Cofense Phishing Detection and Response Platform

The phishing story is not new. In fact, if anything, we are far more aware of phishing threats than we’ve ever been. Here are some things to think about: 

  • Attackers are human and constantly innovating to bypass technology 
  • 96% of breaches start with a phish 
  • Phish are easily bypassing gateway technology 
  • Business email accounts are routinely compromised (BEC) 
  • Many organizations are forced to pay ransomware bounties 
  • Large financial losses are occurring from compliance fines, loss of customers, IP theft, and recovery costs 
  • SOC analysts are overwhelmed performing incident response 
  • Awareness training can be ineffective if it is not aligned with real threats 
  • Artificial Intelligence that is deployed to detect phish is failing 

We’ll stop there – it’s 2020 after all, and there’s been enough bad news. So, here’s something good: 

Today, Cofense introduced its Phishing Detection and Response (PDR) platform, a solution designed specifically for enterprise organizations. As phishing attacks continue to become more sophisticated, persistent, and adaptive to legacy security defenses, demand for an extensive phishing defense solution is at an all-time high, and the need is critical. The Cofense PDR platform provides a comprehensive approach to stop phishing attacks through globally crowd-sourced phishing intelligence from 25 million people, combined with advanced automation.   

Cofense’s PDR platform can be deployed as an integrated suite of products or as comprehensive managed PDR service through our Phishing Defense Center (PDC). Both options effectively stop phishing attacks and combat the acuity of attackers through a combination of people and automated technology that quickly reduces and removes the risk.  

Cofense’s PDR platform is the most holistic solution on the market, and includes: 

  • PhishMe: Completely rearchitected to address the needs of enterprise-size organizations, users can more easily and efficiently run phishing simulations and manage their security awareness program; carefully crafted simulations based on real – not theoretical – phish immerse users in the experience of being phished from end to end, improving an organization’s resiliency to attacks. 
  • Triage: The first phishing-specific orchestration, automation and response solution that helps identify active phishing attacks in progress; suspected phish are rapidly clustered and analyzed by SOC analysts who queue indicators for remediation. 
  • Vision: Driven by automation, Vision quickly identifies all recipients of phishing attacks and automatically quarantines and removes the threat from all mailboxes; enables SOC and IR teams to proactively hunt for unreported threats, IOCs and TTPs, and creates transparent audit and governance of mitigation actions. 
  • Reporter: Report suspicious emails and notify security teams in real time — with just one click. Users flag potential threats, and the original email and other valuable information are sent directly to an organization’s SOC to be quickly analyzed and the attack stopped. Instant feedback reinforces user training, strengthening the front line of defense. And with quick deployment and PC, Mac, and mobile device compatibility, it’s easy to get any team up and running. 
  • Intelligence: Proprietary global collection sources provide an extensive real-time view into threat campaigns observed in the wild; delivers high-fidelity, phishing-specific alerts and intelligence, providing accurate and timely assessments of both the current phishing threat landscape and emerging trends. Information from the Intel solution can be easily integrated with existing SOARs, SIEMs and TIPs.

Cofense Managed PDR 

  • For enterprise organizations that prefer to seek managed solutions, the Cofense PDC team delivers Managed PDR, handling the entire phishing detection and response process. Security operators gain the expertise and resources — and the peace of mind — needed to proactively defend against current or emerging threats with unparalleled outcomes when they engage Cofense’s Managed PDR. In fact, you can read about how the PDC team stopped and removed an attack in less than 10 minutes.

 With the Cofense PDR Platform, you get:  

  • A global network of 25 million people actively identifying and reporting suspected phish 
  • Automation technology to quickly analyze, verify and quarantine phish throughout an organization 
  • Shared intelligence across teams and with others in a global network  
  • Effective, real-world phish simulation training 
  • Solutions delivered as integrated products or managed service 

 The Cofense combination of human detection with automated response and intelligence allows organizations to detect phish in their environment, educate employees on how to identify and report phish, and respond quickly to remediate the threats before there is harm done to their organization. Cofense is the only PDR platform, and the only one to provide all of these capabilities in one solution. Our goal is to enable every company to defend itself against phishing threats. And with the strength of our global Cofense network, together we can OutHuman the Threat.  

Learn more about Cofense and PDR, here.  

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 

PDR Platform: Cofense Introduces Industry Changing Phishing Detection and Response Platform

Leesburg, Va. – Dec. 7, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today introduced its Phishing Detection and Response (PDR) platform, a solution designed specifically for enterprise organizations. As phishing attacks continue to become more sophisticated, persistent, and adapt to legacy security defenses, demand for end-to-end phishing defense solutions is at an all-time high. The Cofense PDR platform provides a comprehensive approach to stopping phishing attacks through global crowd-sourced phishing intelligence from 25 million people combined with advanced automation.

Cofense’s new PDR platform is designed to deploy as an integrated suite of products or delivered as a comprehensive managed PDR service through the Cofense Phishing Defense Center (PDC). Both options effectively stop phishing attacks and combat the savviness of attackers through a combination of people and automated technology to quickly reduce and remove the risk.

Despite massive investments in secure email gateways (SEGs) and awareness training across industries, phishing attacks continue to reach users. Gartner’s report* “How to Respond to the 2020 Threat Landscape” (17 June 2020; John Watts), mentions:

  • “Phishing is still the No.1 initial access vector for malware attacks”
  • “Phishing and other human-facing social engineering tactics remain the primary vectors of successful attacks”
  • “Spear phishing, as well as whaling using business email compromise (BEC) are becoming more common and, potentially, more destructive. The FBI reported that BEC accounted for more than $26 billion in losses from 2016 through 2019.”

“Cofense is the leading provider of PDR as a result of our approach in combining technical innovations with a network of over 25 million people around the world who identify, report and share suspected phish information. Human Intelligence will always be greater than Artificial Intelligence, and when combined with technology, Cofense delivers unparalleled protection for organizations,” said Rohyt Belani, Co-Founder and CEO, Cofense.

Cofense’s PDR platform is the most holistic solution on the market, and includes:

  • PhishMe: Completely rearchitected to address the needs of enterprise-size organizations, users can more easily and efficiently run phishing simulations and manage their security awareness program; carefully crafted simulations based on real – not theoretical – phish immerse users in the experience of being phished from end to end, improving an organization’s resiliency to attacks.
  • Triage: The first phishing-specific orchestration, automation and response solution that helps identify active phishing attacks in progress; suspected phish are rapidly clustered and analyzed by SOC analysts who queue indicators for remediation.
  • Vision: Driven by automation, Vision quickly identifies all recipients of phishing attacks and automatically quarantines and removes the threat from all mailboxes; enables SOC and IR teams to proactively hunt for unreported threats, IOCs and TTPs, and creates transparent audit and governance of mitigation actions.
  • Intelligence: Proprietary global collection sources provide an extensive real-time view into threat campaigns observed in the wild; delivers high-fidelity, phishing-specific alerts and intelligence, providing accurate and timely assessments of both the current phishing threat landscape and emerging trends. Information from the Intel solution can be easily integrated with existing SOARs, SIEMs and TIPs.

Cofense Managed PDR

  • For enterprise organizations that prefer to seek managed solutions, the Cofense Phishing Defense Center team delivers Managed PDR, managing the entire phishing detection and response process. Security operators gain the expertise, resources and peace of mind needed to proactively defend against current or emerging threats with unparalleled outcomes by engaging Cofense Managed PDR. As recently discussed, the PDC team stopped and removed an attack in less than 10 minutes.

The Gartner Market Guide for Email Security (published September 8, 2020, Mark Harris, Peter Firstbrook, Ravisha Chugh) recommends that “Security and risk management leaders responsible for email security should: Address gaps in the advanced threat defense capabilities of an incumbent secure email gateway (SEG) by either replacing them or supplementing them with complementary capabilities via API integration.”

By integrating all components of the Cofense PDR platform, organizations can detect phish in their environment, educate employees on how to identify and report phish, and respond quickly to remediate the threats before there is harm done to their organization. To learn more about Cofense and PDR, please visit cofense.com/product-overview.

*Gartner, How to Respond to the 2020 Threat Landscape, John Watts, 17 June 2020

 

About Cofense
Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 25 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

 

Media Contact

press@cofense.com

Emergency Financial Aid Phish

By Dylan Main, Cofense Phishing Defense Center

With widespread financial uncertainty and talks of further stimulus funding in the news, many are desperate for some form of monetary relief. Threat actors have begun taking advantage of this desperation by creating campaigns tailored to these uncertain times. The Phishing Defense Center (PDC) has discovered a phishing attack that attempts to obtain personal information by exploiting hopes for economic relief.

Figure 1: Email Body 

The email itself presents itself as a reply to a filled-out contact form and attempts to get the recipient’s attention through a tone of familiarity. By beginning with “Thank you for contacting us,” the threat actor has made it appear as though the recipient had previously expressed interest in a third party by filling out the form with their email address. The message body then lures the victim with a link to details of an emergency grant of $5,800 available from the U.S. government. By appealing to the current fiscal concerns of many Americans, the threat actor wants to entice the target into clicking the “Read details” link. 

Figure 2: Landing Page of Phish 

Clicking the link redirects to a detailed page that appears to be a legitimate federal government website (Figure 2). Unlike many campaigns, this one goes a step further in terms of attention to detail to make it look like a real government page. The threat actor has added several items to advance its validity, including financial statistics and a detailed outline of this “Emergency Financial Aid.” The page also has a button that allows the person interacting with it an option to verify their data to collect funds. 

Figure 3: Second Step of Phish 

Clicking the button takes the viewer to the actual phishing page, seen above in Figure 3. Much like the other page, it is detailed and is unlike generic phishing pages. This page asks the user to check compensation eligibility by providing their Social Security Number, address, date of birth and other personally identifiable information (PII). Another detail to note is the form gives a warning that checking another person’s data is strictly prohibited, adding to the seeming authority. By entering data into the requested fields and clicking the “Run Check” button, all of this private information is then sent to the threat actor. 

Figure 4: Phishing Page 

The Cofense Phishing Defense Center has also identified a new phishing page that redirects from the same infection URL (Figure 4). This page is similar to the original phish; however, it uses the allure of tax relief for the current coronavirus pandemic to lure people into giving their personal information.   

Figure 5: Phishing Page 

As you can see above, Figure 5 resembles Figure 3 in that it collects PII. However, on this page, a chat window at the bottom right appears to simulate actual conversations between other users apparently excited about the potential tax relief. This is an interesting tactic and adds to the illusion of authenticity.  

Figure 6: Final Confirmation Page 

After data is entered into either of the two phishing pages, it redirects to a confirmation page thanking the victim for providing their information and promising them a prompt reply. This is just the last of many tricks the threat actor uses to trick the victim into believing that this application is legitimate. It shows that they will attempt to take advantage of any, and all, situations to gain confidential information. 

 Indicators of Compromise 

hXXps://gynexivo[.]page[.]link/HoMkDxuaa5hTwWtg6  172[.]217[.]15[.]110 
hXXp://ungodsirealnighchis[.]gq/us/protecting-americas-consumers-covid/  104[.]24[.]101[.]186 
hXXps://otasasbetiscu[.]tk/us/korona  172[.]67[.]168[.]232 

The New Cofense Resource Center

By Carolyn Merritt 

Today, Cofense officially launched its new Resource Center. Formerly known as Community, the new Resource Center features a completely redesigned interface, smarter search capabilities and integrated support ticketing.

This initiative has been in the works for some time. We heard from internal and external users alike that the old Community was difficult to navigate, and that information was challenging to locate. We believe those issues have been solved with our new interface, an integration with our Zendesk ticketing system, and a new set of capabilities designed to improve the user experience. 

Also, we organized the new Resource Center by product to make it easier to search and navigate to your desired results. Another exciting new feature is the customer ticket portal which allows you to access all your tickets, sort by key words, and ticket status. You can link to events, webinars, other resources, and assets on the Cofense website as well. The Resource Center is a central location for frequently asked questions, product details, policies, and more to help you be more proactive in your phishing detection and response efforts. As an added value, you have access to a discussion board where you can submit and vote on future product features and capabilities.  

One noteworthy change is to our Knowledge Base articles. They have all been incorporated into a library so you can easily access them. Additionally, our technical support engineers can easily insert knowledge base articles into tickets for added reference. In the near future, we’ll be adding a support bot that will promote associated knowledge base articles to support tickets at the time of creation, in hopes of providing quick answers and reference materials before or instead of you having to engage with a support engineer.    

Why did we do this? 

We want to engage with you – our customers – in the best way possible when you need help or have feedback. We saw the opportunity to improve the old Community system, its search functions and Zendesk integration. Your feedback is still very important to us, and we want to know what works in the new Resource Center, and if anything doesn’t.

To see the new Resource Center with all of its new features and functionality, log in:

North American instance – https://support.cofense.com 

European instance – https://supportintl.cofense.com 

We are very proud of the new Resource Center and look forward to supporting all of our users and ultimately helping your organization improve your phishing detection and response programs.

 


Phish Found in Proofpoint-Protected Environments – Week ending November 27, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by secure email gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Remote Access Trojan 

DESCRIPTION: FedEx-spoofing emails found in environments protected by Proofpoint deliver njRAT via an embedded URL. 

TYPE: Remote Access Trojan

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Quaverse Remote Access Trojan via an embedded URL.

TYPE: Trojan 

DESCRIPTION: Notice-themed emails found in environments protected by Proofpoint deliver Banload via embedded links. The embedded links download an advanced INF installer that downloads and runs Banload malware. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Keeping Santa’s Helpers Out of Your Inbox

As with everything else this year, the holiday shopping season will be open to more cyber threats as we shift from hitting the brick-and-mortar retail outlets to the online store front. Threat actors have your wallet and credentials on their shopping list. When it comes to preparing your users, friends and family for the holiday shopping season, we’ll cover some basics to remind everyone to remain calm and protect their wallets and credentials.

Gift Cards

The ease of sending gift cards makes these a top purchase. While retailers have made it easier to purchase online and send electronically, threat actors too are leveraging this in their gift bag.

RISKY Behavior: Clicking on a link in an email without verifying the link or the sender.

SAFE Behavior: Hover over the link to see where you are being directed. Reach out to the sender directly via a separate email or text message. Many retailers will include the claim code in the message body. Navigate directly to the website to locate the Gift Card redemption page. Manually enter the claim code.

Shopping Sites

As the pandemic of 2020 began, we shifted our purchasing online. We’ve become accustomed to navigating the online shopping world, making holiday season shopping easier.

RISKY Behavior: Clicking a link in an email or an ad on another website.

SAFE Behavior: Navigate directly to the website for your product selection. While retailers and online banking sites proactively hunt for spoofed websites mimicking their brand, it’s a cat-and-mouse battle to find these. Ensure you are on a site that’s using encryption by verifying the lock in the address bar (URL). If the page allows you to use a secure payment method, such as PayPal, ApplePay or GooglePay, use these options to add a layer of protection to your bank account.

Shipping

Expecting a package? Maybe you’re not expecting a package, but suddenly you have an email informing you that a special gift is on its way to your doorstep. It’s not uncommon for threat actors to spoof the popular brand, such as the phishing email sample seen below.

RISKY Behavior: Clicking the link in an unexpected email.

SAFE Behavior: Navigate directly to the website of the shipping company to get a shipping status. As with gift cards, manually enter the tracking code directly into the website’s tracking feature.

Charitable Giving

’Tis the season to catch up on charitable giving to make the tax benefit cut-off for end-of-year donations. Threat actors follow the newsworthy events and leverage the theme to tug at your heart strings.

RISKY Behavior: Clicking on a link and providing your credit card information.

SAFE Behavior: Navigate directly to the charitable website and locate the donation giving page. Ensure you are on a site that is using encryption by verifying the lock in the address bar (URL). If the page allows you to use a secure payment method, such as PayPal, ApplePay or GooglePay, use these options to add a layer of protection to your bank account. If you receive a phone call asking for your donation for a worthy cause that you support, take down the name and inform the caller you’ll follow up at a later time. At that point, follow the same steps to navigate directly to the charitable website.

Enjoy a safe and cyber-secure holiday! Remember that Cofense is always here to help. Check out our phishing resource center for best practices and product information to fight phishing.


Phish Found in Proofpoint-Protected Environments – Week ending November 20, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by secure email gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Credential Phishing 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.

TYPE: Credential Phishing 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.

Note: They were made to look like a Dropbox document notification.

TYPE: AZORult Stealer 

DESCRIPTION: Order-themed emails found in environments protected by Proofpoint deliver AZORult stealer via attached password-protected RAR archives. The RAR archive contains a GuLoader executable that downloads and runs an AZORult binary.

 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Threat Actor Utilizes COVID-19 Uncertainty to Target Users

By Kyle Duncan, Cofense Phishing Defense Center

As the world continues to contend with a tenacious pandemic, many employers are obliged to revisit medical-benefit policies. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Microsoft login credentials by posing as a company-wide sick/medical leave policy update.  

Figure 1-2: Email Body 

The sender’s email address is spoofed to appear as though the email is originating from the company’s SharePoint services by using the format “Sharepoint@[companyname].com”. However, one look into the email’s header information shows that this is not the case and that the email originated from outside of the organization, potentially from a compromised account operated by the threat actor.

The email body itself is put together well and, at a glance, appears as though it could be legitimate. It even contains little details such as “This link will only work for anyone at [company name]” and “Microsoft OneDrive for [user’s email].” The threat actor has mimicked a legitimate Microsoft notification, using a format the recipient would quickly trust at first glance. Since the file being shared refers to the company’s approach on sick leave during COVID-19, users are naturally going to be curious about what their company is doing for them.

The glaring flaw with the email body is where it references both Microsoft OneDrive and SharePoint. Since the spoofed email address is attempting to trick the user into thinking this is a shared SharePoint file, it does not make sense for the email body to reference both of these services. It thus raises suspicion. The button users are intended to click also references OneDrive and, hovering over it, it reveals that the domain of the destination (oraclecloud[.]com) has nothing to do with Microsoft. It is apparent that this is not what it claims to be. 
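The two cues described above (a From address claiming the company’s own domain while the message was relayed from outside, and a button that talks about OneDrive/SharePoint but links elsewhere) can be turned into a simple triage check. The following is an added example, not Cofense code; the message it parses is constructed, with example.com standing in for the victim company, and the allowlist of Microsoft share-link domains is an assumption a real deployment would tune.

```python
"""Triage checks for a spoofed-SharePoint lure (added example, constructed data)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a minimal allowlist of domains Microsoft share links legitimately use.
MICROSOFT_SHARE_DOMAINS = ("sharepoint.com", "onedrive.com", "microsoft.com",
                           "live.com", "office.com", "1drv.ms")

# Constructed sample modelled on the lure: From claims example.com, but the
# Return-Path and the gateway's SPF/DKIM verdict say it came from elsewhere.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.example.com with ESMTPS id abc123
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none
From: Sharepoint@example.com
To: jane.doe@example.com
Subject: Sick leave policy update during COVID-19
Content-Type: text/html; charset=utf-8

<html><body>
<p>Microsoft OneDrive for jane.doe@example.com</p>
<p>This link will only work for anyone at example.com</p>
<a href="https://objectstorage.example.org/n/x/b/y/o/index.html">Open in OneDrive</a>
</body></html>
"""


def domain_of(addr):
    """Lowercase domain part of an address like '<bounce@mail.example.net>'."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower().rstrip(".") if m else ""


def registrable(host):
    """Crude last-two-labels comparison (no public-suffix list offline)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def host_allowed(host, allowed):
    """True if host equals or is a subdomain of any allowed domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append([href, ""])
                self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def sender_findings(msg):
    """Flag a From domain that disagrees with the envelope sender or auth results."""
    findings = []
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if rp_dom and registrable(rp_dom) != registrable(from_dom):
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    return findings


def link_findings(msg):
    """Flag links whose text claims OneDrive/SharePoint but whose host is not Microsoft's."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _AnchorCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if re.search(r"onedrive|sharepoint", text, re.I) and not host_allowed(host, MICROSOFT_SHARE_DOMAINS):
            findings.append(f"link text {text.strip()!r} points to {host}")
    return findings


def triage(raw):
    """Return the list of findings for a raw RFC 5322 message; empty means no cue fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    return sender_findings(msg) + link_findings(msg)


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("FLAG:", line)
```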

Upon visiting the malicious URL, users are taken to a fake Microsoft login page as shown in Figure 3.  

Figure 3: Phishing Page 

The email address field of the login is automatically populated with the user’s email so they would only have to include their password. The page even includes the company’s logo to more effectively pass the login off as legitimate. Once the credentials have been secured, the user is then redirected to a page containing COVID-19 documentation, as seen in Figure 4, that seemingly appears relevant to what was mentioned in the email. While many phishing attempts redirect the user to a legitimate login page, the use of this document instead is another attempt to prevent the realization that the user’s credentials were just stolen.

Figure 4: Final Redirect Page 

Indicators of Compromise 

hXXps://objectstorage[.]us-sanjose-1[.]oraclecloud[.]com/n/ax7ybehehrcl/b/office-100345/o/index.html 
134[.]70[.]124[.]2 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week ending November 13, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage. 

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION:  Purchase order-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded links. The embedded links download an ISO archive that contains an Agent Tesla Keylogger executable. 

TYPE: Credential Phishing 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links download a PDF file that contains a link that leads to a credential phishing landing page. The PDF was hosted on and downloaded from SharePoint. Note: this campaign is in the Dutch language. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION: Courier-spoofed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded links. The embedded links download a TGZ archive that contains an Agent Tesla Keylogger executable. The payload was hosted on and downloaded from OneDrive. Note: this campaign is in the Romanian language. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify these suspicious emails and empower them to report them. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.
