Why didn’t I receive an e-mail with a password-protected zip file in it?

January 8, 2014
If someone wants to send you a document with sensitive information in it, they’ll probably password-protect the file, attach it to an email, then sent it to you.

Password-protecting a file encrypts the file which means that without the password, the file isn’t readable. If it can’t be read, a virus scanner can’t determine whether the file is safe so an e-mail security service’s default – and safest – action may be to delete any unscanable attachment or, alternatively, drop the incoming message entirely. 

If one were to override this default behavior in order to receive password-protected file, you’ve just made a hacker’s day to whom allowing all password-protected files means that all they have to do to guarantee that their virus-laden message reaches its target is to password-protect their virus. 

We’ve already grown accustomed to the false security of including the password in the body of the message, so the hacker does just that – he crafts an important looking e-mail with an attachment that you might even be expecting like a delivery receipt during the holidays or an IRS notification during tax season. Double-click the attachment, enter the password and BOOM! You’re infected.
For this reason, we configure our clients’ e-mail security systems to reject messages with password-protected attachments. If someone, like your accountant, really wants to get sensitive information to you, they need to post the documents on a secure site and provide you with the credentials you need to download the file. Yes, it’s a hassle, but we’re just going to have to try a little harder than the bad guys.