Can You Get a Virus from Opening an Email?

LastPass | Published August 19, 2024

Email remains the preferred pathway for attackers to compromise corporate networks. It makes sense; given the sheer number of messages sent and received by organizations every day, all it takes for malicious actors to succeed is for one staff member to make a mistake. 

Maybe this means they're the victim of a phishing attack and inadvertently click on a link, or believe the email contains a legitimate attachment. Managers or C-suite members could also be the victims of spear-phishing attacks that see them targeted for their ability to access key data. 

The prevalence and potential impact of email attacks brings up a worrisome question, however: Is it possible for emails to infect devices or compromise networks even if users take no action? Is simply opening an email enough to put businesses at risk? 

We won't bury the lede here: The answer is no. Opening an email isn't enough to infect your device.  

Understanding Email Viruses 

According to the IBM Threat Intelligence Report 2024, attacks involving stolen credentials rose 71% in 2023 compared to 2024. And as noted by the Zscaler ThreatLabz 2024 Phishing Report, there were 745 million more phishing attacks in 2023 than 2022. 

To reduce their total risk, companies need to understand what email viruses are, how they work, and what types are the most common.  

What is an email virus? 

An email virus is any type of malicious code sent with or downloaded by a message. If a link within the email is clicked, it takes users to a secondary site that automatically downloads malicious code such as malware droppers or ransomware tools. 

How do email viruses spread? 

There are two common pathways for email viruses to spread.  

First is via compromise through malware. If a user downloads a malicious attachment, it may contain code that allows it to connect with a command and control (C&C) server and download additional malicious code, which in turn allows the virus to spread. 

Email viruses may also spread by taking control of user accounts. If staff click through to fake "account reset" pages and provide their username and login data, attackers can leverage this data to take control of their accounts. From there, they can send malicious emails to all internal users - and since these messages come from within local firewalls, they're not deemed suspicious by email security tools. 

In addition, users may be more likely to click links or download attachments since messages appear to come from a known source.  

Common types of email viruses 

While there's no limit on the type of viruses that attackers can create and distribute, they often stick to several common types, including: 

  • Direct action: Direct action viruses immediately activate. They may steal and exfiltrate data, deploy ransomware, or take over user accounts.  
  • Boot sector: Boot sector viruses infect device boot processes. When devices are turned off and on again, these viruses activate.  
  • Resident: Resident viruses infect networks but remain in the background. They may be used to conduct reconnaissance or wait until users take a specific action to activate.  
  • Keylogger: Keylogger viruses record keystrokes made by users. This allows attackers to obtain key information such as usernames and passwords.  

Risks Associated with Opening Emails 

While email security continues to improve, there are still potential risks associated with opening an email.  

Can you get a virus from opening an email without clicking or downloading? 

Thankfully, no. 

During the early days of tools such as Microsoft Outlook, however, this was possible. The email program allowed incoming messages to run JavaScript, which meant that simply opening an email was enough to put users at risk. 

Now, email programs render message HTML without executing scripts embedded in it. This prevents code from running without users taking action.

How do email viruses exploit vulnerabilities? 

The primary pathway for viruses to exploit vulnerabilities is via the human instinct to respond. 

In the case of phishing emails that demand immediate action, users are often worried that their passwords have been inadvertently exposed or that they've already taken action that puts corporate resources at risk. When it comes to more targeted attacks, meanwhile, cybercriminals take the time to build rapport, which in turn convinces users that attachments or links are legitimate.  

In many cases, attackers combine human nature with existing software vulnerabilities. For example, if malicious actors are aware of zero-day exploits that affect popular collaboration or productivity tools, they can leverage human helpfulness to gain access, and then download malicious code that targets specific vulnerabilities.  

The dangers of opening suspicious emails 

Simply opening suspicious emails isn't enough to infect devices. 

The act of opening these emails, however, puts users one step closer to compromise. Consider the rise of picture-based attacks. These attacks don't bother with lengthy explanations or urgent warnings. Instead, they display images that appear to be from well-known companies and tell users they could win a prize or get a great deal if they simply click on the image. Once clicked, the image either redirects to a compromised webpage or downloads a malicious attachment.  

When users take this step, attackers effectively have free rein. They can download code in the background, take over user accounts, or simply leave code lying in wait for an opportune moment. Depending on the nature and severity of an email virus, companies may experience network performance problems, discover that data has been exfiltrated, or end up with critical data encrypted and held for ransom.

Protecting Yourself from Email Viruses 

When it comes to email viruses, multi-layered protection is paramount.  

Importance of antivirus software 

Antivirus software is the first line of defense for email security. These software tools scan all incoming emails for potential risks and prevent suspicious emails from ever reaching user inboxes.

Consider a phishing campaign that warns users that their corporate accounts have been compromised and tells them they must take action immediately to solve the issue. Attackers have taken their time on the campaign, creating a sender address that looks almost identical to the company's actual IT provider. 

Antivirus tools can help detect red flags in these emails and delete them before users see them, in turn removing the risk of accidental clicks or intentional actions.  

Best practices for email security 

There are two best practices for email security. 

First, never trust - always verify. Instead of assuming that emails are legitimate, assume the opposite until trust is proven and verified. This best practice helps eliminate the vast majority of email viruses. For example, if a C-suite member gets an email from someone they supposedly met at a business conference, never trusting means either not responding or looking at all email messages as a potential threat. 

The second best practice is reporting. Why? Because more data helps IT security teams and security tools improve the efficacy of their response. Implementing this best practice requires effort from both C-suites and IT teams to create a culture where security is prioritized over speed. Put simply, users should be encouraged to report any suspicious emails, even if their suspicion is limited in scope.  

Even if emails turn out to be legitimate, the only loss is a small amount of time. If, however, emails are malicious, reporting can stop a virus in its tracks.  

How to identify and handle suspicious emails 

There are several key indicators that an email is not what it seems. For example, a user might receive an email from what appears to be their bank.  

The message contains familiar details such as the bank's name, logo, and color scheme. It also claims the user needs to take urgent action by clicking on a link to reset their password.  

Trust your gut and report the email.  
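The indicators described in this article (a sender address that nearly matches a trusted one, urgent password-reset wording, links to untrusted hosts, and a clickable image) can also be checked mechanically. The sketch below is an added example, not LastPass code; the `bank.example` allow-list, the keyword list, the 0.85 similarity cut-off and all function names are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"bank.example"}  # assumption: domains the organisation already trusts
URGENCY = re.compile(r"\b(urgent|immediately|suspended|reset your password)\b", re.I)
SAMPLE = (  # constructed message, not a real capture
    'From: "Bank Support" <alerts@bannk.example>\n'
    "Subject: Urgent: reset your password\nContent-Type: text/html\n\n"
    '<p>Your account is suspended.</p><a href="http://login.bannk.example/reset">'
    '<img src="http://login.bannk.example/logo.png" alt="Bank"></a>\n')

def trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def lookalike(domain):
    # Near-miss of a trusted domain; the 0.85 similarity cut-off is an assumption.
    return not trusted(domain) and any(
        SequenceMatcher(None, domain, d).ratio() >= 0.85 for d in TRUSTED)

class BodyAudit(HTMLParser):
    """Records link hosts and images wrapped in links (picture-based lures)."""
    def __init__(self):
        super().__init__()
        self.hosts, self.image_links, self.in_a = set(), 0, False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a = True
            self.hosts.add((urlsplit(dict(attrs).get("href") or "").hostname or "").lower())
        elif tag == "img" and self.in_a:
            self.image_links += 1
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"

def triage(raw):
    """Return the red flags found in one raw single-part HTML message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    audit = BodyAudit()
    audit.feed(body)
    checks = {
        "lookalike-sender": lookalike(parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()),
        "urgency": bool(URGENCY.search(f"{msg['Subject'] or ''} {body}")),
        "untrusted-link": any(h and not trusted(h) for h in audit.hosts),
        "clickable-image": audit.image_links > 0,
    }
    return [name for name, hit in checks.items() if hit]
```

Calling `triage(SAMPLE)` returns all four flags. The flags are hints for a reviewer or a reporting workflow rather than a verdict, and multipart messages would need their HTML part extracted first.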

Email Security Measures 

Taking proactive security measures can help reduce email risk.  

Scanning email attachments for viruses 

Implementing email scanning tools lets IT teams catch the vast majority of email viruses. Options for scanning include whitelisting specific domains or scanning every email that arrives on business servers, regardless of origin. Teams can specify key characteristics to identify and use threat intelligence tools to prioritize emerging risks. 

Preventing email viruses in corporate environments 

Defending corporate environments means encouraging communication. In much the same way that humans are naturally predisposed to be helpful, we're also inclined to keep quiet if we think we've made a mistake. When it comes to email viruses, however, not speaking up gives attackers the advantage. 

To limit this risk, businesses need to create a policy that clearly lays out what users need to report, how they need to report it, and where these reports go. In addition, they need to ensure they carry out regular email training to give employees the best chance at spotting emails that make it past security tools.  

Email encryption and secure communication 

It's also possible to reduce email risk using encryption and secure communication. 

Email encryption prevents malicious actors from "eavesdropping" on messages in transit and stealing critical details which they could use to create phishing attacks. Wherever possible, emails should be encrypted at rest, in transit, and in use. 

Businesses should also deploy secure communication tools that naturally offer encryption and ensure that if users are sending emails from outside corporate networks, they are protected with solutions such as virtual private networks (VPNs) which obfuscate user locations and actions.  

LastPass Email Security Features 

With LastPass, companies can reduce the risk of virus infection.  

How LastPass protects against email viruses 

With LastPass, companies are better prepared to defend against email viruses. For example, users can set up secondary security alert addresses. This means that if primary addresses are compromised, staff will still receive security alerts about potential compromise, allowing security teams to take action.  

Email security features and benefits 

With LastPass, all user passwords are stored in a secure vault. Only users know their vault password - not even LastPass can access the master password vault. This means that email account compromise won't lead to daisy-chained attacks that infect multiple accounts. 

Integrating LastPass with email clients for enhanced security 

LastPass also integrates with popular email servers such as Google G Suite and Office 365. This makes it possible for users to leverage single-sign-on (SSO) for trusted sites. If emails contain compromised links and users click through, LastPass won't autofill passwords, in turn keeping credentials safe.  

 

Getting the Message: The Importance of Email Security 

Email viruses represent a significant threat vector. If malicious actors can convince users to take action by clicking on links or downloading infected files, the results can be disastrous: Companies may find their networks compromised, their data stolen, or their critical assets encrypted. 

To reduce this risk, effective email security is critical. This starts with a recognition of potential virus types and threat vectors, followed by the creation of protective policy and educational efforts. Email security tools such as virus scanners and password protection round out these efforts to mitigate message issues and keep data safe. 

Keep communications safe and reduce the risk of email compromise - start your LastPass trial today.

FAQ

What happens if I accidentally open a spam email on my iPhone?

If you accidentally open a spam email on your iPhone, you aren’t at risk of compromising your data – unless you click on a link or attachment. Clicking on suspicious links may expose your device to a malware infection.

If the link redirects you to a phishing site and you interact with it, you could also potentially expose your data to cybercriminals. However, it must be noted that simply opening a spam email – without any further interaction – generally presents no immediate danger.

To hide your IP address and prevent scammers from seeing if you’ve opened their email, turn on Mail Privacy Protection on your iPhone.

What should you do if you open an email and accidentally click an unknown or spam email attachment?

If you open an email and accidentally download an unknown attachment, it’s important to act quickly to protect yourself from a malware infection that could compromise your data:

  • First, disconnect from the internet. This stops any malware from spreading to other devices on the network. It also prevents data exfiltration if the link you clicked triggered the installation of a RAT (remote access trojan) on your device.
  • Complete an anti-virus or anti-malware scan.
  • Using a non-compromised device, immediately change all passwords to your accounts. Use a Secure by Design password manager like LastPass to create and store your new login credentials.
  • Back up all important files and photos to a USB drive in case you need to perform a factory reset on your device.
  • Enable advanced MFA options to add an extra layer of security during account logins.
  • Implement a fraud alert with all three consumer credit bureaus and consider signing up for identity theft protection.

Is it safe to open an email in Outlook?

Yes, it’s generally safe to open an email in Outlook. The danger lies in clicking any links or attachments after you open the email -- which could infect your device with trojans or keyloggers.
