Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can I Get Malware From Opening an Email?

It used to be scary easy, but not any more.

It used to be that simply viewing a malformed email could allow a virus to spread. Thankfully, that's no longer the case.
The Best of Ask Leo!

Opening a Virus?

As long as you’re using a relatively up-to-date email program or online email interface, you cannot get malware just by opening and looking at an email. For the record, most programs and interfaces are up-to-date. I’d be hard-pressed to find one that isn’t these days.

In the beginning, the very concept was laughable. It just wasn’t a way you’d get malware.

Then came Outlook. Not only could opening an email infect your machine, but for a while, you didn’t even have to be around to have it happen!

Fortunately, today things are very different and very safe.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Malware from opening an email

It used to be that email programs would automatically run programs embedded in email messages when displayed, and occasionally those could be malicious. This is no longer the case, and you will not get malware from simply opening an email. It remains important to be skeptical with links and attachments and to keep all software as up-to-date as possible.

Of HTML, DHTML, and JavaScript

HTML is the “language” of the web. It’s the way webpages like this one are written so your browser can display them as the designer intended.

DHTML, for Dynamic HTML, and JavaScript, a programming language, added something HTML didn’t have by itself: the ability to do things. By “things,” I mean actions like turning this text red when you move your mouse over it and games you can play in your browser.

Your browser, and the HTML displayed in it, became a platform for computer programs.

Then came email.

HTML email

Email used to be plain-text only, and some of it still is.

But email began to be encoded using the same language as webpages: HTML. In HTML email, words can be bold or underlined, we can insert images, and more. Now email could be as “pretty” and complex as a magazine page.

Since many email programs simply used the web browser to display HTML, email messages could now also do things.

Then came malware.

Malware in email

Since email could “do things” like run small programs within their display window, it didn’t take long for hackers to write malware not only taking advantage of that but exploiting vulnerabilities those programs could reach. Those vulnerabilities allowed them to infect your machine with more malware.

All because you opened your email and looked at it.

Before it got better, it got worse: then came Outlook.

The Preview Pane

I say “Outlook,” but any email program offering what we now call a “preview pane” could be vulnerable. Outlook was one of the earliest and most popular.

It worked like this:

  • You left your email program open with the preview pane showing.
  • You had your most recent email message displayed in the preview pane.
  • You walked away.
  • You got a new message. Outlook, keeping the selection at “most recent”, selected the newly arrived message1 and updated the preview pane with its contents.
  • If the new message contained DHTML/JavaScript malware, it was possible it would run and infect your machine.

Your email program “looked” at a message and your machine was infected. You weren’t even there.

Fortunately, this didn’t last long.

Modern email programs and sites don’t do that

That possibility was quickly fixed.

The most dramatic fix was that JavaScript — and most other coding that used to allow an email message to “do something” — no longer works within email. Email is no longer treated like a fully capable webpage. Even when displayed in a web interface like Gmail, the message is scrubbed of any scripting that could cause problems before it is displayed.

Along the way, vulnerabilities related to email-based exploits2 have also been fixed regularly and quickly.

Additionally, images aren’t even displayed by default by most email programs. This is done for reasons related to spam, but it also increases your malware-related security.

Today, things are very different.

No, you cannot get infected by just looking

Opening an email is a safe thing to do.

Looking at an email is a safe thing to do.

Having your preview pane open is a safe thing to do, even if you’re not around.

Email programs and email services no longer allow the things that once upon a time made looking at an email risky.

However…

You can still get infected if…

The one thing missing from the discussion above is attachments.

The ability to attach an arbitrary file to an email message predates HTML-formatted email. It’s a convenient way to transfer a file from one place to another.

Unfortunately, the word “arbitrary” is appropriate. Any file can be attached to an email, including programs that would infect your machine with malware.

That’s why one of the admonitions you hear over and over is to never open an attachment you’re not expecting and that you don’t know for certain is safe.

You can get infected by just looking at the contents of an attachment.

Do this

Observe email safety rules.

  • Keep Windows, your browser, your applications, and your email program up to date. If a vulnerability is discovered, you want it to be fixed as soon as possible to be as safe as possible.
  • Run anti-malware software.
  • Never open an attachment unless you expect it, you’re positive you know what it is, and you trust the sender.
  • Never click on a link in an email message unless you’re positive you know where it’s going and you trust the sender.

Something else that’s safe? Subscribing to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: This behavior has also changed. I believe Outlook no longer changes which message is selected.

2: One example: at one point, there were exploits in the software used to display images such that malware could be in maliciously crafted image files. Not only have those exploits been resolved, but most email programs no longer display images from untrusted senders by default.

13 comments on “Can I Get Malware From Opening an Email?”

  1. I’m not a technical person. I get emails/messages notifications I have viruses. Run apps that say no threats/viruses. What do I do?? Battery effected I think. Will factory reset help? Help!!! Please!!!

    Reply
  2. At times I find it necessary to attach documents or images to my email, with a person, or some firm, government agency, or service. I have read that PDF is a safe way to do so, and, thankfully, on my laptop, it’s easy to arrange. You convert documents and even images to PDF by hitting Control+P, choosing to save in PDF format, and downloading.

    I’m wondering however if my information is correct that PDF is safe and if so, whether in general people are aware of that and not put off by receiving and opening a PDF attachment as they might be by an attached image.

    Reply
  3. Thanks Leo. I had one other question about attachments. Is there any difference between opening an attachment of an email downloaded to your computer, eg, by Outlook, versus opening an email attachment if you don’t download your emails to your computer, eg, you view gmail on mail.google.com? Is the latter safe to do?

    Reply
  4. Hej Leo.
    I use webmail and don’t download files to pc and open them. Am I not more secure in that way?
    Regards John from Denmark

    Reply
  5. Leo – Suppose a photo displayed in an email has a “web beacon”. Maybe it’s a spammy email that I originally though was legitimate. Will the sender know I opened the email or do modern email programs scrub this action from happening?

    Reply
  6. I use Network Solutions for some simple web sites and a few email accounts. I got an email from (I thought) ‘Network Solutions’ that said I needed to “Validate my email”. It was a PERFECTLY prepared email, even the senders Domain appeared correct, so I opened the email and did click the big link that said “Validate my email”. As soon as I clicked it, I closed the email and cursed myself. I did not see anything happen, no programs loading or anything… but did I infect myself? I called the real Network Solutions and they confirmed it was a phishing email. I’m running Thunderbird email with Win7 Pro. Now I’m worried……. Thanks for all your tips & tricks!!

    Reply
  7. Dave Fraser,

    Run a full system scan with your anti-malware suite. If anything got in, hopefully it will be recognized and removed. I say ‘hopefully’ because the possibility exists that some new (as yet unknown) malware got into your system when you pressed that button. That possibility is remote, but I feel obligated to include it here for accuracy’s sake. I suggest that you run a full anti-malware scan weekly for the next two or three weeks.

    Ernie

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.