Can Opening an Email Get You Hacked?

Did you know that 47.3% of all email is spam, which is around 15 billion spam email messages sent every day?

Today it’s email security 101 not to download an email attachment or click on a malicious link in a spam message as this can likely lead to malware infection, but what about simply opening a spam email?

Can a hacker do anything to your account if you open a spam email?

No, Opening Spam Emails Won’t Get You Hacked (Anymore)

Let’s put your mind at ease right away.

Opening a spam email will not get you hacked.

This, however, wasn’t the case just a few years ago.

So, a short history lesson about our beloved email is in order here.

You see, email has been around for 60 years as we know it today, having been invented by Ray Tomlinson in 1971 (the first email was created in 1965 at MIT as a computer program called “Mailbox”).

Back then, emails could only be exchanged as plain text messages (no images, links, formatting, etc.). This, however, changed when Tun Berners-Lee wrote HTML in 1993.

Soon, email could contain not only plain text, but also links, images, you could make words bold or underlined and more.

In other words, you could “do things” with email, which opened a lot of opportunities for users (and businesses), but also made email vulnerable to spreading malware.

The reason for this was DHTML (Dynamic HTML) and JavaScript, which gave the ability to HTML to “do things” such as turn text red when you hover over it with a cursor or play games in a browser.

And hackers soon found a way to exploit this and infect your email account and device with malware.

Microsoft Outlook and the Preview Pane Email Account Vulnerability

Now, just to be clear, Outlook wasn’t the only email service provider that had this vulnerability. Other email services that offered a preview pane (and most of them did) could also be exploited by hackers.

So how did this work?

1. You leave your email client running;
2. Your most recent message is displayed in the preview pane;
3. A new message arrives in your inbox;
4. Outlook selects the new message as the “most recent” and updates the preview pane;
5. If the message you just received contained malware (DHTML or JavaScript), it could run, spreading malware to your computer.

Problem Fixed No Need to Worry About Getting that Spam Email Message Any More

Fortunately, it didn’t take long for email providers to figure out and fix this vulnerability.

Now email is no longer treated as a webpage and so it won’t run JavaScript before the actual message is displayed (and not just previewed).

Okay, almost. There was still a vulnerability in Microsoft Outlook dubbed CVE-2020-16947 that allowed remote code execution when opening or previewing emails that contain malware.

Fortunately, Microsoft fixed this with a security update in October, 2020.

Your Personal Information is Still Not 100% Safe

That said, don’t think that your mail client and personal information are now completely safe.

You can still get hacked via a malicious attachment or a link from a phishing email.

To ensure that this doesn’t happen here are some email security tips to keep your inbox safe from bad guys:

• Use an end-to-end encrypted email like CTemplar to protect your confidential information in transit and at rest;
• Don’t send personal information via email;
• Create a filter for spam emails;
• Create a strong password to keep your email login credentials secure;
• Use two-step verification;
• Understand how phishing scams work and always inspect the sender’s email address;
• Don’t open malicious files or click on links in a suspicious email message;
• Never reply to a potentially dangerous email.

FAQ