If the first attempt fails, try and try again, several times.

Our customer is a globally renowned law firm with an enviable reputation as an innovator in the cyber security space. Because of their area of speciality, the firm is uniquely targeted, and so are certain individuals in the organisation. The attack in question took place over the course of 3 days, all from a single email address, targeting one individual within the firm. No fewer than 11 emails were sent over the duration of the attack, and an intriguing pattern emerged once the entire event had played out: you could sense the attacker's frustration as every attempt failed.

All 11 email attachments were Word documents, no surprises there. Hidden within them, the attacker used 6 unique strains of malware, each an attempt to defeat the defences of our customer. After three days and several attempts, the final email attachment contained ransomware, a sign-off from an attacker who must have given up, frustrated that nothing was working. It was a bad day for him, but our customer went about their business completely unaware they'd had an unusually good day. It was business as usual.
How we protected this customer:
Each of those 11 Word documents contained a variety of active content, embedded files, macros and URL links to infected websites. The attacker really was trying everything in the kit bag. Our customer is highly risk averse, so no active content is permitted to enter within Word documents. Because Word documents are the lifeblood of all law firms, metadata and Track Changes remain whilst everything else is surgically removed. This sanitisation of active content and regeneration of the file protected our customer not just that day, but every day for the last three years they have been a customer.
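
The policy above can be pictured as a per-part decision over a Word file's package. The following is an added illustration, not the product's own code: it only reports which parts such a policy would strip and which it would retain, and it does not regenerate the file. It assumes OOXML (.docx/.docm) input; the part-name mapping, `classify_docx` and `build_sample` are assumptions made for this sketch.

```python
import io, re, zipfile

# Assumed mapping of OOXML part names to the policy described above.
STRIP = {"macro": re.compile(r"(^|/)vba(Project\.bin|Data\.xml)$", re.I),
         "embedded file": re.compile(r"^word/(embeddings|activeX)/", re.I)}
KEEP_METADATA = re.compile(r"^docProps/", re.I)
EXTERNAL = re.compile(rb'<Relationship\b[^>]*\bTargetMode="External"[^>]*>')
TRACKED = re.compile(rb"<w:(ins|del)\b")  # \b avoids w:instrText / w:delText

def classify_docx(data: bytes) -> dict:
    """Return what a strip-active-content policy would remove and retain."""
    report = {"strip": [], "keep": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            body = z.read(name)
            kind = next((k for k, rx in STRIP.items() if rx.search(name)), None)
            if kind:
                report["strip"].append((kind, name))
            elif name.endswith(".rels"):
                # One entry per relationship that points outside the package.
                for _ in EXTERNAL.findall(body):
                    report["strip"].append(("external link", name))
            elif KEEP_METADATA.match(name):
                report["keep"].append(("metadata", name))
            elif name == "word/document.xml" and TRACKED.search(body):
                report["keep"].append(("track changes", name))
    return report

def build_sample() -> bytes:
    """Constructed sample: a minimal zip laid out like a .docm, not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", "<cp:coreProperties/>")
        z.writestr("word/document.xml", '<w:document><w:ins w:author="A"/></w:document>')
        z.writestr("word/vbaProject.bin", b"\x00placeholder")
        z.writestr("word/embeddings/oleObject1.bin", b"\x00placeholder")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="hyperlink" '
                   'Target="https://example.invalid/" TargetMode="External"/></Relationships>')
    return buf.getvalue()

if __name__ == "__main__":
    for action, items in classify_docx(build_sample()).items():
        for kind, part in items:
            print(f"{action:5} {kind:14} {part}")
```

Legacy binary .doc files use a different container and are outside what this sketch inspects.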