Question: Is there a safe way to open a suspicious email attachment?

Pimpom

Distinguished
May 11, 2008
From time to time over the past few months, I've been receiving emails levelling ridiculous charges of cybercrime at me. The mails are purportedly from an anti-cybercrime center in my country (India) but the email address is from a server outside the country (.de). The last two mails have attachments that are supposed to be court orders.

Of course I have not downloaded or opened the attachments. I'm wondering if there's a safe way to do so. Just being curious.

If there's no safe way, I'll just delete these last two mails like I did with the previous ones. Any suggestions?
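The mismatch the question describes (a message that claims to come from an Indian body but arrives via a .de server) can be confirmed from the message headers alone, with the attachment left untouched. The following is an added example, not code from any poster in this thread; it reads a saved .eml with the Python standard library and reports the inconsistencies a defender looks for first. The message, the domains (example.in, example.de, recipient.example) and the address 203.0.113.10 are constructed placeholders.

```python
# Added example, not from any poster in this thread: inspect a saved .eml and
# report header inconsistencies without opening the attachment itself.
# Standard library only. The message below is constructed for illustration;
# the domains and the IP address are placeholders, not real senders.
import email
import email.utils
import re
from email import policy

SAMPLE_EML = """\
Return-Path: <bounce@mail.example.de>
Received: from mail.example.de (mail.example.de [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <victim@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000
From: "Cyber Crime Cell" <notice@cybercrime.example.in>
Reply-To: legal-desk@mail.example.de
To: victim@recipient.example
Subject: Court order - immediate action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached court order.
--b1
Content-Type: application/octet-stream; name="court_order.pdf.exe"
Content-Disposition: attachment; filename="court_order.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Filenames that look like a document but end in a directly executable suffix.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|js|vbs|bat|cmd|lnk|hta)$", re.I)


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def org_domain(host: str) -> str:
    """Crude comparison key: the last two labels (mail.example.de -> example.de).
    Enough for this illustration; a public-suffix list does it properly."""
    return ".".join(host.lower().split(".")[-2:])


def origin_hosts(msg) -> list:
    """'from <host>' tokens of all Received headers, in header order. The last
    entry is the earliest hop, i.e. the machine that handed the mail in."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def triage(raw: str) -> dict:
    """Compare From against Return-Path, Reply-To and the first Received hop,
    and flag double-extension attachment names. Nothing is decoded or run."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    findings = []
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr))
        if dom and org_domain(dom) != org_domain(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    hosts = origin_hosts(msg)
    if hosts and org_domain(hosts[-1]) != org_domain(from_dom):
        findings.append(f"mail was handed in by {hosts[-1]}, not a {from_dom} host")
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    for name in names:
        if DOUBLE_EXT.search(name):
            findings.append(f"attachment {name} has a double extension")
    return {"from_domain": from_dom, "origin_hosts": hosts,
            "attachments": names, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("!", line)
```

On the constructed message this reports four findings: Return-Path and Reply-To point at a different organisation than From, the first Received hop is a .de host rather than a .in one, and the attachment name pairs a document extension with an executable one. None of that required decoding the attachment.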
 

USAFRet

Titan
Moderator
From time to time over the past few months, I've been receiving emails levelling ridiculous charges of cybercrime at me. The mails are purportedly from an anti-cybercrime center in my country (India) but the email address is from a server outside the country (.de). The last two mails have attachments that are supposed to be court orders.

Of course I have not downloaded or opened the attachments. I'm wondering if there's a safe way to do so. Just being curious.

If there's no safe way, I'll just delete these last two mails like I did with the previous ones. Any suggestions?
Only way would be with a sacrificial PC.
One that you can easily wipe completely.

I'm not sure I would even trust a VM.

Yes, they are scam emails, laden with malware.
 

punkncat

Polypheme
Ambassador
Not sure I'd even trust a VM.
Crafty malware can detect if it is in a VM and just shut itself down, leading you to think there is no malicious payload involved.

I can neither confirm nor deny that claim. I have been using VM for years now to deal with 'sketchy' things and it has never been able to jump outside the enviro because I don't have said set up in the VM (like local networking and so on). At the very least it would allow the user to see what those attachments are, if they will open, and either way just delete the machine when done and it is gone.
 

USAFRet

Titan
Moderator
I can neither confirm nor deny that claim. I have been using VM for years now to deal with 'sketchy' things and it has never been able to jump outside the enviro because I don't have said set up in the VM (like local networking and so on). At the very least it would allow the user to see what those attachments are, if they will open, and either way just delete the machine when done and it is gone.
Oh, I do the same with VMs.

But software can detect its environment: Windows, Apple, and the typical VM environments (VMware, VirtualBox, etc.).
 

Pimpom

Distinguished
May 11, 2008
Thanks for all the replies.
I have some old desktop hardware that I'm (slowly) setting up for use by my recently retired wife - for YouTube and typing documents related to her church activities. Maybe I'll use that with a temporary installation of Windows.

One more question: If the attachment is loaded with a particularly crafty malware, is there a chance that it will affect other computers on my home network?
 
Mar 10, 2020
209
201
4,970
A worm infection could look to infect other computers on your network. Depending on the devices connected to your router and your router type, they may or may not be vulnerable.
It’s easy to become paranoid about this. If you try with a junk PC, then disconnect your main PC from the network and turn it off. Turn off the router WiFi and connect to it using a cable. Download and open the bad attachments, look at them, and then wipe/format the junk PC.

Alternatively, delete the original email and don’t worry. If there were court orders within the attachments, then the local police would have been in touch with you by now.
 

mmp09

Commendable
Nov 27, 2021
I personally use a VM; however, a standalone machine that's not connected to any network is a safer bet. Alternatively, physically disconnect all your drives, reinstall Windows and the intended app on another spare drive, ensure Secure Boot is ON and check it out.

Then wipe the attached drive clean.

Also upload suspicious files to the VirusTotal site to see if it reports anything.
 

punkncat

Polypheme
Ambassador
Absolutely could. Do not enable file and printer sharing. I also would not make that PC a part of your LAN workgroup. Putting this on hardware could lead to bigger issues if it's a particularly nasty bug.
 

Ralston18

Titan
Moderator
Another way is to direct all "non-address book" emails into a specific "junk" folder.

Configure the junk folder to be in "Preview" mode and you will be able to see more about any given email without needing to open the email.
 
Mar 10, 2020
209
201
4,970
Malware is continuously being hunted, identified, analysed and squashed. Windows Defender used to be a joke of a system, but it’s good at catching bugs and worms these days. (I use Sophos instead, but that’s a choice.) It has become much harder for the malware developers to break your machine, though it does still happen.

Zero-day vulnerabilities, weaknesses in the operating system or applications, are harder to find, much more obscure. As soon as they are triggered, white hats, anti-malware vendors, etc. work like crazy to stop the bugs in their tracks, and devs patch their vulnerable programs to remove the weakness.

Anti-malware software used to download signatures that identify the virus so that their programs could remove it from the infected hard drive. For the past decade (?), heuristic scanning (it looks like a known virus, so I’ll ask if I should quarantine it) has been used; also, the antivirus programs can look to the anti-malware program’s site to see if there are updates. They can do this on demand.

The one single thing you can and should do is to back up all your data to a second drive and take this drive out of the computer while you know your PC is clean and safe. Applications can easily be re-installed, Windows likewise. Lost data is gone.
 
What about booting from a Live Linux distro and accessing it that way? Likely a similar risk to a VM, but nothing gets written to local storage.
I would not recommend running malware without disconnecting all physical storage devices first, because one can easily mount and then get full RW access to any physical storage device from a live desktop.

The probability of that specific malware being designed to run in that environment, however, can be debated.

Another thing to do after downloading a suspicious file could be to upload it to virustotal.com. That will let you know things like what IP addresses the package will try to communicate with, among other things.

There is another danger in play for OP. Following any link for downloading anything may be a trap where the malicious sender gets a confirmation that the receiver (OP) is an actual email address that is in use, which will cause further attempts to spam it or hijack it.
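Two posts above suggest VirusTotal. An added example, not from any poster in this thread or from VirusTotal, of what can be learned from an attachment statically before anything is uploaded or run: hash it (a hash search on VirusTotal reveals nothing about you to the sender, whereas uploading a file that is unique to your mailbox can), sniff the real file type from its leading bytes, and look for a macro project inside zip-based Office documents. The three sample files are constructed in the script (a 64-byte stub with a PE signature, a minimal zip with a vbaProject.bin entry, a two-line PDF); none is real malware, and the VirusTotal URL is only built, never fetched.

```python
# Added example, not from the thread or from any tool named in it: static triage
# of a saved attachment. Nothing here executes or decodes the file's content
# beyond reading bytes; the samples are constructed stand-ins, not real malware.
import hashlib
import io
import zipfile
from pathlib import Path

# Leading bytes -> file type. Deliberately short; libmagic knows many more.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (Office docx/xlsx/docm, jar, plain zip)",
    b"\xd0\xcf\x11\xe0": "legacy Office / OLE compound file",
    b"\x7fELF": "ELF executable",
}
# Extensions Windows will run directly when double-clicked.
RUNNABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                ".bat", ".cmd", ".ps1", ".iso", ".img"}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff_type(data: bytes) -> str:
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def zip_macro_entries(data: bytes) -> list:
    """Names of VBA macro entries in a zip-based Office file ([] if none)."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage_attachment(name: str, data: bytes) -> dict:
    """Static findings for one attachment plus the hash to search on VirusTotal."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    kind = sniff_type(data)
    findings = []
    if suffixes and suffixes[-1] in RUNNABLE_EXT:
        findings.append(f"extension {suffixes[-1]} is directly executable")
        if len(suffixes) >= 2:
            findings.append("double extension: looks like a document, runs as code")
    if suffixes and suffixes[-1] == ".pdf" and kind != "PDF document":
        findings.append(f"named .pdf but content sniffs as {kind}")
    macros = zip_macro_entries(data)
    if macros:
        findings.append("contains VBA macro project: " + ", ".join(macros))
    digest = sha256_of(data)
    return {"name": name, "sha256": digest, "type": kind, "findings": findings,
            # Hash search URL: looking a hash up on VirusTotal does not upload the file.
            "vt_search": f"https://www.virustotal.com/gui/file/{digest}"}


def build_samples() -> dict:
    """Constructed stand-ins for the kinds of attachment discussed in the thread."""
    pe_stub = b"MZ" + b"\x00" * 62          # PE signature only, not a runnable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # minimal macro-enabled Word layout
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not a real macro project")
    clean_pdf = b"%PDF-1.4\n%%EOF\n"
    return {"court_order.pdf.exe": pe_stub,
            "court_order.docm": buf.getvalue(),
            "notice.pdf": clean_pdf}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        report = triage_attachment(fname, blob)
        print(f"{fname}: {report['type']}, sha256 {report['sha256'][:16]}...")
        for f in report["findings"]:
            print("  !", f)
        print("  search:", report["vt_search"])
```

To use it on a real attachment, save the file without opening it, read it with `Path(name).read_bytes()` and pass the bytes to `triage_attachment`. Search the printed hash on VirusTotal first; only if nothing is known does uploading add information, and at that point the isolation advice elsewhere in the thread (no shared drives, no LAN, wipe afterwards) applies to whatever machine opens it.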
 

Math Geek

Titan
Ambassador
I can also say I have never had a bit of nasty "get out" of a VM. I've been doing it for many years now and never seen it happen. I regularly infect a VM with nasties from around the web for various purposes.

As others have stated, it is true that many internet nasties know they are running in a VM and won't do everything they are intended to do. But this does not mean it has left the VM and moved onto the host system. It simply means you won't be able to observe the full intentions of the object in question.

This is what a separate machine is for, so you can let it fully loose and see what it does. Be sure it is not connected to your home network or other devices so it can't spread anything around. And be sure the system has nothing important on it, as you will need to wipe it clean when you are done. I use VLANs myself to keep traffic separate, but there are other ways.