Suspicious Email Attachments

How to evaluate email attachments safely and recognize dangerous file types

You got an email with an attachment and you're not sure if it's safe. Good instinct. Email attachments are still one of the most common ways malware gets onto computers. Here's how to evaluate what you're looking at and what to do when you're unsure.

The golden rule

If you weren't expecting the attachment, treat it as suspicious – even if it appears to come from someone you know. Attackers spoof sender addresses constantly, and compromised accounts send malware to everyone in the contact list. When a coworker randomly sends you a file you didn't ask for, verify with them through a separate channel (Slack, phone, in person) before opening it.

High-risk file types to never open

These file types can execute code on your computer the moment you open them. If you receive any of these unexpectedly, delete the email:

  • .exe – A Windows program. There is almost no legitimate reason to email an .exe file
  • .scr – Screensaver file, but actually just a disguised .exe
  • .bat / .cmd – Windows batch scripts that run commands automatically
  • .js / .vbs / .wsf – Script files that can download and install malware
  • .msi – Windows installer package
  • .ps1 – PowerShell script
  • .iso / .img – Disk images that can contain anything, including malware
  • .lnk – Windows shortcut files that can point to malicious commands

Many email providers block some of these file types automatically. If someone claims they need to send you one of these, ask them to use a file-sharing service instead or share the file through your organization's approved tools.

Medium-risk file types to handle carefully

These common file formats are normally safe but can be weaponized:

  • .zip / .rar / .7z – Compressed archives. They're fine in principle, but attackers use them to hide dangerous file types. Before extracting, check what's inside. If the archive contains any high-risk file types, don't extract it. Password-protected zip files in unexpected emails are a major red flag – they're often password-protected specifically to bypass email scanning
  • .pdf – Usually safe in modern PDF readers, but can contain embedded scripts. Keep your PDF reader updated. Open suspicious PDFs in your browser's built-in viewer rather than Adobe Acrobat for an extra layer of safety
  • .docx / .xlsx / .pptx – Modern Office formats are generally safe. The risk comes when they contain macros (see below)
  • .doc / .xls / .ppt – Older Office formats. These are higher risk than their modern counterparts because macros can be embedded more easily
  • .html / .htm – Can redirect you to phishing sites or run scripts in your browser

Macros in Office documents

Macros are small programs embedded in Word, Excel, and PowerPoint files. Legitimate uses exist (automated reports, complex spreadsheets), but attackers love them because they can run code on your computer.

If a document asks you to "Enable Editing" and then "Enable Content" or "Enable Macros":

  • Stop and think. Does this document genuinely need macros? A regular letter, invoice, or report does not
  • Legitimate business documents almost never require you to enable macros to view them
  • If the document claims you need to enable macros "to see the content" or "for security purposes," that's a social engineering trick. Close the file immediately
  • Check with the sender if you're unsure

Microsoft now blocks macros by default in files downloaded from the internet. If you see a yellow bar saying macros have been blocked, leave it blocked unless you've verified the file is legitimate.

How to evaluate an attachment safely

  1. Check the sender: Is this from someone you know? Does the email address (not just the display name) look right? Watch for slight misspellings in the domain
  2. Check the context: Were you expecting this file? Does the email body make sense? Generic messages like "Please see attached" or "Here is the document you requested" with no other context are red flags
  3. Check the file name: Look at the actual extension. Attackers use tricks like invoice.pdf.exe (appears to be a PDF but is actually an executable) or report.docx      .exe (lots of spaces hiding the real extension). If your system hides file extensions, enable them – on Windows, open File Explorer > View > Show > File name extensions
  4. Don't rely on the icon: Malware can use any icon, including PDF or Word icons, regardless of the actual file type
  5. Scan before opening: Right-click the attachment and scan it with your antivirus. This catches known threats but won't catch everything
  6. Open in a safe viewer: For documents, consider opening in Google Docs or your browser's built-in viewer rather than native apps. These strip out macros and scripts automatically
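
For helpdesk or IT staff who triage reported attachments, the file-name check in step 3 and the "check what's inside before extracting" advice for archives can be scripted. The Python below is an added example, not part of the original guide: it lists a zip's members without extracting them and flags high-risk extensions, decoy double extensions, space padding and password-protected entries. The function names, the DECOY set and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# High-risk extensions from the list on this page.
HIGH_RISK = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".wsf",
             ".msi", ".ps1", ".iso", ".img", ".lnk"}
# Harmless-looking extensions used as a decoy before the real one (assumed set).
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}

def check_name(name):
    """Return the reasons a file name looks suspicious (empty list if none)."""
    reasons = []
    # Keep only the last path component; Windows ignores trailing spaces and dots.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return reasons
    ext = "." + ext.strip().lower()
    if ext in HIGH_RISK:
        reasons.append("high-risk extension " + ext)
        inner = "." + stem.rstrip().rpartition(".")[2].lower()
        if inner in DECOY:
            reasons.append("double extension " + inner + ext)
    if "  " in base:
        reasons.append("run of spaces in name")
    return reasons

def inspect_zip(data):
    """List archive members without extracting; return {member: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = check_name(info.filename)
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                reasons.append("password-protected entry")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed sample archive (placeholder contents, nothing executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.pdf", "invoice.pdf.exe", "report.docx      .exe"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample()).items():
        print(repr(member), "->", "; ".join(reasons))
```

Member names in a standard encrypted zip are still readable without the password, which is why the listing works even when the contents cannot be scanned.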

What to do when you're unsure

  • Don't open it. When in doubt, don't
  • Ask the sender through a different channel. Call them, message them on Slack, or ask in person. Don't reply to the email itself – if the account is compromised, the attacker will reply and tell you it's fine
  • Forward to IT if your organization has a security team or helpdesk. They can evaluate the attachment in a sandboxed environment. Many organizations have a dedicated phishing report address
  • Use an online scanner like VirusTotal (virustotal.com) to upload and scan suspicious files. Keep in mind that anything uploaded becomes accessible to security researchers, so don't upload confidential documents

What to do if you already opened a bad attachment

  1. Disconnect from the internet – unplug your ethernet cable or turn off Wi-Fi. This can stop malware from downloading additional payloads or sending your data out
  2. Don't turn off your computer – some malware detection works better while the system is still running
  3. Run a full antivirus scan immediately
  4. Change your passwords from a different, clean device – start with your email, then banking, then other important accounts
  5. Tell IT if you're at work. Don't be embarrassed – reporting quickly limits the damage. IT would much rather know immediately than find out weeks later
  6. Monitor your accounts for unusual activity over the following days

Frequently Asked Questions

My email provider scans attachments – am I safe?

Not completely. Gmail, Outlook, and other providers do scan for known malware, and they catch a lot. But scanning can't detect brand-new (zero-day) threats, and attackers design malware specifically to evade scanners. Email scanning is one layer of protection, not a guarantee.

Someone I know sent me a suspicious attachment. Is their account hacked?

Possibly. Contact them through a different channel (phone, text, in person) to ask if they actually sent it. If they didn't, their email account is likely compromised. They should change their password immediately and enable two-factor authentication.

Are PDF files safe to open?

Modern PDF readers handle most threats well, but PDFs can still contain malicious elements. Keep your PDF reader updated, and consider opening PDFs from unknown senders in your browser's built-in viewer (Chrome and Edge both have one) rather than Adobe Acrobat. Don't click on embedded links in PDFs without checking where they go.

What about files shared through Google Drive or OneDrive links?

Links to cloud-shared files are generally safer than direct attachments because the cloud provider scans them too. But a phishing email can still contain a link to a legitimate-looking but fake sign-in page. Before entering your password on any page you reached through an email link, check the URL in your browser's address bar.

Can a file infect my phone?

It's much harder to infect a phone through an attachment than a computer, especially on iPhone where apps are sandboxed. Android is slightly more vulnerable. That said, phishing documents that trick you into entering credentials work on any device. The social engineering threat is the same regardless of platform.