May 14, 2026

Malicious Attachments Return: An Old Trick With New Payloads

The malicious email attachment is one of the oldest tricks in the book, old enough that many people assumed better filtering had retired it. It has not. Through 2026 attackers have leaned back into attachments with renewed enthusiasm, pairing a familiar delivery method with modern payloads and sharper evasion. The file that lands in an inbox looking like a routine invoice or CV can now carry an infostealer that empties a browser of saved logins in seconds.

What has changed is not the concept but the craft: better lures, cleverer packaging, and payloads built to slip past defences and cash out fast.

The gist: an attacker sends a believable email with a file attached, perhaps an invoice, a CV or a purchase order. Opening it runs a macro, script or bundled installer that quietly drops malware such as a keylogger or infostealer, which harvests saved passwords and session tokens. The message looks like ordinary business, so the defence has to combine technical filtering with people who know when a file feels wrong.

Why an old technique is working again

As email gateways became better at catching malicious links, attackers simply shifted weight back to attachments, and modernised them. Password-protected archives are a favourite, because the file cannot be scanned without the password, which is helpfully provided in the email body for the victim but not for the sandbox. Attackers also rotate through less-expected file types and container formats to dodge signatures, and lean on documents that ask the user to enable content or bypass a security warning.

The payloads have moved on too. Where an old attachment might have carried clumsy malware, today it often drops an infostealer that harvests browser credentials, cookies and session tokens, or a loader that pulls down ransomware later. These pay out immediately on criminal markets, which makes the humble attachment a genuinely profitable delivery method again. Generative AI has sharpened the covering emails, so the grammar mistakes that once gave them away are largely gone.

How the attachment attack works in 2026

[Diagram: a modern attachment attack, from the believable email and the lure to open, through the payload running, to credentials stolen. Caption: An old technique with new payloads and better evasion.]

The flow is familiar but polished. A convincing email arrives, framed around routine business so opening the file feels normal. Curiosity or habit does the rest. When the attachment is opened, a macro, script or bundled installer executes, often after coaxing the user past a warning. The payload then runs quietly, harvesting saved logins and tokens and sending them to the attacker, who may sell them on or use them to log in directly, sometimes bypassing multi-factor authentication with a stolen session.

The files and tricks to watch for

  • Password-protected archives where the password is helpfully included in the email, a classic way to defeat scanning.
  • Unexpected or unusual file types, or documents that immediately ask you to enable content, macros or editing.
  • A file that urges you to bypass a warning or click through a security prompt to see the content.
  • An attachment you did not expect, even from a known sender, particularly if it carries a sense of urgency.

How to defend

Filter and sandbox at the gateway

Use email security that detonates attachments in a sandbox and inspects inside archives, and be prepared to strip or hold risky file types by default.

Disable macros and restrict risky formats

Turn off Office macros from the internet by default, keep documents from untrusted sources in protected view, and block the container and script formats attackers favour where your business does not need them.
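To make the two controls above concrete, here is an added example (not Phishing Tackle's code) of the kind of gateway-side triage they describe: it parses a message, holds attachments in a hypothetical block-list of container, script and macro-enabled formats, and holds any ZIP whose entries carry the encryption flag, the password-protected-archive trick that blinds a scanner. The extension list, the sample lure and the patched ZIP are all constructed for the demonstration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical hold-by-default list: container, script and macro-enabled formats.
HOLD_EXTENSIONS = {".iso", ".img", ".js", ".jse", ".vbs", ".wsf", ".hta",
                   ".lnk", ".docm", ".xlsm", ".pptm"}

def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any entry sets general-purpose flag bit 0, the ZIP encryption bit."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) per attachment: 'hold: <reason>' or 'scan'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in HOLD_EXTENSIONS:
            verdicts.append((name, "hold: risky format"))
        elif zip_has_encrypted_entry(data):  # scanner cannot see inside
            verdicts.append((name, "hold: encrypted archive cannot be scanned"))
        else:
            verdicts.append((name, "scan"))
    return verdicts

def build_encrypted_zip() -> bytes:
    """Constructed ZIP with the encryption flag patched into both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", "constructed placeholder")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local, central
        data[data.find(sig) + off] |= 0x1
    return bytes(data)

def build_sample_eml() -> bytes:
    """Constructed invoice lure: encrypted ZIP, macro workbook and a plain PDF."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4471 (archive password: 1234)"
    msg.set_content("Please see the attached invoice.")
    for payload, sub, fn in ((build_encrypted_zip(), "zip", "invoice.zip"),
                             (b"constructed", "octet-stream", "rates.xlsm"),
                             (b"%PDF-1.4 constructed", "pdf", "statement.pdf")):
        msg.add_attachment(payload, maintype="application", subtype=sub, filename=fn)
    return msg.as_bytes()
```

Run `triage_message(build_sample_eml())` to see the ZIP and the macro workbook held while the PDF goes on to scanning; a real gateway would route the held items to a sandbox or quarantine rather than simply label them.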

Keep endpoints current

Modern endpoint protection catches much attachment-borne malware as it tries to run, so keep it deployed and up to date, and patch promptly.

Blunt the payoff and train the people

Because the goal is often stolen credentials, phishing-resistant MFA limits what a successful infection is worth. Reinforce it with realistic simulations that include attachment lures, and make it easy to report suspicious emails before a file is ever opened.

The bottom line

The attachment attack never really went away, and in 2026 it is thriving on better disguises and more profitable payloads. The defence is layered rather than clever: filter and sandbox what arrives, switch off the macros and formats attackers rely on, keep endpoints patched, and give staff both the training to hesitate over an unexpected file and an easy way to report it. Treat every unexpected attachment as a question, not an instruction, and the oldest trick in the book loses most of its power.

Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.

Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
