Password-protected archive with password disclosed in body — malware delivery
archive-password-in-body
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
A .zip/.rar/.7z attachment is present AND the body reveals a password to open it. This is a malware distribution technique: AV scanners can't inspect encrypted archive content (it's opaque until decrypted), so wrapping a malicious binary in a password-protected archive bypasses every on-delivery content scanner by design. The attacker puts the password in the body so the recipient can extract the archive manually. Legitimate use cases exist (HR payroll, legal case files), but they're rare and typically use secure file-sharing links. The signal is not applied to PDFs, which are format-inspectable even when encrypted.
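The co-occurrence check described above, as an added Python example (not Gorganizer's own code). The password regex, the function names and the sample messages are assumptions constructed for illustration; the ZIP encryption-bit check (general-purpose flag bit 0) goes beyond what the page states and only confirms that a ZIP is actually opaque to scanners.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ARCHIVE_EXTS = (".zip", ".rar", ".7z")  # PDFs are excluded, as the page states
# Assumed heuristic: a password keyword, a separator, then the secret itself.
PASSWORD_RE = re.compile(
    r"\b(?:password|passcode|pwd)\b\s*(?:is|[:=])\s*[\"']?([^\s\"']{3,32})", re.I)

def zip_encrypted(data: bytes):
    """True/False from ZIP flag bit 0 (member encrypted); None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return None

def archive_password_in_body(raw: bytes) -> bool:
    """Fire only when an archive attachment AND a body password co-occur."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if not PASSWORD_RE.search(text):
        return False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(ARCHIVE_EXTS):
            continue
        # Added refinement: a parseable, unencrypted ZIP is scannable, so skip it.
        payload = part.get_payload(decode=True)
        if name.endswith(".zip") and zip_encrypted(payload) is False:
            continue
        return True
    return False

def build_sample(filename: str, body: str, payload: bytes) -> bytes:
    """Build a constructed test message (not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Documents"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    raw = build_sample("scan.7z", "Archive password: Inv2024!", b"constructed bytes")
    print(archive_password_in_body(raw))
```

RAR and 7z store their encryption markers differently, so this sketch treats those attachments as opaque on extension alone.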
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.