E-mail attachments: useful or useless?
September 2019 by Certified Senders Alliance
Since its creation, e-mail has established itself as a fast and simple means of communication that lets you quickly send not only plain text but also small files, such as text documents or images. Even though several cloud services are now available for data exchange, e-mail is still often the first choice for quickly sending files such as text documents or images to one or more recipients. What seems convenient in private life, however, can cause problems in e-mail marketing and in customer communication by e-mail, especially for transactional e-mails, which often contain sensitive data and which customers are waiting for. The related challenges and their possible consequences are explained below:
Attachments as an entry point for malware
Attachments often serve as a gateway for malware. A cyber criminal who is phishing wants to give the impression that the messages come from a trustworthy source. Depending on the type of phishing, the sender may pose as a supervisor, a financial service provider or an insurance company. This increases the likelihood, and the danger, that the attachments will be opened. Typically, these attachments are manipulated so that they exploit security holes in an application (a PDF viewer or the e-mail client, for example) or in the operating system to infect the recipient’s computer. Once under the criminal’s control, the infected computer can go unnoticed and become part of a network of "bots" (a botnet) that sends spam or takes part in DDoS (Distributed Denial of Service) attacks. In this way, a criminal can also gain access to all the data on the e-mail recipient’s computer. Because of these serious risks, e-mail service providers and spam filters check attachments very carefully, and the deliverability of e-mails with attachments may suffer as a result. E-mail clients also warn about attachments or partially prevent them from being loaded and executed. The consequence is that recipients often do not receive these e-mails in the first place, or do not read the attachments.
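To make the "check attachments very carefully" step concrete, here is an added example (not from the CSA article, and not CSA code) of the kind of attachment triage a mail gateway or spam filter performs before delivering a message. It parses an RFC 5322 message, enumerates the MIME attachments and flags the patterns the paragraph describes: executable or script-like attachments, double extensions such as "invoice.pdf.exe", and attachments whose declared content type does not match the bytes they actually contain. The sample messages, the blocked-extension list and the magic-number table are constructed for illustration and are not a complete policy.

```python
"""Attachment triage for an inbound e-mail message (illustrative gateway check)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List
import os

# Extensions that most gateways block or quarantine outright (illustrative list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}

# Leading bytes ("magic numbers") for a few declared types we want to verify.
MAGIC = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "application/zip": b"PK\x03\x04",
}


def triage_attachments(raw: bytes) -> List[Dict]:
    """Return one finding per attachment: file name, declared type and reasons to flag it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        root, ext = os.path.splitext(name.lower())
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        # "invoice.pdf.exe": a harmless-looking extension hidden in front of the real one
        if os.path.splitext(root)[1]:
            reasons.append("double extension")
        expected = MAGIC.get(ctype)
        if expected is not None and not payload.startswith(expected):
            reasons.append(f"content does not match declared type {ctype}")
        findings.append({"name": name, "content_type": ctype, "reasons": reasons})
    return findings


def build_sample(name: str, ctype: str, data: bytes) -> bytes:
    """Construct a test message with a single attachment (constructed sample data)."""
    maintype, subtype = ctype.split("/", 1)
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("invoice.pdf", "application/pdf", b"%PDF-1.7\n%constructed body\n"),
        build_sample("invoice.pdf", "application/pdf", b"MZ\x90\x00 not really a pdf"),
        build_sample("invoice.pdf.exe", "application/octet-stream", b"MZ\x90\x00"),
    ]
    for raw in samples:
        for f in triage_attachments(raw):
            verdict = "OK" if not f["reasons"] else "FLAG: " + "; ".join(f["reasons"])
            print(f"{f['name']:<18} {f['content_type']:<26} {verdict}")
```

The third check matters most in practice: a file named `.pdf` with a declared type of `application/pdf` that does not start with `%PDF-` is exactly the kind of mismatch that gets a message quarantined, which is why a legitimate sender's attachments can end up undelivered as collateral damage.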
The absence of encryption means the absence of data protection
Not all mail servers on the internet support STARTTLS as transport encryption. STARTTLS upgrades an existing SMTP connection to Transport Layer Security so that e-mails can be sent, relayed and received over an encrypted channel. Without STARTTLS, the content of the e-mail and its attachments can be read in transit by third parties.
Even with STARTTLS, there is always a risk of a man-in-the-middle (MITM) attack that intercepts e-mails. A higher level of security can only be achieved through additional protocols such as DANE and DNSSEC, but these are not yet established in the market. In addition, there is the risk that the recipient may unknowingly retrieve e-mails from the mailbox unencrypted over an unsecured network. E-mails and attachments often contain sensitive information, such as payment details or insurance or health data, that must not be read by unauthorized persons. As a sender, you should therefore consider which information you send by e-mail and what damage can be caused if it falls into the wrong hands. The sender is held responsible if personal data is disclosed. In this case, the provisions of Articles 32 et seq. of the GDPR apply: the supervisory authorities must be informed of the security breach, and they may then impose sanctions on the sender (see Article 58 of the GDPR).
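The practical consequence of the two paragraphs above is that a commercial sender should treat STARTTLS as mandatory rather than opportunistic: if the receiving server does not advertise it, or an intermediary on the path has removed the advertisement, the mail must be held rather than sent in clear text. The following added example (not from the CSA article) implements that "require TLS" rule. `parse_ehlo` and `tls_decision` work on constructed EHLO replies so they run offline; `deliver_requiring_tls` applies the same rule to a live connection with the standard library's `smtplib`, verifying the server certificate through `ssl.create_default_context()`. The host names and the EHLO replies are constructed placeholders.

```python
"""Sender-side 'require STARTTLS' policy for outbound SMTP (illustrative)."""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Dict


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Turn a multi-line EHLO reply into an {EXTENSION: parameters} map.

    RFC 5321 reply lines look like '250-STARTTLS' (more lines follow) or
    '250 SIZE 52428800' (last line). The first line is the server greeting.
    """
    caps: Dict[str, str] = {}
    lines = reply.strip().splitlines()
    for line in lines[1:]:                      # skip the greeting line
        if not line.startswith("250"):
            continue
        body = line[4:].strip()                 # drop the '250-' or '250 ' prefix
        if not body:
            continue
        name, _, params = body.partition(" ")
        caps[name.upper()] = params
    return caps


def tls_decision(reply: str) -> str:
    """'send' when STARTTLS is advertised, otherwise 'hold' (never 'send in clear')."""
    return "send" if "STARTTLS" in parse_ehlo(reply) else "hold"


def deliver_requiring_tls(msg: EmailMessage, host: str, port: int = 25) -> None:
    """Deliver only over a verified TLS session; raise instead of falling back."""
    context = ssl.create_default_context()      # verifies certificate chain and host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("STARTTLS"):
            raise RuntimeError(f"{host} does not offer STARTTLS; message held, not sent in clear")
        smtp.starttls(context=context)
        smtp.ehlo()                             # capabilities must be re-read after the upgrade
        smtp.send_message(msg)


# Constructed EHLO replies: a server that offers STARTTLS, and the same reply
# as it would arrive if something on the path had removed the STARTTLS line.
EHLO_WITH_TLS = """250-mx.example.invalid Hello sender.example.invalid
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 SMTPUTF8
"""
EHLO_WITHOUT_TLS = """250-mx.example.invalid Hello sender.example.invalid
250-SIZE 52428800
250-8BITMIME
250 SMTPUTF8
"""

if __name__ == "__main__":
    print("reply advertising STARTTLS:", tls_decision(EHLO_WITH_TLS))
    print("reply without STARTTLS:    ", tls_decision(EHLO_WITHOUT_TLS))
```

The second `ehlo()` after `starttls()` is not cosmetic: the extension list received before the upgrade came over the unprotected channel and must be discarded. Holding the message also gives the operations team a signal (a queue that is not draining for one destination) instead of a silent plaintext delivery.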
According to experts from the Certified Senders Alliance (CSA), attachments should therefore be avoided in the commercial environment. A better alternative to attachments is a deep link to download them from the customer’s own portal. The customer can consult or download the documents assigned to him/her via a connection secured by TLS. It also allows the user to manage documents centrally without having to search for individual attachments in his or her overloaded e-mail client. A regular connection to the portal also creates additional customer loyalty and the possibility of advertising other offers.
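As an added example (not from the CSA article, and not CSA code), here is how a customer portal can issue the deep link recommended above in place of an attachment. The link carries the document id, the customer id and an expiry time, protected by an HMAC so that it cannot be altered or guessed; the portal then checks the signature, the expiry and that the customer logged in over TLS is the one the document was issued to, before serving the document. The portal host, secret key, lifetime and ids are constructed placeholders.

```python
"""Signed, expiring deep links to documents in a customer portal (illustrative)."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_BASE = "https://portal.example.invalid/documents"   # placeholder host
SECRET_KEY = b"replace-with-a-key-from-your-secret-store"   # placeholder key
LINK_LIFETIME = 7 * 24 * 3600                                # seven days, illustrative


def _signature(doc_id: str, customer_id: str, expires: int) -> str:
    """HMAC-SHA256 over the fields that must not be altered."""
    msg = f"{doc_id}|{customer_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_deep_link(doc_id: str, customer_id: str, now: Optional[int] = None) -> str:
    """Build the link that goes into the e-mail body instead of an attachment."""
    now = int(time.time()) if now is None else now
    expires = now + LINK_LIFETIME
    query = urlencode({
        "doc": doc_id,
        "cust": customer_id,
        "exp": expires,
        "sig": _signature(doc_id, customer_id, expires),
    })
    return f"{PORTAL_BASE}?{query}"


def verify_deep_link(url: str, session_customer_id: str,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Portal-side check: signature intact, not expired, and the authenticated
    customer is the one the document was issued to. Returns (ok, doc_id or reason)."""
    now = int(time.time()) if now is None else now
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        doc_id, customer_id = params["doc"], params["cust"]
        expires, sig = int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return False, "malformed link"
    expected = _signature(doc_id, customer_id, expires)
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "signature mismatch"
    if now > expires:
        return False, "link expired"
    if session_customer_id != customer_id:
        return False, "link belongs to a different customer"
    return True, doc_id


if __name__ == "__main__":
    t0 = 1_700_000_000                           # fixed clock for a reproducible run
    link = make_deep_link("INV-2019-0042", "C-1001", now=t0)
    print(link)
    print(verify_deep_link(link, "C-1001", now=t0 + 60))                  # accepted
    print(verify_deep_link(link, "C-1001", now=t0 + LINK_LIFETIME + 1))   # expired
    print(verify_deep_link(link, "C-2002", now=t0 + 60))                  # wrong customer
    tampered = link.replace("INV-2019-0042", "INV-2019-0043")
    print(verify_deep_link(tampered, "C-1001", now=t0 + 60))              # signature mismatch
```

Binding the link to the customer id and still requiring the portal session means a forwarded or leaked e-mail does not expose the document on its own, which is the data-protection advantage over an attachment that is readable by whoever holds the message.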
The Certified Senders Alliance (CSA) is a joint project of the eco e-Commerce Association and the German Dialogue Marketing Association DDV (Deutscher Dialogmarketing Verband). Up-to-date information on the CSA’s work, CSA certification and current technical and legal aspects of e-mail marketing can be found at https://certified-senders.org/de/