Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Hackers Use Malicious Attachments to Give You Malware

Combined with unpatched software, it’s a recipe for disaster.

Malware for You
Another day, another report of hackers exploiting vulnerabilities. Here's how you stay safe.

I ran across this quote in a news article earlier today:

They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug . . .

It’s about a specific bug and a specific exploit, but honestly, it’s just an example of the #1 way hackers try to invade our systems.

It’s worth understanding exactly what it means.

Become a Patron of Ask Leo! and go ad-free!


Malicious attachments and you

Hackers use fake emails to fool you into opening attachments containing malware. The malware often targets unpatched vulnerabilities or bugs in the operating system or other software on your machine. It’s important to remain skeptical and cautious before opening any attachments, and always keep your system and other software as up to date as possible.

The specifics

The quote is from a BleepingComputer article, “Hackers exploit Microsoft MSHTML bug to steal Google, Instagram creds“.

BleepingComputer Quote quote. Click for larger image. (Screenshot:

The targeting is apparently a little more specific than that:

A newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets worldwide . . .

By the time you read this, the vulnerability will likely have been patched.

This is a great example, however, of what I see happening every day.

Here’s how you protect yourself.

Attachments: the hacker’s way in

The first phrase catching my attention was “malicious Winword attachments”. (Winword refers to Microsoft Office’s Word for Windows.)

Combined with a well-crafted phishing email message, attachments are the easiest way to get malware onto your computer. If the attacker can convince you to open the attachment, all bets are off.

The most common scenarios include urgent-sounding messages that urge you to open an attached document to learn more about a package delivery. It’s not limited to messages purporting to be about unexpected deliveries, however.

These types of messages typically (but not always) share these characteristics:

  • They claim to be from a company you recognize.
  • They’re unexpected.
  • They claim there is an issue that requires your urgent attention.
  • They claim you need to view or otherwise download and open an attachment to deal with the urgent issue.

Don’t. Just … don’t.

Resist the urgency. Take the time to examine the message carefully before doing anything. Make sure it really is from who it says it is from.

If you’re unsure, ignore the message and contact the company that supposedly sent the message in some other way.

Attachments are only half the battle, however.

Unpatched vulnerabilities: the hackers’ goal

The second phrase that got my attention was “exploit a . . . bug”.

Malware generally attempts to take advantage of “vulnerabilities”.  Vulnerabilities are nothing more than software bugs that are exploited to allow the malware to do something it shouldn’t. The most common example is called “privilege escalation”, which allows the malware to silently act as administrator on your machine even if you’re an admin yourself.

Naturally, these types of bugs are fixed relatively quickly,1 and the fixes are made available via Windows Update.

This is why it’s important to keep your machine — all your software, really — as up to date as possible. This means letting Windows Update run automatically and taking updates as they’re offered. Unless you’re willing and able to track individual vulnerabilities and their fixes (and I’m not), staying as up to date as possible is the wisest thing to do to stay safe.

And yet, there’s a hole in the safety net: zero-day.

“Zero-day”: the hacker’s jackpot

A “zero-day” vulnerability is a software issue that:

  • Is being actively exploited “in the wild” to infect or otherwise compromise systems.
  • Has no available fix yet.

“Zero-day” means that the software vendor has zero days to fix it before it’s a problem — it’s already a problem. (If a vulnerability is discovered before hackers learn about it, then there’s time to fix it before they use it “for real”.)

Do this

For you as a user, all this implies several important steps you need to take.

  1. Always be on your guard for things like malicious attachments, discussed above.
  2. Keep your security software as up to date as possible. It’s not uncommon for your anti-malware tool to detect malware exploiting a vulnerability before the vulnerability is repaired.
  3. Keep your system as up to date as possible so that when the vulnerability is repaired, you’ll no longer be at risk for that particular issue.

And subscribe to Confident Computing! — my weekly newsletter with more information every week to help you stay safe. Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio


Footnotes & References

1: I have to say relatively because the speed of a repair, and the speed of it being made available via Windows Update, varies depending on the severity of the issue. Repairs themselves also add risk, so it’s not always a simple decision to fix everything as fast as possible.

19 comments on “How Hackers Use Malicious Attachments to Give You Malware”

  1. Yet another thing to stay vigilant about.

    Is it just Microsoft Word or is a program like LibreOffice Writer likely to be used also?

    Would PC Matic stop this download as presumably the malware would not be on their white list?

    I just try to be careful about opening emails, for a long while I have been receiving messages with just a link in them from family friends, some of whom just do not care about it unfortunately.

    • It’s basically any program — or no program at all. The attachment could BE the program. And while a whitelist approach would stop many, there’s no solution that stops absolutely everything. As you say, vigilance is neccessary.

    • Just say no to any attachment in an email “from a person you know” with no description or a generic subject like “I thought you would like this”. It could be sent to anyone.
      Now if the attachment is unexpected but has a subject that shows the connection to the sender “albino deer I told you about last week”, it becomes a lot more trustworthy. Not really useful to target only people who had been talking about albino deer the previous week.

    • re: ‘been receiving messages with just a link in them from family friends’
      When I get these, providing the email address is correct, I return it to sender saying ‘Did you send this? Because this is the type of message sent from scammers so I dont open any links unless I am sure they are genuine.’

  2. I must nitpick on your use of the term, “fake E-Mail.” It’s too close to “fake news” for comfort, and suggests — like the term “fake news” itself — that the E-Mail in question is meaningless and unimportant… a very dangerous interpretation.

    Yes, I know what you’re trying to say, but the E-Mail itself isn’t fake, and neither is any attachment — if anything, it’s the sender that’s “fake.” If the E-Mail is from no-one you recognize, perhaps it’s better to call it “suspicious.” If it IS (seemingly) from someone you recognize (e.g., your bank) but isn’t, then the E-Mail is clearly “forged.”

    • TheGrandRascal, I refer to this type of email as malmail, because it is potentially malicious in nature. Not ALL unexpected email is malmail, but it is all POTENTIALLY malmail. I hope the use of this term will help to subdue your nitpick alarm.


  3. “The most common hidden format is likely to be an .exe file that masquerades as some other format, like pdf. This is often due to a default setting in Windows File Explorer that hides the extension of known file types.” I can’t believe Microsoft hasn’t changed this default after so many exploits of this vulnerability and so many articles warning to change the default. Don’t Microsoft software designers read the trade publications?

    • What you’re observing is a continuing Microsoft design philosophy (for some warped reason). You may have noticed that ever since Windows XP, every subsequent version of Windows omits, restricts or hides information and control access to OS features. So much so, in Windows 10 and 11 there are features for which you have no menus, links or buttons. You have to wildly move the mouse cursor around in the hope of finding an invisible Easter egg control point. For example, the venerable Control Panel is on the chopping block and in Windows 11 you have to search for it, or whatever is left of it.

      • To find the control panel in Windows 11:
        Press the Windows Key and start typing “Control” without quotes. Click on “Control Panel” when it comes up.
        Right click on the Control Panel icon in the Taskbar.
        Click “Pin to Taskbar”.

        You’ll, then, have the Control Panel one click away.

  4. I have been using the Internet almost since it was called the ARPAnet, or more accurately since a bit before the advent of the World Wide Web. I started using email about the same time I started connecting to the Internet. Over the years, I have developed a ‘system’ (or routine if you prefer) for dealing with the email I receive. I have never contracted any malware from email, although I did get a virus (in a file I downloaded) from a BBS site I used when I first started using a modem (96 baud) to connect to such sites – that was back in my MS-DOS days.

    Note: I keep my computers as current as I can with security patches, and I keep Windows Defender on each of them as current as possible.

    1. I subscribe to quite a few newsletters. I know their format. I know their sender address (the content of the “From:” line). I know generally when they will arrive (approximate time of day, day of week / month, etc.), and I know their schedule frequency, so unless a newsletter arrives significantly outside the expected schedule, I generally trust them and their content.

    2. I receive a lot of email form stores, businesses, and Government sources. This type of email is typically unexpected, so I am much less trusting of it, and I initially classify it as potentially malmail.

    2-a. I check to verify that the message contains my (correctly spelled) name in the greeting (these sources know who I am). If the name is wrong, I close the message and move it to my spam/junk folder. It is malmail/spam.

    2-b. If the name is correct, I look to see if there is an attachment. If there is an attachment, and the message is from a store or other business that I deal with, I assume that it is malmail and move it to my spam/hunk folder. In my experience, no stores or businesses I have dealt with have sent me email with any attachment(s), so why would I risk opening the attachment or click a link in such a suspicious email?

    If there is an attachment and the message purports to be from a government source, I go to the source’s web site to look for some form of notification or alert telling me that I need to complete some form or task, etc. If there is, I get the form or complete the required task at the web site, then move the email to the sender’s folder for storage. If there is no such notification or alert, I notify the purported sender (their potential spam contact or the named sender) about the email to learn if it was indeed sent from them. If I am informed that they sent the email, I open the attachment and do whatever I am required to do to meet their requirements. If, after about a week, I do not get a response regarding the email, I move it to my spam/junk folder. If the email was valid after all, the sender will follow up with a phone call or via U.S.P.S.

    2-c. I no longer work. I am retired. When I did work, I occasionally received email from companies whom I had contacted for employment. If the message contained an attachment, I called the sender to confirm that they did indeed send the message, and that it did indeed contain an attachment. I have never been rebuked for doing this check, and quite honestly, if I was ever rebuked for checking, I would have reconsidered seeking employment with that company.

    2-d. Across my working life I have used job search web sites. I have received email from them when there was a potential job that I may qualify for. I do not ever remember receiving an email form a Job Search Website that contained an attachment. If I had received such a message (with an attachment), I would have gone to the Job Search website to see if there was an alert or a notification of a potential job match for me. If there was, I’d follow it up from the Job Search website and move the email to the sender’s folder. If there was no matching notification or alert, I would have moved the email to my spam/junk folder.

    3. If I receive an email form a friend (or someone I know/knew/worked with), I call/text my friend/associate to confirm that they sent the email. If the email contains an attachment, I also confirm they included the attachment. Messages/emails from people I know are the easiest for me because I can contact the purported sender directly to confirm legitimacy.

    In every case, when I receive an unexpected (or suspicious) email I follow these general steps:

    I check that the email is being sent to me specifically (is my name in the greeting and spelled correctly?).

    Is it a newsletter I subscribe to? Is it arriving on schedule (generally speaking)? If so, does it look right (the “From:” line, format, etc.)? If not, I can usually go to the site to view the newsletter online, otherwise I feel safe to click any links that interest me (such as in my Ask Leo Newsletter).

    Do I know the sender (friend, associate, etc.)? If I do, I contact them directly to confirm the legitimacy of the message.

    Is the message from a store or other business I deal with and am I expecting it? If it is, but I am not expecting the message, is there anything in it that I need to deal with? If so, I go to the store/business’s website to follow up. If not, I delete it. If I am expecting it, it is usually from a store where I placed an order. In that case, does the information in the message match up with what I ordered? If not, I delete the message, then go to the store’s website to check on the status of my order – just in case.

    There may be more things I do that I am not aware of, but these steps have kept me safe from email threats so far. The main thing is that I DO NOT open any attachments – period – unless I can confirm the legitimacy of the source to my satisfaction. I NEVER make ANY assumptions about incoming emails other than to distrust them until I can confirm they are legitimate.

    These steps have kept me safe regarding email for a lot of years. Perhaps they can help to keep you safe too,


  5. My company IT department is training all of us very well. They frequently send out testing emails. It announces to the effect of “HaHaHa you are busted!” All of us are learning to review closely. The review has saved me at home several times. Articles like yours reinforce the training/learning. Thank you so much for these. Barb

  6. First of all set File Explorer to display file endings, than turn off macros in every Office app you are using (word, excel, PowerPoint, publisher and Access)
    Never login to Windows with an admin account unless you have to. Its very rare that you have to be logged on with an admin account (I only needed that once and that was when I installed a printer driver)
    Create a standard user account for every day use. Whenever admin privileges are required Windows will prompt for a admin password and you should never enter such a password unless you know what is happening (if you started installation of software form a safe source it’s OK otherwise it’s strongly recommended you hit Cancel.
    Simple basic safety measures everyone ought to follow.

  7. What I cannot understand is the reasoning (if applicable) in the hacker’s mind.

    My question is, “Why do this? What do you gain for each (temporarily) defunct computer?”

    • Most hacking nowadays isn’t to disable computers. It’s all about making money. Ransomware to make people pay to get their data back, botnets to send out spam, keyloggers and phishing to steal passwords or redirect your searches to unwanted websites for ad revenue etc. Not much malware is for sport any more.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.