Cybercriminals targeted a U.S. government agency with a spear-phishing campaign that exploits the escalating geopolitical tensions surrounding North Korea to lure targets into opening malicious email attachments carrying several malware strains, including a never-before-seen malware downloader dubbed "Carrotball". The fraudulent emails were sent from four different Russian email addresses to 10 unique targets.

The reality is that cybercriminals have become extremely adept at crafting emails that are indistinguishable from the legitimate mail recipients receive every day. In this incident, the threat actors used Russian email addresses to distribute documents relating to the ongoing geopolitical tensions surrounding North Korea, in the hope of luring victims into opening the malware-laden documents. In many cases, though, social-engineering phishing attacks include no malicious links or attachments at all, and therefore very often slip past traditional, content-based email security controls.

As phishing emails become increasingly hard to detect, the first essential step is to prevent malicious emails from ever reaching inboxes. For instance, these attacks would have been stopped by a robust sender-identity approach that blocks untrusted senders like the ones used in this campaign. By implementing anti-phishing controls that validate sender identity, modern phishing attacks like these can be stopped in their tracks.
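The sender-identity gate described above, as an added illustration in Python that is not code from the original post or from any product it refers to. It assumes a hypothetical allow-list of trusted sender domains, treats a sender as trusted only when its domain is on that list and the upstream Authentication-Results header reports SPF and DKIM passes, and holds any message from an untrusted sender that also carries a document attachment; all sample messages are constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed allow-list of sender domains (placeholder values, not real ones).
TRUSTED_DOMAINS = {"agency.example.gov", "partner.example.org"}
# Attachment types commonly used as document lures.
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".zip")

def sender_domain(msg: EmailMessage) -> str:
    """Lowercase domain of the From header, or '' if it has no '@'."""
    _, _, domain = msg.get("From", "").rpartition("@")
    return domain.strip("> ").lower()

def auth_passed(msg: EmailMessage) -> bool:
    """True only if the receiving MTA recorded spf=pass and dkim=pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dkim=pass" in results

def document_attachments(msg: EmailMessage) -> list:
    """Filenames of attachments that look like documents or archives."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if n.endswith(DOC_EXTENSIONS)]

def classify(raw: bytes) -> str:
    """Return 'deliver', 'flag' or 'quarantine' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    trusted = sender_domain(msg) in TRUSTED_DOMAINS and auth_passed(msg)
    if not trusted and document_attachments(msg):
        return "quarantine"   # untrusted sender plus a document lure: hold it
    if not trusted:
        return "flag"         # untrusted sender, no attachment: warn the reader
    return "deliver"

def build_sample(sender: str, auth_results: str, attach: bool) -> bytes:
    """Construct a sample message for testing (not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "analyst@agency.example.gov"
    m["Subject"] = "Regional security update"
    m["Authentication-Results"] = auth_results
    m.set_content("Please review the attached briefing.")
    if attach:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename="briefing.docx")
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(build_sample("news@unknown-sender.example", "mx; spf=fail", True)))
```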