Type 1

New malware

Examples:

• Zero-day exploits

• Recently discovered exploits that use newly-found malware technology

A high likelihood of a targeted attack

Indicators:

• Raw email count of 1 - 10

• Affected user count of 1 - 3

The email campaign is either highlyspecific or highly relevant to the recipient.

Highly specific recipients.

Type 2

Advanced malware technology

Example: Recently discovered exploit that uses newly-found malware technology.

A medium likelihood of a targeted attack

Indicators:

• Raw email count of 10 - 50

• Affected user count of 3 - 5

• Themes and topics that are related to a company's business transactions or its industry

• Popular or industry-related news topics

Recipients that have a common link through industry, country, or region.

Type 3

Different malware technologies with common characteristics

Examples:

• PDF attachments with malicious links but no direct exploits

• OLE files with macros

• Malicious control panel (.cpl) files

A medium likelihood of a targeted attack

Indicators:

• Raw email count of 10 - 50

• Affected user count of 3 - 5

• Themes and topics that are related to a company's business transactions or its industry.

• Popular or industry-related news topics.

Recipients that have a common link through industry, country, or region.

Critical

An email that is infected with malware was delivered.

The email was not quarantined because the malware was detected after the email was delivered.

High

The incident is part of any type of targeted attack.

Medium

The message includes an advanced malware technology that has been used in a recent Type 1 or Type 2 targeted attack.

Low

All other incidents that are not associated with a targeted attack.