Check Point Email Security | Blog

Dat's Bad Attack: Hackers Using .dat Files to Bypass SEGs

Written by Jeremy Fuchs | May 19, 2021

A .dat file is a generic file that is used in various applications. What's unique about them is that they can only be used by the application that created them.

For example, if a .dat file is created in Minecraft, it can be only used in Minecraft—it wouldn't make sense anywhere else. 

Avanan researchers uncovered an email attack that uses a .dat file to hide malicious content. Here's what it looks like:


There's nothing inherently malicious about this email as it appears, which is why it sailed past SEGs and into user inboxes. 

This .dat file was created using Outlook. So, once a user downloads and opens the file, if they have Outlook installed, it will immediately recognize and read the instructions inside the .dat file. The instructions in this particular .dat file say to extract the contents and display it as a new email. The contents are just simple HTML code, pretending to be a FedEx email:

This file contains a .zip file—and that's where the malicious file lies.

If the user were to then download that .zip file, they would be presented with this .xlsm file:

Because it is a .xlsm file, it's a macro-enabled Microsoft Excel file. If the user hits "Enable Content", then all havoc breaks loose.

This is a complicated attack and the hacker is hoping that the end-user goes through all the steps to fully execute the malicious file.

But it goes to show the lengths attackers will go to get to the inbox. And the attacker was able to sneak in malware using a .dat file that no scanner would find malicious.

Avanan caught this because our AI looked at the language used in the email, the historical reputation of the sender with the organization, and combined with the rarity of .dat files to deem this as malicious and block it from reaching the inbox.