I didn’t click a suspicious link. I didn’t download an attachment labeled “malware.” I just opened a conference invite.
That is exactly how Turkish defense contractors were targeted this year: through .lnk shortcut files disguised as government documents and conference materials.
Attackers didn’t need zero-days—just a believable file name and a shortcut that looked like a spreadsheet.
The payload? A multi-stage infection chain built from PowerShell, scheduled tasks, and even a legitimate VLC media player executable used to side-load a malicious DLL that delivered the remote access tool, without ever showing a single pop-up.
The Patchwork APT group (aka Dropping Elephant) used this exact tactic in a spear-phishing campaign targeting Türkiye’s defense industry.
While the details of this campaign are specific, the delivery method (a malicious file riding inside an everyday-looking email) is part of a much broader trend. Email remains the primary vector for these stealthy payloads, and defending against them requires security that looks past the surface of an attachment.
In this blog, we’ll break down how .lnk files are abused, why shortcut-based payloads are growing in popularity, and why most email defenses still don’t catch them.
What LNK Files Are and Why They’re Dangerous
A .lnk file is a Windows shortcut. It is not a document and holds no document content. What it does hold is a target path, optional command-line arguments, a working directory, and an icon to display, and Windows runs that target with those arguments the moment you double-click it.
That’s the problem.
Attackers weaponize those shortcuts by pointing them at a program that already exists on every Windows machine, such as PowerShell, cmd.exe, or mshta.exe, and hiding the real instructions in the shortcut's command-line arguments. Instead of opening a document, a malicious LNK file launches a script host, contacts a remote server, or quietly installs malware. Everything happens behind the scenes. The user sees what looks like a harmless file; whether Windows shows its "Open File - Security Warning" first depends on whether the shortcut still carries the Mark of the Web, and attackers choose delivery containers precisely to strip it. Either way, nothing on screen says what the shortcut is about to run.
To make detection harder, these files are rarely sent on their own. They are usually bundled inside a .ZIP archive and given familiar names like Resume.lnk, Schedule.lnk, or Q3_Update.lnk. As soon as one is opened, the attack chain begins. And because Windows Explorer never displays the .lnk extension (the lnkfile class is registered with NeverShowExt, so this holds even when "Hide extensions for known file types" is turned off), a file named Invoice.pdf.lnk appears simply as Invoice.pdf, wearing whatever icon the attacker chose for it.
This is an old trick making a comeback now that Office blocks macros in files downloaded from the internet by default. The shortcuts arrive in phishing emails under fake display names or look-alike domains, or with a spoofed sender address that makes the message appear to come from inside the organization. Learning how to identify phishing emails with attachments like these is now essential.
What makes a malicious LNK file so effective is that it does not rely on a software vulnerability at all. It uses documented, trusted system behavior (a shortcut is allowed to start a program with arguments) to stay under the radar. That is what makes it one of today's more persistent email security threats.
Why Most Email Filters Miss Them
Most email filters weren’t built to catch this.
They scan for known threats, block certain file types, or flag sketchy links. That’s fine for older attacks. But a .lnk file inside a zipped folder with a name like Schedule.lnk won’t set anything off.
A malicious LNK file contains no malicious code of its own for a signature to match: the target is a legitimate, signed Windows binary, and the harmful part is a command line that the attacker can obfuscate, base64-encode, or pad with hundreds of spaces so that the Target field in the Properties dialog shows nothing unusual. If it is zipped and sent from a fake email address, it gets through, especially when the extension is hidden and the sender looks like someone inside the company.
These phishing emails don't fit the pattern filters were built for. There's no link to click, no form to trick you. Just a shortcut that behaves like email attachment malware, and most filters aren't watching for that.
Some tools are built to inspect compressed attachments and catch shortcuts that behave like malware. Guardian Digital uses a multilayered defense approach to detect threats that slip past traditional email security systems.
This is what filtering has to look like now. Otherwise, shortcuts slip through.
Other File Types Being Abused in Phishing
Attackers are moving away from macros and turning to formats that email filters don’t treat as dangerous. These files don’t need exploits. They just need to look familiar and carry something hidden.
| File Type | What It Does | How It's Used in Phishing |
|---|---|---|
| .LNK | Runs a target program with attacker-chosen arguments | Disguised as résumés, calendars, or internal docs |
| .ISO | Mounts as a virtual drive holding executables; files inside historically arrived without the Mark of the Web | Bypasses filters by packaging full programs or scripts |
| .HTML | Renders forms and scripts in the browser | Delivers phishing login pages that mimic real websites |
| .SVG | Can carry embedded JavaScript | Delivered as fake invoices or purchase orders |
| .ZIP | Hides whatever's inside | Bundles malicious files, including malicious LNK files |
This shift isn’t temporary. These file types are now part of the standard phishing playbook. Recognizing them is a critical part of modern email security.
How to Protect Against These Attacks
You can’t stop what you don’t recognize. So, start with the basics:
- Block .lnk file attachments at the email gateway. They’re rarely needed in business and often carry hidden commands.
- Scan inside compressed files like .ZIPs (and ISO images), and parse any shortcut you find. A buried .lnk whose target is PowerShell, cmd.exe, or another script host, or whose arguments are encoded or padded with whitespace, shouldn't pass undetected.
- Train users to spot unexpected attachments. A file called Resume.lnk or Invoice_Update.lnk probably doesn’t belong in their inbox. Knowing how to identify phishing emails like these can make the difference.
- Watch for behavior, not just signatures. Most email attachment malware doesn’t announce itself. Filters need to analyze how files act, not just what they’re named.
- Flag spoofed senders. Many of these attacks rely on email spoofing to make the message look internal when it isn’t.
Email security platforms that combine real-time attachment scanning with behavioral analysis are better equipped to catch threats like these before they land in a user’s inbox.
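Here is what "scan inside the archive and parse the shortcut" looks like in practice. This is an added example written for this post, not Guardian Digital's product code: a small Python triage script that walks a ZIP, parses each .lnk according to Microsoft's MS-SHLLINK layout, and flags the traits described above (a script-host target, encoded or hidden-window arguments, whitespace padding, a document icon on a script shortcut, and a double extension). The two shortcuts and the archive it scans are constructed inline so it runs offline; the keyword lists, the 32-space padding threshold, and the sample file names are assumptions to tune for your environment.

```python
"""Static triage of Windows .lnk attachments (MS-SHLLINK), including ones buried in a ZIP.
Added example for this post; not Guardian Digital code."""
import base64, io, re, struct, zipfile

# LinkFlags bits (MS-SHLLINK 2.1.1) and the EnvironmentVariableDataBlock signature (2.5.4)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
ENV_BLOCK_SIG = 0xA0000001
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Script hosts and LOLBins that an emailed shortcut has no honest reason to target (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
SUSPICIOUS_ARGS = re.compile(r"(-enc\w*\s|-e\s|frombase64string|\biex\b|invoke-expression|"
                             r"downloadstring|-w(indowstyle)?\s+hidden|bypass|schtasks)", re.I)
DOC_ICON = re.compile(r"(excel|winword|powerpnt|acrord32|imageres|shell32)", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpg|png)\.lnk$", re.I)

def parse_lnk(data: bytes) -> dict:
    """Return the string fields of a shortcut; raise ValueError if it is not a Shell Link."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields, pos = {}, 76
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: size-prefixed; may carry LocalBasePath
        size, _, li_flags, _, lbp_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:
            fields["local_base_path"] = data[pos + lbp_off:data.index(b"\x00", pos + lbp_off)].decode("latin-1")
        pos += size
    # StringData: fixed order, each a u16 CountCharacters followed by the characters (no terminator)
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:
            n, width = struct.unpack_from("<H", data, pos)[0], (2 if flags & IS_UNICODE else 1)
            raw = data[pos + 2:pos + 2 + n * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n * width
    # ExtraData: (u32 size, u32 signature) blocks until a terminal block shorter than 4 bytes
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIG and size == 0x314:   # 260 ANSI bytes, then 520 UTF-16 bytes
            fields["env_target"] = data[pos + 268:pos + 788].decode("utf-16-le").split("\x00", 1)[0]
        pos += size
    return fields

def assess_lnk(data: bytes, filename: str = "") -> list:
    """Return the findings for one shortcut; an empty list means nothing stood out."""
    f = parse_lnk(data)
    targets = [f[k] for k in ("relative_path", "local_base_path", "env_target") if f.get(k)]
    exe = targets[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if targets else ""
    args, icon = f.get("arguments", ""), f.get("icon_location", "")
    checks = [
        (exe in SCRIPT_HOSTS, f"target is a script host: {exe}"),
        (bool(SUSPICIOUS_ARGS.search(args)), "arguments carry encoded/hidden-execution markers"),
        (len(args) - len(args.lstrip()) > 32, "leading whitespace pushes the command out of the Properties view"),
        (exe in SCRIPT_HOSTS and bool(DOC_ICON.search(icon)), "document-style icon on a script-host shortcut"),
        (bool(DOUBLE_EXT.search(filename)), "double extension; Explorer never displays .lnk, so it looks like a document"),
    ]
    return [msg for hit, msg in checks if hit]

def scan_zip(zip_bytes: bytes) -> dict:
    """Map every .lnk entry in an archive to its findings (nested archives are not followed here)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: assess_lnk(zf.read(n), n) for n in zf.namelist() if n.lower().endswith(".lnk")}

def build_lnk(relative_path: str, args: str, icon: str, env_target: str) -> bytes:
    """Assemble a minimal Unicode shortcut; used only to construct sample input for this example."""
    flags = HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    out = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20) + b"\x00" * 24      # archive attr, 3 FILETIMEs
    out += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)   # FileSize, IconIndex, SW_SHOWMINNOACTIVE, HotKey, reserved
    for s in (relative_path, "C:\\Windows\\System32", args, icon):
        out += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    env = env_target.encode("latin-1").ljust(260, b"\x00") + env_target.encode("utf-16-le").ljust(520, b"\x00")
    return out + struct.pack("<II", 0x314, ENV_BLOCK_SIG) + env + struct.pack("<I", 0)   # ends with TerminalBlock

# Constructed samples: Invoice.pdf.lnk mirrors the spreadsheet-icon + hidden PowerShell pattern the post
# describes (the encoded command is only Write-Host); Readme.lnk is an honest shortcut to Notepad.
ENCODED = base64.b64encode("Write-Host demo".encode("utf-16-le")).decode()
EVIL_LNK = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                     " " * 300 + "-w hidden -nop -ep bypass -enc " + ENCODED,
                     "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                     "%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
BENIGN_LNK = build_lnk("..\\..\\..\\Windows\\notepad.exe", "", "%SystemRoot%\\notepad.exe", "%windir%\\notepad.exe")

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Conference_Invite/Invoice.pdf.lnk", EVIL_LNK)
        zf.writestr("Conference_Invite/Readme.lnk", BENIGN_LNK)
    return buf.getvalue()

if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        print(name, "->", findings or ["clean"])
```

Run it and the Invoice.pdf.lnk entry reports five findings while Readme.lnk comes back clean. A gateway hook would call scan_zip on the decoded attachment, descend into ISO images and nested archives as well, and quarantine on any finding about the target. The caveat is that this is static triage: a shortcut whose target is an innocuous signed binary that then side-loads a DLL (the VLC trick from the campaign above) only reveals itself at runtime, which is why behavioral analysis belongs alongside a parser like this rather than in place of it.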
Modern Defenses for Modern Threats
.LNK-based attacks aren’t new. But now that macros are mostly gone, attackers are bringing them back.
A shortcut doesn’t need a zero-day. Just the right file name and someone to open it.
These files land quietly. They come through email, bundled in zips, sent from a fake email address, and disguised as something routine. Most users won’t think twice.
Many email filters won't either. They don't open the archive, parse the shortcut, or follow what it tries to run once it's opened.
That’s the gap attackers are counting on.
Knowing how to identify phishing emails with file-based payloads like this has never been more important. A malicious LNK file doesn’t look like a threat. But it behaves like one — and it slips through filters that rely on rules and file names.
Protection today means watching how a file behaves, not just what it’s called.
That’s the kind of threat detection Guardian Digital was built to handle.
Still have questions?
Here’s what people ask most often about LNK files and email security.
What Is a .lnk File, and How Is It Used in Phishing?
A .lnk file is a Windows shortcut. It tells your system what to run when you click it. That’s what makes it useful—and dangerous. Attackers use malicious LNK files to run hidden commands, launch PowerShell, or install malware. You won’t see anything suspicious. It looks like a regular file. These shortcuts often show up in phishing email examples, disguised as résumés or event invites, and start the infection chain the moment they’re opened.
Why Do Email Filters and Antivirus Tools Often Miss Malicious LNK Files?
Most filters scan for known threats or block by extension. That doesn’t work here. A shortcut file inside a ZIP, sent from a fake email address, won’t trigger anything. There’s no obvious link, no form to fill out. Just a shortcut that behaves like email attachment malware, and most systems aren’t looking for that. If it uses email spoofing or looks internal, it’s even more likely to slip through.
What Are The Best Ways To Detect and Defend Against LNK-based Threats?
Block shortcut files at the gateway. Scan attachments for embedded commands. Train users not to open unexpected files, even if they look familiar. Stopping attacks like these means watching what a file does, not just what it’s called. That’s the difference between basic filtering and true protection. It’s also how to stay ahead of evolving email security threats and know how to identify phishing emails before they land.