Archive for November 2nd, 2019

Remark on EML Attachments (Sat, Nov 2nd)

Jan Kopriva’s interesting diary entry “EML attachments in O365 – a recipe for phishing” reminded me of another use of EML files for malicious purposes.

EML files are MIME (Multipurpose Internet Mail Extensions) files. But this format is not only used for email messages. Microsoft Word also supports this file format for saving Word documents (including VBA macros). In the Save As dialog box, these files are identified as “Single File Web Page”, with the extension .mht or .mhtml.

And this is the content of a .mht file:

Malicious document authors started to use this format in 2015, and soon after they began using simple obfuscation techniques to evade detection.

I join Jan in advising caution with EML files, and by extension, MIME files.
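A defender's triage sketch for the caution above, added here as an example (not code from the diary or from SANS): it parses a file as MIME regardless of its extension and flags parts that begin with the ActiveMime header, the wrapper Word uses to store macros in .mht files. The ActiveMime detail, the 0x32 offset, and the names `triage_mime`, `extract_ole` and `build_sample` are assumptions of this example, and the sample is constructed and inert.

```python
import base64
import email
import zlib

ACTIVEMIME = b"ActiveMime"  # magic of the blob Word uses to carry macros in an MHT
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature


def extract_ole(blob):
    """Inflate the OLE file inside an ActiveMime blob (assumed at 0x32, else scan)."""
    for off in [0x32] + [i for i, b in enumerate(blob) if b == 0x78]:
        try:
            data = zlib.decompressobj().decompress(blob[off:])
        except zlib.error:
            continue
        if data.startswith(OLE_MAGIC):
            return data
    return None


def triage_mime(raw):
    """Report every leaf MIME part, whatever the file's extension claims."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        is_am = payload.startswith(ACTIVEMIME)
        findings.append({
            "type": part.get_content_type(),
            "location": part.get("Content-Location", ""),
            "activemime": is_am,
            "ole_inside": is_am and extract_ole(payload) is not None,
        })
    return findings


def build_sample():
    """Constructed, inert sample: HTML part plus an ActiveMime part (no macro code)."""
    blob = ACTIVEMIME.ljust(0x32, b"\x00") + zlib.compress(OLE_MAGIC + b"\x00" * 504)
    bnd = "----=_NextPart_SAMPLE"
    return (
        f'MIME-Version: 1.0\nContent-Type: multipart/related; boundary="{bnd}"\n\n'
        f"--{bnd}\nContent-Location: file:///C:/sample/doc.htm\n"
        "Content-Type: text/html\n\n<html><body>hello</body></html>\n\n"
        f"--{bnd}\nContent-Location: file:///C:/sample/editdata.mso\n"
        "Content-Transfer-Encoding: base64\nContent-Type: application/x-mso\n\n"
        f"{base64.encodebytes(blob).decode()}\n--{bnd}--\n"
    ).encode()
```

Calling `triage_mime(build_sample())` returns one entry per part; an entry with `ole_inside` set is a candidate for macro analysis with a dedicated tool.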

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.