Skip to main content
Skip to main content
Microsoft Security

JavaScript-toting spam emails: What should you know and how to avoid them?

  • Microsoft Defender Security Research Team

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents. Every month, Windows Defender AV detects non-PE threats on over 10 million machines.

Learn how machine learning drives next-gen protection capabilities and cloud-based, real-time blocking of new and unknown threats:

Machine learning vs. social engineering

We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign, or completely random:


Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way in your PC after a successful social engineering trick. In bag of tricks are attachment file names intentionally crafted to pique any person’s curiosity (finance-related, etc.).

The JavaScript attachments are heavily-obfuscated to avoid antivirus software detections. It consists of a download and execute function paired with one or two URLs hosting the malware.


Figure 2: Sample code and URL



Figure 3: Another code sample



Figure 4: Another code sample



Figure 5: Another code sample


In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.


Figure 6: An example of a JavaScript attachment and a dummy file



Figure 7: Another example of a JavaScript attachment and a dummy file


These URLs are mostly short-lived. But when successfully downloaded, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds in its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document, and another click to enable the macros.

On the other hand, the JavaScript attachments only takes one or two clicks for it to start executing.

It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js or .jse extension) via email. You should be wary of it and should not click or open it.



Figure 8: A screenshot of how the JavaScript attachment gets executed.


Same stuff, new package

It has been a common vector for malware to spread through email attachment. In the past months, we have seen Office file attachments that contains malicious macro. The code is simple and straightforward, it’s main objective is to download and execute other malware, such as password stealers, backdoors and ransomwares.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people’s curiosity – enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.



Figure 9: A screenshot of a sample bank-related email spam.



Figure 10: A screenshot of a sample remittance-themed email spam.



Figure 11: A screenshot of a sample invoice-themed email spam.



Figure 12: A screenshot of a sample resume-themed email spam.



Figure 13: A screenshot of a shipment notification-themed email spam.



Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey from those JavaScript-toting-emails’ social engineering tricks

See some of the related blogs and threat reports:

Alden Pornasdoro


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.