Gmail now blocks all JavaScript email attachments

As of earlier this week, anyone who tries to send a .js (JavaScript) file attachment via Gmail will be out of luck, as they’re now on Google’s list of restricted file types for attachments.

That means that GMail users can’t send or receive emails with .js file attachments. Anyone sending a .js file to a GMail user will find their email bouncing back to them with an explanation of why it wasn’t delivered.

JavaScript joins an ever-growing list of file types, including .exe and .bat files, that Gmail won’t allow.

This change might prove to be a minor annoyance to a few website or JavaScript developers, but this is very good news for the rest of us. It seems that users might finally be getting wise to the threat of malicious Microsoft Office files and last year we saw a noticeable rise in malicious JavaScript email attachments.

Attackers switched to using JavaScript files because they know many Windows users’ computers are configured to run them by default using Windows’ Windows Script Host (WSH), granting the malicious script a lot of the same run privileges as an executable.

Regardless of the operating system you run, we strongly recommend enabling the view of file extensions (so often hidden by default!) so you can see exactly what kind of file type you’re dealing with, mitigating the risk of running a malicious file by accident.

For Windows users, we also recommend changing the Windows default behavior to open JavaScript files (.js, .jse) with Notepad, and not WSH. You can read instructions on how to make both these changes at the bottom of our article on ransomware in your inbox.

If you try to send an email with a .js attachment, Gmail will give you an error message letting you know that your file type isn’t allowed and was “blocked for security reasons”. As an alternative, Google will suggest using outside storage, like Google Drive or Dropbox, and linking to the file from within the email. (There’s no getting around this by zipping up your file either, as Google will take a look inside the compressed file to check.)

Don’t fall for malicious email tricks

With GMail users unable to receive malicious .js files attackers may switch tactics again so it’s important to stay wary of both emails with attachments and those without.

Remember that attackers cam control or fake almost every detail of an email so you can’t rely on any of the information you’ve been sent, whether it’s a link, a phone number or who the email’s from.

Some attackers will help you out by raising red flags with poor spelling, a sense of urgency (your account has been locked, your bill is overdue!), dodgy domains or suspiciously shortened links but some won’t. The crooks know that keeping it simple works and they how to copy and paste from legitimate emails.

If an email purports to come from an organization or person you know verify the email’s legitimacy by contacting the (apparent) sender directly.

If they want to talk to you find a number in your address book or on their website that you can call. If the email contains links that appear to go to their website, especially if it’s asking you to log in, don’t click on them. Ignore the links in the email and go directly to their website by typing their address in your browser or searching for them.