Our threat researchers examined how adversaries use different types of file attachments to help prevent malicious spam from being detected. What we found is that they are continually evolving their strategies, experimenting with a wide range of file types, and quickly switching tactics when they don’t find success.

Figure 17 shows how malicious spam operators experimented with the use of .docm, JavaScript, .wsf, and .hta files during the period observed. As noted earlier, many of these file types are associated with spam sent by the Necurs botnet. (For research related to other file types we examined, see the Appendix on page 78.)

High