Yes, You Can Get a Virus from Opening an Email. Here’s How

June 10, 2024 • Shannon Flynn

Advertisements

Usually, you can only get a virus if you click on an attachment or link. However, there’s a slight chance simply opening the message will trigger a zero-click exploit. So, how exactly can you get a virus from opening an email — and what can you do to stay safe?

Can You Get a Virus From Opening an Email?

The short answer is yes, you can technically get a virus from opening an email. Cybercriminals can embed malicious code — Trojans, viruses or worms — in attachments or the email itself. 

However, there’s a catch — most email clients don’t allow scripting. Years ago, Microsoft allowed code to run in Outlook. Threat actors used to trick its renderer into executing the code by making the email itself an HTML message. In those cases, viruses were downloaded onto victims’ devices without any action on their side. 

Of course, the code was malicious — meaning the answer to the question, “Can you get a virus from opening an email?” used to be a definite yes. Microsoft has since fixed this Outlook vulnerability, and most email clients no longer allow JavaScript. While some allow HTML or CSS, they’re much more attentive to security. 

However, that doesn’t mean that getting a virus from opening an email is impossible. Hackers constantly evolve to find new security weaknesses and vulnerabilities. Plus, technological advancements like AI make it easier than ever for them to find new, inventive workarounds.

How Can You Get a Virus from Opening an Email?

There are multiple ways opening an email could infect your computer with a virus. 

Resident Virus Infection

While typical computer viruses can only execute if you perform a certain action, a resident virus activates when you open a file or run a program. Basically, it can install itself as soon as you click on an infected email. It can infect any file you run because it hides in your PC’s memory, making it particularly nasty. 

Spy Pixel Tracking

Spy pixels — also known as web beacons or tracking pixels — are 1×1 images or GIFs hidden in an email’s body. Since they’re small and match the email’s background color, they’re basically invisible. You don’t have to interact with it for it to track you.

These spy pixels are embedded into most emails you get. Brands usually use them to track whether you’ve seen their messages or if you’re interested in promotions. While they’re typically harmless, any tool can be dangerous in the wrong hands.

Cybercriminals can see what time you open the email, where you’re located, your device OS and your IP address. While most email clients prevent image attachments from automatically downloading, threat actors might be able to get enough information to launch follow-up attacks.

Viruses in Images

Images can contain viruses if they use stenography — the practice of hiding information within information. It’s kind of like using a code word with your friend to signal they need to come pick you up from a bad date. 

The image won’t look suspicious since all their changes happen in the background and don’t affect on-screen pixels. Threat actors can attach malware to the end of an image’s file, alter its metadata or make slight code tweaks. 

When you open the email and the image loads, the exploit activates — and your PC gets infected with a virus. Usually, email clients like Gmail, Outlook and Apple Mail scan attachments like this to make sure they’re safe. However, no method is 100% foolproof.

Vulnerability Exploits 

Threat actors can exploit email clients’ security vulnerabilities to give you a virus once you open an email. This isn’t a hypothetical, either — it’s happened as recently as 2023. Researchers discovered they could trick the system into trusting a sound file from a malicious server. 

Once they exploit that vulnerability, they can use another — a reminder with a custom notification sound — to auto-play the sound file as soon as the recipient opens the email. At this point, the code executes on the victim’s machine.

So, Should You Be Concerned About Viruses?

Although you can technically get a virus from opening an email, the chances of that happening are low. Most email clients scan every incoming message and attachment for viruses and suspicious code before it arrives in your inbox.

You might be asking yourself, “But wait, how can you get a virus from opening an email if email clients scan for viruses?” The answer is simple — no defense is impenetrable. Like we pointed out earlier, hackers are constantly finding ways to poke holes in defenses.

Having said that, the chance an average person gets a virus from opening an email is still relatively low. Threat actors prefer to target high-ranking, well-connected and wealthy targets to get the most money for their troubles. 

While a widespread campaign is complex and costly, a targeted attack is efficient and more likely to succeed. Threat actors only get a small window of time before their exploit is patched or their new virus is cataloged, so they don’t want to waste resources.

You shouldn’t brush off the possibility of getting a virus from opening an email, though. If the 2023 Outlook exploits are anything to go off of, there’s always a slight chance threat actors could be experimenting with new methods.

Steps to Take to Protect Yourself from Viruses

There are a few you can protect your PC from zero-click email viruses.

1. Make Images Ask to Be Displayed

Images automatically display in some email clients by default. In most cases, you can turn this feature off in the settings. For instance, in Gmail, you scroll down to Images and click Ask before displaying external images

A screenshot of Gmail settings

2. Enable Message Previews 

You should also consider enabling message previews so you don’t have to click on emails to see if they’re scams. In Gmail, you scroll to the Snippets section in the settings and select Show snippets

A screenshot of Gmail settings

3. Contact the Sender Before Opening

If you received an email from someone you know but you weren’t expecting one, reach out to them through text, call, or direct messages and ask if they sent you something. This can prevent you from unintentionally downloading a virus or getting phished by a hacked account.

4. Delete Messages From Unfamiliar Senders

If you received an email from an unfamiliar sender, deleting it is the safest bet. Cybercriminals may know your email address because your information leaked on the dark web. Besides, if it’s legitimate, they’ll often follow up later or contact you another way.

The Bottom Line on Zero-Click Email Viruses

Hopefully, we’ve answered the question, “Can you get a virus from opening an email?” adequately. While they’re technically possible, most email clients do everything in their power to prevent them from making their way to you. However, things fall through the cracks sometimes. Generally, it’s better to be safe than sorry — and trust your gut if you get a suspicious message.

Recent Stories

Follow Us On

bg-pamplet-2