I would like to know why is it considered to be dangerous to open an email from an unknown source?
I am using Gmail and I thought it's only unsafe to download an attachment and run it.
The first thing that came into my mind was what if the email text contains XSS JavaScript code but I am sure that every email provider has protected their site from getting XSS-ed.
What is going on behind the scenes when you get infected just by clicking on email and reading its content, for example on Gmail?
`
– Xavier59
Sep 05 '16 at 10:05
There is a small risk of an unknown bug — or a known but unpatched one — in your mail client allowing an attack by just viewing a message.
I think, though, that this very broad advice is also given as a defense against some types of phishing scams. Social engineering attacks are common and can lead to serious trouble. Making sure people are at least suspicious is a first line of defense. It is like telling an elderly grandparent to never give their credit card info over the phone — okay, sure, there are plenty of circumstances where doing that is relatively safe, but when they keep getting scammed over and over, it's easier to just say: don't do it.
Likewise, not opening mail keeps you from reading about the plight of an orphan in a war-torn region who has unexpectedly found a cache of Nazi gold and just needs $500 to smuggle it out and they'll share half with you, and your heart just goes out, and also that money wouldn't hurt.... Or, while you know the rule about attachments, this one says that it's pictures of the cutest kittens ever, and how can that be harmful — I'll just click it and okay now there are these boxes saying do I want to allow it, which is annoying because of course I do because I want to see the kittens....
Not for gmail, but for Outlook there have been a number of "preview pane" exploits where simply looking at the email is enough to compromise: Can malware be activated by previewing email in Outlook's Preview pane?
Even if nothing actively bad happens, many passively bad things can happen -- for example, you might view a one pixel transparent image tagged with your email address that flags you as the kind of person who opens and reads suspicious email. Those are lists that you don't want to be on.
Take the example of Gmail. Incoming email is pushed through mail filters, or milters. Each of these milters assesses the email based on characteristics. For example, sender status, SPF, DKIM, domain reputation, greylist, spamlists, contents, etc.. If the mail is not already rejected at this point, it will reach the antivirus scanner.
The scanner simply detaches the files in the mail content, and matches them with virus definitions. In the case of Gmail, archives are also unpacked to scan individual files. When no threats are found the email will be stored in your email folder.
However, this works great but Gmail cannot protect you from all threats. Strange compression formats or encrypted files can still slip through. XSS is highly unlikely because these type of exploits are recognized quite fast, either by Gmail or the browser. The best chance of infection is though a local mail client using extensions (eg. CVE-2015-6172) to load attached content.
Generally it should be safe to view an email, but software is complex and very rarely perfect.
Although good software makers will try to make sure they display all emails in a safe way they have certainly made mistakes. When these bugs are discovered people will send crafted emails that exploit the bugs in some way and may install malicious software on your computer or do other unpleasant things.
A new bug could be discovered today in either Gmail or the web browser you use, and someone might send an email that exploits that bug before you get an update that fixes the bug.
The danger increases substantially if you use an old or unmaintained web browser or email client.
There are ways to know you opened an email (for example, Mixmax is a Chrome's extension which tracks emails sent via Gmail by embedding a 0 length hidden image in the email's body).
Even when you do not allow images to be loaded automatically (when in Gmail you see at the top of the email a link with "Display images below"), if HTML is loaded, you're allowing possible exploiters to know you're reading them, which is a go-ahead for email-spam bombardment.
Therefore, answering the "why" question with another question: is it risky to open and load an unknown email with embedded HTML in it?
Other email clients that do not thoroughly block images of opened emails will also send the data when you open them.
Malicious links account for a majority of exploitation today. Malicious code (javascript mostly) is specially crafted to execute unwanted code via your browser. Just last week we saw the 3 iOS 0-days (see Trident/Pegasus) which started from a malicious email and possibly has been in the wild since 2014 (from security now) These links were even "one time use" links, had support for every iOS since 7, and was able to "jailbreak" the iOS remotely. My point is, I wouldn't worry about the actual "content" of the message so much as clicking on images or links in the email. While yes, there are tricks to loading scripts via image loading (or the like), modern browsers and emails clients have the ability to prevent scripting, so you can just turn that off. Solved.
The reality is that programs process data. These programs may contain bugs causing the program to behave completely differently than intended. Usually what happens in such circumstances is that the program will either be terminated by the operating system or just engages in random non-harmful behaviour. However, everything a program does is technically still deterministic (unless randomness is involved) - so what a program actually does when encountering data it processes wrong is deterministic thus attackers are able to construct data in a way to control exactly what the program does.
When receiving e-mails, your e-mail client is already processing data, so there's a good chance that an attacker can gain control of your e-mail program just by sending an e-mail to you - no matter if you actually look at it. The e-mail program will download the e-mail and, for example, display the Subject to you. When you open the e-mail, your e-mail client will likely do even more things, such as parsing the HTML in the e-mail, displaying the contents, displaying images etc. In everything it does (from parsing HTML, to rendering images, to rendering text, to downloading e-mails, to display the Subject), there can be a bug in it.
Opening a suspicious e-mail is only riskier because more stuff is processed when you actually open it.
When you visit a website (such as Gmail) and open an e-mail there, things are vastly different because Gmail is just a website like any other... except it displays e-mails. The issue there is that websites need to take into account that you can't just send the content of the e-mail raw to the browser because then there could be malicious HTML and/or malicious JavaScript in it. Technically this isn't too much different from sites like Wikipedia where users can write articles that contain formatting.
Of course, your browser will also use libraries to render text, process fonts, process images etc. so if there's a bug in an image library and the e-mail contains a malicious image then you're out of luck and it's not Gmail's fault. You can expect that the possible security vulnerabilities with Gmail are the same as the browser's, plus the issue of XSS and other web-specific security vulnerabilities.
This is also the reason why you'll get infected with stuff even when you don't visit any suspicious sites (and people usually mean porn, streaming, warez sites by that) is because even non-suspicious sites serve ads from different networks, so if an attacker infects an ad network somehow even the non-suspicious sites will serve you malware. Technically it's insecure to use third-party content you don't control. Think about what happens when an attacker manages to control a CDN that serves jquery or bootstrap or whatever, where thousands of sites are using it. Then all these sites will contain malicious javascript. To prevent that from happening there's SRI but I don't know how well supported that is as of now.
Opening a suspicious e-mail is only riskier because more stuff is processed when you actually open it. For example processing that can:
track your IP
perform XSS / CSRF / Command Injection if website is vulnerable.
or in an advanced attack process a backdoored exe to gain terminal or root
