How to Inspect a ZIP File Before Opening It
Compressed files are a convenient way to send multiple documents in a single attachment. But they're also an attacker's favorite hiding spot for evading security filters and delivering malicious executables straight to your inbox.
Why do attackers use ZIP files?
Compressed files offer several advantages for an attacker:
- They hide the real content: many email filters analyze attachments by their extension. A `.zip` passes checks that an `.exe` wouldn't.
- Password protection: an encrypted ZIP prevents the mail server's security scanners from inspecting its contents. The attacker includes the password in the message body.
- False sense of security: the user assumes that if the email passed filters, the content must be safe.
- Disguised files: inside the ZIP, files can use double extensions (`invoice.pdf.exe`) or other tricks.
What can hide inside a ZIP?
- Disguised executables: files like `document.pdf.exe` that look like documents but are programs
- Malicious scripts: `.bat`, `.cmd`, `.ps1`, `.vbs`, or `.js` files that execute commands on your system
- Documents with macros: `.docm` or `.xlsm` files with malicious macros
- Malicious shortcuts: `.lnk` files that execute commands when opened
- Disk images: `.iso` files that mount executable content
How to inspect a ZIP manually
On Windows
- Right-click the ZIP file
- Select "Open with" > "Windows Explorer" (don't extract it yet)
- Review the names and extensions of all contained files
- Enable extension display: View > File name extensions
On Linux
```bash
# List contents without extracting
unzip -l archive.zip
# For RAR files
unrar l archive.rar
```
On macOS
```bash
# List contents without extracting
zipinfo archive.zip
```
What to look for
- Files with double extensions (`name.pdf.exe`)
- Executable extensions (`.exe`, `.bat`, `.cmd`, `.scr`, `.ps1`, `.js`, `.vbs`)
- `.lnk` files (shortcuts)
- A single file inside the ZIP that's an executable (compression makes no sense for a single file, unless it's to evade filters)
How BrisaMail handles it
BrisaMail doesn't wait for you to download and manually review the file. When it detects a compressed attachment, it automatically:
- Inspects ZIP files: reads the compressed file's directory to get the list of contained files without needing to extract them.
- Inspects RAR files: uses RAR decoding to list the archive's contents.
- Analyzes each entry: checks every file inside the archive for disguised executables (double extension) and dangerous extensions.
- Flags threats: if it finds dangerous files inside the archive, it displays a red alert with the specific names of the problematic files.
- Detects uninspectable archives: if the file is password-protected or its format doesn't allow inspection, BrisaMail warns that it couldn't verify the contents and recommends extra caution.
All of this happens transparently when viewing the message, before you interact with the attachment.
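The checks from "What to look for" and the directory-only inspection described above can be reproduced with the standard library. This is an added example, not BrisaMail's code: it reads only the ZIP central directory (never decompressing an entry), flags the page's dangerous and double extensions, the lone-executable case, and entries whose encryption bit is set. The decoy-extension list and the `build_zip` helper (which sets the encryption flag in the central directory to simulate a password-protected entry, since `zipfile` cannot encrypt) are constructed for the demo.

```python
import io
import zipfile

# Extension lists from the article's "What to look for" section.
DANGEROUS_EXTS = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js",
                  ".lnk", ".iso", ".docm", ".xlsm"}
# Document-looking extensions used as the first half of a double-extension lure (constructed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory (what `unzip -l` shows) and flag risky entries.

    No entry is ever decompressed, so this stays safe on hostile input.
    """
    threats, encrypted = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [zi for zi in zf.infolist() if not zi.is_dir()]
        for zi in files:
            base = zi.filename.rsplit("/", 1)[-1].lower()        # drop any folder prefix
            exts = ["." + p for p in base.split(".")[1:]]        # "a.pdf.exe" -> [".pdf", ".exe"]
            if zi.flag_bits & 0x1:                               # general-purpose bit 0: encrypted
                encrypted.append(zi.filename)
            if exts and exts[-1] in DANGEROUS_EXTS:
                threats.append((zi.filename, f"dangerous extension {exts[-1]}"))
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in DANGEROUS_EXTS:
                threats.append((zi.filename, "double extension disguised as a document"))
        if len(files) == 1 and files[0].filename.lower().endswith(tuple(DANGEROUS_EXTS)):
            threats.append((files[0].filename, "single dangerous file packed alone"))
    # Encrypted entries still list their names, but their bytes cannot be scanned.
    return {"threats": threats, "encrypted": encrypted, "inspectable": not encrypted}


def build_zip(entries: dict, encrypted: set = frozenset()) -> bytes:
    """Build a constructed test archive in memory. Names in `encrypted` get the
    encryption flag set in the central directory (simulated; zipfile cannot encrypt)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zi = zipfile.ZipInfo(name)
            zf.writestr(zi, payload)
            if name in encrypted:
                zi.flag_bits |= 0x1   # same object is used when the central directory is written
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"invoice.pdf.exe": b"MZ...", "readme.txt": b"hello",
                        "docs/open_me.lnk": b"L\x00\x00\x00"}, encrypted={"docs/open_me.lnk"})
    report = inspect_zip(sample)
    for name, reason in report["threats"]:
        print(f"ALERT {name}: {reason}")
    if not report["inspectable"]:
        print("Encrypted entries present; contents could not be verified:", report["encrypted"])
```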
The case of password-protected ZIPs
Password-protected ZIP files deserve special attention. It's such a common technique in malware campaigns that it's become a red flag on its own:
- The attacker sends an encrypted ZIP and the password in the message body
- The encryption prevents server scanners from analyzing the contents
- The user trusts that "if they gave me the password, it must be legitimate"
If you receive a password-protected ZIP from an unknown or unexpected sender, treat the file with maximum suspicion.
Conclusion
Reviewing the contents of a compressed file before extracting it is a fundamental security habit. But it's even better when your email client does that inspection for you automatically, alerting you to risks before you make a decision.