Password protected attachments scam

Modern email filters make it difficult for attackers to deliver malicious links and attachments. However, encrypting the email attachment carrying your malicious payload, be it a link to a credential harvesting site or macros waiting to drop malicious software onto your pc, will make it almost impossible for email filters to detect. This approach is also very easy, as encrypting an attachment file requires very little technical know-how.

Post hero image

Table of contents

See Hoxhunt in action
Drastically improve your security awareness & phishing training metrics while automating the training lifecycle.
Get a Demo

While most attackers using phishing choose quantity over quality, some hackers have opted for a more fine-tuned approach. Sending malicious files as email attachments and having malicious URLs in the email body is a risky endeavor, prone to getting caught by spam filters employed by email service providers and organizations. The solution? Hide your malicious payload in a password protected attachment.

Why go through the trouble?

Modern email filters make it difficult for attackers to deliver malicious links and attachments. However, encrypting the attachment carrying your malicious payload, be it a link to a credential harvesting site or macros waiting to drop malicious software onto your pc, will make it almost impossible for email filters to detect. This approach is also very easy, as encrypting an attachment file requires very little technical know-how.

Basic example of password protected attachment
A very basic example

From a social engineering perspective, having the attachment file be password protected adds a layer of credibility. The file is encrypted so it must contain confidential information for my eyes only, right? This added level of credibility is particularly effective when used as part of a spear-phishing email.

This approach also exploits our tendency to continue an endeavor once an investment of time, money or energy has been made - commonly known as the sunk-cost fallacy. When the user has already gone through the trouble of opening the password protected attachment, he is more likely to enter his company credentials when additional authentication is required. The human mind is full of these software bugs and hackers know to exploit them.

How it works

These days attackers know to use Microsoft Office documents and PDF files to fool users, as these are widely used across businesses on a daily basis. Their everyday nature can lull the unsuspecting user into a false sense of security and into opening the attachment. Compressed .zip archives are also commonly used by hackers using this approach. The file can be named using a string of randomly generated numbers, or a more elaborate name, sometimes even using the name of the recipient or their organization.

Example 1: Malicious .zip archive asking for a password
Example 1: Malicious .zip archive asking for a password

Example 1: Excel file in the .zip folder

Once the user opens the attachment file, it asks for the password that was revealed in the email body. Entering the password will open the attachment, and this is where the attacker has hidden the actual malicious payload or a link to a malicious site. If the attachment file is a Word or a PDF document, it might contain a message requesting additional authentication, and link to a credential harvesting site. In the case of an Excel file the user is usually asked to enable content, executing the macros hidden in the attachment and giving the attacker access to the user’s computer.

More sophisticated examples

Password protected attachment example 1: email body
Example 1: email body

Password protected attachment example 2: PDF attachment
Example 2: PDF attachment

Password protected attachment example 3: email body
Example 3: email body

Password protected attachment example 4: PDF attachment
Example 4: PDF attachment

Staying off the hook

  • Don’t trust attachments from unknown senders.
  • Be equally suspicious of Microsoft Office attachments, as you would be of executables.
  • Hovering over the links in text documents lets you see the url destination underneath. If the url does not look like it goes to a legitimate email service provider’s login page, it probably doesn’t.
  • Don’t enable editing in suspicious Excel or Word attachments.

This is your brain on trust: Learn how DocuSign helps avoid phishing attacks like those above. They made cybersecurity a habit by integrating Hoxhunt into their behavioral science-based approach to security training

Hoxhunt empowers your employees to shield your organization from threats. Our security awareness training is trusted by the world’s leading cybersecurity professionals - maximizing training outcomes by serving every user a personalized learning path that measurably changes behavior.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this