New Enhancements Help Streamline Incident Response with Cofense Triage

With security analysts pulled in many directions, they must be able to prioritize and invoke incident response on ransomware, business email compromise (BEC), malware infections, and credential-based theft emails. The key to this is the automation and streamlining of the incident response. PhishMe Triage™ has been updated with new features to help security analysts and incident response teams streamline their processes and secure administrative access.

Key Features this Release

  • Tighter Integration – Authenticated API for integration across the incident response team
  • Additional Security – Two-factor authentication for PhishMe Triage users
  • More Accountability – Audit logs are generated for all users of PhishMe Triage
  • Better Visibility – System status alerts can be distributed via syslog

Tighter Integration

The new API is designed to help PhishMe Triage interact with other systems across the incident response process.  This authenticated API enables other systems to “talk” to PhishMe Triage to automate the process and get the right teams involved, faster. The fully documented REST API can be used to pull information from PhishMe Triage on emails, clusters, attachments, reporters, integrations, health stats and more.  The API can be used in the preprocessing stage to notify malicious attachments at soon as they are reported. Join the conversation in the PhishMe Community PhishMe Triage API discussion to share ideas and code samples for building solutions using the API.

Additional Security

This release adds in an additional layer of security for PhishMe Triage users. Two-factor authentication can be turned when a user logs in to PhishMe Triage. End users will install a standard two-factor authentication app on their mobile device, and then simply scan a QR code to register their phone with PhishMe Triage.  At log in, they will be prompted for code generated by the app. This makes authentication based upon “something you know”, the password, and “something you have”, the app. There is support Google Authenticator and other two-factor tools.

More Accountability

This release also introduces audit logging in PhishMe Triage. With the audit log, visibility about who did something in PhishMe Triage, what they did and when they did it is captured.  The audit log tracks over 145 Event ID’s across PhishMe Triage. This enables the tracking of all of the actions users of PhishMe Triage.  These logs can be viewed directly inside of PhishMe Triage, or exported to another tool for more analysis.

Better Visibility

This release also extends syslog alerting with PhishMe Triage.  With syslog enabled, PhishMe Triage can send out alerts to other systems. Syslog alerts can be used to share information like the cluster velocity, operational SLA alerts, platform health, ingestion health and triage recipe monitoring.  This enables PhishMe Triage to share alerts across the entire incident response team.

If you have any questions, please email [email protected]. Full details on the release are available in PhishMe Community. To access it, simply log in to your PhishMe Triage appliance and then click the “Visit PhishMe Community” icon.

Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.

Greater Integration Between Incident Response Teams Now Possible with PhishMe Triage

Customers benefit from new APIs, multi-factor authentication, audit logs and status alerts

LEESBURG, VA. – December 22, 2017 – PhishMe®, the leading provider of human phishing defense solutions, today announced updates to PhishMe Triage™, its phishing incident response platform. These new capabilities enable security operations centers (SOCs) and incident responders (IRs) to automate the prioritization, analysis and response to phishing threats with greater ease.

The addition of fully documented REST APIs are one of the most central updates to PhishMe Triage. Information on emails, clusters, attachments, reporters, integrations and health stats can be easily pulled and visualized, providing tighter integration across response teams. For instance, the new API capability can be used to query PhishMe Triage at set intervals to notify a response team as soon as a phishing threat is identified. Other use cases include the ability to send information over to the second line team for quick remediation, track phishing defense progress and create custom dashboards to show historical data.

Additional updates provide PhishMe Triage customers with:

  • Additional security. Two-factor authentication provides an extra layer of security that works with Google Authenticator, Microsoft Authenticator, Duo and others
  • More accountability. Audit logs are generated to keep track of any activity within PhishMe Triage. With the audit log, visibility about who did something in PhishMe Triage, what they did and when they did it is captured. The audit log tracks over 145 Event ID’s across PhishMe Triage. Lastly, information provided in the audit can be viewed within the application, or exported.
  • Greater visibility. PhishMe Triage has also expanded support for syslog alerts. These can be created for clustering, performance, ingestion health and triage recipe monitoring, as well as operational performance. These alerts can be shared across the incident response team to distribute valuable threat information faster.

“Given the ever-changing nature of security threats, our product development team is constantly looking for ways to save our customers time and increase efficiency,” said Aaron Higbee, co-founder and CTO of PhishMe. “The latest enhancements to PhishMe Triage makes it easier for IR and SOC teams to act upon the collective work of their employees – ensuring that the collaboration between all departments plays a meaningful part in stopping phishing attacks before a breach occurs.”

PhishMe Triage integrates with existing security solutions including SIEM, anti-malware, analysis and threat Intelligence solutions and shares indicators of compromise and phishing with upstream security teams to block future attacks. For more information about PhishMe Triage, please visit:

About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report and mitigate spear phishing, malware and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision-making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare and manufacturing industries, as well as other Global 1000 entities that understand how changing user security behavior will improve security, aid incident response and reduce the risk of compromise.

Zeus Panda Prominent in Italian-Language Phishing Throughout 2017

In 2017, PhishMe® analyzed over 40 Italian-language phishing campaigns that targeted victims with Zeus Panda. This popular multipurpose banking trojan is primarily designed to steal banking and other credentials, but is capable of much more as it provides attackers with a great deal of flexibility. Although some variation was observed, many of these campaigns demonstrated a large degree of shared tactics, techniques and procedures (TTPs).  Given the prolific nature of these campaigns, it is likely that Italian-language phish will continue to deliver Zeus Panda in 2018. Organizations should be alert to the indicators of compromise and phishing TTPs to prevent infection.

Recent Sigma Ransomware Campaign Demonstrates Danger in the Simplest of Changes to Malware Delivery

On 1 December 2017, PhishMe Intelligence™ identified a new delivery technique for Sigma ransomware, which was most likely employed to evade automated detection and mitigation by email and anti-malware defenses. Potential victims received phishing emails with an embedded image as the message body that also included an attached Microsoft Office document containing a malicious macro. The embedded image contained a password that could be used to open the Microsoft Office document.

10 Million End Users Bolster Cybersecurity Defenses with PhishMe

One-click reporting provides employees with tools needed to easily flag potential phishing attacks

LEESBURG, VA. – December 15, 2017 – PhishMe®, the leading provider of human phishing defense solutions, today announced that PhishMe Reporter® has been deployed to over 10 million end users’ work stations. With PhishMe Reporter, employees can easily flag a potential phishing email by clicking a button in their email toolbar, arming them with the tools needed to contribute to their company’s security posture.