
The types of attachments we see in malware email - lelf
https://utcc.utoronto.ca/~cks/space/blog/spam/MalwareAttachmentTypes-2019-03
======
badrabbit
It really depends on your userbase and email security solutions in my
experience.

Two things that make me question this stat: after tens of thousands of manual
phishing email screenings at multiple orgs I have never, not once, witnessed a
phish that used a .txt attachment for payload delivery. Second, I see a _ton_
of phish delivered via pdf attachments. Are they considering malware delivery
phish the same category as credential theft phish (fraudulent sites that social
engineer users for their logins)? If so, that's counting apples with oranges.

For malware delivery, if you have a good email security solution in place, Word
documents should be #1.

You should block zip attachments that contain specific types of files.
Blocking zip or rar as a category makes little sense. Scripts of any
kind, executables, jar files and such in a zip file should result in a
quarantined email.

If you can't afford a decent email security appliance: set up a Cuckoo Sandbox
instance, detonate attachments and quarantine (for human review) any
attachments that generate network activity or drop suspicious files. Also
quarantine Word documents with macros (YARA rule analysis).

I would also see a lot of value in blocking Google Drive, OneDrive and Dropbox.
A common phish in 2019 would be exploitation of compromised email accounts: the
attackers would reply-all to email threads with links to something like
OneDrive. Instead of sending the file as an attachment, they host it on
OneDrive. This kills two birds with one stone: the file is hosted on a trusted
platform and they avoid attachment filtering.

Lastly, unpopular opinion: user education does not help much. Fix the tech, not
the user.

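As an added example (not the commenter's code, and not taken from any mail security product): a Python check that applies the attachment policy described in the comment above, quarantining a zip only when a member is a script, executable or jar, descending into nested zips, and flagging Office Open XML documents that carry a VBA project (OOXML stores macros as word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin). The extension lists, the depth and size limits, and the in-memory sample attachments are assumptions constructed here so the script runs offline; it uses the zip structure directly rather than a YARA rule, and does not cover the legacy OLE .doc/.xls formats.

```python
# Attachment policy check: block archives by *content*, not by the zip
# category, and quarantine Office documents that carry macros.
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Member types that quarantine the whole archive (assumed list; tune per org).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".dll", ".msi",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".psm1", ".bat", ".cmd", ".jar",
}
# Containers we open: plain zips and OOXML Office documents (which are zips).
CONTAINER_EXTENSIONS = {".zip", ".docx", ".docm", ".dotm",
                        ".xlsx", ".xlsm", ".pptx", ".pptm"}
# OOXML keeps macros as a binary VBA project at one of these member paths.
VBA_PROJECT_PATHS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

MAX_DEPTH = 3                        # deeper nesting is quarantined unopened (assumed)
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # declared total size; zip-bomb guard (assumed)


def _ext(name: str) -> str:
    """Last suffix only, lower-cased, so 'invoice.pdf.exe' counts as .exe."""
    return PurePosixPath(name).suffix.lower()


def scan_zip_bytes(data: bytes, depth: int = 0) -> List[str]:
    """Return reasons to quarantine the container; an empty list means clean."""
    if depth > MAX_DEPTH:
        return ["nested archives deeper than %d" % MAX_DEPTH]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip container"]

    total = sum(info.file_size for info in zf.infolist())
    if total > MAX_UNCOMPRESSED:
        return ["declared uncompressed size %d exceeds limit" % total]

    reasons = []
    # Macro check keys on the VBA project's presence, not on the attachment's
    # claimed extension: a .docm renamed to .docx still carries it.
    for vba in sorted(VBA_PROJECT_PATHS & set(zf.namelist())):
        reasons.append("Office document contains VBA project: " + vba)

    for info in zf.infolist():
        if info.is_dir():
            continue
        ext = _ext(info.filename)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked member type %s: %s" % (ext, info.filename))
        elif ext in CONTAINER_EXTENSIONS:
            if info.flag_bits & 0x1:
                # Encrypted member: cannot be inspected, so hand it to a human.
                reasons.append("encrypted nested container: " + info.filename)
                continue
            for r in scan_zip_bytes(zf.read(info.filename), depth + 1):
                reasons.append("%s -> %s" % (info.filename, r))
    return reasons


def classify_attachment(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Decide 'quarantine' or 'allow' for one attachment and say why."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "quarantine", ["blocked attachment type " + ext]
    if ext in CONTAINER_EXTENSIONS:
        reasons = scan_zip_bytes(data)
        return ("quarantine" if reasons else "allow"), reasons
    # Legacy .doc/.xls are OLE containers, not zips; they need oletools or a
    # YARA rule and are outside this check.
    return "allow", []


def _build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; member contents are placeholders, not real files.
SAMPLES = {
    "report.zip": _build_zip({"report.pdf": b"%PDF-1.4 placeholder"}),
    "invoice.zip": _build_zip({"invoice.pdf.JS": b"// placeholder"}),
    "nested.zip": _build_zip({"inner.zip": _build_zip({"setup.exe": b"MZ placeholder"})}),
    "memo.docx": _build_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>"}),
    "macro.docm": _build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, why = classify_attachment(name, blob)
        print("%-12s %-10s %s" % (name, verdict, "; ".join(why)))
```

Run as-is, the clean zip and the macro-free .docx are allowed, while the zip holding a double-extension .JS, the zip nested inside a zip, and the macro-enabled .docm are all quarantined with the member that triggered the decision named in the reason, which is what a human reviewer needs when the message lands in the quarantine queue.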
------
buzzert
Follow up about “good” attachments is worth a read too:
https://utcc.utoronto.ca/~cks/space/blog/spam/GoodAttachmentTypes-2019-03

