How to Detect an Attachment with a Double Extension
Receiving a file called invoice.pdf.exe should set off every alarm. The double extension technique is one of the oldest and most effective tricks attackers use to disguise executable files as harmless documents.

What is a double extension?
A file with a double extension has two extensions separated by a dot, for example:
- report.docx.exe
- vacation_photo.jpg.scr
- march_invoice.pdf.bat

The operating system executes the file based on the last extension. So invoice.pdf.exe is not a PDF; it's an executable. But many systems hide known extensions by default, so the user only sees invoice.pdf and believes it's a safe document.
Why is it dangerous?
When you open an .exe, .bat, .scr, or .cmd file, you're giving the program permission to run on your computer. That means it could:
- Install malware or ransomware
- Steal stored passwords
- Open a backdoor for the attacker
- Encrypt your files and demand a ransom
All of this happens with a single double-click on what appeared to be a simple document.
Dangerous extensions you should know
These are some of the extensions that pose a real risk when they arrive as email attachments:
| Extension | Type |
|---|---|
| .exe | Windows executable |
| .bat, .cmd | Command-line scripts |
| .scr | Screen saver (executable) |
| .pif | Program information file |
| .msi | Windows installer |
| .ps1 | PowerShell script |
| .js, .vbs | Scripts the system can execute |
| .lnk | Shortcut (can point to any command) |
| .iso | Disk image (can mount executable content) |
| .jar | Java executable |
How to detect the trick manually
- Enable extension display in your operating system. On Windows: File Explorer > View > check "File name extensions."
- Read the full filename before opening it. If you see two dots in the name (e.g., file.pdf.exe), be suspicious.
- Be wary of unexpected files, even from known contacts. Compromised accounts send malicious attachments.
How BrisaMail handles it
BrisaMail automatically analyzes every attachment when you open a message. When it detects a file with a double extension where the real extension is dangerous, it displays a clear alert:
- Identifies the apparent extension (the one the attacker wants you to see, like .pdf) and the real extension (the one the system would execute, like .exe).
- Classifies the threat as dangerous and displays a red banner in the message view.
- Blocks the download by default, requiring the user to make a conscious decision before accessing the file.
This analysis doesn't just apply to standalone files: BrisaMail also inspects the contents of ZIP and RAR files to detect disguised executables inside compressed archives.
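The check described above, written out as an added example (this is not BrisaMail's code): it reports the apparent and real extension of a filename and applies the same test to the member names of a ZIP archive. The DECOY set, the function names and the sample archive are assumptions constructed for the example; RAR and nested archives are not handled.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Dangerous "real" extensions, taken from the table in this article.
DANGEROUS = {".exe", ".bat", ".cmd", ".scr", ".pif", ".msi",
             ".ps1", ".js", ".vbs", ".lnk", ".iso", ".jar"}
# Assumption: extensions that count as a harmless-looking "apparent" type.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}

def check_name(name):
    """Return (apparent, real) for a disguised executable, else None."""
    # Keep only the final path component; Windows ignores trailing dots/spaces.
    base = PurePosixPath(name.replace("\\", "/")).name.rstrip(". ").lower()
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 3:          # need name + apparent ext + real ext
        return None
    apparent, real = "." + parts[-2], "." + parts[-1]
    if real in DANGEROUS and apparent in DECOY:
        return apparent, real
    return None

def scan_attachment(filename, data):
    """Check the attachment name and, for ZIP data, every member name."""
    findings = []
    hit = check_name(filename)
    if hit:
        findings.append((filename, *hit))
    if zipfile.is_zipfile(io.BytesIO(data)):
        # namelist() reads the central directory only; nothing is extracted.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hit = check_name(member)
                if hit:
                    findings.append((f"{filename}!{member}", *hit))
    return findings

def sample_zip():
    """Constructed sample: in-memory ZIP with one disguised, one benign member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/march_invoice.pdf.bat", b"placeholder")
        zf.writestr("docs/readme.txt", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, data in [("invoice.pdf.exe", b""), ("photos.zip", sample_zip())]:
        print(name, "->", scan_attachment(name, data))
```

Requiring the second-to-last segment to be a known document type keeps versioned names such as setup.v1.2.exe from being flagged as double extensions.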
Conclusion
Double extensions are a simple yet surprisingly effective technique. The best defense is a combination of user education and tools that automate detection. No matter how experienced you are, a good email client should warn you before you make a mistake.