Password-Protected Attachment Evasion
Attackers password-protect malicious archives so that email security gateways cannot scan the contents. The password is supplied in the email body: the victim can open the file, but automated analysis is blinded.
MITRE ATT&CK: T1566.001
Timeline: The Cat and Mouse
2015 → Attack emerges → 2019 → Defenses improve → 2022 → Still effective → Present
The Evolution
| Phase | Period | What Happened |
|---|---|---|
| ATTACK | 2015 | Password-protected archives defeat most gateway scanning |
| PEAK | 2017-2021 | QakBot, Emotet use extensively; simple passwords work |
| RESPONSE | 2019 | SEGs attempt common password cracking |
| | 2020 | Password extraction from email body |
| | 2021 | Organizations begin blocking encrypted attachments |
| ADAPTATION | 2022+ | Complex passwords, password in images, separate emails |
| CURRENT | Present | Still effective with unique passwords; cat-and-mouse continues |
Key Events with Sources
| Date | Event | Significance | Source |
|---|---|---|---|
| 2015 | Technique becomes common | Encrypted ZIPs bypass most security scanning | Proofpoint |
| 2018 | Emotet uses password ZIPs | Simple passwords: "123", "1234", "docx" | CISA |
| 2019 | SEG password cracking | Gateways try common passwords to scan contents | Mimecast |
| 2020 | Body password extraction | SEGs parse email for passwords, attempt decryption | Proofpoint |
| 2022 | Complex password adaptation | Attackers move to harder passwords, images, separate channels | Cofense |
Overview
Email security tools scan attachments for malware, but they can't scan what they can't open. Password-protected ZIP files, encrypted PDFs and other protected archives hide their contents from inspection. Attackers include the password in the email body, giving the victim access while blinding security tools.
The Attack
How It Works
┌───────────────────────────────────────────────────────┐
│ EMAIL                                                 │
│                                                       │
│ Subject: Invoice #12345                               │
│                                                       │
│ Please find attached invoice.                         │
│ Password: invoice2024                                 │
│                                                       │
│ Attachment: invoice.zip (encrypted)                   │
│   └── invoice.exe (malware, hidden by encryption)     │
└───────────────────────────────────────────────────────┘
EMAIL SECURITY:
Scanning: invoice.zip
Status: ENCRYPTED - CANNOT SCAN
Malware: UNKNOWN
Action: DELIVER (can't prove it's bad)
Common Patterns
ZIP with Password:
Attachment: document.zip
Body: "Password: 12345" or "Use code: secure"
Contents: malware.exe, malware.dll, malware.js
RAR Archives:
Attachment: files.rar
Body: "Archive password: confidential"
Contents: payload.exe
Encrypted PDF:
Attachment: invoice.pdf (encrypted)
Body: "PDF Password: 2024"
Contents: Malicious JavaScript or links
7z Archives:
Attachment: data.7z
Body: "Extraction password in subject line"
Contents: iso/img file containing malware
Why It Works
Encryption is Legitimate:
- Businesses send encrypted files for security
- Can't block all encrypted attachments
- False positive risk is high
Scanning Limitations:
- Can't decrypt without the password
- Brute force is slow and impractical at gateway throughput
- Modern archive encryption (AES-256 in 7z, RAR5 and WinZip AES ZIPs) is strong; legacy ZipCrypto is weak, but attacking it still needs known plaintext, which a gateway rarely has
- One gap attackers often leave open: standard ZIP and RAR encrypt member contents, not member names, so invoice.exe is visible in the archive directory unless the sender also encrypts the file list (7-Zip -mhe=on, RAR -hp)
Social Engineering:
- Password in email feels like "security"
- Users follow instructions
- Creates sense of legitimacy
Real Campaigns
QakBot:
- ZIP + XLS with macros
- Password often in subject or body
- Thread hijacking + password protection
Emotet:
- Password-protected ZIPs carrying DOC files
- Simple passwords: "123", "1234", "docx"
- High volume, low-sophistication passwords
IcedID:
- Password-protected ZIP with ISO
- More complex passwords
- Targeted distribution
Defenses
Password Extraction and Scanning
Advanced SEGs:
- Parse email body for password patterns
- Extract potential passwords
- Attempt to decrypt attachment
- Scan decrypted contents
Patterns searched:
- βPassword: Xβ
- βPass: Xβ
- βCode: Xβ
- βUse X to openβ
- Password in image (OCR)
Common Password Attempts
SEGs try common passwords:
- Numeric: 1234, 12345, 123456
- Generic: password, infected, malware
- Current year: 2024, 2025
- File-related: invoice, document
Policy-Based Blocking
Organizations may:
- Block all password-protected ZIPs
- Quarantine for manual review
- Require sender verification
- Whitelist specific senders
Sandboxing with Passwords
Advanced analysis:
- Extract password from email
- Pass to sandbox environment
- Sandbox opens and analyzes
- Full behavioral analysis possible
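The extract-candidates-then-retry loop described in this section, as an added Python example (not code from the original page or from any vendor's gateway). It assumes MIME parsing has already happened, so it takes the subject, the plain-text body and the attachment bytes. The lure text, the password and the stand-in payload are constructed inline, and a small ZipCrypto writer is included only because Python's standard library can read that format but not write it:

```python
"""Gateway-side password recovery for a ZipCrypto-protected ZIP attachment.
Added example, not code from the original page. Does what the Defenses
section describes: harvest password candidates from the subject and body,
append a short common-password list, try them, and inspect the archive.
The lure text, password and stand-in payload are constructed here. Stdlib
only; zipfile reads ZipCrypto but cannot write it, so a minimal writer is
included to build the sample attachment."""
import io
import os
import re
import struct
import zipfile
import zlib
from datetime import date

# ---- ZipCrypto (legacy PKWARE "traditional" encryption) -------------------
def _crc_entry(c):
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c

_CRC_TABLE = [_crc_entry(i) for i in range(256)]

def zipcrypto_encrypt(password: bytes, plaintext: bytes, crc: int) -> bytes:
    """12-byte header (random filler + CRC high byte) followed by the data."""
    key = [0x12345678, 0x23456789, 0x34567890]

    def update(c):
        key[0] = (key[0] >> 8) ^ _CRC_TABLE[(key[0] ^ c) & 0xFF]
        key[1] = ((key[1] + (key[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        key[2] = (key[2] >> 8) ^ _CRC_TABLE[(key[2] ^ (key[1] >> 24)) & 0xFF]

    for c in password:
        update(c)
    out = bytearray()
    for p in os.urandom(11) + bytes([(crc >> 24) & 0xFF]) + plaintext:
        k = key[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))   # keystream byte, then advance keys
        update(p)
    return bytes(out)

def build_encrypted_zip(password: bytes, members: dict) -> bytes:
    """Stored ZipCrypto archive. Member names are in the clear by design."""
    body, central = bytearray(), bytearray()
    for name, data in members.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        enc, fname = zipcrypto_encrypt(password, data, crc), name.encode()
        # flags=1 (encrypted), method=0 (stored), time, date (2024-01-01), crc, sizes
        fixed = struct.pack("<HHHHLLL", 1, 0, 0, 0x5821, crc, len(enc), len(data))
        central += (struct.pack("<4sBBBB", b"PK\x01\x02", 20, 0, 20, 0) + fixed
                    + struct.pack("<HHHHHLL", len(fname), 0, 0, 0, 0, 0, len(body)) + fname)
        body += (struct.pack("<4sBB", b"PK\x03\x04", 20, 0) + fixed
                 + struct.pack("<HH", len(fname), 0) + fname + enc)
    end = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(members), len(members),
                      len(central), len(body), 0)
    return bytes(body + central + end)

# ---- Constructed lure (MIME parsing assumed to be done already) -----------
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for a PE, not executable\n"
SUBJECT = "Invoice #12345"

def sample_lure(password: str, disclose: bool = True, member: str = "invoice.exe"):
    body = "Please find attached invoice.\n" + (
        f"Password: {password}\n" if disclose else "Password sent separately.\n")
    return body, build_encrypted_zip(password.encode(), {member: SAMPLE_PAYLOAD})

# ---- Gateway logic ---------------------------------------------------------
HINTED = re.compile(r"(?i)\b(?:password|passwd|pass|pwd|code|pin)\b\s*(?:is|:|=|-)?\s*[\"'“]?([^\s\"'“”<>]{3,64})")
USE_TO_OPEN = re.compile(r"(?i)\buse\s+[\"'“]?([^\s\"'“”]{3,64}?)[\"'”]?\s+to\s+(?:open|extract|unlock)")
COMMON = ["1234", "12345", "123456", "password", "infected", "malware", "invoice", "document"]
EXEC_EXT = (".exe", ".dll", ".js", ".vbs", ".scr", ".lnk", ".bat", ".cmd", ".hta", ".iso", ".img")

def harvest_candidates(subject: str, body: str) -> list:
    """Explicit hints first, then subject tokens, then current year and common list."""
    text, year = subject + "\n" + body, date.today().year
    found = (HINTED.findall(text) + USE_TO_OPEN.findall(text) + re.findall(r"\S{3,}", subject)
             + [str(year), str(year + 1)] + COMMON)
    return list(dict.fromkeys(found))                 # de-duplicate, keep priority order

def scan_attachment(blob: bytes, candidates: list) -> dict:
    """Try each candidate against every member; report what the gateway learned."""
    r = {"encrypted": False, "password": None, "members": {}, "tried": 0}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        r["names"] = [i.filename for i in infos]       # readable without any password
        r["suspicious"] = [n for n in r["names"] if n.lower().endswith(EXEC_EXT)]
        r["encrypted"] = any(i.flag_bits & 0x1 for i in infos)
        for pwd in (candidates if r["encrypted"] else [None]):
            r["tried"] += 1
            try:
                data = {i.filename: zf.read(i, pwd=pwd.encode() if pwd else None) for i in infos}
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue                                # check byte or CRC mismatch: wrong password
            except NotImplementedError:                 # e.g. WinZip AES (method 99)
                r["note"] = "unsupported encryption; hand to 7z or sandbox"; break
            r["password"] = pwd
            r["members"] = {n: {"size": len(d), "magic": d[:2].hex()} for n, d in data.items()}
            break
    r["verdict"] = ("block" if r["suspicious"]                  # the name alone is enough
                    else "quarantine" if r["encrypted"] and r["password"] is None
                    else "scan")                                # plaintext available for AV
    return r

def analyze(subject: str, body: str, attachment: bytes) -> dict:
    candidates = harvest_candidates(subject, body)
    return {"candidates": candidates, "attachment": scan_attachment(attachment, candidates)}

if __name__ == "__main__":
    print(analyze(SUBJECT, *sample_lure("invoice2024")))
    print(analyze(SUBJECT, *sample_lure("xK9#mL2$nP5", disclose=False, member="scan.pdf")))
```

Two things worth noticing when running it. The member names are read before any password is tried, because ZIP (and RAR) encrypt contents but not the archive directory, so an invoice.exe inside is grounds to block on its own. And the second lure, whose password never appears in the body, ends in quarantine after every candidate fails, which is exactly the attacker adaptation the page goes on to describe; a WinZip AES archive (compression method 99) is not readable by zipfile at all and is handed off the same way.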
Attacker Adaptation
Complex Passwords
Move beyond simple passwords:
Password: xK9#mL2$nP5
Password: Invoice-2024-Confidential
Defeats dictionary attacks and common password lists.
Password in Image
βββββββββββββββββββββββ
β [IMAGE] β
β Password: abc123 β
βββββββββββββββββββββββ
Defeats text extraction; requires OCR.
Password in Separate Email
Email 1: "Attachment coming in next email"
Email 2: Attachment without password
Email 3: "Password for previous file: X"
Correlation required across messages.
Password via Different Channel
Email: "Password will be sent via SMS"
SMS: "Your document password: X"
The password never transits email, so the gateway cannot correlate it; only the recipient's phone ever sees it.
Nested Encryption
outer.zip (password: "first")
βββ inner.zip (password: "second")
βββ malware.exe
Multiple layers of protection.
Current State
Status: Active
Password protection remains effective:
| Defensive Capability | Attacker Counter |
|---|---|
| Common password cracking | Use complex passwords |
| Body password extraction | Password in image |
| OCR for images | Password in separate email |
| Block encrypted files | Legitimate use complaints |
Detection Guidance
Email Indicators
Flag emails with:
- Encrypted attachment + password in body
- Archive types commonly abused (.zip, .rar, .7z, often with a nested .iso or .img)
- Password patterns in text or images
- Urgency combined with encryption
User Behavior
Train users to:
- Question why file needs to be encrypted
- Verify sender via known contact method
- Report suspicious password-protected files
- Not open unexpected encrypted attachments
SIEM Queries
email.attachment.encrypted = true
AND email.body MATCHES (password|pass|code|pwd)
AND email.sender.domain NOT IN (trusted_domains)
Endpoint Monitoring
Watch for:
- Archive extraction tools spawning executables
- Recently extracted files being executed
- Extraction to temp directories followed by execution
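The three endpoint signals above combined into one added Python detector (example code, not from the page). It runs over constructed Sysmon-style process-create (EventID 1) and file-create (EventID 11) records; the archiver process names, the scratch-directory prefixes (Temp1_ for Explorer, Rar$ for WinRAR, 7z for 7-Zip) and the five-minute window are assumptions to tune against real telemetry:

```python
"""Endpoint detection of "extract, then execute" chains.
Added example, not code from the original page. Three heuristics over
Sysmon-style process-create (EventID 1) and file-create (EventID 11)
records: (1) an archiver is the parent of a new process, (2) the image
lives in an archiver scratch directory, (3) a file written by an archiver
is executed within EXEC_WINDOW. Field names follow Sysmon, but the events
below are constructed for the example, not real telemetry."""
from datetime import datetime, timedelta

# Interactive archivers (assumed list). explorer.exe handles Windows
# "compressed folders" but parents almost everything, so it only counts as
# a writer (rule 3), where it will also catch plain copies: tune as needed.
ARCHIVERS = {"7zfm.exe", "7zg.exe", "7z.exe", "winrar.exe", "winzip64.exe", "bandizip.exe"}
EXTRACT_WRITERS = ARCHIVERS | {"explorer.exe"}
# Scratch locations used when a file is opened straight out of an archive:
# Explorer (Temp1_<zip>), WinRAR (Rar$...), 7-Zip (7z...). Heuristic prefixes.
SCRATCH_MARKERS = ("\\temp\\temp1_", "\\temp\\rar$", "\\temp\\7z")
EXEC_WINDOW = timedelta(minutes=5)

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_extract_then_execute(events: list) -> list:
    """Return one alert per process-create event that matches any rule."""
    alerts, recent_writes = [], {}          # lower-cased path -> (time, writer)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = _ts(ev["UtcTime"])
        if ev["EventID"] == 11 and _base(ev["Image"]) in EXTRACT_WRITERS:
            recent_writes[ev["TargetFilename"].lower()] = (t, _base(ev["Image"]))
            continue
        if ev["EventID"] != 1:
            continue
        image, parent, reasons = ev["Image"].lower(), _base(ev["ParentImage"]), []
        if parent in ARCHIVERS:
            reasons.append(f"spawned by archiver {parent}")
        if any(m in image for m in SCRATCH_MARKERS):
            reasons.append("image in archiver scratch directory")
        write = recent_writes.get(image)
        if write and t - write[0] <= EXEC_WINDOW:
            age = int((t - write[0]).total_seconds())
            reasons.append(f"file written by {write[1]} {age}s earlier")
        if reasons:
            alerts.append({"time": ev["UtcTime"], "image": ev["Image"], "reasons": reasons})
    return alerts

# Constructed sample telemetry: one benign launch, one double-click inside a
# WinRAR archive, one "Extract All" to Downloads followed by execution.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-01 09:00:00",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2024-03-01 09:05:10",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\Rar$EXa1234.567\invoice.exe"},
    {"EventID": 1, "UtcTime": "2024-03-01 09:05:12",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\Rar$EXa1234.567\invoice.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"EventID": 11, "UtcTime": "2024-03-01 10:00:00",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\invoice\invoice.exe"},
    {"EventID": 1, "UtcTime": "2024-03-01 10:00:40",
     "Image": r"C:\Users\jdoe\Downloads\invoice\invoice.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect_extract_then_execute(SAMPLE_EVENTS):
        print(alert)
```

The WinRAR case trips all three rules at once; the Explorer "Extract All" case is caught only by the write-then-execute correlation, which is why that rule is kept even though explorer.exe as a writer is noisier than the dedicated archivers.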
What Killed It (or Weakened It)
| Defense | Introduced | Impact |
|---|---|---|
| Password Cracking at Gateway | 2019 | SEGs attempt common passwords to scan contents |
| Password Detection in Email Body | 2020 | Extract password from email, use to scan attachment |
| Encrypted Attachment Policies | 2021 | Block or quarantine password-protected files |