ARCHIVES

Malicious email attachments are a common and successful attack vector on today’s Internet. Sophisticated attackers can craft highly-targeted attachments, using publicly available information about potential victims to create convincing documents that contain hidden malicious payloads. Users who open these attachments using vulnerable applications are at a high risk of infection. Unfortunately, current mitigations are unreliable, relying either on fallible malware detection techniques or user education. In this work, we propose adopting a default policy of isolated attachment rendering. Emails bearing attachments are transparently rewritten (in a sandboxed virtual machine environment) to contain static renderings of the attachments. Users who wish to obtain the original attachment are explicitly warned of the dangers of doing so – akin to TLS warnings as used in web browsers – before being allowed to access the requested documents. We implement this technique in a system we call Pellucid Attachment. We further report on an extensive user study that measures the usability and effectiveness of Pellucid Attachment in shielding users from attacks. Our evaluation shows that adopting email attachment security indicators and an isolation-by-default policy results in a significant increase in user security, while maintaining the usability of email attachments.