Analyze Attachment Details
The Attachments icon in an investigation shows how many attachments were found in the messages in an investigation.

An investigation with one or more attachments considered malicious will display a count of both the total number of attachments found to be malicious and the total number of attachments found, and the Attachments icon will have a red background:

If you hover over an Attachments icon with a red background, you will see a summary of the first two malicious issues found:

If you hover over an Attachments icon with a red background in a selected investigation, it will turn a darker red, and you can click on the darker red Attachments icon to view details of the attachments found in the investigation:

An attachment is considered malicious when at least 2 VirusTotal scanning engines consider it malicious or when at least 2 scanning services consider it malicious. Each attachment is evaluated automatically by VirusTotal engines (if you have automatic scanning selected in organization settings; see Phishing Response Settings for details) and checked for blacklist existence, known threat profile, whitelist existence, known malware, and known spam. The result is a determination of Clean or Malicious.
To analyze attachment details
- Click on an investigation to select it.
- Click on the Attachments icon in the selected investigation. You will see the investigation details page with the Attachments tab selected. (If it is not selected, click the Details tab, and then click the Attachments tab.) The Attachments tab lists all attachments found in all the messages in an investigation.
- Click an attachment name or hash to view more information about that attachment. The details panel for a selected attachment shows:
  - The full hash that you can select and copy.
  - Information returned from any systems that scanned the attachment. (If VirusTotal scanned the attachment, you can click More details to view additional details about the scan.)
  - The date and time that the attachment was initially scanned.
  - The result of the scan.
For the message reported as phishing, you can click Get Link to get a link to download the attachment so you can perform your own local analysis. Then click Copy to copy the link to your clipboard so you can paste it into your browser's Address field.
NOTE: You download attachments to your system at your own risk.
Phishing Response can use multiple systems to scan attachments:
- VirusTotal™, a multi-engine static scan where the attachment is analyzed and checked against a number of malicious attachment databases; it can be set to automatically upload and scan all attachments
- Hybrid Analysis™, a sandbox scanner offering in-depth static and hybrid analysis
The sandbox scanners activate the attachments in isolated sandbox environments. These in-depth analyses typically take 5-10 minutes, and the results are displayed when the scan is finished and the page is refreshed. The results include a Threat Score and a list of any threats found.
You can scan or rescan an attachment using any of the systems at any time. See Scan an Attachment Manually for details.