Email Security Services defines the targeted attack types that Advanced Threat Protection: Email identifies

Article ID: 150675

Products

Email Threat Detection and Response

Resolution

Table: Targeted attack types

Columns: Targeted attack type | Technology detected | Volume and statistics | Theme or topic | Actor (senders and recipients)

Type 1
  Technology detected: New malware. Examples:
    • Zero-day exploits
    • Recently discovered exploits that use newly found malware technology
  Volume and statistics: A high likelihood of a targeted attack. Indicators:
    • Raw email count of 1 - 10
    • Affected user count of 1 - 3
  Theme or topic: The email campaign is either highly specific or highly relevant to the recipient.
  Actor (senders and recipients): Highly specific recipients.

Type 2
  Technology detected: Advanced malware technology. Example: Recently discovered exploit that uses newly found malware technology.
  Volume and statistics: A medium likelihood of a targeted attack. Indicators:
    • Raw email count of 10 - 50
    • Affected user count of 3 - 5
  Theme or topic:
    • Themes and topics that are related to a company's business transactions or its industry
    • Popular or industry-related news topics
  Actor (senders and recipients): Recipients that have a common link through industry, country, or region.

Type 3
  Technology detected: Different malware technologies with common characteristics. Examples:
    • PDF attachments with malicious links but no direct exploits
    • OLE files with macros
    • Malicious control panel (.cpl) files
  Volume and statistics: A medium likelihood of a targeted attack. Indicators:
    • Raw email count of 10 - 50
    • Affected user count of 3 - 5
  Theme or topic:
    • Themes and topics that are related to a company's business transactions or its industry
    • Popular or industry-related news topics
  Actor (senders and recipients): Recipients that have a common link through industry, country, or region.

Advanced Threat Protection: Email assigns a severity level to each incident. Table: Threat severity ratings describes what each severity level means.

Table: Threat severity ratings

Columns: Severity level | Factors for classification

Critical: An email that is infected with malware was delivered. The email was not quarantined because the malware was detected after the email was delivered.

High: The incident is part of any type of targeted attack.

Medium: The message includes an advanced malware technology that has been used in a recent Type 1 or Type 2 targeted attack.

Low: All other incidents that are not associated with a targeted attack.
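The following Python is an added illustration of how a SOC analyst might encode the two tables above for local triage; it is not Advanced Threat Protection: Email's own logic, and the incident field names, the sample records, and the handling of the touching count bands (10 emails / 3 users) are assumptions.

```python
from typing import Optional

# Volume bands from the "Targeted attack types" table, inclusive ranges:
# (raw email count, affected user count) -> likelihood of a targeted attack.
# The bands touch at 10 emails / 3 users; treating that edge as the smaller,
# more targeted band is an assumption, not the product's documented rule.
VOLUME_BANDS = [
    ((1, 10), (1, 3), "high"),     # Type 1
    ((10, 50), (3, 5), "medium"),  # Type 2 and Type 3 share these indicators
]

# Precedence of the "Threat severity ratings" table, highest first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def likelihood_from_volume(raw_email_count: int, affected_user_count: int) -> Optional[str]:
    """Return "high" or "medium" when the counts sit inside a documented band, else None."""
    for (lo_mail, hi_mail), (lo_user, hi_user), likelihood in VOLUME_BANDS:
        if lo_mail <= raw_email_count <= hi_mail and lo_user <= affected_user_count <= hi_user:
            return likelihood
    return None  # outside every band: volume alone does not point to a targeted attack


def severity(incident: dict) -> str:
    """Walk the severity table top-down; the first matching factor wins.
    Keys are hypothetical field names: delivered_unquarantined,
    targeted_attack, advanced_tech_recent_type1_or_2."""
    if incident.get("delivered_unquarantined"):
        return "Critical"  # malware found only after delivery, so nothing was quarantined
    if incident.get("targeted_attack"):
        return "High"      # part of any type of targeted attack
    if incident.get("advanced_tech_recent_type1_or_2"):
        return "Medium"    # technology reused from a recent Type 1 or Type 2 attack
    return "Low"


def triage(incidents: list) -> list:
    """Order incident records for review, most severe first (stable for ties)."""
    return sorted(incidents, key=lambda inc: SEVERITY_RANK[severity(inc)])


if __name__ == "__main__":
    # Constructed sample incidents, for illustration only.
    samples = [
        {"id": "a", "raw_email_count": 30, "affected_user_count": 4, "advanced_tech_recent_type1_or_2": True},
        {"id": "b", "raw_email_count": 2, "affected_user_count": 1, "targeted_attack": True, "delivered_unquarantined": True},
        {"id": "c", "raw_email_count": 500, "affected_user_count": 40},
    ]
    for inc in triage(samples):
        print(inc["id"], severity(inc), likelihood_from_volume(inc["raw_email_count"], inc["affected_user_count"]))
```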