
Are MSG Files Dangerous? What You Need to Know About Email-Based Threats
5/1/2025 - Brian O'Neill


A File Format Built for Convenience

.MSG files are the native format for saved Outlook email messages. In many enterprise environments, they’re used to preserve important business communications, forward records between departments, and sometimes archive support tickets or client interactions for posterity.

Because .MSG files are familiar, easy to generate, and often implicitly trusted, enterprise platforms commonly let users upload saved messages to storage with little friction. That is especially true in legal, HR, and compliance workflows, where documentation of message traffic is often a requirement.

This convenience, however, carries a hidden risk: .MSG files are a commonly overlooked method for malware delivery in enterprise environments.

What’s Inside an .MSG File?

It’s easy to think of PDFs and DOCX files as complex “documents” and relegate .MSG files to “basic text containers” – but that’s a mistake.

Much like the other complex document formats used in enterprise environments, .MSG files can carry embedded attachments (e.g., executables, scripts, macro-enabled files), active links to malicious domains, HTML content (capable of executing in vulnerable .MSG viewers), spoofed headers, and deceptive metadata (e.g., falsified senders or timestamps, manipulated attachment names, hidden relationships with other message threads).

Under the hood, an .MSG file is an OLE2 Compound File: a miniature file system of storages and streams in which each MAPI property of the message (subject, sender, HTML body, transport headers) is its own stream and each attachment is its own sub-storage, which may in turn hold a complete embedded message with attachments of its own. That gives threat actors a layered container in which to bury the content described above, and one that an upload pipeline can easily wave through unexamined.

Common .MSG-Based Attacks

Threat actors frequently disguise malicious .MSG files as internal emails or invoices so they blend into the target enterprise's environment, for example by prefixing the subject with "FWD:" or "RE:" so the message appears to belong to an existing thread. Messages like these can hide links to credential-harvesting sites, or carry embedded attachments built to run the moment a recipient opens them in Outlook.

One .MSG-based attack in 2024 involved the distribution of malicious message files through legal file-upload portals. Each message carried a seemingly benign contract attachment; inside each attachment was a downloader trojan that quietly opened a backdoor into the target enterprise network.

Many of the message files in this case were initially cleared by basic antivirus (AV) tools: the payloads were nested several layers deep and encoded inside the .MSG container, so a signature-based engine that does not unpack the container had nothing to match against.

Why You Can't Rely on File Extensions or Simple Scanners

Many modern upload filters still rely on basic file-type rules or a conventional AV integration. For a complex container format like .MSG, neither is enough.

File-extension validation checks the label, not the contents. If we let .MSG files through an upload portal simply because they "look like emails", we are blindly trusting documents that can contain full malware payloads or phishing redirects. At a minimum, the upload should be checked for the compound-file header that every genuine .MSG carries, and each attachment it contains should be identified by its own content rather than by the name the sender gave it. If we would not blindly trust a PDF, we should not trust an .MSG either.

Signature-based AV tools, meanwhile, typically fail to unpack the embedded structure of a malicious .MSG file or to recognize when it contains links to known malicious domains. They remain effective at rapidly identifying weakly obfuscated threats, but they are not a comprehensive security solution by any means. Even sandboxing may miss the threat if the execution trigger sits several layers down, inside an attachment of an attached message, and is never detonated.
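The checks described in the last two sections, written out as an added example (this is not Cloudmersive's or Microsoft's code): verify the compound-file header that a genuine .MSG must carry, classify each attachment by magic bytes rather than by its declared name, look for right-to-left-override and executable-extension tricks in attachment names, compare the visible text of each link with the host its href really points to, and recurse into embedded messages with a hard depth limit. The Message and Attachment classes are assumed stand-ins for what a CFB parser such as olefile would return from the __attach_version1.0_# storages; the message tree, every byte string and every hostname below are constructed for illustration.

```python
"""Structural checks for an uploaded Outlook .MSG (added example, not Cloudmersive code).
A real scanner opens the CFB container (e.g. with olefile) and walks the
__attach_version1.0_#NNNNNNNN storages; the parsed tree is stood in for here by
Message/Attachment, and every byte string is a constructed sample."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file header; every real .msg starts with it
RTLO = "\u202e"                                  # Unicode right-to-left override, used to disguise extensions
SIGNATURES = [(b"MZ", "pe-executable"), (b"PK\x03\x04", "zip-container"),
              (b"%PDF", "pdf"), (CFB_MAGIC, "cfb-container")]
DANGEROUS_EXT = {"exe", "scr", "js", "vbs", "ps1", "hta", "wsf", "bat", "cmd", "lnk"}
DOMAIN_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

@dataclass
class Attachment:
    filename: str                           # PR_ATTACH_LONG_FILENAME, chosen by the sender
    data: bytes = b""                       # PR_ATTACH_DATA_BIN
    embedded_msg: "Message | None" = None   # set when PR_ATTACH_DATA_OBJ holds a nested message

@dataclass
class Message:
    subject: str
    html_body: str = ""                     # PR_HTML, decoded
    attachments: list = field(default_factory=list)

def is_msg_container(upload: bytes) -> bool:
    """A '.msg' label proves nothing; the CFB header is the first real check."""
    return upload.startswith(CFB_MAGIC)

def sniff(data: bytes) -> str:
    """Classify attachment content by magic bytes, ignoring the declared name."""
    return next((kind for magic, kind in SIGNATURES if data.startswith(magic)), "unknown")

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str) -> list:
    """Flag anchors whose visible text is a URL or domain that differs from the real href host."""
    parser = _Links()
    parser.feed(html)
    flagged = []
    for href, text in parser.pairs:
        if DOMAIN_RE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname or ""
            if shown != real:
                flagged.append(f"link shows {shown} but goes to {real}")
    return flagged

def scan_message(msg: Message, depth: int = 0, findings=None, max_depth: int = 5) -> list:
    """Recursively inspect body links and attachments, with a hard nesting limit."""
    findings = [] if findings is None else findings
    findings += [f"depth {depth}: {f}" for f in suspicious_links(msg.html_body)]
    for att in msg.attachments:
        label = f"depth {depth}: attachment {att.filename!r}"
        ext = att.filename.lower().rsplit(".", 1)[-1] if "." in att.filename else ""
        if RTLO in att.filename:
            findings.append(f"{label}: right-to-left override in filename")
        if ext in DANGEROUS_EXT:
            findings.append(f"{label}: executable/script extension .{ext}")
        elif sniff(att.data) == "pe-executable":
            findings.append(f"{label}: content is a PE executable but name claims .{ext}")
        if att.embedded_msg is not None:
            if depth + 1 > max_depth:
                findings.append(f"{label}: nested deeper than {max_depth} levels, not descending")
            else:
                scan_message(att.embedded_msg, depth + 1, findings, max_depth)
    return findings

# Constructed sample: a forwarded "contract" thread, two messages deep.
SAMPLE = Message(
    subject="RE: Contract for signature",
    html_body='<p>Review it here: <a href="https://login.harvest.example/">portal.example.com</a></p>',
    attachments=[
        Attachment("Contract.pdf", b"MZ\x90\x00" + b"\x00" * 60),         # PE payload named as a PDF
        Attachment("FWD original.msg", CFB_MAGIC, embedded_msg=Message(
            subject="FWD: Contract",
            attachments=[Attachment("scan" + RTLO + "fdp.exe", b"MZ")],   # renders as 'scanexe.pdf'
        )),
    ],
)

def scan_sample() -> list:
    return scan_message(SAMPLE)
```

Running scan_sample() on the constructed thread yields four findings: the link whose text names one host while its href goes to another, the "PDF" whose bytes are a PE image, and, one level down inside the forwarded message, an attachment name carrying a right-to-left override and an .exe extension. The depth limit matters in practice: a message that nests messages indefinitely is a cheap way to exhaust a recursive scanner, so the scanner records that it stopped rather than silently treating the unexamined levels as clean.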

Deep Content Verification with Cloudmersive

The Cloudmersive Advanced Virus Scan API scans .MSG files in a way that addresses what they really are: dynamic, layered documents with embedded behaviors.

For every .MSG file, the Advanced Virus Scan API parses the internal structure and uncovers all message components. It then extracts and scans attachments recursively, no matter how many layers deep that goes. All links in the email body (and its HTML sections) are inspected by a dedicated website-scanning component, and payloads obfuscated in the ways that tend to evade traditional AV tools are flagged.

This isn’t just metadata validation; it’s structural and behavioral analysis designed to uncover deeply hidden threats before the .MSG file ever reaches a sensitive web server or user-accessible file storage location.

In Conclusion: Don’t Assume .MSG = Safety

The key takeaway here: files that “look like emails” aren’t implicitly safe. Outlook message files are more than just text containers — they’re complex, full-fledged documents that can quietly deliver scripts, payloads, and phishing attempts right past our front door the same way PDF and Office documents can.

Given that email is consistently one of the most-used business tools and one of the most common cyberattack vectors, scanning .MSG files with a basic AV engine just won't cut it.

If you’re interested in learning more about the Cloudmersive Advanced Virus Scan API capabilities and deployment options, please feel free to contact a member of our team.
