Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Remark on EML Attachments SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Remark on EML Attachments

Jan Kopriva's interesting diary entry "EML attachments in O365 - a recipe for phishing" reminded me of another use of EML files for malicious purposes.

EML files are MIME files: Multipurpose Internet Mail Extensions. But this format is not only used for email messages. Microsoft Word also supports this file format to save Word documents (including VBA macros). In the SaveAs dialog box, these files are identified as "Single File Web Page", with extension .mht or .mhtml.

And this is the content of a .mht file:

Malicious document authors have started to use this format in 2015, and soon after they started to use simple obfuscation techniques to evade detection.

I join Jan in advising caution with EML files, and by extension, MIME files.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

403 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!