How to Reduce Phishing Emails with Malicious Attachments Reaching User Inboxes
Why This Matters
You're here because someone opened an invoice that turned out to be ransomware, or a user downloaded a "document" that was actually a weaponized macro, or your finance team received what looked like a legitimate supplier document that installed remote access tools. Malicious attachments exploit trust. Users expect documents, invoices, and contracts via email.
The business impact is immediate compromise. Attackers use weaponized Office documents (macros, exploits), password-protected archives (to evade scanners), executable files disguised as PDFs, and increasingly, legitimate file types with embedded exploits (like SVG files with JavaScript or specially crafted PDF documents). When these bypass filters, you're looking at ransomware deployment, credential theft, or lateral movement across your environment.
Google Workspace's attachment scanning catches known threats but has critical gaps. Basic malware detection relies on signature matching. New or polymorphic malware bypasses it. Password-protected files can't be scanned until unpacked. Legitimate file types weaponized with zero-day exploits aren't caught until Google's threat database updates. Enterprise Plus adds Security Sandbox for virtual environment analysis, but it's not applied to all attachments, and detection depends on behavioral heuristics that sophisticated malware can evade. This guide shows you what works, where the gaps are, and what compensating controls you'll need.
Quick Assessment
Answer these questions to assess your current risk:
Is basic attachment scanning enabled?
- Where to check: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Attachments")
- What to look for: "Protect against attachments with scripts from untrusted senders" should show "On" status
- Why it matters: Without this, executable attachments and scripted files bypass all protections
Are encrypted or password-protected attachments blocked from external senders?
- Where to check: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Attachments")
- What to look for: "Protect against encrypted attachments from untrusted senders" should be enabled
- Why it matters: Password-protected ZIPs are the most common method to bypass attachment scanners. Attackers include the password in the email body
Do you have Security Sandbox enabled (Enterprise Plus only)?
- Where to check: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Enhanced malware and phishing protection")
- What to look for: "Security Sandbox" should show "On" status for your license tier
- Why it matters: This opens suspicious attachments in a virtual environment to detect malicious behavior before delivery. Without it, zero-day exploits pass through
Are users reporting suspicious attachments or ransomware incidents?
- Where to check: Admin Console → Security → Dashboard → Email (scroll to "Malware detections") and check IT helpdesk tickets
- What to look for: Spikes in malware detections or user reports of "file won't open" followed by strange system behavior
- Why it matters: User reports indicate attachments are bypassing filters or users are ignoring warnings
What file types are commonly blocked by your current rules?
- Where to check: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Attachments") → Review "Protect against attachments with scripts"
- What to look for: Default protections block .exe, .com, .scr, .bat, .cmd, .vbs, and similar, but not all dangerous file types
- Why it matters: Attackers use less-obvious file types like .iso, .img, .svg, .lnk, .hta, .jar to bypass default blocks
Available Controls
Google Workspace provides these native controls for attachment protection:
| Control | Business Starter | Business Standard/Plus | Enterprise Standard/Plus | Notes |
|---|---|---|---|---|
| Basic attachment scanning | ✓ | ✓ | ✓ | Signature-based detection, does not catch zero-day or polymorphic malware |
| Block executable attachments | ✓ | ✓ | ✓ | Blocks .exe, .bat, .cmd, .scr, .vbs, .com, and similar, but not all dangerous types |
| Block encrypted attachments (external) | ✗ | ✓ | ✓ | Blocks password-protected files from unknown senders, reduces scanner evasion |
| Security Sandbox | ✗ | ✗ | ✓ (Plus only) | Opens attachments in virtual environment, analyzes behavior, adds 5-10 min delivery delay |
| Custom attachment rules | ✗ | Partial | ✓ | Can block specific file extensions or patterns (e.g., double extensions like .pdf.exe) |
| Attachment type allow/deny lists | ✗ | ✓ | ✓ | Block by MIME type or file extension, requires manual curation |
Key Limitations:
- Password-protected files with passwords in the email body cannot be automatically unpacked and scanned. If enabled, they're blocked entirely. You can't "scan then allow."
- Zero-day exploits in legitimate file types (weaponized PDFs, Office documents, SVG files) bypass signature-based detection until added to Google's threat database.
- Polymorphic malware (code that changes with each download) evades signature matching. Security Sandbox helps but isn't foolproof.
- Macros in Office documents are not automatically disabled or sandboxed. Users can enable macros on download, bypassing protections.
- Cloud-delivered malware (attachments linking to external downloads rather than embedding malicious code) bypasses attachment scanning entirely. This is an increasingly common technique.
- Archives with benign + malicious files (e.g., a .zip containing a legitimate PDF and a hidden .exe) may pass scanning if the scanner only inspects the first file.
If you're on Business Starter, you're limited to basic signature-based scanning and executable blocking. No encrypted attachment protection or behavioral analysis. Upgrading to Business Standard/Plus unlocks encrypted attachment blocking. Enterprise Plus adds Security Sandbox, but it introduces delivery delays and isn't applied to all attachments (Google uses risk scoring to determine which to sandbox).
Implementation Guide
Phase 1: Quick Wins (< 1 hour)
These changes are safe, reversible, and provide immediate protection against common attachment-based attacks.
1. Enable protection against scripted attachments
- Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Attachments")
- Setting: "Protect against attachments with scripts from untrusted senders"
- Recommended value: Enabled for all users
- Impact: Blocks executable attachments (.exe, .bat, .cmd, .scr, .vbs, .com, .js, .jar, and similar scripted file types) from external senders
- Rollback: Disable for specific OUs if legitimate vendors send scripted files (rare; this should stay enabled)
- Testing: Send a test email with a .bat file from an external account. It should be quarantined with a "suspicious attachment" notification
- What might break: Virtually nothing. Legitimate businesses don't send executable files via email. If a vendor does, they should use secure file-sharing links instead.
2. Enable protection against encrypted attachments from external senders
- Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Attachments")
- Setting: "Protect against encrypted attachments from untrusted senders"
- Recommended value: Enabled (checkbox on)
- Impact: Blocks password-protected ZIP files, encrypted RAR archives, and similar from external senders (including when the password is provided in the email body)
- Rollback: Disable if false positives exceed 10% of quarantined messages (check email log search after 48 hours)
- Testing: Send a test email with a password-protected ZIP from an external account. It should be quarantined
- What might break: Vendors sending sensitive documents in encrypted archives will need to use secure file-sharing links (Google Drive, Dropbox, OneDrive)
3. Enable Security Sandbox (if available on Enterprise Plus)
- Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Enhanced malware and phishing protection")
- Setting: "Security Sandbox"
- Recommended value: Enabled for all users or a pilot group first
- Impact: Suspicious attachments are opened in a virtual environment to detect malicious behavior (e.g., attempting to download additional malware, creating scheduled tasks, modifying registry keys). Adds 5-10 minute delivery delay for sandboxed attachments.
- Rollback: Disable for specific OUs if delivery delays are unacceptable (e.g., time-sensitive finance or legal workflows)
- Testing: Send a test email with an EICAR test file (standard malware test sample) or a weaponized Office document from a phishing simulation tool. It should be quarantined after sandbox analysis
- Constraints: Not all attachments are sandboxed. Google uses risk scoring (sender reputation, file type, content analysis) to decide. You can't force all attachments to be sandboxed.
- Delivery delay impact: Finance teams expecting urgent wire transfer approvals or legal teams with time-sensitive contract reviews may escalate complaints if legitimate attachments are delayed.
4. Enable anomaly detection for attachments
- Path: Admin Console → Apps → Google Workspace → Gmail → Safety (scroll to "Spoofing and authentication")
- Setting: "Protect against inbound emails spoofing your domain" → Check "Apply future recommended settings automatically"
- Recommended value: Enabled
- Impact: Google applies machine learning models to detect unusual attachment patterns (e.g., first-time senders with executable attachments, domain impersonation with invoices)
- Rollback: Disable to manually control detection rules
- Testing: No immediate change. This is forward-looking and adaptive
- Constraints: You lose control over when new detection heuristics are applied. If a new model causes false positives, you'll need to react instead of proactively testing.
Phase 2: Configuration Hardening (1-4 hours)
These changes require testing and may disrupt legitimate workflows. Pilot with a small group first.
5. Create custom rules to block high-risk attachment file types
- Path: Admin Console → Apps → Google Workspace → Gmail → Compliance (or "Advanced settings" depending on interface version)
- Setting: "Attachment compliance" → Add rule
- Rule configuration:
- Name: "Block high-risk attachment types"
- Condition: "If ANY of the following match the message"
- "Has attachments with these file types": Enter file extensions separated by commas: .iso, .img, .vhd, .dmg (disk image files, used to bypass executable blocks), .lnk (Windows shortcut files, can execute commands), .hta (HTML application files, execute as trusted), .svg (scalable vector graphics, can contain JavaScript), .chm (compiled HTML help files, can execute code), .scf (Windows Explorer command files), .inf (Windows setup information files)
- Action: "Quarantine message" and "Notify admin" (optional)
- Impact: Blocks less-common file types attackers use to evade default executable protections
- Rollback: Edit rule to remove file types causing false positives or disable entirely
- Testing: Send test emails with each file type to verify rule triggers
- What might break: Software vendors occasionally send .iso files for installation media. Graphic designers may send .svg files. Document a process for users to request allowlisting of specific senders.
6. Create custom rules to flag double-extension attachments
- Path: Admin Console → Apps → Google Workspace → Gmail → Compliance
- Setting: "Attachment compliance" → Add rule
- Rule configuration:
- Name: "Flag double-extension attachments"
- Condition: "If ANY of the following match the message"
- "Has attachments with these file types": .pdf.exe, .doc.exe, .xls.exe, .jpg.exe, .png.exe
- Action: "Quarantine message" and "Notify admin"
- Impact: Blocks a common social engineering technique where attackers name files like invoice.pdf.exe to trick users (Windows hides .exe by default)
- Rollback: Disable rule
- Testing: Send a test email with a .pdf.exe file. It should be quarantined
- What might break: Virtually nothing. Double extensions are almost exclusively used for malicious purposes
7. Create custom rules to warn on Office documents with macros from external senders
- Path: Admin Console → Apps → Google Workspace → Gmail → Compliance
- Setting: "Content compliance" → Add rule (Note: Google Workspace does not natively detect macros. This is a workaround)
- Rule configuration:
- Name: "Warn on Office macro files"
- Condition: "If ALL of the following match the message"
- "Sender is external"
- "Has attachments with these file types": .docm, .xlsm, .pptm, .dotm, .xltm, .potm (macro-enabled Office formats)
- Action: "Modify message" → "Add X-Gm-Spam header" (value: 1) → This flags the message as potential spam, adding a warning banner
- Impact: Users see a warning when opening macro-enabled Office files from external senders
- Rollback: Edit rule to change action to "Prepend custom subject" instead of spam header, or disable
- Testing: Send a test email with a .docm file from an external account. It should display a warning banner
- What might break: Vendors sending legitimate macro-enabled templates (e.g., Excel invoice templates) will trigger warnings. Finance and accounting teams may request allowlisting.
8. Restrict attachment types for specific high-risk groups (finance, HR, exec assistants)
- Path: Admin Console → Apps → Google Workspace → Gmail → Compliance
- Setting: "Attachment compliance" → Add rule with OU targeting
- Rule configuration:
- Name: "Finance team - block all executable types"
- Organizational units: Finance OU only
- Condition: "Has attachments with these file types": .exe, .bat, .cmd, .scr, .vbs, .com, .js, .jar, .iso, .img, .lnk, .hta, .svg, .chm, .docm, .xlsm, .pptm
- Action: "Quarantine message" and "Notify user and admin"
- Impact: Finance, HR, and exec teams are highest-value targets. Apply stricter attachment policies to reduce blast radius
- Rollback: Adjust file type list or disable for specific users via exceptions
- Testing: Send test emails with blocked file types to finance users. Should be quarantined with user notification
- What might break: Finance teams receiving legitimate vendor files will need to request allowlisting or use alternate delivery methods
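The filename rules in steps 1, 5, 6, 7 and 8 above, written out as an attachment triage function you can run over a captured attachment before tuning the Admin Console rules. This is an added example, not Google's code or the Admin Console's matching engine: the extension lists are taken from the steps above, the assumed DOC_EXTS set generalises the double-extension rule to any document-looking extension hiding an executable one, and the ZIP checks (encryption flag, vbaProject.bin, every archive member rather than only the first) go beyond what the extension-based rules can express. Whether the sender is external and which OU the recipient is in are assumed to be supplied by the caller; all samples are constructed in memory.

```python
import io
import zipfile

# Extension lists from the steps above; DOC_EXTS is an assumed document-looking set for double extensions.
EXEC_EXTS = {"exe", "bat", "cmd", "scr", "vbs", "com", "js", "jar"}
HIGH_RISK_EXTS = {"iso", "img", "vhd", "dmg", "lnk", "hta", "svg", "chm", "scf", "inf"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
RANK = {"allow": 0, "warn": 1, "quarantine": 2}

def classify_name(filename, external=True, ou="default"):
    """Filename rules (steps 1, 5, 6, 7, 8): returns (action, reason)."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    # Step 6, generalised: any document-looking extension hiding an executable one.
    if len(exts) >= 2 and last in EXEC_EXTS and exts[-2] in DOC_EXTS:
        return "quarantine", f"double extension .{exts[-2]}.{last}"
    if last in EXEC_EXTS and (external or ou == "finance"):   # steps 1 and 8
        return "quarantine", f"executable .{last}"
    if last in HIGH_RISK_EXTS:                                 # step 5
        return "quarantine", f"high-risk type .{last}"
    if last in MACRO_EXTS and external:                        # step 7; finance OU is stricter (step 8)
        return ("quarantine" if ou == "finance" else "warn"), f"macro-enabled .{last}"
    return "allow", "no rule matched"

def inspect_zip(data, external=True, ou="default"):
    """Content checks on a ZIP container: encryption flag, VBA project, every member's name."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:            # general-purpose bit 0: member is encrypted
                    findings.append(("quarantine", f"encrypted member {info.filename}"))
                if info.filename in VBA_PARTS:      # OOXML macro project, whatever the extension says
                    findings.append(("quarantine", "contains vbaProject.bin"))
                action, reason = classify_name(info.filename, external, ou)
                if action != "allow":               # check every member, not only the first
                    findings.append((action, f"member {info.filename}: {reason}"))
    except zipfile.BadZipFile:                      # a scanner that cannot parse it must not pass it
        findings.append(("quarantine", "unreadable ZIP container"))
    return findings

def triage(filename, data=b"", external=True, ou="default"):
    findings = [classify_name(filename, external, ou)]
    if data[:2] == b"PK":                           # ZIP-based: .zip, .docx, .xlsm, ...
        findings += inspect_zip(data, external, ou)
    return max(findings, key=lambda f: RANK[f[0]])  # the most severe finding wins

# Constructed samples (no real malware), built in memory so the example runs offline.
def _zip_of(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def _mark_encrypted(zip_bytes):  # fixture only: set the encryption flag bit, no real crypto
    b = bytearray(zip_bytes)
    lh, cd = b.index(b"PK\x03\x04"), b.index(b"PK\x01\x02")
    b[lh + 6:lh + 8] = b[cd + 8:cd + 10] = b"\x01\x00"   # local header and central directory flags
    return bytes(b)

SAMPLES = {
    "report.zip": _zip_of({"report.pdf": b"%PDF-1.4", "update.exe": b"MZ"}),
    "quote.docx": _zip_of({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
    "docs.zip": _mark_encrypted(_zip_of({"contract.pdf": b"%PDF-1.4"})),
}
```

A "warn" result corresponds to the spam-header action in step 7; "quarantine" to the quarantine actions in the other steps.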
Phase 3: Ongoing Monitoring
9. Review quarantined attachments weekly
- Path: Admin Console → Reports → Email log search
- What to check: Search for messages quarantined with "malware" disposition. Review a sample for false positives (legitimate files incorrectly flagged).
- Action: If false positive rate exceeds 5%, adjust custom rules or create sender allowlists.
- Frequency: Weekly for first month, then monthly
10. Monitor Security Sandbox detections (Enterprise Plus only)
- Path: Admin Console → Security → Dashboard → Email (scroll to "Malware detections" → Filter by "Security Sandbox")
- What to check: Track how many attachments are being sandboxed and what percentage are detected as malicious
- Action: If detection rate is <5%, sandbox may not be analyzing the file types you care about. Review quarantined messages to identify gaps.
- Frequency: Weekly for first month, then monthly
11. Track user-reported suspicious attachments
- Path: Admin Console → Security → Dashboard → Email (scroll to "User-reported spam")
- What to check: Look for reports mentioning "attachment," "file won't open," "macro," or "invoice"
- Action: If users are reporting attachments bypassing filters, document the file type and sender pattern. Update custom rules.
- Frequency: Weekly
12. Test phishing simulations with weaponized attachments
- Where: Use a phishing simulation tool (e.g., Gophish, KnowBe4, or similar)
- What to test:
- Send test emails with EICAR test files (standard malware test sample)
- Send test emails with password-protected ZIPs (password in body)
- Send test emails with macro-enabled Office documents
- Send test emails with double-extension attachments (.pdf.exe)
- Action: Measure what percentage reaches inboxes. If >20% bypass filters, escalate the gap to leadership and evaluate additional security investments.
- Frequency: Quarterly
Tradeoffs & Constraints
False Positive Risk:
- Blocking encrypted attachments will disrupt legitimate vendor communications. Suppliers sending contracts, invoices, or sensitive documents in password-protected files will need alternate delivery methods (secure file-sharing links). Expect pushback from finance, legal, and procurement teams.
- Blocking high-risk file types (.iso, .svg, .lnk) may impact software vendors, graphic designers, or IT teams sending installation media or design files. Document a process for requesting sender allowlisting.
- Macro-enabled Office file warnings will flag legitimate templates sent by accountants, consultants, or vendors. Finance and accounting teams will need training to differentiate benign from malicious macros.
User Experience Impact:
- Security Sandbox delivery delays (5-10 minutes for analyzed attachments) will frustrate users expecting time-sensitive documents. Finance teams with wire transfer workflows and legal teams with contract deadlines will escalate complaints.
- Quarantined attachment notifications create friction. Users may perceive security as "blocking everything" if false positives aren't quickly addressed. Set expectations: 3-5% false positive rate is normal and acceptable.
License Dependencies:
- Business Starter users: You're limited to basic signature-based scanning and executable blocking. No encrypted attachment protection or behavioral analysis. Upgrade to Business Standard/Plus for encrypted attachment blocking.
- Enterprise Plus only: Security Sandbox is critical for zero-day and polymorphic malware detection. Without it, you're relying entirely on signature matching, which fails against new or custom-built malware.
Maintenance Overhead:
- Custom attachment rules require ongoing updates. Attackers rotate file types and naming conventions. Expect to spend 2-3 hours/month reviewing quarantined attachments and adjusting rules.
- Allowlists for legitimate senders (vendors sending blocked file types) require manual curation. Finance and legal teams will submit requests weekly during the first month of implementation.
- False positive triage is ongoing. Allocate time for helpdesk or security team to review user complaints and release quarantined messages within 2-4 hours.
Limitations of Native Controls:
- Macros are not automatically disabled in downloaded Office documents. Users can enable macros after download, bypassing all protections. Google Workspace does not sandbox or block macro execution post-download.
- Cloud-delivered malware (attachments linking to external downloads rather than embedding malicious code) bypasses attachment scanning entirely. Example: Email says "Download your invoice here" with a link to a compromised website hosting malware.
- Archive bombs (e.g., ZIP files containing nested archives that expand to terabytes) can crash scanners, allowing malicious payloads to pass through unscanned.
- Steganography (malware hidden in image or audio files) is not detected by standard attachment scanning. This is a rare but sophisticated technique.
- Fileless malware (exploits that run in memory without writing to disk) bypasses attachment-based protections entirely. This requires endpoint detection and response (EDR) solutions, not email security controls.
Validation & Monitoring
Immediate Validation (First 24 Hours)
- Executable attachment blocking: Send a test email with a .bat file from an external account. It should be quarantined with a "suspicious attachment" notification.
- Encrypted attachment blocking: Send a test email with a password-protected ZIP from an external account. It should be quarantined.
- Security Sandbox (Enterprise Plus): Send a test email with an EICAR test file. It should be quarantined after sandbox analysis (expect 5-10 minute delay).
- Custom attachment rules: Send test emails matching your rule conditions (e.g., .iso file, .pdf.exe double extension). Verify the action triggers (quarantine or subject line modification).
Ongoing Monitoring
- Weekly (first month): Check email log search for quarantined attachments. Review a sample for false positives. Document patterns.
- Weekly (first month): Review Security Sandbox detections (Enterprise Plus only). Track detection rate and delivery delays.
- Weekly (first month): Review user-reported suspicious attachments in Security Dashboard. Look for file types bypassing filters.
- Quarterly (ongoing): Run phishing simulations with weaponized attachments. Measure bypass rate.
Success Metrics
After 30 days of full implementation, you should see:
- Attachment scanning effectiveness: >80% of test malicious attachments caught by filters (check via simulation)
- Security Sandbox detection rate (Enterprise Plus only): >50% of sandboxed attachments flagged as malicious (indicates proper risk scoring and analysis)
- False positive rate: <5% of legitimate attachments incorrectly quarantined (check email log search and user complaints)
- User-reported attachment incidents: Decreasing trend (indicates filters are working, users trust the system)
- Average time to release quarantined false positives: <4 hours during business hours (indicates responsive helpdesk triage)
If your bypass rate for weaponized attachments is >20% after implementing all controls, native Google Workspace protections are insufficient. Document the gap, assess threat likelihood for your organization (are users receiving weaponized Office documents? Ransomware campaigns?), and evaluate whether additional security investments (third-party email security, endpoint detection and response) are warranted.
Related Resources
- Protect against malicious attachments - Google Workspace Admin Help
- Enhanced malware and phishing protection with Security Sandbox - Google Workspace Admin Help
- Set up rules for attachment compliance - Google Workspace Admin Help
- Block file types in Gmail - Google Workspace Admin Help
- Advanced phishing and malware protection - Google Workspace Admin Help