Is It Safe to Open That Email Attachment? A File-by-File Guide

AI Emaily Team · 42 min read

The short answer

Opening an email attachment is safe only when you expected the file, you trust and have verified the real sender, and the file type is low risk. Treat executables (.exe, .scr, .js), archives (.zip, .iso), HTML files, and any "enable macros" prompt as dangerous, and watch for disguised double extensions. Verify the sender through a second channel, let your inbox scan it, preview before you download, and never enable macros. When in doubt, do not open it.

Is it safe to open that email attachment? A file-by-file guide to dangerous file types, the tricks attackers use, and exactly how to check before you open.

On this page
  1. How do malicious email attachments actually work?
  2. Which email attachment file types are the most dangerous?
  3. Which attachments are safe to open and which are risky?
  4. What tricks do attackers use to disguise dangerous attachments?
  5. When is it actually safe to open an email attachment?
  6. How do you check an attachment before opening it?
  7. Why should you never enable macros in an email attachment?
  8. What should you do if you opened a malicious attachment?
  9. How does AI Emaily protect you from dangerous attachments?
  10. Putting it all together

One double-click is all ransomware needs. You open what looks like an invoice, a delivery slip, or a resume; a file runs in the background; and minutes later your documents are encrypted and a ransom note is on your screen — or a keylogger is quietly recording every password you type. Email attachments are one of the oldest delivery methods for malware, and they are still one of the most effective, precisely because opening a file feels routine. You do it dozens of times a day without a second thought. Attackers count on exactly that reflex.

So the honest answer to "is it safe to open this email attachment?" is: it depends, and the factors that decide it are knowable. Safety is not a property of the file alone — it is the combination of three things. Did you expect this file? Do you genuinely trust who sent it? And is the file type one that can do damage when opened? Get clear answers to those three and you can judge almost any attachment in under a minute. Get them wrong and a single click can hand an attacker your machine. This guide is about getting them right, file type by file type, without turning you into someone who is afraid to open a PDF from a colleague.

The reason this matters more in 2026, not less, is that the lures wrapped around malicious attachments have gotten dramatically better. The classic tell — a clumsy, misspelled email begging you to open the attached "document" — is gone. Attackers now write fluent, professional, perfectly formatted messages, often with the help of the same AI writing tools everyone else uses, and they personalize them: the right company name, the right tone, a believable reason the file is attached. The email around the attachment is more convincing than ever. The good news is that the attachment itself has not changed. An executable still executes. A macro still runs code. An archive still hides what is inside. The danger lives in the file and in your interaction with it, and those are things you can check no matter how slick the surrounding message is.

Here is how this guide is built. We start with how malicious attachments actually work, so the rest makes sense rather than being rules to memorize. Then the heart of it: a table of the most dangerous file types and a table of which types are relatively safe versus risky, so you can calibrate suspicion instead of fearing everything. Next, the specific tricks attackers use to beat both your filters and your instincts — double extensions, password-protected archives, and the macro lure — because once you have seen these, you stop falling for them. After that, a decision checklist for when an attachment is genuinely safe to open, a step-by-step for checking a file before opening it, and a focused section on why you must never enable macros. We cover what to do if you have already opened something bad, then an honest look at how AI Emaily reduces this risk. A FAQ and a short conclusion close it out.

Two orientations before we begin. First, terms, kept simple. Malware is the umbrella word for malicious software — anything built to harm or exploit your device. Ransomware is the variety that encrypts your files and demands payment to unlock them, and it is the one most associated with attachments. A macro is a small program embedded in an Office document (Word, Excel, PowerPoint) that can run automatically and, in the wrong hands, download and install malware. Second, the mindset underneath everything here, the same one that protects you from phishing generally: treat email as untrusted input. An attachment is a claim — that it is the file it appears to be, from the person it appears to be from, for the reason the message gives. Verifying that claim before you open it is the entire skill, and it pairs naturally with learning how to spot a phishing email, since malicious attachments almost always arrive inside one.

How do malicious email attachments actually work?

To judge attachments well, it helps to know what a malicious file is really doing, because the danger is not magic — it is a small number of mechanisms, and each one is a place you can intervene. An attachment harms you in essentially one of three ways: it runs code directly, it tricks a program into running code, or it sends you somewhere dangerous. Almost every malicious attachment is a variation on one of those, and knowing which one a given file represents tells you how worried to be.

The most direct mechanism is a file that is itself a program. An executable — a .exe on Windows, and its relatives like .scr, .bat, .cmd, .com, and script files like .js or .vbs — is code that runs the moment you open it. There is no document to read inside; the file is the instructions, and opening it tells your computer to follow them. This is why receiving a raw program by email is almost never legitimate: businesses do not email you software to run, and a stranger sending you an .exe is, with rare and obvious exceptions, sending you malware. Security guidance from vendors and government agencies alike puts executables at the top of the danger list for exactly this reason.

The second mechanism is more subtle and, in practice, more common today: a file that looks like a harmless document but tricks a program into running code on its behalf. The classic example is an Office document with a malicious macro. Word and Excel can run small embedded programs, and attackers write a macro that, when enabled, reaches out to the internet and downloads the real malware — often using a built-in tool like PowerShell so the activity looks less suspicious. The document you see is bait; the macro is the trigger. A related version exploits a bug in the program that opens the file — a flaw in a PDF reader or image viewer — so merely opening a malformed file runs code. These exploits are rarer and usually patched quickly, which is why keeping software updated is a real defense, but they are why no file type is ever guaranteed harmless.

The third mechanism does not infect your device at all — it uses the attachment as a doorway to a malicious website. An HTML attachment can open a fake login page stored right on your own computer, so convincing and so local that it sidesteps the link checks you would normally run, then captures whatever you type. A document or PDF can contain a link that takes you to a credential-harvesting site or a malware download. Here the file is just the delivery vehicle for a phishing page, which is why the skills for telling if an email is fake and for spotting phishing links apply directly to attachments too.

Underneath all three is a layer of social engineering, because a file sitting in an email does nothing until you open it — the attacker's real work is convincing you to do that. So the message wraps the attachment in a reason that feels urgent and ordinary at once: an overdue invoice, a package that needs confirming, a receipt for a purchase you do not remember making (designed to make you open it to investigate), a resume for a job you posted, a document awaiting your review. The more an attachment arrives with pressure to open it now, or with a story engineered to make you curious or anxious, the more it deserves suspicion. The file is the weapon; the email is the trick that gets you to pull the trigger. Understanding both halves lets you stop the attack at the only point that matters — before you open the file.

The attachment is harmless until you open it

A malicious file sitting in your inbox cannot do anything on its own. The entire attack depends on getting you to open it — and usually to do so quickly, before you think. That means the most powerful defense is also the simplest: when a file is unexpected, or the message pressures you to open it fast, stop and verify before you double-click. The moment of caution before opening is worth more than any cleanup after.

Which email attachment file types are the most dangerous?

Some file types are far more dangerous than others, and learning the tiers is what lets you stop treating every attachment as equally scary. The riskiest files share one trait: they can run code or scripts on your machine, either directly or by tricking a program into doing it for them. Below is the danger list — the file extensions that security teams and email gateways routinely block outright, and that you should be extremely cautious about ever opening from email. Read the extension carefully, because, as the next section shows, attackers work hard to disguise it.

| File type(s) | What it is | Why it is dangerous |
| --- | --- | --- |
| .exe .msi .com .scr .pif | Windows programs and installers (.scr is a screensaver, also a program) | These are code. Opening one runs it immediately. Almost never legitimate to receive by email — treat as malware by default. |
| .bat .cmd .ps1 .vbs .js .wsf .hta | Batch files, PowerShell, VBScript, JavaScript, and HTML application scripts | Scripts that execute commands on your computer when opened. A common, lightweight way to download and install the real malware. |
| .jar | Java archive that runs as a program | Runs Java code on open if a Java runtime is installed. Frequently used to deliver cross-platform malware; rarely a legitimate email attachment. |
| .docm .xlsm .pptm | Office files that can contain macros (the trailing "m" means macro-enabled) | Macros are embedded programs. A malicious macro downloads malware when you click "enable content." A top historic ransomware delivery method. |
| .zip .rar .7z | Compressed archives that bundle one or more files | Hide their contents — including the executables above — until opened, helping malware slip past scanners. Often password-protected to block scanning. |
| .iso .img .vhd | Disk-image files that mount as a virtual drive | Conceal executables inside a container that some security tools and the operating system handle loosely. A rising technique for smuggling malware. |
| .html .htm .svg | Web pages and scalable vector images that can carry scripts | Can open a fake login page locally or run scripts in your browser. In 2025 analysis, a large share of malicious attachments were HTML files. |
| .lnk | A Windows shortcut file | Looks like a harmless link but can be crafted to launch a hidden command or download. Increasingly used as a stealthy delivery method. |

A few points make that list more useful than a wall of extensions. First, the headline pattern: if a file can run code, it is dangerous — and that includes things people do not think of as programs, like a screensaver (.scr), a Windows shortcut (.lnk), or a Java archive (.jar), all of which execute on open just as surely as a .exe does. Second, archives and disk images (.zip, .rar, .iso, .img) are dangerous not because the container harms you, but because of what it hides: scanners often cannot see inside, especially when the archive is password-protected, so attackers use them to carry the executables and scripts above past your filters. Third, and most surprising to many people, HTML attachments have become one of the most weaponized formats — 2025 security analysis found a striking proportion of HTML email attachments were malicious, because an HTML file can carry a complete fake login page that opens locally and dodges the link checks you would run on a normal web address.

The practical takeaway is not to memorize every extension, but to recognize the categories: executables and scripts, macro-enabled Office files, archives and disk images, and script-bearing web files. If an unexpected attachment falls into any of those, do not open it until you have verified it through the steps later in this guide. And keep one rule above the rest: you should essentially never receive a raw program (.exe and its relatives) as an email attachment from a legitimate source. If you do, that single fact is usually enough to identify the message as an attack.

A program in your inbox is almost always an attack

Legitimate companies and colleagues do not email you software to run. So an attachment ending in .exe, .scr, .msi, .bat, .cmd, .js, .vbs, .jar, or .lnk — arriving unexpectedly — should be treated as malware on sight, even if the message around it looks professional. The same goes for an archive (.zip, .rar, .iso) you did not ask for, since its job is often to hide one of those programs inside. Do not open it; verify or delete.

Which attachments are safe to open and which are risky?

If the danger list tells you what to avoid, the next question is the everyday one: of the files you actually receive, which can you open with reasonable confidence and which deserve caution? Risk runs on a spectrum, not a binary. No file type is guaranteed harmless — even formats people consider perfectly safe can occasionally carry an exploit or a malicious link — but some are vastly lower risk in practice. The table below sorts the common attachments you will meet into rough tiers, so you can match your caution to the actual threat rather than treating a vacation photo and a macro-enabled spreadsheet as equal hazards.

| Relative risk | File types | How to treat them |
| --- | --- | --- |
| Lower risk | .jpg .png .gif .txt .mp3 .mp4 | Images, plain text, and media rarely carry malware. Still verify you expected them, but these are the least likely to harm you on open. |
| Generally safe to view | .pdf .docx .xlsx .pptx | Modern documents without macros. Usually safe to read, especially in a browser preview — but can embed malicious links and, rarely, exploits. Never act on links inside blindly. |
| Risky — verify first | .zip .rar .7z .iso | Archives and disk images. Safe only if you expected them and trust the sender; otherwise treat as a wrapper hiding something worse. Never open one whose password came in the same email. |
| High risk — do not open unexpectedly | .docm .xlsm .pptm and any "enable macros" prompt | Macro-enabled Office files. The "enable content" button is a classic malware trigger. Never enable macros on a file you did not expect. |
| Dangerous — essentially never open by email | .exe .scr .msi .bat .cmd .js .vbs .jar .lnk .hta | Programs and scripts that execute on open. Almost never a legitimate attachment. Verify out of band if you somehow expected one; otherwise delete. |

Two clarifications keep this table from being misread. The first concerns PDFs, because "is it safe to open a PDF from email?" is one of the most common questions about attachments. A PDF is generally safer than a macro-enabled document and far safer than an executable — for the vast majority of PDFs you receive, opening one to read it, especially inside your provider's built-in preview, is low risk. But "low risk" is not "no risk." PDFs can contain clickable links to phishing or malware sites (a very common trick — the PDF is clean, but it is a billboard for a malicious link), and in rarer cases a malformed PDF can exploit a vulnerability in an outdated reader to run code. So the right posture for a PDF: usually fine to view if you expected it and trust the sender, view it in preview rather than downloading when you can, keep your reader updated, and never click a link or button inside a PDF without the same scrutiny you would give a link in the email body.

The second clarification is about the regular Office formats — .docx, .xlsx, .pptx — versus their macro-enabled cousins ending in "m," and this single letter is one of the most useful things you can learn about attachments. The standard formats cannot run macros at all, which makes them substantially safer; the macro-enabled formats (.docm, .xlsm, .pptm) can, and the trailing "m" is your warning. If a Word or Excel file ends in "m," it can — and an unexpected one very likely does — contain a macro, so do not open it without verifying the sender first, and never click "enable content" on it. Attackers also use the old pre-2007 formats (.doc, .xls) precisely because they can carry macros in a way that looks more innocuous. The clean rule: regular Office documents are usually fine to read; anything that can run a macro, or asks you to enable one, jumps to the high-risk tier no matter how ordinary the email looks.

What tricks do attackers use to disguise dangerous attachments?

Knowing the dangerous file types only helps if you can tell what type a file actually is — and attackers spend most of their effort making sure you can't. Their techniques fool two audiences at once: you, the human reading the email, and the automated scanner trying to inspect the file before it reaches you. Three tricks come up again and again, and once you have seen each one explained, it loses most of its power: the double extension, the password-protected archive, and the macro lure.

The first is the double extension, which exploits a default Windows setting: file extensions are often hidden. Attackers name a file something like Invoice.pdf.exe. With extensions hidden, you see Invoice.pdf and a generic icon, and you double-click without realizing the real extension is .exe and the file is a program. The same trick uses Invoice.docx.scr, Photo.jpg.exe, and endless variations: a trustworthy-looking extension in the middle, the real dangerous one at the end. A file with two extensions like this is almost always malicious; there is virtually no legitimate reason to name a real document that way. The defense is twofold: turn on the option to show file extensions in your operating system so you always see the true ending, and be deeply suspicious of any filename that appears to have two extensions, especially when the last one can run code.

The example below shows what the double-extension trick looks like with extensions hidden versus shown — the same file, two very different impressions.

The double-extension trick (same file, extensions hidden vs. shown)
  • What you see (extensions hidden): Invoice_April.pdf
  • The actual filename (extensions shown): Invoice_April.pdf.exe
  • What it really is: A Windows program, not a PDF — the .pdf is fake reassurance, the .exe is the real, executable extension
  • The fix: Enable "show file extensions" in your OS, and distrust any file that appears to have two extensions

The second trick is the password-protected archive, aimed squarely at your security software rather than at you. The attacker puts malware inside a .zip or .rar file, protects the archive with a password, and writes that password in the body of the email ("the file is password-protected for your security; the password is 1234"). The framing sounds responsible, which is the point. But the real purpose is evasion: most antivirus and email scanners cannot open a password-protected archive to inspect it, because they do not have the password. The malware sails through the defenses that would normally catch it, and you — by typing the password and extracting the file — do the one thing the scanner could not, and unlock the malware yourself. Security researchers have documented this widely, including variants that nest the archive several layers deep or send the password through a separate channel like a text message to defeat scanning further. The rule that defeats all of it: a password-protected attachment whose password arrives in the same email is a strong sign of malware, not security. Legitimate senders rarely password-protect files this way, and when they do, they share the password through a channel you already trust, not in the delivery email.

The password-protected zip lure (why the "helpful" password is the trap)
  • Attachment: Payment_Remittance.zip (password-protected)
  • Email body: "For your security, the file is encrypted. Password: Invoice2026"
  • What your scanner sees: Nothing — it cannot open a password-protected archive, so the malware inside is invisible to it
  • What you do: Type the password and extract the file — unlocking the malware the scanner was blocked from catching
  • The tell: A password supplied in the same email is for evasion, not protection; legitimate senders share passwords through a trusted channel

A password in the email is a red flag, not a courtesy

When an attachment is password-protected and the password is written in the same email, be suspicious rather than reassured. The password is usually there so your antivirus and email scanner — which cannot open a protected archive — are blinded, while you unlock the malware by hand. Legitimate senders almost never share a file password this way. If you did not expect a protected archive, do not open it, whatever the email claims the password is for.
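An added example, not code from this guide's authors: how a mail filter could apply the double-extension check and the password-protected-archive check described above without extracting or decrypting anything. The extension groups come from the tables on this page; the function names, the password-wording pattern and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension groups taken from this page's danger list.
RUNS_CODE = {"exe", "msi", "com", "scr", "pif", "bat", "cmd", "ps1",
             "vbs", "js", "wsf", "hta", "jar", "lnk"}
MACRO_OFFICE = {"docm", "xlsm", "pptm"}
CONTAINERS = {"zip", "rar", "7z", "iso", "img", "vhd"}
WEB_FILES = {"html", "htm", "svg"}
# Familiar extensions that serve as the reassuring "middle" of a double extension.
DECOYS = {"pdf", "docx", "xlsx", "pptx", "jpg", "png", "gif", "txt", "mp3", "mp4"}
# Assumption: a simple pattern for password wording in the message body.
PASSWORD_HINT = re.compile(r"\bpass(?:word|code|phrase)\b", re.IGNORECASE)


def inspect_name(filename):
    """Flag a filename by its final extension, the one the OS acts on."""
    parts = filename.strip().lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    flags = []
    for label, group in (("runs-code", RUNS_CODE), ("macro-enabled", MACRO_OFFICE),
                         ("container", CONTAINERS), ("web-file", WEB_FILES)):
        if ext in group:
            flags.append(label)
    # A familiar document or media extension sitting before the real one.
    if len(parts) > 2 and parts[-2] in DECOYS:
        flags.append("double-extension")
    return flags


def inspect_zip(data):
    """Read only the ZIP directory: encryption flag and member names."""
    result = {"encrypted": False, "members": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                result["encrypted"] = True
            # Ordinary encrypted ZIPs protect file data only; the member
            # names in the directory stay readable without the password.
            result["members"][info.filename] = inspect_name(info.filename)
    return result


def triage(raw_message):
    """Return one finding per attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        entry = {"name": name, "flags": inspect_name(name), "members": {}}
        if zipfile.is_zipfile(io.BytesIO(data)):
            listing = inspect_zip(data)
            entry["members"] = listing["members"]
            if listing["encrypted"]:
                entry["flags"].append("encrypted-archive")
                if PASSWORD_HINT.search(text):
                    entry["flags"].append("password-in-same-email")
        report.append(entry)
    return report


def build_constructed_sample():
    """Constructed sample of the lure shown above. Contains no real program."""
    buf = io.BytesIO()
    member = zipfile.ZipInfo("Remittance.pdf.exe", date_time=(2026, 1, 1, 0, 0, 0))
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a program")
    data = bytearray(buf.getvalue())
    # Mark the entry as encrypted in the local header (flags at offset 6) and
    # in the central directory (flags at offset 8) so it reads as
    # password-protected; the placeholder data itself is left as is.
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(signature) + flag_offset] |= 0x01
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Payment remittance"
    msg.set_content("For your security, the file is encrypted. Password: Invoice2026")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="Payment_Remittance.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_constructed_sample()):
        print(finding)
```

Even though the scanner cannot read the protected contents, the archive's directory still yields the two signals the guide names: an encrypted attachment whose password sits in the same message, and a member name with a double extension.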

The third trick is the macro lure, the most successful of the three because it turns your own software against you and recruits you into the attack. The attacker sends a normal-looking Word or Excel document. When you open it, the content appears blurred or replaced by an official-looking notice: "This document is protected. Enable editing and enable content to view it," sometimes dressed up with a fake company or Microsoft logo to look like a required step. Clicking "enable content" runs the macro hidden in the document — and that macro downloads and installs the real malware, frequently ransomware. The genius of the lure is that a security barrier (macros are disabled by default precisely because they are dangerous) is reframed as an obstacle to reading the file, so you switch off your own protection believing you are just opening a document. The defense is simple and absolute: never click "enable content" or "enable macros" on a document you were not expecting. No legitimate invoice, report, or shared file requires you to disable a security control to read it. That single rule neutralizes one of the most common ransomware delivery methods in existence — which is why it gets its own section later.

When is it actually safe to open an email attachment?

After all the warnings, here is the constructive version — a clear test for when an attachment is genuinely safe enough to open. You do not need to be paralyzed; you need a quick mental checklist, and an attachment that passes all of it is low risk, while one that fails any item should give you pause. The three foundations are expectation, trust, and file type, and the checklist below turns them into specific questions you can run in under a minute before you double-click anything.

  • Did you expect this file? An attachment you requested, or one that fits an ongoing conversation, is far safer than one that arrives out of nowhere. Surprise is the single strongest risk signal — "I wasn't expecting this" should slow you down every time.
  • Do you genuinely know and trust the sender? Not just the display name — the real email address. A trusted sender lowers risk, but does not eliminate it, because a contact's account can be compromised and used to mail malware to everyone they know.
  • Is the file type low risk? An image, a plain-text file, or a macro-free PDF or .docx is far safer than a .zip, an .iso, a macro-enabled .docm, or anything that can run code. Read the real extension, not the icon.
  • Does the message avoid pressure and odd requests? Urgency ("open immediately"), secrecy, a password for the attachment supplied in the same email, or a prompt to "enable content" all push the file toward unsafe regardless of who it appears to be from.
  • Does the file name look honest? No double extension (Invoice.pdf.exe), no mismatch between what the email describes and what the file actually is, no generic name on a supposedly important document.
  • Did your inbox flag anything? A modern email client that scans attachments and warns about suspicious senders or files is giving you real information — if it raised a flag, treat the attachment as unsafe until you have verified it independently.

The way to use that checklist is as a set of gates, not a points system. An attachment that clears every gate — expected, from a trusted and verified sender, a low-risk file type, no pressure, an honest filename, no warnings — is reasonably safe to open, and you can proceed, ideally still viewing it in preview rather than downloading. An attachment that fails even one important gate — you didn't expect it, you don't really know the sender, it's an executable or macro-enabled file, the email is pressuring you, the filename has two extensions — should not be opened until you have verified it through the steps in the next section. And there is one combination that should stop you cold no matter what else is true: an unexpected file that can run code (an executable, a script, a macro-enabled document, or an archive likely hiding one). That pairing is the signature of an attachment attack, and the correct response is to verify out of band or simply delete, never to open and "see what it is." Curiosity is exactly the impulse these attacks are built to exploit.

How do you check an attachment before opening it?

When an attachment does not clearly pass the safe-to-open test but you cannot just ignore it — it might be a real invoice, a genuine document from a client, a file you half-expected — you do not have to gamble. There is a short, reliable sequence for vetting a file before you open it, moving from the easiest checks to the most thorough. Run them in order and stop as soon as something tells you the file is dangerous. Each step adds a layer of distance between you and a potential payload.

  1. Read the real file name and extension

    Set your operating system to show file extensions, then look at the file's true ending. Watch for double extensions (Invoice.pdf.exe), an extension that can run code (.exe, .scr, .js, .bat, .vbs, .jar, .lnk), or a macro-enabled Office type (.docm, .xlsm, .pptm). If the real extension is dangerous and you did not expect a file of that type, stop here.

  2. Verify the sender through a separate channel

    Expose the actual sender address (not just the display name) and check the domain. Then, if the file is at all unexpected, confirm the sender really sent it through a different channel — a call, a chat message, a reply to a known earlier thread. "Did you just email me this file?" takes ten seconds and catches the case where their account was hijacked to mail malware.

  3. Be wary of pressure, passwords, and macro prompts

    If the email pressures you to open the file urgently, supplies a password for a protected archive in the same message, or the document asks you to "enable content" or "enable macros," treat all three as strong signs of malware. None is normal for a legitimate file, and any one is reason enough not to proceed.

  4. Let your email service scan it — and preview, don't download

    A modern email client scans incoming attachments against known malware before they reach you; one your provider has already flagged should never be opened. When you do open a file you reasonably trust, view it in the browser-based preview rather than downloading it. Previewing renders the document at a safe distance and avoids saving an executable where a careless click could later run it.

  5. Scan the file yourself if you must download it

    If you must download a file and remain unsure, run it through up-to-date antivirus first, and consider a free multi-engine online scanner that checks it against dozens of engines at once. Remember the limit: scanners cannot see inside password-protected archives, and brand-new malware can briefly evade them — a clean scan is reassuring, not a guarantee.

  6. Detonate it in a sandbox for the highest-risk files

    For a file you cannot verify but may need to deal with, a sandbox is the safest option: an isolated, throwaway environment — a free online malware sandbox or a disposable virtual machine — where you open the file and watch what it does without risking your real device. If it reaches out to the internet, drops files, or tries to encrypt things, you have your answer, and your computer was never exposed. This is the principle good email security automates for you.

  7. When in doubt, do not open it

    If you are still unsure, do not open the file. Delete the email, or leave it unopened and ask the sender to share the file another way, such as a link to a trusted cloud drive. The cost of not opening a legitimate file is a minor delay; the cost of opening a malicious one can be ransomware. Weighed honestly, caution wins.

A word on the most powerful of those tools, because most people have never used it and professionals rely on it. A sandbox is an isolated environment, walled off from your real system, where a file can be opened and its behavior observed safely — if the file is malicious, it does its damage to a disposable virtual machine that gets wiped, not to your documents, passwords, or network. Email security platforms use automated sandboxing this way: they detonate suspicious attachments and links in a controlled environment before delivery, and only let through what proves harmless. You can do a manual version with free online sandboxes that detonate a file and report everything it tried to do. This matters for everyday users because it is the model good email tools build in for you — so the vetting that is laborious by hand happens automatically, on every message, before anything reaches your inbox. That is the bridge to how AI Emaily fits in, which a later section covers honestly.

Why should you never enable macros in an email attachment?

Of every warning in this guide, one deserves to be stated on its own and held without exception: never enable macros or content on a document that arrived by email, especially one you did not expect. This is not an abstract caution — enabling macros on a malicious document is one of the most direct paths to a ransomware infection that exists, and the prompt is engineered specifically to get you to do it. Understanding why makes the rule stick.

Macros are small programs embedded in Office documents. They were built for a legitimate purpose — automating repetitive tasks in a spreadsheet or document — but because they can run code, including code that reaches out to the internet and downloads other programs, they are a near-perfect weapon. Microsoft has long disabled macros from internet-sourced documents by default, putting up a warning bar instead, precisely because the feature is so dangerous in the wrong hands. The attacker's entire goal with a malicious document is to get you to click past that protection, so they make the document appear unreadable until you act: blurred text, a fake "protected document" overlay, an instruction to "enable editing" and then "enable content" to see the file. Each click peels back a layer of your own security, and the final one runs the macro, which quietly downloads and installs the real malware, often using a legitimate system tool so the activity blends in. From your side, it felt like the steps required to open a document. From the attacker's side, you just executed their code for them.

The defense requires none of the technical detail. It is a single, absolute rule: if a document you received by email asks you to enable content, enable macros, or enable editing to view it, do not do it — close the file. No legitimate invoice, receipt, shipping notice, resume, or report requires you to switch off a security control to read its contents. If you genuinely believe the document is real and important, verify with the sender through a separate channel and ask them to send it in a safe format — a plain PDF, or a link to a trusted cloud document — rather than enabling macros. Treat the "enable content" button as the most dangerous click in your inbox, because, statistically, it is among the most dangerous.

"Enable content" is the most dangerous click in email

If an email attachment opens blurred, locked, or with a notice telling you to enable content, enable editing, or enable macros to view it, that is the attack — not a step toward reading the file. Clicking it runs hidden code that frequently installs ransomware. Close the document. No legitimate file ever needs you to disable your own protection to be read. Verify with the sender and ask for it in a safe format instead.
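For readers who triage attachments for others, a file can be checked for macros without ever opening it in Office. The sketch below is an added example, not AI Emaily's code: it relies on modern Office files being ZIP containers that store macros in a `vbaProject.bin` part and declare a macro-enabled content type, and on legacy binary Office files starting with the OLE signature. The function names and the sample builder are assumptions made for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt; may hold macros
MACRO_EXTS = (".docm", ".xlsm", ".pptm")


def macro_indicators(filename: str, data: bytes) -> list[str]:
    """Return the reasons an Office attachment may carry macros ([] = none found)."""
    name = filename.strip().lower()
    findings = ["macro-enabled extension"] if name.endswith(MACRO_EXTS) else []
    if data.startswith(OLE_MAGIC):
        return findings + ["legacy OLE container: macros cannot be ruled out"]
    if not data.startswith(b"PK"):
        return findings  # not a ZIP-based (OOXML) Office file
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = zf.namelist()
            types = ""
            if "[Content_Types].xml" in parts:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, RuntimeError):
        return findings + ["unreadable ZIP container"]
    hidden = []
    if any(p.lower().endswith("vbaproject.bin") for p in parts):
        hidden.append("contains a VBA project part")
    if "macroenabled" in types.lower():
        hidden.append("content type declares a macro-enabled document")
    if hidden and not name.endswith(MACRO_EXTS):
        hidden.append("extension does not reveal the macro content")
    return findings + hidden


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP, not a real document."""
    kind = ("ms-word.document.macroEnabled" if with_macro
            else "openxmlformats-officedocument.wordprocessingml.document")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override ContentType="application/vnd.{kind}.main+xml"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    print(macro_indicators("invoice.docx", build_sample(True)))
```

An empty result means only that none of these markers were found; it says nothing about links or other content inside the file.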

What should you do if you opened a malicious attachment?

Mistakes happen, even to careful people, and the modern lures are designed to fool exactly the people who think they are too smart to be fooled. If you have opened an attachment you now suspect was malicious — or enabled macros, or extracted and ran a file from a protected archive — the worst response is to freeze in embarrassment and hope it was nothing. Speed limits the damage, and the steps below are what to do, in order, the moment you realize. They apply whether you saw something obviously wrong (a strange window flashing, files behaving oddly) or just a sinking feeling that the file you opened was not what it claimed.

  1. Disconnect the device from the internet immediately

    Turn off Wi-Fi and unplug any network cable. Many attachment-borne threats — ransomware especially — need to phone home to download their payload, fetch an encryption key, or spread. Cutting the connection at once can stop the infection before it finishes and isolates the device from shared drives and other machines on your network.

  2. Do not enter passwords or pay anything

    If a ransom note appears, do not pay it and do not type credentials into anything that has popped up. Paying funds the attackers and rarely guarantees recovery; entering passwords on a compromised device can hand over more accounts. Leave any ransom screen as-is — recovery and reporting come first.

  3. Run a full scan with up-to-date security software

    Run a full system scan with your antivirus or endpoint security and quarantine or remove what it finds. On Windows, the built-in protection can do this; make sure its definitions are current first. A scan may contain the malware, though sophisticated threats can resist removal, which is why the next steps still matter.

  4. At work, tell IT or security right now

    If this happened on a work device or account, report it to your IT or security team immediately rather than quietly cleaning it up yourself. They can isolate the machine, check whether the threat spread, and protect colleagues. Targeted attacks rarely hit one person, and early reporting often stops a single click from becoming an organization-wide incident.

  5. Change passwords from a different, clean device

    Assume any credential used on the affected device may be compromised, especially if a keylogger or info-stealer was involved. From a separate, known-clean device, change the passwords for your email (first, since it can reset everything else), banking, and other important accounts, and turn on two-factor authentication. Do not change passwords on the infected machine — you could simply be handing the new ones over.

  6. Watch your money and report fraud

    If financial information was on the device or you entered any, contact your bank or card issuer right away to stop fraudulent transactions. In the United States, report the incident to the FBI's Internet Crime Complaint Center at ic3.gov and the FTC at ReportFraud.ftc.gov, which also offers a recovery plan at IdentityTheft.gov if your information was stolen.

  7. Restore from a clean backup if needed

    If files were encrypted or the infection cannot be fully removed, the reliable path is to wipe the device and restore from a backup made before the infection. This is why regular offline or cloud backups matter — they turn a ransomware attack from a catastrophe into an inconvenience. With no clean backup, a reputable professional or, for some strains, a free decryptor from a project like No More Ransom may help.

Two reassurances to balance the urgency. First, opening a malicious attachment does not always mean a successful infection — modern operating systems and security software block a meaningful share of attacks, and you may have caught it before the payload fully ran. Acting fast on the steps above is what tips the odds further in your favor. Second, the experience is a powerful teacher. Almost everyone who gets caught can, in hindsight, see the signals they missed: the file was unexpected, the sender was a little off, the message pushed them to hurry, the document asked them to enable something. The point of cataloguing those signals — as this guide and its companion on protecting your email from hackers do — is so that next time the pause comes before the click, not after. Being caught once is common; the goal is to make it the last time, and to lean on tools that watch for these attacks so the burden does not rest entirely on a single moment of human attention.

If you opened it: disconnect first, then act fast

The instant you suspect a bad attachment, pull the device off the internet — that alone can stop ransomware mid-attack. Then scan it, tell IT if it is a work device, change your passwords from a different clean device (email first), and watch your finances. Do not pay any ransom. Speed is what limits the damage, and a recent clean backup is what makes recovery possible.

How does AI Emaily protect you from dangerous attachments?

Everything above is something you can learn to do by eye, and you should, because no tool catches everything. But running the full vetting routine on every file, every day, is a lot to ask of a busy person — and the lures around malicious attachments are built to slip past a tired reader at the end of a long day. This is where the inbox itself can carry part of the load. AI Emaily is an AI email client built on the principle stated at the top of this guide: email is untrusted input. It does not assume a message or its attachment is safe because the writing is polished or the sender's name looks familiar. It inspects what arrives and surfaces the risk, so the checks you would otherwise have to remember are run automatically, before you act.

Described honestly — these are protections that reduce risk, not a promise that nothing dangerous will ever reach you — here is what that means for attachments. AI Emaily treats every incoming message and the links and files it carries as untrusted, applying the same scrutiny this guide teaches. It runs its own AI detection over incoming mail and flags suspicious senders and attachments, so a message bearing the markers of an attachment-based attack — an unexpected risky file type, impersonation and lookalike-sender signals, the language patterns of a malware lure — arrives with a clear warning rather than a blank invitation to open it. When a message contains links, AI Emaily sandboxes and neutralizes them, so the dangerous-website mechanism described earlier is defused before it can reach you. And it blocks tracking pixels by default, stopping the quiet remote-image beacons that confirm your address is live and worth more attacks — the same beacons that often ride along with the spam and phishing that carry malicious files.

The list below sums up what AI Emaily does on the attachment-and-link front, and what it does not pretend to do.

  • Email treated as untrusted input by design: AI Emaily inspects messages, links, and files for risk rather than assuming polished, familiar-looking mail is safe — directly countering the convincing lures that wrap malicious attachments.
  • Suspicious senders and attachments are flagged: the AI detection scores incoming mail for the markers of attachment-based attacks and impersonation, so a risky message arrives with a warning instead of a clean-looking invitation to open it.
  • Links are sandboxed and neutralized: the dangerous-website path — fake login pages and malware downloads reached through links in messages and attachments — is defused before it can reach you.
  • Tracking pixels blocked by default: remote-image beacons that confirm your address is live, and that ride along with the spam and phishing carrying malicious files, are stopped — keeping you off the lists that draw more attacks.
  • Works across Gmail, Outlook, and every provider you connect, so the same scrutiny protects all your inboxes in one place, not just one account.
  • Private by default: AI Emaily never trains its models on your mail and does not sell your data — the inspection serves your safety, not an ad profile.
  • Honest about limits: the flags and warnings are a strong prompt to slow down and verify, not a guarantee that every threat is caught. Your own checks from this guide remain the final line of defense.

The right way to think about it is layered defense. Your judgment — checking the real file type, verifying the sender through a second channel, refusing to enable macros, previewing instead of downloading, and never opening an unexpected file that can run code — is the foundation, and this guide exists to make that judgment sharp. AI Emaily sits on top of it as a safety net: a second set of eyes that flags the suspicious sender you were about to trust, neutralizes the link you might otherwise have clicked, and treats a polished message carrying a risky file as exactly what it is — untrusted until proven safe. It backstops the habits; it does not replace them, and no tool is perfect against a determined attacker or brand-new malware, so keep running the checks in this guide. The spam-protection feature page and the security overview go deeper, and you can try the whole thing free — see the box at the end. The takeaway is simple: a private inbox that treats email as untrusted, flags suspicious senders and attachments, and sandboxes links turns the file-by-file vetting in this guide from something you must remember into something that mostly happens for you.

Putting it all together

Is it safe to open that email attachment? It is safe when three things are true at once: you expected the file, you trust and have verified the sender, and the file type is low risk — with no pressure, no password supplied in the same email, and no prompt to enable anything. When any of those is missing, the answer flips to "not yet," and the move is to verify before you open, not to open and find out. Keep the danger list in mind — executables and scripts (.exe, .scr, .js, .bat, .vbs, .jar, .lnk), archives and disk images that hide what is inside (.zip, .rar, .iso, .img), macro-enabled Office files (.docm, .xlsm, .pptm), and script-bearing web files (.html, .svg) — and remember that even a PDF or a plain document, while usually safe to view, can carry a malicious link. Read the real file extension, not the icon, so the double-extension trick cannot fool you.

Above all, internalize the two rules that stop the most damage. Never click "enable content" or "enable macros" on a document you received by email — that single click is one of the most reliable ways to invite ransomware, and no legitimate file ever requires it. And be suspicious, not reassured, when an attachment is password-protected and the password sits in the same email, because that is usually there to blind your scanner, not to protect you. When you do open a file you trust, preview it rather than downloading it; when you cannot be sure, scan it or open it in a sandbox; and when you remain in doubt, simply do not open it. If you slip and open something bad, disconnect the device, scan it, change your passwords from a clean device, tell IT at work, and watch your money — fast action limits the harm.
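The filename checks summarized above can be expressed as a small triage function. This is an added example, not part of the original guide or of AI Emaily: the risk categories come from the danger list in this section, while the `DECOYS` set and the password pattern are assumptions chosen for illustration.

```python
import re

# Danger list as given in this guide's summary.
RISK = {
    "executable or script": {".exe", ".scr", ".js", ".bat", ".vbs", ".jar", ".lnk"},
    "archive or disk image": {".zip", ".rar", ".iso", ".img"},
    "macro-enabled Office file": {".docm", ".xlsm", ".pptm"},
    "script-bearing web file": {".html", ".svg"},
}
# Assumption: harmless-looking extensions a lure might pose as (not from the guide).
DECOYS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
PASSWORD_HINT = re.compile(r"\b(password|passcode)\b", re.I)


def triage(filename: str, body: str = "") -> dict:
    """Classify an attachment by its real (last) extension and flag disguises."""
    # Collapse whitespace padding that pushes the real extension out of view.
    clean = re.sub(r"\s+", " ", filename).strip().lower()
    parts = [p.strip() for p in clean.split(".")]
    ext = "." + parts[-1] if len(parts) > 1 and parts[-1] else ""
    category = next((c for c, exts in RISK.items() if ext in exts), None)
    flags = []
    if category and len(parts) > 2 and "." + parts[-2] in DECOYS:
        flags.append("double extension")
    if category == "archive or disk image" and PASSWORD_HINT.search(body):
        flags.append("password supplied in same email")
    verdict = ("do not open; verify first" if category
               else "lower risk; still verify the sender")
    return {"extension": ext, "category": category, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample names and body text.
    for name, body in [("Invoice_0425.pdf.exe", ""),
                       ("scan.pdf        .exe", ""),
                       ("documents.zip", "The password is 4821"),
                       ("minutes.pdf", "")]:
        print(name, "->", triage(name, body))
```

A "lower risk" verdict covers the file type only; whether the file was expected and the sender verified remain separate checks.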

Finally, let your inbox carry some of the weight. A private, AI-native client like AI Emaily that treats email as untrusted input, flags suspicious senders and attachments, sandboxes and neutralizes links, and blocks the tracking pixels that feed more attacks your way — without ever training on your mail — is a genuine safety net under the judgment this guide has built. To go further, the companion pieces on how to spot a phishing email, the most common email scams, and how to protect your email from hackers build directly on these skills, since malicious attachments almost always travel inside a phishing message or a scam. Stay a little suspicious, run the checks, and the dangerous attachment becomes just another file you saw through before it could do any harm.

Let your inbox vet the attachment before you open it

AI Emaily treats email as untrusted input: it flags suspicious senders and attachments, sandboxes and neutralizes links, and blocks tracking pixels by default — across Gmail, Outlook, and every provider. Private by default: we never train on your mail or sell your data. Start free at app.aiemaily.com/signup; Pro is $17.99/mo on annual billing.