Remark on EML Attachments
Last Updated: 2019-11-02 11:33:48 UTC
by Didier Stevens (Version: 1)
Jan Kopriva's interesting diary entry "EML attachments in O365 - a recipe for phishing" reminded me of another use of EML files for malicious purposes.
EML files are MIME (Multipurpose Internet Mail Extensions) files. But this format is not only used for email messages: Microsoft Word also supports it for saving Word documents (including VBA macros). In the SaveAs dialog box, these files are identified as "Single File Web Page", with extension .mht or .mhtml.
And this is the content of a .mht file:
Malicious document authors started using this format in 2015, and soon after they began using simple obfuscation techniques to evade detection.
I join Jan in advising caution with EML files, and by extension, MIME files.
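As an added illustration (not code from this diary), the following Python example triages a MIME file, whether named .eml, .mht or .mhtml, for an embedded Office macro container. It relies on a detail not stated above: Word stores the VBA project of an MHT document in a base64 part (typically named editdata.mso) that begins with the marker "ActiveMime", followed by zlib-compressed OLE data. The sample message, its boundary and its paths are constructed.

```python
import base64
import email
import zlib

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature
ACTIVEMIME_MAGIC = b"ActiveMime"               # marker at the start of an .mso part

def build_sample() -> bytes:
    """Constructed sample: minimal MHT-like MIME message with one ActiveMime part."""
    fake_ole = OLE_MAGIC + b"\x00" * 64        # stands in for a real VBA project
    mso = ACTIVEMIME_MAGIC + b"\x00" * 40 + zlib.compress(fake_ole)
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_Constructed"\r\n\r\n'
        "------=_Constructed\r\n"
        "Content-Location: file:///C:/sample/doc.htm\r\n"
        "Content-Type: text/html\r\n\r\n<html><body>hello</body></html>\r\n"
        "------=_Constructed\r\n"
        "Content-Location: file:///C:/sample/doc_files/editdata.mso\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Type: application/x-mso\r\n\r\n"
        f"{base64.b64encode(mso).decode()}\r\n"
        "------=_Constructed--\r\n"
    ).encode()

def triage(raw: bytes) -> list[dict]:
    """Return one finding per MIME part whose decoded body is an ActiveMime blob."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        if not data.startswith(ACTIVEMIME_MAGIC):
            continue
        has_ole, idx = False, data.find(b"\x78")      # 0x78 opens a zlib stream
        while idx != -1 and not has_ole:
            try:
                # Only 8 output bytes are needed, which also bounds decompression.
                head = zlib.decompressobj().decompress(data[idx:], 8)
                has_ole = head.startswith(OLE_MAGIC)
            except zlib.error:
                pass                                   # not a zlib stream at this offset
            idx = data.find(b"\x78", idx + 1)
        findings.append({"location": part.get("Content-Location", ""),
                         "content_type": part.get_content_type(),
                         "embedded_ole": has_ole})
    return findings

if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit means the file carries an Office macro container regardless of its extension; the check keys on decoded content, so it does not depend on the part name or declared content type.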