One of the most pernicious computer viruses in history was called Nimda. Though it propagated in many ways, it specialized in spreading via an email attachment.

As 20 percent of malware attacks are launched via email attachments, the popularity of Nimda-like viruses will continue to rise. 

Starting in October of 2021, Avanan observed an attack in which the attacker attaches a phishing email to a traditional, clean email. In this attack brief, Avanan will analyze this company’s most recent discovery of a new malicious email attack, which has targeted thousands of users and has bypassed traditional scanners. 


In this attack, hackers are attaching a malicious .eml file to an otherwise clean email.

  • Vector: Email
  • Type: Credential Harvesting
  • Technique: Email to .eml
  • Payload: Malicious .eml file
  • Target:  Any end-user



In this email, hackers attach a malicious .eml file to a traditional, clean email. The email itself has no malicious links, and though it can be seen by some experienced users as what looks like an invoice fraud attack, it’s not instantly apparent. The content of the email bypasses most scanners.

Attached to the email is a .eml file. The file is a rendering of an email notification on a webpage. On the page is a link to a document. 

When you open that document, it leads the user to a credential harvesting page. 

Email Example
The first part of the attack starts with an email. The email text itself is clean. Though there are hallmarks of an invoice-based attack, it’s not inherently noticeable. Because of that, the text of the email doesn’t necessarily tip-off scanners into thinking something is off. However, below the text is the .eml file.

The email text is clean, but the .eml file is not. 


Email Example #2

When clicking on the .eml file, this webpage opens. It purports to be a notification for a PDF. End-users will think it’s the attachment referred to in the email. It instructs users to click on the link to view the document. 

Clicking on the .eml file leads to this page. 


Email Example #3
The last step of the scam is this credential harvesting page. This is meant to act as the final step before getting into the document. In reality, it’s just a way to steal the user’s credentials.

The final step of the attack is to have users enter their credentials.


This attack bypasses the existing email scanner because the text itself is clean; only the file is malicious. If the email security solution doesn’t scan for malware, or if it only does a cursory scan, then the credential harvesting page won’t get picked up. 

Best Practices: Guidance and Recommendations
In order to guard against these attacks, security professionals can do the following:

  • An email security solution must scan every message and file for malware to ensure that nothing slips through the cracks
  • End-users should be educated on what standard invoices will look like, in order not to click in the first place
  • Implement a multi-tiered security architecture that relies on more than one factor to block email

Subscribe to Our Attack Briefs for More Research