• Checking e-mail attachments with VirusTotal

    #2335064

    To @b in reply to #2335047, where you asked:
    How would you check a webmail attachment against VirusTotal without downloading it?

    In #2335004, @Microfix said:

    by using webmail, it’s never downloaded to your device (unless you wish to do so), it’s only visible in your online mail account, which can be checked via VT / purged from therein.

    I took that to mean that I could find an e-mailed document in my webmail and check it in VT without downloading it.
    So this is what I did to check a document that I e-mailed to myself (to see how VirusTotal works):
    Step 1: I found the document in my webmail, but I did not do anything to download it, but instead did Step 2.
    Step 2: I clicked on the entry for the document and a URL showed up in the URL field of my Firefox browser.
    Step 3: I pasted the URL into the URL search field in VirusTotal
    Step 4: I viewed the results.
    See attachments here for Steps 1 thru 4.
    So, am I seeing the results of checking the e-mail message, including the attached document, both of which have not been downloaded? Or both of which HAVE been downloaded?
    Or am I seeing the results of checking the e-mail message only which has not been downloaded? Or which HAS been downloaded?

    • #2335070

      That is how I do the VT check also.
      Not run into problems for over a year using the same method.
      Although, up-to-date AV/Malware security should intercept it if bad and known, but new variants?
      Sandboxed folder to download the attachment and check with VT prior to opening?

      No problem can be solved from the same level of consciousness that created IT- AE
      • This reply was modified 2 years, 8 months ago by Microfix.
      • #2335078

        I don’t think all webmail services will provide a direct URL for an attachment.

        Is yours also Yahoo or another site?

        Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge

        • #2335083

          I don’t think all webmail services will provide a direct URL for an attachment.

          Indeed, having one that doesn’t require authentication does feel like a security hole to me… especially if you haven’t specifically marked that attachment as “shared”.

          Step 3: I pasted the URL into the URL search field in VirusTotal
          Step 4: I viewed the results.

          If the webmail service works like I’d expect it to, what this should do is give you the VirusTotal results for the webmail service’s authentication-request page. As in the page where they ask for account and password…

          • #2335086

            If the webmail service works like I’d expect it to, what this should do is give you the VirusTotal results for the webmail service’s authentication-request page. As in the page where they ask for account and password…

            IOW, VT is not checking the file itself??

            • #2335100

              Very likely so.

              You can test what VirusTotal would see, by using a known-safe attachment link (such as one you sent yourself… a dummy text file would be enough, or a random doodle in Paint saved as a file and attached). Then copy the link for that, and open it in a browser that doesn’t share your cookies, authentication tokens etc. (Incognito / privacy mode, whatever you call it, is good for that.)

              I did this with an attachment in Gmail, copying the link to an instance of Brave that’s in incognito mode. And instead of the attachment I got the Gmail login screen.

              Therefore, if I were to submit that link to VirusTotal, I’d get the VirusTotal results for Gmail’s login screen.

              (Also, VirusTotal says “please do not submit any personal information” and some webmail services have your primary email address as part of the URL.)

              • This reply was modified 2 years, 8 months ago by mn--. Reason: fixed punctuation
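The test described in #2335100, scripted as an added example (not code from any poster in this thread): it fetches a link with no cookies and without following redirects, reports what an outside scanner would actually receive, and flags URLs that embed an e-mail address. The function names, the `mail.example` URLs and the "HTML with a password field means login page" heuristic are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 3xx response itself instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def url_contains_email(url):
    """True if the percent-decoded URL embeds an e-mail address."""
    return bool(EMAIL_RE.search(urllib.parse.unquote(url)))

def classify(status, headers, body):
    """Describe what a cookie-less client received for an attachment link."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    if status in (301, 302, 303, 307, 308):
        return "redirect to " + h.get("location", "?")
    if status in (401, 403):
        return "access denied"
    # Heuristic (assumption): an HTML page with a password input is a login form.
    if "text/html" in ctype and re.search(rb'type=["\']?password', body, re.I):
        return "login page"
    if "attachment" in h.get("content-disposition", "").lower():
        return "file"
    return "other content (" + (ctype or "unknown type") + ")"

def fetch_without_session(url, timeout=10):
    """Fetch url with no cookies or credentials, as an outside scanner would."""
    opener = urllib.request.build_opener(_NoRedirect)  # no cookie jar attached
    try:
        with opener.open(url, timeout=timeout) as r:
            return classify(r.status, dict(r.headers), r.read(65536))
    except urllib.error.HTTPError as e:  # unfollowed 3xx and 4xx/5xx land here
        return classify(e.code, dict(e.headers), e.read(65536))

if __name__ == "__main__":
    # Constructed sample responses; no network access is needed for these.
    print(classify(302, {"Location": "https://mail.example/login"}, b""))
    print(classify(200, {"Content-Type": "text/html"},
                   b'<input type="password" name="pw">'))
    print(url_contains_email("https://mail.example/att?u=someone%40example.com"))
```

Anything other than "file" from `fetch_without_session` means a URL scan would be reporting on the webmail service's own page, not on the attachment.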
    • #2335095

      You could always open your email in a sandboxed browser. The download will go into the sandbox and you can check it with VirusTotal from there.
