
How to Spot Unsafe Email Attachments: 6 Red Flags

Dan Price Updated 15-08-2019

Email remains a prominent attack vector for hackers, cybercriminals, snoopers, and other online miscreants. As such, it’s vital that you know how to spot an unsafe email attachment.


If you’re not sure where to start, keep reading. We’re going to explain several red flags that’ll help you identify potentially dangerous files in your inbox.

1. Dangerous File Extensions

Unfortunately, there are several file extensions which could potentially run code on your computer and thus install malware.

As you’d expect, hackers don’t make them easy to spot. Often, dangerous file extensions are concealed in ZIP files and RAR archives. If you see either of those extensions in an attachment that doesn’t come from a recognized contact, you should treat it with suspicion.

The most dangerous file extension is EXE. These are Windows executable files, which are particularly hazardous due to their ability to disable your antivirus app.

Other frequently used extensions to watch out for include:

  • JAR: They can take advantage of Java runtime insecurities.
  • BAT: Contains a list of commands that run in MS-DOS.
  • PSC1: A PowerShell script with commands.
  • VB and VBS: A Visual Basic script with embedded code.
  • MSI: Another type of Windows installer.
  • CMD: Similar to BAT files.
  • REG: Windows registry files.
  • WSF: A Windows Script File that permits mixed scripting languages.

You also need to keep an eye on Microsoft Office files with macros (such as DOCM, XLSM, and PPTM). Macros can be harmful but are also commonplace—especially in business documents. You’ll have to exercise your own judgment.

2. Encrypted Archive Files

As we just alluded to, archive files (such as ZIP, RAR, and 7Z) can conceal malware.

The problem is especially acute for encrypted archive files—i.e., those that require a password in order to extract their contents. Because they are encrypted, your email provider’s native antivirus scanner cannot see what they contain, and thus can’t flag it as malware.

The counterargument is that encrypted archive files are an excellent way to send sensitive data to a recipient; they are widely used for that purpose. Again, you’ll have to exercise your own judgment and make a decision about whether the file is safe.
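The checks from sections 1 and 2 can be written as a small triage routine. This is an added example, not part of the original article; the flag names, the `triage` and `name_flags` helpers, and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions the article lists as able to run code, and macro-enabled Office types.
RISKY = {"exe", "jar", "bat", "psc1", "vb", "vbs", "msi", "cmd", "reg", "wsf"}
MACRO = {"docm", "xlsm", "pptm"}
ARCHIVES = {"zip", "rar", "7z"}


def name_flags(filename):
    """Red flags that can be read from a file name alone."""
    parts = [p.strip() for p in filename.lower().split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    flags = set()
    if ext in RISKY:
        flags.add("risky-extension")
        # e.g. "report.pdf     .exe": a harmless-looking extension hides the real one
        if len(parts) > 2:
            flags.add("double-extension")
    if ext in MACRO:
        flags.add("office-macros")
    if ext in ARCHIVES:
        flags.add("archive")
    return flags


def triage(filename, data):
    """Return the sorted red flags for one attachment (name plus raw bytes)."""
    flags = name_flags(filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        flags.add("archive")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # General-purpose flag bit 0 marks an encrypted member.
                if info.flag_bits & 0x1:
                    flags.add("encrypted-archive")
                # ZIP member names are listed in clear even when contents are encrypted.
                flags |= {"inside:" + f for f in name_flags(info.filename)}
    return sorted(flags)


def constructed_sample():
    """Build a small ZIP in memory and mark its member encrypted (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf      .exe", b"placeholder bytes, not a program")
    raw = bytearray(buf.getvalue())
    cd = int.from_bytes(raw[-6:-2], "little")  # central directory offset, from the end record
    raw[cd + 8] |= 0x01                        # set the encryption bit in its flag field
    return bytes(raw)


if __name__ == "__main__":
    print(triage("scan_0042.zip", constructed_sample()))
```

A password-protected ZIP still exposes its member names, so a risky file inside can be flagged without the password. 7Z and RAR archives can encrypt the names as well, in which case only the "encrypted archive" signal remains.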


3. Who Sent the Email?

It goes without saying that an email from a nonsensical address (for example, is almost certainly something you shouldn’t open. Instead, immediately flag it as spam and remove it from your inbox.

That part is easy, but the situation can quickly become more complex.

Malicious actors are experts in making email addresses look like they are from an official source when in practice, they are phishing attacks. For instance, perhaps your bank’s email address is; a hacker might send an email from instead. That’s easy to overlook when you’re scanning through your inbox in a hurry.

There’s also been an uptick in email spoofing in recent years. When spoofing, an attacker tricks the email server into thinking the email came from the address being spoofed. You’ll even see the person’s real address and profile picture in the sender field.


In theory, you can spot spoofed emails by investigating the email’s source code, but it’s way beyond the abilities of most users. If you’re not expecting an email from the sender and the attached file ticks some of the other boxes we’re discussing, it’s probably malware.

Finally, remember that an attachment could be malicious even if you know the sender and the email is not spoofed. If the sender’s own machine is infected, it could send emails to their contact list without their knowledge.
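What "investigating the email's source code" amounts to can be shown on a raw message. This is an added example, not part of the original article; the `TRUSTED` list, the flag names and the sample message (which uses reserved example domains) are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED = {"mybank.example"}  # assumption: domains the recipient really deals with

# Constructed message for illustration; all addresses use reserved example domains.
RAW = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk.example;
 dkim=none; dmarc=fail header.from=my-bank.example
From: "My Bank Alerts" <alerts@my-bank.example>
Reply-To: helpdesk@collect.example
Subject: Statement attached

Please open the attached statement.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss lookalike domains."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def sender_flags(raw):
    """Return sender-related red flags found in a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    flags = []
    reply = domain_of(msg["Reply-To"])
    if reply and reply != sender:
        flags.append("reply-to-differs")
    for good in TRUSTED:
        if sender != good and edit_distance(sender, good) <= 2:
            flags.append("lookalike-of:" + good)
    # Only meaningful when your own receiving server added this header.
    auth = str(msg["Authentication-Results"] or "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("dmarc") != "pass":
        flags.append("dmarc-not-pass")
    return flags


if __name__ == "__main__":
    print(sender_flags(RAW))
```

Note that SPF passes in the sample because it checks the envelope sender, not the From address the reader sees; the DMARC result is the one that ties authentication to the visible sender.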

4. Strange Filenames

In the same way that you should treat random email addresses with extreme distrust, so too should you be wary of attachments with filenames composed of random strings of characters.

People don’t save documents with a 20-character alphanumeric code as their name, and your computer would never prompt you to do so.


Similarly, names like “freemoney” or “greatopportunity” from an unknown sender are likely to contain malware and should immediately ring alarm bells.

5. Study the Contents of the Email


The text of the email can offer some clues about whether the message—and thus any attachment—is trustworthy.

Bots write many of the spam emails, spoofed emails, and phishing emails that you receive. They often have lousy formatting and spelling errors.

There are other little giveaways, too. For example, perhaps an email that’s purportedly from your best friend refers to you by your full name rather than your nickname. Or maybe it uses formal language and other syntax that you know the person in question would never use.

You should also be suspicious of an email that asks you to download and run its attachment. These emails are often made to appear as if they come from companies like FedEx and DHL; they claim that you can track your package via the download. Given that we live in an age where online shopping is routine, it’s easy to be duped, especially if you’re expecting deliveries.

6. Use Your Antivirus Suite

If you’re caught in two minds about the potential safety of an email attachment, make sure you always run it through your desktop antivirus app before running it on your machine.

Needless to say, if your antivirus program flags the file as suspicious, stop. Delete the file from your computer and don’t redownload it. The worst course of action would be to click through the various malware warnings and proceed regardless.

Remember, even though antivirus apps may not be perfect (they occasionally flag false positives), they are infinitely more trustworthy than a suspicious email which claims its attachment is safe even if it gets flagged by a scan.

(Note: We’ve explained how to test your antivirus app’s accuracy if you would like more information.)

Always Keep a Healthy Suspicion With Emails

Unfortunately, there’s not a one-size-fits-all solution for spotting unsafe email attachments. Broadly speaking, however, the higher the number of red flags the attachment ticks, the more likely it is to be a hazardous file.

If you’re unsure, reach out to the sender and ask for clarification. Most businesses and individuals will be only too happy to inform you about an attachment’s veracity or otherwise. Ultimately, stick to the golden rule: if in doubt, don’t proceed until you’re confident that it’s safe to do so.

You should also consider using a secure and encrypted email client for extra security.

If you’d like to learn more about staying safe while using email, take a few moments to learn how to stop spam email in Gmail and how to spot spear phishing email scams.


  1. Queazy Soporiphic
    February 18, 2014 at 12:54 am

    I just tried to download malware from a link on this page. Then I opened a new page and googled the malware removal tool to download from there. In both cases the download file is an .exe which we are told not to trust.

    Am I right in not downloading because it is an .exe?
    I am not well informed on these things but am trying to remedy that and I have spotted scams etc before and acted defensively or reported them to appropriate bodies.

  2. Alisha
    February 10, 2014 at 11:21 am

    Good Information. Thanks for sharing.

      June 29, 2016 at 10:52 pm

      Hi - who are the 'appropriate bodies' ? - I received a very questionable email from the "FBI" and I don't know who to send it to - thanks for sharing, monica

  3. Steph
    February 4, 2014 at 11:55 pm

    Rules I live by:

    If I don't know the sender - bin it.
    If I get an email from a sender that I am not expecting - e.g. flight confirmations when you haven't booked a flight recently - bin it.
    Always check the sender's address in the header - emails purporting to be from 'QANTAS' but with a return address of @bigpond or an equally vague address get binned.
    Never ever ever ever open .zip type attachments without checking one way or the other. i.e. if you know the sender ring them, if you don't know the sender bin it.
    If there is poor spelling & or grammar in the subject, sender fields or body of the email (that can't be explained by simple typos) bin it.
    Habitually block senders that send malicious emails. I have found that with some virus & emails programs they learn as you go so if you block all those 'Hi. I'm in town would you like to meet for a coffee' emails they all eventually get rejected from your server.
    Just deleting an email doesn't make it go away. It will sit in your Deleted items folder, junk mail folder or similar. Empty these folders frequently to permanently delete items.

    I know there have been a few times where I have binned stuff that I shouldn't have but people have now learnt that if they are going to send me a file they need to let me know first. As much as a pain this has been I have also only had about 2 virus or malware infections in the last 10 years.

  4. Carolyn B
    February 4, 2014 at 2:25 am


  5. Tatyana Istomina 0099 T,Th
    January 26, 2014 at 11:45 pm

    I am glad I read this article, I will be more careful when downloading files that somebody sent me and will make sure the name extension does not contain anything suspicious. Also I will look at the sender's name.

  6. Rakesh Mondal
    January 24, 2014 at 11:55 am

    Thank you very informative.

  7. GP
    January 22, 2014 at 10:31 am

    Not really in to this kind of thing. Rely on another. So would have liked a print version of this article to refer back to it later. This looks as if it will take several pages of paper. Off to go and find out how many.

    • BKL
      January 27, 2014 at 7:09 pm

      If you print as is, it will come to 5 pages. If you copy & paste it into Word, you can scale it down to 3 or even 2, depending on the font size.

  8. susan
    January 22, 2014 at 3:12 am

    You can't trust any attachment, even if it is a .doc, a pdf or a .jpg because nowadays the attackers are changing the extension. So they send you something that LOOKS as if it is a PDF, when it is really a .exe.

  9. Tom W.
    January 21, 2014 at 10:15 pm

    Beware of this type of file:
    anyvideo.avi .exe

    I got a couple of these recently: supposedly safe file extension followed by about 50 spaces then .exe. Turned out to be a nasty virus. I should have noticed that the small icon to the left of the filename was not a video icon supplied by my default video viewer TLC.

  10. Godel
    January 21, 2014 at 9:54 pm

    You can also download, open and test files in a sandbox using Sandboxie, making it less likely for noxious files to escape. If you don't need all the corporate level bells and whistles of Adobe Reader, one of the alternative PDF readers may be safer. I use the basic but effective Sumatra, but I used to use Foxit Reader with JavaScript etc turned off.

  11. dragonmouth
    January 21, 2014 at 7:57 pm

    Rule #1 with any email should be "Know your sender!" This is especially important to the social media addicts who "friend" everybody listed in the Manhattan and/or Los Angeles phone books.

    • John G
      January 26, 2014 at 7:24 pm

      You just said a cottonpickin' mouthful! I'd venture to say at least 50% of this problem would be eradicated if people would just think about who sent the darn thing before they blithely go about opening it. I make purchases from Amazon, etc., all the time but I know better than to just open something from "UPS" just because that's who it says it's from.

      People nowadays are so seldom "in the moment". They're always in a hurry and don't often think about what they're doing.

  12. Jenni
    January 21, 2014 at 7:26 pm

    Excellent article thank you. I'll be referring my students to this one.

  13. malcolm
    January 21, 2014 at 6:07 pm

    I use Mailwasher Pro to read and assess every unexpected incoming email while it is still on the server--and delete it before downloading the rest. The actual delete is delayed because the suspect email is put into quarantine on the server and is listed for a while in Mailwasher's "Recycle Bin." So you can recover rejected mail if you realize you made a mistake. It gets permanently deleted later. I also use Spybot and Malwarebytes and Windows Firewall. I uninstalled Zone Alarm when it wanted to run my life.

  14. kj
    January 21, 2014 at 5:27 pm

    Thank you for this article! Typically if I don't recognize a sender I don't bother regardless but sometimes something is questionable and I'm grateful for the information provided in this article as I'm not a mega-wiz with all this ... Very helpful thanks again!


  15. N Fiorito
    January 21, 2014 at 5:24 pm

    One item that I didn't see in your article was the issue of links contained in the email body. Sometimes the link looks to be for a legitimate site or other friendly titles when in fact they are not. If you run your mouse over the link the actual URL of the site will appear in the status bar. This will give you a clue on whether the email/link is legit or not. I would not count on this exclusively but this along with the other items in your article will help to determine if an email is legit or not.

    • Steve
      January 22, 2014 at 9:01 am

      Very good point to note, thanks. The displayed link can be easily disguised but the url in the status bar will tell you.

  16. wec
    January 21, 2014 at 5:18 pm

    The title should be changed: How To Spot A Dangerous Email Attachment on Windows

    • dragonmouth
      January 21, 2014 at 7:52 pm

      Since MUO is a Windows-centric site, whenever the O/S is not specified, you can safely assume that it is Windows. However, the advice in the article applies to ALL O/Ss. Just because you are running Linux or even BSD does not mean that you can open up emails and attachments willy-nilly.

    • Todd H
      January 23, 2014 at 1:08 am

      It would show a total lack of common sense and lack of technical know how to assume that only the Windows OS can get a virus from E-mail. Your cell phone isn't even safe from Viruses. Linux and iOS can get just as many infections as Windows if you lull yourself into a false (If not fantasy) sense of security just because it doesn't have Microsoft written on it.

  17. Concerned Person
    January 21, 2014 at 4:41 pm

    The statement "Your webmail client’s preview features can also help. You can preview PDF files, documents, images, and other types of files in your browser without actually downloading them to your computer" is incorrect. Everything you see on a browser screen has already been downloaded to your computer; that is why many email clients do not download images and attachments by default. Your browser and to the same extent email clients are not a window to content elsewhere on the internet; unless the item shown is a placeholder it is content already obtained from the internet or elsewhere on your local network.

  18. Steve Tanner
    January 21, 2014 at 3:55 pm

    Beware of the "Sender" field. Sometimes they look legit but your mail client can sometimes show the "Reply-To" which has been configured to fool you. If in doubt, check the HEADER and then you will see where it truly came from.

    • Leah Foley
      February 2, 2014 at 8:29 am

      Exactamente', Steve Tanner, and a rule that I now never, ever break. I started checking headers, just for fun (I'm one of those curious cat kind of creatures of the world) and was absolutely shocked by the amount of emails where the real senders were covered by some bogus address. I mean, "frequently" would be a huge understatement. I've also learned the value of right-clicking (I use Firefox) for further satisfying my urge to detect, exactly what the nature of that content is made of, and who made it and why. I have caught many a phishing scam and worse, and some that have been downright creepy in nature. Even if you're not a "love to snoop" person, like me, you might find yourself turning into one when you see the likes of what kind of "people" are sending you content and just how nasty that content can get, and often, sadly, is. Take a minute or two. It's worth it. Having my nice, new laptop given to me as a Mama's Day gift by my kids, fried to bits by sloppy habits I no longer have, was enough to make me not even consider opening mail without a thorough check-up, first. Easier, and safer, to toss, not loss. Ty to all, for your most excellent advisement.

  19. Rob H
    January 21, 2014 at 3:19 pm

    I read somewhere last year that one trick is to use backspace characters to hide the malicious filetype so the attachment may look like file.pdf but is actually file.pdf.exe**** where the **** is 4 backspace characters which have the effect of hiding .exe so you click expecting to get a PDF but actually you started a program file running.

    I don't think it's easy to do this in a normal email program and hopefully your email service provider, your email client program or your security software will spot the subterfuge.

    Nevertheless it reinforces the advice - don't open unexpected attachments whoever they come from and regardless of how tempting they may seem.

  20. Bobby L
    January 20, 2014 at 9:32 pm

    Also if you right click the attachment you have the option to scan the document with your own anti virus software, and it should tell you if it's safe.

    • Laurel N
      January 20, 2014 at 10:16 pm

      Yes. I like to save ANY attachment, and scan not only w/ a/v, but also with anti-malware. (Spybot and malwarebytes both offer right-click malware scanning in their free versions.) Scan a zip file BEFORE unzipping, and also scan the individual files AFTER unzipping. Remember, scan twice; open once.