Email Security Blog

Understanding Phishing: Fake Attachments AKA “Phaxttachments”

That attachment you just clicked on – yeah, that’s fake.

Cybercriminals have used attachments to deliver phishing attacks since the inception of the attack vector itself. So why are criminals now luring people into double-clicking on fake attachments?

The answer is actually quite simple. Legacy email providers see it as a legitimate PDF attachment and allow the email to go through.  

This new trend in phishing is known as Fake Attachments: emails with fake attachment icons, or phaxttachments. It is described in INKY’s latest report, Understanding Phishing: Fake Attachments.

Attackers lure users by embedding ‘images’ and ‘links’ in a way that deceives traditional email security systems into assuming the attachment within an email must be safe. In reality, there is no real attachment.

The images are made to look like valid attachments and are clickable, so the user is actually clicking on a URL that opens a malicious site impersonating the intended website. The user is then prompted to enter their credentials (a credential harvesting operation), enabling the attacker to go on to impersonate the user on other O365 sites and steal more information.
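A defender-side check for the pattern described above, as an added example that is not from INKY's report or product: it flags an HTML message that has no real MIME attachment but contains a linked image whose alt, title or src text names a document file. The function names, the `DOC_HINTS` list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

DOC_HINTS = (".pdf", ".doc", ".xls")  # assumed lure file types, not from the report

class LinkedImageFinder(HTMLParser):
    """Record (href, img attributes) for each <img> nested inside an <a href>."""
    def __init__(self):
        super().__init__()
        self.href, self.hits = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img" and self.href:
            self.hits.append((self.href, attrs))

    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def find_fake_attachments(raw: bytes) -> list:
    """Return link targets hidden behind attachment-looking images."""
    parts = list(email.message_from_bytes(raw, policy=policy.default).walk())
    if any(p.get_content_disposition() == "attachment" for p in parts):
        return []  # a real attachment is present: not the pattern described
    finder = LinkedImageFinder()
    for p in parts:
        if p.get_content_type() == "text/html":
            finder.feed(p.get_content())
    found = []
    for href, img in finder.hits:
        label = " ".join(img.get(k) or "" for k in ("alt", "title", "src")).lower()
        if href.lower().startswith(("http://", "https://")) and any(h in label for h in DOC_HINTS):
            found.append(href)
    return found

# Constructed sample message (all addresses and URLs are placeholders).
SAMPLE = b"""\
From: billing@example.com
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached invoice.</p>
<a href="https://login.example.net/o365"><img src="https://cdn.example.net/icon.png" alt="Invoice_0320.pdf"></a>
</body></html>
"""
```

A hit is a signal for further review of the link target, since legitimate mail also uses linked images.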

Fake Attachments are making it through legacy email security systems. All industries must be aware of this so that they can get a head start on spotting the fakes and taking steps to protect themselves against this type of phishing attack. Heading towards the end of Q1 2020, it is clear that threat actors are only going to become more sophisticated, using relatively unknown techniques to drive the next wave of malicious attacks that exploit organizations through email phishing scams.

Implementing mail protection software, such as INKY Phish Fence, enables businesses to prevent malicious activity originating from phishing attempts and to protect and defend valuable assets communicated through email.

