Best Practices for E-Mail Attachments


A popular use of e-mail is to distribute computer files (e.g., text files, documents, spreadsheets, PDFs). This is accomplished by "attaching" a file to an e-mail message and then sending the file with the message to a recipient. Almost any type of data file can be attached to an e-mail message for transport.

Unfortunately, this functionality creates an opportunity for distributing malware. Older e-mail programs often opened files attached to messages automatically, as a convenience to the user. This caused infections without any user intervention. Newer e-mail programs don't normally open attachments automatically, so other methods are used to entice (convince) the recipient to open attachments manually. This is called "social engineering": an attack designed to make you take an action (in this case, to click on the attachment). Attackers are constantly coming up with new social engineering tactics to trick users into opening the attachment and thereby installing a malicious program.

Some recent social engineering tactics using e-mail are:

  • customized personal message text ("Dear John, ..." or "please review the attached invoice for...")
  • spoof (forge) the sender name so it appears to be from someone you know ("")
  • make the message threatening ("your account will be closed unless you ...")
  • make the message look official from ("")
  • make the attachment look harmless ("my_vacation_pictures.php")

How do we know if an attachment is "executable"?

File names are very important because that is how the computer knows what to do with the file. For example, documents are named with a three-letter extension of ".pdf", which the computer knows to open using Adobe Reader. Other extensions, such as ".exe" or ".dmg", tell the computer the file is a program that will run as soon as it is clicked. There are many file types and program associations on every computer. If your computer doesn't know what to do with a file (it has no association), the computer will prompt you to select the correct program to open it.

Computer Protection from Malicious Email

To help secure the University's computers, the following protections are being implemented: All incoming messages are scanned for known malware (viruses, worms, trojans, etc.). If malicious code is detected, the entire message is discarded at the campus e-mail gateway. In addition, if a file attachment is encrypted, or if it is password protected, and therefore cannot be examined for malicious code, it will be discarded. Any message that is not a known problem, but has a "dangerous" (executable) attachment, will have the attachment deleted before the message is delivered. Text will be inserted into the message stating that the attachment has been removed. You should also be aware that malware can be embedded in document files such as .docx or .pdf files, and can execute (install malware) on your computer when the document is opened. Be especially careful not to open unexpected attachments. Verify the legitimacy of the file with the person who sent it to you.
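As an added illustration of the gateway behaviour described above (this is not the University's own code; the extension list is an illustrative subset, and the sample ZIP archives are constructed), the following Python applies the decisions in order: discard a message the scanner flags, discard a password-protected ZIP (detected from the encryption bit in its local file headers, since such an archive cannot be scanned), strip an executable attachment, and otherwise deliver.

```python
import io
import struct
import zipfile

# Illustrative subset of "dangerous" extensions (assumption; the real block list
# used by ITS/Outlook is not reproduced here).
EXECUTABLE_EXTENSIONS = {"exe", "dmg", "bat", "cmd", "scr", "js", "vbs", "ps1", "php"}

LOCAL_HEADER = b"PK\x03\x04"          # ZIP local file header signature
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte fixed part of the local header


def is_executable_name(filename: str) -> bool:
    """Classify by the final extension only, so 'report.pdf.exe' counts as executable."""
    name = filename.strip().lower()
    return "." in name and name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def zip_is_encrypted(data: bytes) -> bool:
    """True if any local file header in the archive has the encryption flag (bit 0) set."""
    off = 0
    while off + 30 <= len(data) and data[off:off + 4] == LOCAL_HEADER:
        (_sig, _ver, flags, _method, _t, _d, _crc,
         csize, _usize, nlen, elen) = struct.unpack_from(LOCAL_HEADER_FMT, data, off)
        if flags & 0x01:
            return True
        if flags & 0x08:  # sizes live in a trailing data descriptor; cannot walk further
            break
        off += 30 + nlen + elen + csize
    return False


def gateway_decision(filename: str, data: bytes, scanner_flagged: bool = False) -> str:
    """Return 'discard_message', 'strip_attachment' or 'deliver' for one attachment."""
    if scanner_flagged:
        return "discard_message"
    if filename.lower().endswith(".zip") and zip_is_encrypted(data):
        return "discard_message"
    if is_executable_name(filename):
        return "strip_attachment"
    return "deliver"


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive; the encrypted variant just sets the flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.docx", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01  # general-purpose flag field starts at offset 6 of the first header
    return bytes(data)
```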

ITS uses the following list of attachment types that Outlook will automatically block due to their potential risk:

Encrypted/Password Protected Attachments

If a file attachment is encrypted, or if it is password protected, and therefore cannot be examined for malicious code, the entire message including the attachment will be delivered. No warning will be given to the recipient that the file has not been scanned. (Examples are encrypted .zip files and password-protected office productivity files.)

Options for Sharing Executable Programs: 

  • Place the file on a shared drive, such as your department "L:" drive space, and send the person its location.
  • Place it on a web server and send the person a link to its location (this is what software vendors do).