Scanners may seem like a relic of the old days–and certainly of the days of working consistently from an office.

But they do exist and they can still be used to transmit information.

Often, scanners get attached to emails–i.e., receive a notification that someone has sent a scanned document to you, as well as the actual document itself. This can be one way to send information.

It can also be used to send malicious files.

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are using scanner notification emails to send malware to end-users.


In this attack, hackers are using spoofed scanner notifications to send malicious files:

  • Vector: Email
  • Type: Malware
  • Techniques: Social Engineering, Malicious attachments
  • Target: Any end-user

Email Example #1

This email spoofs a scanner notification email that would be sent to an end-user when they receive a scanned message. Think about when someone scans over their driver’s license. You may get an email directly from the scanner that allows you to download the file. Though much less common in the work-from-home era, it’s not unheard of. (You might find it more in a personal capacity, such as sending over an insurance card via your phone scanner.) Regardless, someone receiving this may think it’s legitimate, since it’s something that does happen. In this email, the subject line says “Commission Receipt”, an email of high interest that is likely to be clicked. This is where the social engineering component comes into play. End-users see something of high-value–i.e., their next paycheck–and might click without thinking twice. That is where the hackers are hoping they can get a quick win. Even if the user doesn’t expect to see an email from a scanner, they will look at the convincing subject and click.  The file, attached as a .htm file, is, in fact, malicious, as analyzed by Check Point Research. 

Email Example #2


This file, once analyzed by Check Point, is shown to be a malicious trojan. The confidence in that decision is high, especially since it’s a piece of well-known malware. As a Trojan, the file would attempt to take over the end-user’s computer. 


Scanners are not used like they once used to be.

But leveraging a compelling headline–in this case, “Commission receipt”--it might be enough to get the end-user to ignore the sender address and instead look at that receipt.

If the end-user does that and opens the .htm file, they’ll be in trouble. 

When clicking on the file, this piece of well-known malware is a Trojan, which will work in the background to take over the recipient’s computer.

Though the email appears benign, it underscores the importance of analyzing all files upon downloading. By scanning attachments for malicious content, users can feel more confident that the attachment is actually safe. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always look at the sender address
  • Be cautious when downloading .HTM files, as they can be used for malicious content
  • If ever unsure about an email, ask the original sender