Remark on EML Attachments (Sat, Nov 2nd)


Jan Kopriva’s interesting diary entry “EML attachments in O365 – a recipe for phishing” reminded me of another use of EML files for malicious purposes.

EML files are MIME (Multipurpose Internet Mail Extensions) files, but this format is not only used for email messages. Microsoft Word also supports it for saving Word documents (including VBA macros). In the Save As dialog box, these files are identified as “Single File Web Page”, with extension .mht or .mhtml.

And this is the content of a .mht file:

Malicious document authors started using this format in 2015, and soon afterwards they began applying simple obfuscation techniques to evade detection.
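A triage check for the point above, as an added example that is not part of the original diary entry: it parses a file as MIME whatever its extension and flags any part whose decoded body begins with the ActiveMime marker, the container in which Word keeps the VBA project inside an .mht file. The sample file, its path and its payload are constructed stand-ins, and the function names are hypothetical.

```python
import email
import zlib
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ACTIVEMIME_MAGIC = b"ActiveMime"  # first bytes of the decoded macro container part
INNER = b"constructed stand-in, not a real OLE/VBA stream"


def build_sample() -> bytes:
    """Constructed .mht-style MIME file with a harmless payload (no real macro)."""
    blob = ACTIVEMIME_MAGIC + b"\x00" * 40 + zlib.compress(INNER)  # padding is constructed
    doc = MIMEMultipart("related")
    doc.attach(MIMEText("<html><body>constructed</body></html>", "html"))
    mso = MIMEApplication(blob, "x-mso")  # base64-encoded on the wire by default
    mso["Content-Location"] = "file:///C:/CONSTRUCTED/editdata.mso"
    doc.attach(mso)
    return doc.as_bytes()


def inflate(body: bytes):
    """Try each 0x78 byte as the start of a zlib stream; return the data or None."""
    off = body.find(b"\x78")
    while off != -1:
        try:
            return zlib.decompressobj().decompress(body[off:])
        except zlib.error:
            off = body.find(b"\x78", off + 1)
    return None


def find_activemime_parts(raw: bytes):
    """Return (content_type, content_location, inflated_bytes) per ActiveMime part."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        if body.startswith(ACTIVEMIME_MAGIC):  # judge the bytes, not the declared type
            hits.append((part.get_content_type(), part.get("Content-Location", ""), inflate(body)))
    return hits


if __name__ == "__main__":
    for ctype, location, inner in find_activemime_parts(build_sample()):
        print(ctype, location, len(inner) if inner is not None else "not inflated")
```

On a real sample, the inflated bytes are what gets handed to an OLE/VBA analysis tool; a `None` result for a part that carries the marker is itself worth a closer look.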

I join Jan in advising caution with EML files, and by extension, MIME files.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
