An anti-malware tool must scan files that are attached to an email.
CIS Controls. 7.9 Block Unnecessary File Types: Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.
CIS Controls. 7.10 Sandbox All Email Attachments: Use sandboxing to analyze and block inbound email attachments with malicious behavior.
CWE-509: Replicating Malicious Code (Virus or Worm): Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software.
OWASP-ASVS v4.0.1 V10.1 Code Integrity Controls (10.1.1): Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections.
OWASP-ASVS v4.0.1 V12.4 File Storage Requirements (12.4.2): Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content.
PCI DSS v3.2.1 - Requirement 5.1.1: Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.