News & Stories

Apple Mail and Gmail are terrible at flagging malware, study finds

Ray Fernandez

Apr 12, 20244 min read

Apple Mail and Gmail are terrible at flagging malware, study finds: Header image

Consumer trust in big tech is not as high as it used to be, yet when it comes to email, billions of users trust Apple Mail, Gmail, and other providers every day without a second thought. But what if that trust is misplaced?  

Recently, SquareX Labs revealed that all of the top email providers, including Apple iCloud Mail, failed in their antimalware scans. SquareX called on email vendors to “publish details of their scanning technology’s limitations” and warn users about the dangers.

Apple and other email platforms fail to provide basic antimalware protection  

During the development of a new browser-native security product that could detect and mitigate attacks and malicious attachments, SquareX researchers Dakshitaa Babu and Govind Krishna discovered that Gmail, Outlook, Yahoo, AOL, and Apple iCloud Mail all failed to recognize known malware. 

Researchers were shocked to discover that most of the malware attachment documents they sent in emails using ProtonMail successfully evaded the malware and security scans of top email providers. 

“It genuinely scared us that it was this easy,” SquareX researchers said. 

A screenshot of the Apple iCloud Mail sign-in page.
Apple iCloud Mail was one of the top email providers that failed to identify basic malware in email attachments, according to SquareX. iCloud and Apple Mail are trademarks of Apple Inc.

The SquareX test: Sending malicious email attachments

SquareX distributed malicious documents to test “various entry points into a user’s computer.” 

“This approach helped us emulate the real-world workflows users experience daily in their browsers,” SquareX Labs explained. 

The proactive security test collated 100 malicious document samples under 4 groups. The first group included malicious, non-modified documents from MalwareBazaar. MalwareBazzar is a platform where malware samples are shared between the infosec community, cybersecurity researchers, and threat intelligence providers. 

The second group included slightly altered malware, also from MalwareBaazar, while the third group was composed of malware that was modified using attack tools that have existed for many years. Finally, the fourth group was custom-built but were basic macro-enabled documents that execute programs on user devices.

SquareX then sent these malware samples as attachments to different top email providers’ accounts. 

The results: Malware attachments slipped through cybersecurity guardrails

Square set clear criteria for what a successful attack implied during their test. If the sent email was delivered without any warnings or blocked by any provider, the attack was considered unsuccessful.

Shockingly, these email providers’ antimalware scans failed to detect, flag, or block malicious .pptx, .doc, .xls, and .xlsx files that are well-known in the cybersecurity community. These are files that should be included in scanning databases.

Additionally, custom-built malicious files flew past all security guardrails despite being unsophisticated malware.

All email providers studied delivered this malware sample without any warning. Since SquareX disclosed its findings, only Gmail has flagged this sample as malicious.

Zero-day defense falls apart 

Like other email providers, Apple’s policy says that the company scans email attachments for “known malware.” This phrase, “known malware,” represents the go-to defense strategy used by email providers when they are confronted with new attacks that bypass their email security guardrails.

The argument of zero-day defense is simple. Zero-day attacks exploit unknown vulnerabilities. Therefore, all mechanisms that are in place to protect users fail because these can only respond to known threats.

However, SquareX research showed that these email providers did a poor job of flagging malware even when attacks were well established and known.

Additionally, while companies stay busy responding to zero-day threats with new patches, this vector is not what drives phishing, nor attacks that leverage malware attachments via email.

Is human error driving cyberattacks, or are email providers partially to blame? 

The SquareX research test paints a concerning picture and provides data-driven depths and perspectives that could change our understanding of the top cybercriminal attack vectors. It also shines a light on the escalation of breaches, as well as spyware and ransomware incidents. 

Cloudflare’s 2023 phishing threats report states that an estimated 90% of all successful attacks start with email phishing. From May 2022 to May 2023, Cloudflare processed 13 billion emails and blocked approximately 250 million malicious messages from users’ inboxes. 

Only 1.9% of those blocked included malicious attachments. 

The implication is that often-cited cybersecurity mantras blaming human error for the acceleration of attacks, using phrases like “all it takes is for one person to click on a link or download a malicious file,” miss the point.

While end users do play a large role in protecting their own security and privacy, if top email providers fail to block simple malware attachments sent via email, the blame can no longer fall entirely on the shoulders of users. 

In reality, despite the abundance of phishing cybersecurity reports that exist, few of them offer details on malware attachments sent through email providers.

Companies like Google, Microsoft, and Apple often release communications related to large numbers of emails processed and scanned, including the number of attacks that have been stopped. However, these reports also offer little information on email malware attachment incidents.   

Conclusion: Increased transparency is needed

SquareX called for email providers to be more transparent about their technologies and processes. Moonlock joins this call and adds that information on the effectiveness of email antimalware scanning and antiphishing performance reports is owed to the public and the industry. 

One thing is certain. If 9 out of 10 cyberattacks start with phishing, leading global email providers could be doing more to bring those numbers down. Until more information is made available and technologies, processes, and policies are updated, users will have to step up and close the email security gaps themselves.

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. or Google LLC. Apple Mail and iCloud are trademarks of Apple Inc. Gmail is a trademark of Google LLC.

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.