The need to prioritise detection in email security rather than focusing solely on prevention


Cyber criminals know which techniques increase their chances of delivering malware successfully. Here, the use of politically-themed emails and decoy documents makes it more likely that the victim will click the included malicious link, believing it to be part of routine but important administrative work.

However, this is where the attack's ingenuity ends: surprisingly, Arid Viper continues to use the same TTPs it has relied on since 2017 rather than moving to more sophisticated or technically advanced attack vectors. This not only demonstrates the arrogance of a group that does not feel affected by the public exposure of its campaigns; the lack of change also points to a certain level of success with its current TTPs.

Clearly then, fraudulent emails are reaching user inboxes, and this is where security awareness training becomes critical: employees must be taught to recognise the tell-tale signs of a malicious email, such as spelling errors and incorrect logos. Users should also know to be cautious when opening attachments from suspicious-looking emails. In this campaign, most of the attachments use double extensions. For instance, document.pdf.exe looks to users like a harmless PDF file when it is really executable malware, and because Windows hides known file extensions by default, Explorer may display the file simply as document.pdf.
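The double-extension trick described above is easy to check for mechanically at the mail gateway, which is one reason detection should not rest on users alone. The following is an added example, not code from the original article or from any vendor product: a small Python checker that flags attachment names whose final extension is executable on Windows while an earlier, document-like extension acts as the decoy. It also reports how the name would appear with known extensions hidden. The extension sets, the `check_attachment`/`flag_attachments` function names and the sample attachment names are all constructed for illustration; the example goes slightly beyond the text by normalising case and whitespace padding between the two extensions, a common variation of the same trick.

```python
from __future__ import annotations

from dataclasses import dataclass

# Extensions Windows will run directly on double-click (assumed set for the example).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "msi", "hta", "lnk", "cpl",
}

# Document- or image-like extensions attackers use as the decoy half of the name.
DECOY_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
    "jpg", "jpeg", "png", "zip",
}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str
    shown_as: str  # how Explorer renders the name with "hide known extensions" on


def _parts(filename: str) -> list[str]:
    """Split on dots, lower-casing and stripping whitespace padding around each piece."""
    return [p.strip().lower() for p in filename.split(".")]


def displayed_name(filename: str) -> str:
    """Name as shown by Windows Explorer when known extensions are hidden:
    the last extension is dropped if it is one Windows knows about."""
    parts = filename.split(".")
    if len(parts) > 1 and parts[-1].strip().lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return ".".join(parts[:-1])
    return filename


def check_attachment(filename: str) -> Verdict:
    """Flag executables, and specifically executables wearing a decoy extension."""
    parts = _parts(filename)
    shown = displayed_name(filename)
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, False, "no extension", shown)
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return Verdict(filename, False, "non-executable extension", shown)
    # Final extension is executable: look for a decoy extension anywhere before it.
    decoys = [p for p in parts[:-1] if p in DECOY_EXTS]
    if decoys:
        return Verdict(filename, True,
                       f"executable .{last} disguised as .{decoys[-1]}", shown)
    return Verdict(filename, True, f"bare executable .{last}", shown)


def flag_attachments(names: list[str]) -> list[Verdict]:
    """Return only the verdicts a gateway rule would act on."""
    return [v for v in map(check_attachment, names) if v.suspicious]


# Constructed sample attachment names for the example; not taken from the campaign.
SAMPLE_ATTACHMENTS = [
    "document.pdf.exe",
    "Invoice.PDF.EXE",
    "report.docx",
    "photo.jpg .scr",
    "setup.exe",
    "README",
]

if __name__ == "__main__":
    for v in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{v.filename!r}: {v.reason} (user sees {v.shown_as!r})")
```

A plain executable attachment is flagged as well as the disguised ones, since the decoy extension only changes what the user sees, not what Windows runs; a rule based on this check should quarantine rather than merely warn, because the user-facing name is exactly what the attacker has controlled.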

Current email security is overly focused on prevention. Organisations are far better off accepting that their employees will continue to be targeted, and that some attacks will reach the inbox, and implementing a robust, layered security strategy in response. This layered strategy should include real-time detection of zero-day and previously unseen threats. By adding real-time detection and automated remediation to identify and eliminate threats rapidly, we can minimise the impact when a malicious email makes it through our defences.