BG Beter Geregeld ICT
Security without an IT department · 6 min read · 26 June 2026

Suspicious email attachments: six file types to watch out for in 2026

Not every attachment is dangerous — but not every attachment is safe either. These six file types deserve extra scrutiny, plus what to do if you accidentally clicked.

You get an email from a supplier. Or a message via the contact form. Or a job application. And there's an attachment. Most of the time that's perfectly fine — but sometimes it isn't. So how do you know which attachments are better left unopened, without needing to be an IT expert?

In this post, we walk through the file types most commonly used in phishing and malware attacks targeting SMBs in 2026. Plus: what to do if you accidentally clicked anyway.

Why attachments are still so popular with cybercriminals

Email filters have improved considerably in recent years. Suspicious links are often blocked before they reach you. But an attachment? That sometimes slips straight through — especially if the sender looks legitimate. And if the attachment also looks like an invoice, a packing slip, or a CV, someone is likely to click on it faster than you'd think.

The danger is that a single click can be enough. It rarely takes your whole network down on the spot, but it can give an attacker a foothold that only becomes noticeable days later, once they have had time to look around, read your mail or move on to the next machine.

The six file types that deserve extra scrutiny

1. .zip, .rar and .7z (compressed archives)

A ZIP file isn't dangerous by itself, but it's the go-to method for sneaking something harmful past an email filter: the scanner sees the archive, not what's inside it. The extreme case is a password-protected archive with the password helpfully printed in the email body, so that you can open it but the filter cannot. Received a ZIP from someone you weren't expecting one from? Don't open it; contact the sender through a different channel (phone, WhatsApp) to verify it's genuine.

2. .iso, .img and .vhd (disk images)

These files used to be the exclusive domain of IT professionals, used to replicate installation discs. These days they're used to bypass Windows security: an ISO mounts like a separate drive, and for years the files inside it carried no "downloaded from the internet" marking, so Windows opened them without its usual warning. Microsoft closed that gap in a 2022 update for supported Windows versions, but the technique lives on because unpatched machines still fall for it. No supplier will ever send you an invoice as an ISO file. Full stop.

3. .html and .htm (web pages as attachments)

An HTML file opens in your browser and can look identical to a Microsoft login page or a DocuSign screen. But it runs from your own disk, so the address bar shows a file path rather than "microsoft.com", and anything you type into it goes straight to the attacker. The same file can also carry a script that assembles a second, malicious file inside the browser and drops it in your Downloads folder, which is how it slips past filters that only look at links (this is known as HTML smuggling). It is one of the fastest-growing phishing techniques right now. Received an HTML attachment? Close it immediately, and if you typed a password into it, treat that password as stolen.

4. .xlsm, .docm and .pptm (Office files with macros)

The "m" at the end stands for macros: small programs that run when you open the file. Since 2022 Microsoft blocks macros by default in Office files that carry the "downloaded from the internet" marking, and anything saved from an email gets that marking. The remaining bypasses all revolve around losing it: delivering the file inside a disk image (see point 2), extracting it with an archiving tool that doesn't pass the marking on, or simply talking you into ticking "Unblock" in the file's Properties and then clicking "Enable content". Not expecting a macro-enabled file? Don't open it, and never unblock a file because an email tells you to.

5. .lnk (shortcut files)

A shortcut file looks harmless, but it can quietly run a command that downloads malware in the background. What makes it nasty is that Windows never shows the .lnk extension, even when you've set it to display file extensions, so "Invoice.pdf.lnk" appears as "Invoice.pdf" with only a small arrow on the icon to give it away. LNK files have no business being in an email. Ever.
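
To make the archive (point 1), macro (point 4) and shortcut (point 5) advice concrete, here is an added example, not code from the original post or from Beter Geregeld ICT: a small Python attachment triage that walks a mail's attachments, opens ZIPs, refuses to trust what it cannot inspect (password-protected entries, .rar and .7z) and flags the file types this post warns about, including a .lnk hiding behind a document-looking double extension. The message, file names and stand-in bytes are constructed for the example, and the extension lists are our own, mirroring the post's advice rather than any vendor's defaults. It is the kind of rule a mail gateway applies when you tighten the attachment filter, and it shows why that filter has to look inside the ZIP.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Constructed example. These extension lists mirror the post's advice; a real mail
# gateway applies the same kind of rule, but the names and thresholds here are ours.
BLOCKED = {".iso", ".img", ".vhd", ".html", ".htm", ".lnk", ".xlsm", ".docm", ".pptm"}
INSPECTABLE = {".zip"}            # opened with the standard library
OPAQUE = {".rar", ".7z"}          # would need third-party tools; treated as "cannot inspect"
DOC_LIKE = {".pdf", ".docx", ".xlsx", ".txt"}   # used to spot double extensions
MAX_DEPTH = 3                     # archives nested deeper than this are refused


def classify(name: str) -> str:
    """Judge a file by its final extension: 'blocked', 'inspectable', 'opaque' or 'ok'."""
    last = PurePosixPath(name).suffix.lower()
    if last in BLOCKED:
        return "blocked"
    if last in INSPECTABLE:
        return "inspectable"
    if last in OPAQUE:
        return "opaque"
    return "ok"


def inspect_file(name: str, data: bytes, depth: int = 0, findings=None) -> list:
    """Recursively inspect one attachment; returns [(path, reason), ...] for anything suspicious."""
    findings = [] if findings is None else findings
    kind = classify(name)
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if kind == "blocked":
        reason = f"blocked type {suffixes[-1]}"
        if len(suffixes) > 1 and suffixes[-2] in DOC_LIKE:
            reason += " hidden behind a document-looking double extension"
        findings.append((name, reason))
    elif kind == "opaque":
        findings.append((name, "archive format we cannot open; treat as unknown"))
    elif kind == "inspectable":
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deep"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:   # general-purpose bit 0 set = entry is encrypted
                        findings.append((inner, "password-protected entry; filter cannot see inside"))
                        continue
                    inspect_file(inner, zf.read(info), depth + 1, findings)
        except zipfile.BadZipFile:
            findings.append((name, "corrupt or not actually a ZIP"))
    return findings


def inspect_message(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 5322 message and collect findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        inspect_file(part.get_filename() or "(unnamed)", payload, 0, findings)
    return findings


def build_sample() -> bytes:
    """Constructed test mail: a ZIP hiding a shortcut behind a .pdf double extension,
    an HTML 'secure message', and a harmless PDF. All bytes are stand-ins, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2026-06.pdf.lnk", b"L\x00\x00\x00 stand-in for a shortcut")
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "finance@smb.example"
    msg["Subject"] = "Invoice June"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    msg.add_attachment(b"<html><body>Sign in to view</body></html>", maintype="text",
                       subtype="html", filename="Secure_Message.html")
    msg.add_attachment(b"%PDF-1.4 stand-in", maintype="application", subtype="pdf",
                       filename="quote.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in inspect_message(build_sample()):
        print(f"{path}: {reason}")
```

Run as-is it reports the shortcut inside the ZIP and the HTML attachment, and stays quiet about the PDF and the readme. The design point is the recursion: a rule that only reads the outer filename would pass "Invoice.zip" straight through, and anything it cannot open (encrypted entry, .7z) is reported as a finding rather than silently assumed safe.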

6. .pdf — yes, those too

A PDF is usually safe to view, but it's frequently used as a delivery mechanism: the PDF contains a "View document" button that leads to a phishing site. The attachment itself is technically harmless, but the link inside it isn't. Be especially critical of PDFs containing login buttons or QR codes: a QR code moves the phishing link to your phone, where there is no email filter and the address bar is hard to read. Keep your PDF reader updated as well, since an outdated reader is the one case in which the PDF itself can do damage.

The four questions to ask yourself before opening anything

  1. Was I expecting this? An unexpected invoice from an unknown party is suspicious. An expected quote from your regular supplier, much less so.
  2. Is the sender address actually correct? Not just the name: the display name is free text that the sender types in, so check the email address too. "John Smith <john@familiar-company.com>" is very different from "John Smith <john@fami1iar-company.com>".
  3. Does the tone match the sender? Has your accountant suddenly started writing in broken English with a sense of frantic urgency? Give them a call.
  4. Is there pressure or urgency? "Pay today", "account will be blocked", "confidential — do not forward": these are red flags.

What if you clicked anyway?

It happens. Nothing to be ashamed of — but do act quickly:

  • Unplug the network cable or turn off Wi-Fi on the computer you clicked on. A few hours offline is far better than letting something spread.
  • Report it immediately to whoever is responsible for IT in your organisation — even if that's an external party. Not tomorrow. Now.
  • Change your passwords, starting with your email and your accounting software; if you typed a password into a fake login page, start with that one. Also sign out of all active sessions where the service offers it: a new password does not end a session the attacker has already opened. Do this from a different device.
  • Check that two-factor authentication (2FA) is still active on your most important accounts, and look for mail forwarding or inbox rules you didn't create. Attackers sometimes try to disable 2FA once they're in, and they add forwarding rules to keep reading your mail after you've changed the password.
  • Keep an eye on your bank account over the coming days, and warn colleagues that unusual emails may be sent in your name.

What you can do structurally

Awareness is valuable, but sending a reminder email once a year doesn't cut it. What actually works in an SMB environment:

  • Tighten your email filter to block attachment types like .iso, .lnk and .html, and make sure the rule also looks inside archives; a block list that stops at the ZIP stops nothing. In almost every SMB you don't need these types by email anyway.
  • Make sure Microsoft 365 or Google Workspace scans attachments before delivery (Safe Attachments in Defender for Office 365, which is included with Microsoft 365 Business Premium, or Advanced Protection in Google Workspace).
  • Agree as a team that any change to an IBAN must be confirmed by phone — no matter how convincing the email looks.
  • Make sure your SPF, DKIM and DMARC records are properly configured, and move the DMARC policy from p=none to quarantine or reject once your own mail passes the checks. A policy of p=none only sends you reports and blocks nothing, so criminals can still send emails impersonating your domain.
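
The last point is the one you can verify yourself. As an added example (not from the original post), here is a Python check that reads SPF, DMARC and DKIM TXT records and reports the mistakes that matter: +all or a missing all term, more than ten DNS lookups, two SPF records, DMARC p=none or no rua= address, and a missing or revoked DKIM key. The domains and records below are constructed samples; against a real domain you would feed it the TXT records from `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`, plus the DKIM selector your mail provider gave you.

```python
# Constructed sample DNS TXT records for three imaginary domains. Nothing here is real;
# in practice you paste in the output of dig/nslookup for your own domain.
SAMPLE_TXT = {
    "legacy.example": ["v=spf1 +all"],
    "weak.example": ["v=spf1 a mx include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"],
    "selector1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=NOTAREALKEYJUSTASAMPLE"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at ten per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(records):
    """Findings for the SPF record(s) of a domain, as (severity, message) tuples."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("fail", "no SPF record: receivers cannot tell your mail servers from anyone else's")]
    if len(spf) > 1:
        return [("fail", "more than one SPF record: RFC 7208 says receivers must treat this as an error")]
    findings, lookups, all_qualifier = [], 0, None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").lower().split(":")[0].split("=")[0].split("/")[0]
        if mechanism in LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "ptr":
            findings.append(("warn", "ptr mechanism is deprecated and unreliable"))
        if mechanism == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(("fail", f"{lookups} DNS-lookup mechanisms; RFC 7208 allows 10, so receivers give up"))
    if all_qualifier is None:
        findings.append(("fail", "no 'all' term: senders you did not list are not rejected"))
    elif all_qualifier == "+":
        findings.append(("fail", "+all authorises every server on the internet to send as you"))
    elif all_qualifier == "?":
        findings.append(("warn", "?all is neutral, which receivers treat as no opinion"))
    elif all_qualifier == "~":
        findings.append(("info", "~all (softfail) is acceptable once DMARC is enforced"))
    else:
        findings.append(("ok", "SPF ends in -all"))
    return findings


def check_dmarc(records):
    """Findings for the _dmarc TXT record of a domain."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [("fail", "no DMARC record: receivers apply no policy to spoofed mail from your domain")]
    tags = {}
    for kv in dmarc[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append(("warn", "p=none only monitors; spoofed mail is still delivered"))
    elif policy in ("quarantine", "reject"):
        findings.append(("ok", f"DMARC p={policy} is enforced"))
    else:
        findings.append(("fail", f"missing or invalid p= tag: {policy!r}"))
    if "rua" not in tags:
        findings.append(("warn", "no rua= address: you receive no aggregate reports, so you fly blind"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(("warn", f"pct={pct}: the policy is applied to only part of the traffic"))
    return findings


def check_dkim(records):
    """Findings for one selector._domainkey TXT record."""
    dkim = [r for r in records if r.upper().startswith("V=DKIM1")]
    if not dkim:
        return [("fail", "no DKIM key published at this selector")]
    tags = dict(kv.strip().split("=", 1) for kv in dkim[0].split(";") if "=" in kv)
    if not tags.get("p"):
        return [("fail", "DKIM record with empty p= means the key was revoked")]
    return [("ok", "DKIM key published")]


def audit(domain, txt=SAMPLE_TXT, selectors=("selector1",)):
    """Run all three checks for a domain against a name -> [TXT records] map."""
    findings = check_spf(txt.get(domain, []))
    findings += check_dmarc(txt.get(f"_dmarc.{domain}", []))
    for sel in selectors:
        findings += [(s, f"{sel}: {m}") for s, m in check_dkim(txt.get(f"{sel}._domainkey.{domain}", []))]
    return findings


if __name__ == "__main__":
    for d in ("legacy.example", "weak.example", "strong.example"):
        print(d)
        for severity, message in audit(d):
            print(f"  [{severity}] {message}")
```

The weak.example domain is the typical SMB starting point: SPF present, DMARC present but p=none, no DKIM. Everything looks configured, yet a forged invoice from that domain is still delivered. The order of work the output suggests is DKIM first, then raise the DMARC policy.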

Not sure whether your email security is up to scratch? We offer an email security check (SPF/DKIM/DMARC) that maps out exactly where the gaps are — without you having to dig into DNS records yourself. Start there, and we'll filter out most of the junk before it ever reaches your staff.

Topics

#smb #security #phishing #email-security #awareness

Full guide: Security for SMBs without an IT department: what do you do this quarter?

This article is part of our comprehensive "Security without an IT department" guide. Read the pillar for the complete picture.

Read the pillar →