Malware via ISO file

EdPell

Using Win 7 Home Premium, Dell XPS8700

I received an email with an ISO file attached. I double-clicked the ISO which opened the Windows Disc Image Burner window. I suspected that it might be malware, so I hit Cancel instead of Burn.

Now I'm wondering if just double-clicking the file activated the malware, or whether it would only activate if the Burn button was clicked.

I always scan my PC with MBAM, SAS, and Webroot every morning when I turn on my PC which means I've scanned it four times since foolishly double-clicking that ISO file. None of the three applications have indicated a problem.

Anything else I should do to verify some evil will not rise from the depths of my PC and bite my butt when I least expect it?

Thanks
EdP
 

I don't know why you received an e-mail in this regard, but it must be an installation ISO which needs to be burned to disc to be usable for installation of whatever it was for. In my opinion, burning it to disc would have no effect on your system, and cancelling the burn also shouldn't affect your system. If the malware software you're using has the latest updates, then you should be safe. Just saying........
 

Scan the ISO here: VirusTotal

General consensus is four hits and it's crap.

Whatever this "ISO" file was, it could be malware. An ISO is usually several hundred megabytes in size. So the fact you got an ISO attachment via email tells me it was no more than maybe ~25 MB in size, since email providers won't allow massive hundred+ MBs of data as email attachments.

Any data can be turned into an ISO image file as well. I can take all my images or documents, etc and encapsulate them all in an ISO file.

You should NEVER double click on email attachments.

There's a whole slew of things that can be done for email security (I'll even touch base a little on phones further down). By far the best is to create email filters for KNOWN TRUSTWORTHY addresses. Anything not known that shows up in the inbox itself needs to be scrutinized.

More than one email address should be used. One for very important stuff like banks, PayPal, Coinbase, eBay, Amazon, crap like that. Another email address or more for crap web sign ups and what not. (I'm looking at you - Facebook)...

Scan all downloads at VirusTotal. Again, the general consensus is four hits and you toss, but it largely depends on what you have. If it's a game hack, it may be coded in a way that mimics badware/malware/a virus. So it could be malicious and a game hack at the same time; you just never know. Same applies to pirated crap, their wrappers and what not. The program HashTools can be used to get an SHA256 hash of a download; copy that hash value and simply search for that hash value at VirusTotal. If that download was already uploaded to VirusTotal, its hash will match, thus giving you a virus report on the file you have there. It's just an easier way to get a VirusTotal result over uploading the file. You could do this with your ISO file there. If its hash isn't at VirusTotal already, you'll need to upload the ISO to VirusTotal.

Beyond all this, the email client should be configured to view emails as text only, not in HTML form. And remote content (images) should never be downloaded in an email unless you can trust the email and you manually allow it per email. Or, for the sake of absolute privacy, never allow it. These two options should be in the email client settings. The emails will look like crap though. If the email can't be read, and you trust the sender (easier said than done, believe me), then you can temporarily parse the email in HTML format. Just make sure to reset the option back to text only before loading another email. I read all emails as text. I can usually decipher links and what not if need be, and know how to read email headers. To other people this might be a huge PITA.

Consider sandboxing the entire email application in Sandboxie. But this requires know how and can be cumbersome.



E-mail is a real PITA, and by its inherent nature is NEVER secure. Even if you think it's from a legit source, it may not be. The headers can be forged to mimic a legit sender. E-mails can also be made to look like official bank emails and what not. I've seen this trick a few times and I just play with the would-be hacker/spear-phisher. Then I report their web server IP and domain to the hoster and domain provider. I'll also report the email to SpamCop (a Cisco company), and I used to forward the email to the Federal Trade Commission. Not needed anymore since they run their own honeypots or something. Believe me when I tell you I get very little email spam. That goes for SMS text crap as well. You HAVE to control who you give your number out to, and keep a landline (or VoIP DID) attached to Nomorobo for other purposes. (I also use PhoneTray.) This is analogous to the two+ email address approach I talked about above.

I guess it all comes down to being smarter than the idiots that do all this crap and knowing how it all works.

PS. Never load a spam text message. Doing so will send a possible read receipt to the spammer so he/she knows that you read the damn thing and can continue to send more. Just delete upon reading the subject line. Some cellphone companies offer a forwarding ability for spam text messages. Refer to your cellphone company.

PPS. NEVER text some number on TV. As an example, you might see some ad, or political campaign, say "Text WIN123 to 555343" or whatever the hell. You do that and your data is mined, and you're on a sht list for the life of the phone number, as well as anyone else that may acquire your previous phone number should you ditch it for another.

Anyway, I know you asked a simple question, but there are no simple answers. LOL

Whew!
 

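As an added example (not code from anyone in this thread), here is a small Python triage script for the hash-and-search step described above: it computes the SHA256 of an attachment the way HashTools would, builds the VirusTotal file page address for that hash so you can look it up without uploading, and reads the ISO 9660 volume descriptor to show what the file claims to be, all without mounting or double-clicking it. The sample image it writes is constructed for the demonstration and carries only the little-endian fields the parser reads.

```python
import hashlib
import os
import struct
import tempfile

SECTOR = 2048  # ISO 9660 logical sector size

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # chunked; same value HashTools or sha256sum would show
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def iso_volume_info(path):
    """Read the Primary Volume Descriptor (sector 16) without mounting; None if not ISO 9660."""
    with open(path, "rb") as f:
        f.seek(16 * SECTOR)
        pvd = f.read(SECTOR)
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        return None
    blocks, block_size = struct.unpack_from("<I44xH", pvd, 80)  # space size @80, block size @128
    return {"volume_id": pvd[40:72].decode("ascii", "replace").strip(),
            "declared_bytes": blocks * block_size}

def triage(path):
    """Facts to gather before any double-click: size, hash, VirusTotal hash page, ISO sanity."""
    size, info, digest = os.path.getsize(path), iso_volume_info(path), sha256_file(path)
    return {"size": size, "sha256": digest,
            "virustotal": "https://www.virustotal.com/gui/file/" + digest,
            "is_iso9660": info is not None,
            "volume_id": info["volume_id"] if info else None,
            # a declared size that disagrees with the file hints at a hand-built image
            "size_mismatch": info is not None and info["declared_bytes"] != size}

def build_sample_iso(path, volume_id="CONSTRUCTED", magic=b"CD001", data_sectors=4):
    """Constructed sample: 16-sector system area, PVD, data sectors (no terminator needed here)."""
    total = 17 + data_sectors
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[40:72] = 1, magic, volume_id.encode().ljust(32)
    struct.pack_into("<I44xH", pvd, 80, total, SECTOR)  # little-endian copies only
    with open(path, "wb") as f:
        f.write(bytes(16 * SECTOR) + pvd)
        f.write(b"constructed payload".ljust(data_sectors * SECTOR, b"\0"))

def sample_triage(valid=True):
    """Write a constructed attachment to a temp dir and triage it."""
    path = os.path.join(tempfile.mkdtemp(), "attachment.iso")
    build_sample_iso(path, magic=b"CD001" if valid else b"NOPE!")
    return triage(path)
```

Point `triage()` at a real attachment path and paste the `virustotal` value into a browser: a hit means the file was already analysed, no hit means the ISO itself would have to be uploaded, exactly as described above.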
Malware can be spread through an ISO file in that way? I don't think that is actually possible.
 
