
How about PDF support?

Open · yoshimo opened this issue · 0 comments

PDF is the newest attack vector in Qakbot campaigns. The format itself is portable and used widely.

There can be JS inside, exploits of the reader itself, or social engineering that tricks the user into downloading the second-stage loader of the infection from an external website masquerading as secure cloud storage, often protected by short passwords to further prevent automatic analysis.

There are tools like Dangerzone to cut out active content from incoming mails, and PDF Examiner and QuickSand to find malicious attachments, but so far there is no way to automatically have them treat mail attachments, and the social engineering part seems to be missing a detection method.

yoshimo · May 03 '23 06:05
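As an added illustration of what a first PDF check in a milter could look like (example code written for this issue, not MacroMilter's own code and not from the issue author), the block below scans an attachment's bytes for the PDF name objects that carry active content (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`, `/EmbeddedFile`, `/XFA`) and for `/Encrypt`, which marks the password-protected files the post mentions. It handles two evasions a naive substring match misses: `#xx`-escaped names (`/J#61vaScript`) and objects packed into FlateDecode object streams, which it inflates with zlib before matching. The `build_sample_pdf` helper, the `milter_verdict` name and the quarantine policy are assumptions made for the example; the sample PDFs it constructs are test data, not real attachments.

```python
"""Heuristic scan of a PDF attachment for active content and password protection.

Added example for this issue; not MacroMilter code. All names and the sample
PDFs below are constructed for illustration.
"""
import re
import zlib

# Name objects whose presence means the PDF can do something when opened
# (PDF 32000-1:2008). Their presence is a signal worth flagging, not proof of malice.
ACTIVE_CONTENT_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/OpenAction": "action executed on open",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launch of an external program",
    b"/EmbeddedFile": "embedded file",
    b"/XFA": "XFA form",
}

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(data):
    """Return the content of every stream that zlib can inflate.

    Objects packed into FlateDecode object streams are invisible to a raw byte
    scan until this step; streams that are not Flate-encoded are skipped.
    """
    chunks = []
    for match in STREAM_RE.finditer(data):
        body = match.group(1).rstrip(b"\r\n")
        try:
            chunks.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            continue
    return b"\n".join(chunks)


def normalize_names(data):
    """Resolve #xx escapes so an obfuscated /J#61vaScript reads /JavaScript."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Return a dict with is_pdf, encrypted, and the active-content features found."""
    result = {"is_pdf": data.startswith(b"%PDF-"), "encrypted": False, "active_content": []}
    if not result["is_pdf"]:
        return result
    # Inflate first (escapes live in name objects, never inside compressed data),
    # then decode name escapes over the raw bytes plus the inflated stream contents.
    visible = normalize_names(data + b"\n" + inflate_streams(data))
    result["encrypted"] = b"/Encrypt" in visible
    for name, meaning in ACTIVE_CONTENT_NAMES.items():
        # Require a non-name character after the key so /JS does not match /JSomething.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", visible):
            result["active_content"].append(meaning)
    return result


def milter_verdict(data):
    """Map scan results to a milter-style decision ('accept' or 'quarantine') plus reasons.

    Policy is an assumption for the example: any active content or encryption quarantines.
    """
    result = scan_pdf(data)
    reasons = list(result["active_content"])
    if result["encrypted"]:
        reasons.append("password-protected PDF (blocks automated analysis)")
    return ("quarantine" if reasons else "accept", reasons)


def build_sample_pdf(kind="plain"):
    """Construct a minimal PDF for testing (constructed data, not a real sample).

    kind: 'benign' (no actions), 'plain' (JavaScript run on open),
          'obfuscated' (same, with #xx-escaped names),
          'compressed' (JavaScript object hidden in a FlateDecode object stream).
    """
    js_obj = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
    if kind == "obfuscated":
        js_obj = js_obj.replace(b"/JavaScript", b"/J#61vaScript")
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if kind != "benign":
        catalog += b" /Open#41ction 3 0 R" if kind == "obfuscated" else b" /OpenAction 3 0 R"
    catalog += b" >>"
    body = [b"%PDF-1.5", b"1 0 obj " + catalog + b" endobj",
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj"]
    if kind == "compressed":
        packed = zlib.compress(b"3 0 " + js_obj)
        body.append(b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\nstream\n"
                    % len(packed) + packed + b"\nendstream endobj")
    elif kind != "benign":
        body.append(b"3 0 obj " + js_obj + b" endobj")
    body += [b"trailer << /Root 1 0 R >>", b"%%EOF"]
    return b"\n".join(body)


if __name__ == "__main__":
    for kind in ("benign", "plain", "obfuscated", "compressed"):
        print(kind, milter_verdict(build_sample_pdf(kind)))
```

The scan is deliberately a byte-level heuristic: it does not parse the cross-reference table or follow object references, so it cannot tell a dead `/JS` object from one actually wired to `/OpenAction`, and it will not see content behind filters other than FlateDecode or inside an encrypted file (which is exactly why `/Encrypt` is reported on its own). It is meant as the cheap first gate in a milter, with a full parser or sandbox behind it for anything it flags.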