Executive Summary 

  • A new cyber attack targeting NATO countries supporting Ukraine during the NATO Summit shows why only a comprehensive email security solution can stop sophisticated attacks 
  • Protecting against attacks like this requires URL Rewriting, URL Emulation, Threat Emulation, Content Disarm & Reconstruction, and more 
  • These key capabilities should be integrated into  a complete email security solution 


A new attack making international news underscores the importance of comprehensive email security. 

Let's explain. 

During the recent NATO Summit in Vilnius, Lithuania, a key topic being discussed was Ukraine's elevation to the organization’s membership. Threat actors took advantage. 

According to research by Blackberry, members of the RomCom group sent targeted spear-phishing attacks to those members supporting Ukraine’s membership. 

To do so, these threat actors created a malicious document that impersonated the Ukrainian World Congress and promoted it via email.:

The email--which hasn't been released by Blackberry or any other researchers --aims to get recipients to click on a link leading to a replica of the Ukrainian World Congress website. 

The domain used by threat actors was ukrainianworldcongress [dot] info.  The domain of the organization’s actual website is ukrainianworldcongress [dot] org. 

The two sites look practically identical: 


The scheme is compel recipients to go to the fake website and click on the document. 

Inside the document, however, is an embedded RTF file. 

Once the Word file is downloaded and opened, an OLE object is loaded, connecting to an IP address. 

 C2 connections made after opening the document

These external connections eventually will load malware onto the end-user's computer. The RomCom backdoor will be loaded onto the machine, in the form of a DLL file, and then connects to the C2 to give over username details and do other data exfiltrations.  

It also includes a script utilizing the Follina vulnerability. Follina essentially allows for a remote code-executed attack by crafting a specially designed document. 

This is a very sophisticated attack. This goes beyond the Business Email Compromise of the week--this is the type of attack that can only be prevented by a full-fledged email security solution. 

A few things are happening here that are worth dissecting in more detail. 

The Domain 

The first thing is the domain. The actual site itself isn't malicious; it's what's downloaded from it. But it's not the real site of the Ukrainian World Congress. The first path to stopping this is by doing a thorough investigation of the link. Oftentimes, though, phishing links included in emails don't have any bad reputation or aren't activated until clicked. Click-Time Protection works by replacing links in the body and attachment. Every time a user clicks on a link, the website behind the link is inspected. Check Point’s Harmony Email and Collaboration (HEC) does this in two ways. First, we look at URL reputation. We check to see if the URL is known to be malicious. It's a good first step that blocks out the basic attacks. But the key is going a step beyond and doing URL emulation. Our Zero-Phishing engine scans the website and collects indicators, such as brand similarity, non-ASCII characters, time of registration, and more. Beyond that, every URL is tested to see if it leads to a file download, and if so, it is emulated in a sandbox.  

So if the domain scans as clean initially, URL emulation is there to pick up any hidden dangers. 

The File 

We scan any file - good or bad - attached to an email. We do this using multiple anti-virus scanners to detect known malware and then use our advanced sandbox, Threat Emulation, to detect zero-day malware. Further, files are sanitized with Content DIsarm & REconstruction, delivering safe content within milliseconds. 

Beyond that, we have anti-exploit and anti-evasion protections, and machine learning-based context-aware detections for EXEs, file-less scripts; emulations for password-protected attachments; CPU-level emulation, and OS-level inspection for zero-day threats.  


The NATO attack showcases why 90% of all cyberattacks begin via email. Bad actors can accomplish so much with email. This attack starts as an email, but instead of just stealing your credentials, it goes beyond that to infect the victim's machine. 

This is an advanced threat that starts via email and continues to cause all kinds of damage. It's the type of sophisticated threat from a sophisticated threat actor that can only be prevented by sophisticated Email Security.