The email connection with APT attacks

Advanced persistent threats (APTs) are sophisticated cyberattacks in which the attacker gains unauthorized access to a system and remains undetected for an extended period. Unlike opportunistic attacks, APTs are highly targeted, strategic, and persistent.

As the study APT Attacks: Become The Most Dangerous Cyber Threat for Email Security in 2020 describes it, an APT is an attack in which a hacker accesses a system and goes undetected. It is this ability to remain undetected that makes APTs particularly dangerous in healthcare settings that manage protected health information (PHI). The longer an attacker remains inside a system, the greater the risk of widespread data exposure and HIPAA violations.

The email connection

The authors of the study APT Attacks: Become The Most Dangerous Cyber Threat for Email Security in 2020 identified APTs as the most successful email-based attack type in bypassing security technologies. In 2020, APTs had a 97.42% success rate in reaching target inboxes, making them the single most successful attack type measured.

The email delivery mechanism

Email remains the primary delivery channel for APT attacks. Most campaigns begin with phishing-style emails that appear legitimate and trustworthy. Attackers impersonate executives, vendors, or partner organizations, crafting messages designed to evade detection and suspicion.

In the study, a large-scale APT-focused test illustrates how effective these campaigns can be. As noted in the report, "APT is more successful at bypassing security technologies and reaching target inboxes than phishing and other types of attacks."

In the testing campaign:

  • 274,816 emails were sent to evaluate APT-focused vulnerabilities.
  • 162,562 emails successfully reached target inboxes.
  • Only 4,189 emails were blocked by security tools.
  • 108,065 recipients (around 40%) did not check the emails in question.

According to the above study, almost 40% of recipients ignored suspicious emails entirely. When high inbox delivery rates are paired with low user engagement, it opens up an opportunity for attackers to operate unnoticed.

APT attack cases

Here are some real-world examples of APTs using email as their weapon:

  • APT29 (Cozy Bear) and APT28 (Fancy Bear): These two Russian APT groups are linked to various high-profile cyberattacks, including the breach of the Democratic National Committee (DNC) in the United States. They use phishing emails as a primary method to trick victims into downloading malware or revealing sensitive information.
  • APT32 (OceanBuffalo): APT32, a group associated with the Vietnamese government, used email phishing campaigns to target various organizations, including multinational corporations and political dissidents. They often send emails with malicious attachments or links to compromise their victims.
  • APT33 (Elfin): APT33, believed to be Iranian in origin, also uses phishing emails to deliver malware. They've targeted organizations in the aerospace and energy sectors, distributing emails that contain either harmful attachments or links leading to malicious websites.
  • APT35 (Charming Kitten): Another Iranian APT group, APT35, is known for using spear-phishing emails to target individuals and organizations, especially those associated with Middle East politics. They write convincing emails to trick recipients into clicking on malicious links or opening infected attachments.
  • APT41 (Winnti Group): APT41 is a Chinese APT group that engages in both cyber espionage and cybercrime activities. They've used phishing emails to deliver malware to their targets, often exploiting software vulnerabilities to gain access to systems.
  • APT34 (OilRig): APT34, an Iranian group, used spear-phishing emails to target individuals and organizations in the Middle East. They use social engineering techniques to write emails that encourage recipients to open malicious documents.
  • APT1 (Comment Crew): APT1 is believed to be a Chinese military-affiliated group involved in numerous cyber espionage activities. They use email-based spear-phishing campaigns to compromise a wide range of targets.

How to defend against email-based APT attacks

According to Microsoft, advanced persistent threats are "stealthy and continuous computer hacking processes" that require a coordinated response combining both technology and human expertise.

Managed detection and response (MDR)

Microsoft notes that "solutions like managed detection and response help organizations detect and respond to threats using a combination of technology and human expertise."

Managed detection and response (MDR) services provide continuous surveillance of systems to identify unusual behavior, suspicious login activities, lateral movements within the network, and attempts at data exfiltration. In healthcare settings where PHI is particularly valuable, this real-time monitoring can reduce the amount of time attackers remain undetected.

The goal of MDR is early detection. The faster an APT is identified, the less damage it can cause.

Zero Trust security model

APTs often succeed because attackers gain initial access through email and then move laterally across the network. A Zero Trust model helps prevent this spread by assuming that no user or device should be trusted automatically, even if they are inside the network perimeter.

Under a Zero Trust framework:

  • Access is granted on a least-privilege basis
  • Multi-factor authentication (MFA) is enforced
  • Continuous verification is required
  • Network segmentation limits lateral movement

When organizations restrict access pathways, they can prevent attackers from escalating privileges or reaching sensitive systems that store PHI.

Endpoint detection and behavioral analytics

Traditional signature-based security tools struggle against APTs because these threats constantly evolve. Behavioral analytics and endpoint detection tools, however, monitor for unusual patterns rather than known malware signatures.

This includes identifying:

  • Abnormal login times
  • Unusual file access patterns
  • Large data transfers
  • Privilege escalation attempts

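The kind of behavioral check described above, written out as an added example (not code from the article or from Paubox): it scans a constructed audit log and flags three of the listed signals, off-hours logins, cumulative large data reads, and privilege escalation, without any malware signature. The log format, the business-hours window and the 100 MiB threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article): "<timestamp> <user> <event> key=value..."
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice login src=10.0.0.12
2024-03-04T09:30:10 alice file_read path=/ehr/patients/1001 bytes=20480
2024-03-04T10:05:44 alice file_read path=/ehr/patients/1002 bytes=18000
2024-03-04T03:17:09 bob login src=10.0.0.40
2024-03-04T03:20:51 bob file_read path=/ehr/exports/all.csv bytes=734003200
2024-03-04T03:25:00 bob sudo cmd=/bin/bash
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
BUSINESS_HOURS = range(7, 20)              # assumed baseline: logins expected 07:00-19:59
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # assumed threshold: 100 MiB read per user per log window

def parse_line(line):
    """Split one log line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **fields}

def detect_anomalies(log_text):
    """Return sorted (user, signal) pairs for off-hours logins, large reads and privilege escalation."""
    alerts = set()
    bytes_read = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                     # malformed line: skip rather than crash the monitor
        user = rec["user"]
        if rec["event"] == "login" and rec["ts"].hour not in BUSINESS_HOURS:
            alerts.add((user, "off_hours_login"))
        elif rec["event"] == "file_read":
            bytes_read[user] += int(rec.get("bytes", 0))   # cumulative, so many small reads also trip it
            if bytes_read[user] >= LARGE_TRANSFER_BYTES:
                alerts.add((user, "large_data_transfer"))
        elif rec["event"] == "sudo":
            alerts.add((user, "privilege_escalation"))
    return sorted(alerts)
```

On the sample log only the 03:00 session trips the checks; the daytime record-by-record reads stay under the threshold and produce no alert.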
Email security hardening

Since email is a primary entry point for APTs, strengthening email security is essential. This includes:

  • Advanced phishing detection
  • Link and attachment scanning
  • DMARC, DKIM, and SPF implementation
  • Encryption for sensitive communications

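To show why the DMARC, DKIM and SPF item matters against executive impersonation, here is an added example (not code from the article or from Paubox) of the DMARC policy decision a receiving mail server makes: it parses the sender domain's DMARC record, checks whether the SPF and DKIM results are aligned with the visible From domain, and returns the disposition. The domains and records are constructed placeholders, and the organizational-domain rule is a two-label simplification of what real implementations do with the Public Suffix List.

```python
def parse_dmarc_record(txt):
    """Turn a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Assumed simplification: organizational domain = last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, record, spf=None, dkim=None):
    """spf=(result, MAIL FROM domain), dkim=(result, d= domain). Returns (passes, disposition)."""
    tags = parse_dmarc_record(record)
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")

# Constructed records and cases (placeholder domains, not real organizations)
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@hospital.example"
RELAXED_RECORD = "v=DMARC1; p=quarantine"

def run_cases():
    return {
        # impersonated executive: SPF passes only for the sending infrastructure's own domain, so it is unaligned
        "spoof": dmarc_evaluate("hospital.example", STRICT_RECORD, spf=("pass", "attacker.example")),
        # legitimate mail DKIM-signed by a subdomain; relaxed alignment accepts it
        "subdomain_relaxed": dmarc_evaluate("hospital.example", RELAXED_RECORD, dkim=("pass", "mail.hospital.example")),
        # the same message under strict alignment fails and gets the record's reject policy
        "subdomain_strict": dmarc_evaluate("hospital.example", STRICT_RECORD, dkim=("pass", "mail.hospital.example")),
    }
```

The spoof case is the one that matters for the article: a message whose From header claims the hospital's domain fails DMARC even though SPF passed for the attacker's infrastructure, because neither identifier aligns with the From domain.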
Incident response readiness

Microsoft notes that "while no defense is perfect, organizations can significantly reduce impact if an attack is detected."

Healthcare organizations should ensure they can:

  • Isolate compromised systems quickly
  • Revoke unauthorized credentials
  • Notify compliance and legal teams
  • Meet HIPAA breach notification timelines

Paubox in APT prevention

Paubox can strengthen this first line of defense by:

  • Blocking phishing and spoofing attempts before they reach users
  • Scanning links and attachments for malicious content
  • Enforcing DMARC, DKIM, and SPF policies
  • Automatically encrypting outbound email

Paubox reduces the number of malicious emails that reach inboxes and decreases reliance on user judgment, thus limiting the primary entry point that APT attackers depend on.

While no single solution can eliminate APT risk, strengthening email security as part of a layered defense strategy significantly reduces exposure.

FAQs

How long can an APT remain undetected?

APTs can remain inside a network for weeks, months, or even longer if not properly detected. Their goal is to operate quietly, avoiding triggers that would alert security teams.

What are common signs of an APT attack?

While APTs are designed to be stealthy, warning signs may include unusual login activity, unexplained privilege changes, abnormal data transfers, or suspicious outbound traffic. Continuous monitoring is essential to identify these subtle indicators.
