Configuring Attachment Password Guessing

With Attachment Password Guessing, Cloud App Security attempts to find passwords in email content (subject, body, and attachment names) to access password-protected attachments, making it possible to detect any malicious payload in these files.

Attachment Password Guessing is available only after you turn on the Malware Scanning filter or Virtual Analyzer filter. This feature supports the following services, attachment file types, and email languages.


Attachment File Types

Email Languages

  • Exchange Online

  • Gmail

  • ZIP (by 7-Zip or PKZIP)


Cloud App Security uses the true file types instead of file extensions to identify file types.

  • English

  • Portuguese

  • German

  • Spanish

  • Italian

  • Russian

  • Czech

  • Polish

  • Bengali

  • Hindi

  • Chinese

  • Japanese

  • Korean

  • Vietnamese

  • Arabic

  • Hebrew

  1. Go to Administration > Global Settings > Attachment Password Guessing.
  2. Turn on Enable Attachment Password Guessing.

    Cloud App Security uses both predefined and user-defined password extraction rules to extract passwords from an email.

  3. Add user-defined password extraction rules.
    1. Under Custom Password Extraction Rules, click Add to define rules that you want Cloud App Security to use to extract passwords from an email.
    2. On the Add Custom Password Extraction Rule screen, use regular expressions to specify the following parameters:

      Make sure the regular expressions follow the expression formats defined in Perl Compatible Regular Expressions (PCRE). For more information on PCRE, visit the following website:

      • Preceding Text: The text preceding a password in an email.

      • Password: The password in an email.

      • Subsequent Text: The text following a password in an email.

    3. Optionally make the rule case sensitive.
    4. Input Test Data.

      Input the email content that you expect the rule to match.

    5. Click Test to verify that the rule can match the test data.

      The Test Result highlights the extracted password.

    6. Click Save.
  4. Click Edit to change a custom password extraction rule.
  5. Click Delete to delete one or multiple custom password extraction rules.