q4" or "Shipping Confirmation." You open it, extract the file inside, and your machine is now running malware. That's the core of an archive attachment attack, and it works far more often than it should.

The reason attackers love archive files is simple. Security scanners at the email gateway have a harder time seeing what's inside them. A plain .exe file gets flagged immediately. The same malicious executable wrapped in a .zip has a much better chance of slipping through, especially if that archive is password-protected (the scanner literally can't open it without the key) or if it's a format the scanner doesn't handle well, like .7z, .rar, or deeply nested archives inside other archives.

ISO files add another layer of evasion. An ISO is a disk image, the kind used to install software from a virtual drive. When you mount one on Windows, it doesn't carry the "Mark of the Web" flag that normally triggers a warning when you open something downloaded from the internet. That warning is a small but meaningful safety net, and ISO files sidestep it entirely. The malware inside behaves as if it came from a trusted local source.

Password-protected archives are a particularly effective trick. The attacker sends the ZIP along with the password in the same email body or a follow-up message. A human reads it fine. The automated scanner never gets in. Once the recipient types the password and opens the file, there's nothing standing between them and the payload.

If your organisation handles a lot of invoices, shipping docs, or HR attachments by email, this is worth paying attention to. Train your team to treat unexpected archive files the same way they'd treat an unmarked box left on the doorstep. And if you want to understand how scanners actually handle these files, the next question on how compressed files evade filters goes deeper into the mechanics.

Not sure if your current email setup is catching these before they reach inboxes? Book a free SOS call and we'll take a look with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Tell me your setup and I'll help you spot the gaps

Tell me about my email security setup and I'll help you figure out how exposed you might be to archive-based attacks. Answer as many as you can: 1. What email platform does your organisation use (Google Workspace, Microsoft 365, something else)? 2. Do you have a dedicated email security gateway or rely on built-in filtering? 3. Does your current setup block or quarantine password-protected attachments? 4. Are ISO or disk image files blocked by policy, or do they reach user inboxes? 5. Have you had any recent incidents involving malicious attachments?

Edit the yellow boxes, then send to the AI of your choice.