New from Cofense Intelligence: Q3 Phishing Review is Now Available

By: Brad Haas, Cofense Intelligence 

Cofense Intelligence™ has released the Q3 2020 Phishing Review. This report highlights key phishing trends uncovered by Cofense Intelligence analysts who spend every day studying current phishing campaigns and producing actionable phishing intelligence so that our customers can better defend themselves. This intelligence keeps our customers proactively defended against emerging phishing tactics, techniques and procedures (TTPs). Our analysts focus on campaigns that reach enterprise user inboxes, and report on the TTPs designed to evade secure email gateways (SEGs) and other network defense technology.

Report Highlights 

In this quarterly report, you will read about this summer’s unusual phishing activity, and why we assess that overall phishing volume was higher in the third quarter of this year as compared to years past. Contributing to such high volume: Emotet, which returned after months of inactivity, bringing new campaigns and adjusted tactics. This, paired with a continued surge in Agent Tesla Keylogger, contributed to a very active summer phishing season.

This report reviews the most prevalent malware delivered via phishing in the last quarter, highlighting returning malware that had become relatively dormant in phishing but returned in recent months. Moreover, we dig into new malware families to the phishing landscape and explore the increase in Remote Access Trojan (RAT) and ransomware phenotypes. 

Of course, every malware requires a delivery mechanism, and we consistently track the most common malware delivery mechanisms used in phishing campaigns. Here, we dig into which filename extensions of malicious attachments most frequently reached end users in the last quarter, and which extensions are most commonly associated with the targeting of particular industries.

Figure 1: A COVID-19-themed phishing email.  

Finally, though COVID-19 themed campaigns have greatly declined since peaking in Q2, they continue to reach end users. Read this report to see how pandemic-themed phishing has evolved, and to learn about the threat activity we expect in Q4 and the new year.  

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 
 
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 

Purchase Order Phishing, the Everlasting Phishing Tactic

By Adam Martin, Nathaniel Sagibanda, Kian Buckley Maher and Cofense Phishing Defense Center

The PDC team has seen a recent up-tick in legitimate Mimecast services being used as a vector for phishing campaigns found in environments protected by Microsoft ATP, Microsoft EOP and Mimecast.

The phish leverage the “Payment Order,” a common vector for enticing users into initiating the process set out by a malicious actor to attain sensitive credentials (Figure 1).

Figure 1

In this attack, as illustrated in the figures, the body of the email is a reasonable facsimile of an authentic message that even replicates the style of the Mimecast heading and disclaimer. But grammatical, punctuation and spacing anomalies represent red flags. Furthermore, the email itself looks benign, simple and straight to the point, informing the recipient that the required information is behind an external service due to an issue with storage size or formatting (Figure 1). This is a common tactic that allows malicious actors to circumvent mail filters such as Mimecast, Microsoft EOP and Microsoft ATP.

Figure 2 

Upon inspection of the Download Files button we can see that the service being used to deliver this phish is in fact Mimecast, itself a legitimate service. Combining this with the previously noted circumvention method makes standard detection almost impossible.  

Figure 3 

As seen in Figure 3, the page presented to the user is a legitimate Mimecast service being used to host the malicious file. This is compounded by the use of a key to gain access to the file by clicking the access-key button or entering a previously provided key (see Figure 3). However, both methods will direct the user to the next stage. 

Once access has been gained to the first landing page, there will be an option to download the malicious file at the side of the page. To add authenticity, the credentials of the original sender have been replicated, as shown below in Figure 4. 

Figure 4 

Figure 5 

Figure 6

Email Header analysis: Taking a look at the headers in Figure 6, it is a different story altogether. IP addresses such as [10.x.x.182 and 10.x.x.36] are used by independent operating networks. These may be as small as a single computer connected to a home gateway, and are installed in hundreds of millions of devices automatically.

However, IP 41.x.x.131 belongs to MimecastSA (according to VirusTotal and Whois), and could be the reason it escaped SEG detection. 
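The hop triage described above, as an added example that is not part of the original post: it walks constructed Received headers, separates RFC 1918 hops from public ones, and returns the first public hop, which is the address worth a Whois or reputation lookup. All addresses, host names and function names are assumptions; the public hop uses a documentation range in place of the redacted address.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 ranges, checked explicitly. ipaddress.is_private is broader (it also
# covers documentation and other reserved ranges), which would misclassify the
# constructed public hop used below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Bracketed IPv4 literal as commonly written in Received headers.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
Received: from relay.mail-service.example ([203.0.113.131])
 by mx.recipient.example with ESMTPS; Mon, 19 Oct 2020 09:14:07 +0000
Received: from app02.internal ([10.20.30.36])
 by relay.mail-service.example with ESMTP; Mon, 19 Oct 2020 09:14:05 +0000
Received: from workstation ([10.20.30.182])
 by app02.internal with ESMTP; Mon, 19 Oct 2020 09:14:03 +0000
From: "Accounts" <accounts@sender.example>
Subject: Payment Order

Please download the files.
"""


def classify_hops(raw_message):
    """Return [(ip, 'rfc1918' | 'public'), ...] ordered from origin to recipient."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received header, so reverse for origin-first order.
    for header in reversed(msg.get_all("Received", [])):
        for text in IPV4_RE.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. an octet above 255: not a usable address
            private = any(ip in net for net in RFC1918)
            hops.append((text, "rfc1918" if private else "public"))
    return hops


def first_public_hop(raw_message):
    """First routable address in the chain; private hops say nothing about origin."""
    for ip, kind in classify_hops(raw_message):
        if kind == "public":
            return ip
    return None


if __name__ == "__main__":
    for ip, kind in classify_hops(SAMPLE):
        print(f"{kind:8} {ip}")
    print("look up:", first_public_hop(SAMPLE))
```

When the first public hop belongs to a widely trusted mail service, sender reputation alone will not separate the message from legitimate traffic, so the verdict has to come from the content and the link destination.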

Figure 7 

Having accessed the malicious link, the user will see the above page displayed (Figure 7) with a request for the user’s Microsoft email address and password. Unlike other credential phishing pages, the Microsoft background and logo aren’t displayed. The simplicity of the page, combined with a URL lacking indicators of Microsoft or associated domains, is suspect. The third field is the most obvious red flag (Figure 7): A recovery option is made available even though an incorrect password hasn’t been entered. This is done to prompt the victim into providing a phone number.

 Figure 8 

Having inserted test credentials, the information is exported to the phishing campaign URL address. This site is hosted by hxxps://www.docdroid[.]net/OwKxXnZ/purchase-order-00177389-pdf. Entering information will continually refresh the page regardless of credentials supplied.  

Indicators of Compromise

Network IOC   IP
hXXp://biz267.inmotionhosting[.]com/~craneo5/pow/po[.]php  23[.]235[.]212[.]50
hXXps://www.docdroid[.]net/OwKxXnZ/purchase-order-00177389-pdf  54[.]37[.]79[.]95

How phishing will forever be a problem

Two-plus decades ago Aaron Higbee, now Cofense CTO and co-founder, was hired by a company to help counter their exploding email spam problem, a role that evolved to addressing other internet-abuse issues. He took on threat tactics that evaded technical controls, and he never looked back.  

Aaron shares what he learned in his article, My ‘Ah-Ha’ Moment: Phishing Will Forever Be A Problem, published by the Forbes Technology Council. In the article, he discusses what he’s seen and uncovered about phishing attacks on organizations during his lengthy career in cybersecurity.

In particular, Aaron mentions that he has learned: “technologies can’t predict the future and that when attackers are sufficiently frustrated by an emerging preventative control, they will innovate around it.” But that by, “Actively training users to report suspicious email through carefully crafted simulations that immerse them in the experience from end to end will improve your organization’s resiliency to attacks.”

Get the rest of the story about Aaron’s “Ah-Ha” moment, here

 

Exploiting the Current COVID-19 Health Crisis Through Multiple Email Providers

By Ala Dabat, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) team has seen the continued exploitation of the current COVID19 health crisis as an effective attack vector across all industries.

A common theme seen is the use of cloned Dropbox landing pages requesting that users log in via well-known email service providers in order to view important documentation relating to COVID19. 

One such instance had escaped Proofpoint’s secure email gateway (SEG), having bypassed spam filtering due to the benign appearance of the email, and the lack of spammy characteristics. Also bypassed were Microsoft’s EOP and ATP.

Figure 1 – Original body of the email urging the target to download urgent information relating to COVID19      

The origin of the email appears to be a legitimate sender. It passed SPF checks, which also helped the email appear legitimate. It is likely that the campaign was launched from a compromised email account and that is why it was able to bypass SPF checks. Despite the message failing DKIM checks due to a difference of the value stored in the DKIM’s txt record bh=, it was not enough to raise any red flags because of the weighted system used to verify whether the email was malicious. 

As per the email headers we can see that the email did not contain enough spammy characteristics to meet the threshold required by Proofpoint’s Secure Email Gateway (SEG) to be categorised as being malicious.  

Figure 2 – Email originated from a legitimate sender and passed SPF record checks 

Microsoft’s EOP and ATP also miscategorized this email due to the lack of spammy characteristics and gave it a spam score of 0: 

Figure 3 – Microsoft EOP spam score of 0 
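The combination described above (SPF pass, DKIM fail, spam score 0), as an added example that is not part of the original post: a triage check that reads the Authentication-Results header written by the recipient's own gateway and the SCL value from X-Forefront-Antispam-Report, and flags the message for review regardless of the low score. The header values are constructed, and the host name `mx.recipient.example`, the finding labels and the function names are assumptions.

```python
import re
from email import message_from_string

# Only trust Authentication-Results stamped by our own border MTA; a sender can
# add a header with any other authserv-id. The value here is an assumption.
TRUSTED_AUTHSERV = "mx.recipient.example"

METHOD_RE = re.compile(r"(?<![\w.])(spf|dkim|dmarc)=([a-z]+)", re.I)
SCL_RE = re.compile(r"\bSCL:(-?\d+)")

# Constructed sample headers (not taken from the campaign).
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=sender.example;
 dkim=fail (body hash did not verify) header.d=sender.example;
 dmarc=none action=none header.from=sender.example
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:;LANG:en;SCL:0;SRV:;
From: "Sender" <user@sender.example>
Subject: COVID19 update

See the shared document.
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc results from trusted Authentication-Results headers."""
    results = {"spf": [], "dkim": [], "dmarc": []}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = value.split(";", 1)[0].strip().lower()
        if authserv_id != TRUSTED_AUTHSERV:
            continue
        value = re.sub(r"\([^()]*\)", "", value)  # drop parenthesised comments
        for method, result in METHOD_RE.findall(value):
            results[method.lower()].append(result.lower())
    return results


def spam_confidence(msg):
    """SCL from the Exchange Online Protection anti-spam report, or None."""
    match = SCL_RE.search(msg.get("X-Forefront-Antispam-Report", ""))
    return int(match.group(1)) if match else None


def triage(raw_message):
    msg = message_from_string(raw_message)
    auth = auth_results(msg)
    scl = spam_confidence(msg)
    findings = []
    # SPF only shows the sending host is allowed for the envelope domain; a
    # compromised mailbox passes it. A failed DKIM check alongside it is worth
    # an analyst's look even when the weighted spam score stays low.
    if "pass" in auth["spf"] and "fail" in auth["dkim"]:
        findings.append("spf-pass-dkim-fail")
    if findings and scl is not None and scl <= 1:
        findings.append("low-scl-with-auth-failure")
    return {**auth, "scl": scl, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE))
```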

Once the target has clicked on the link, they are redirected to a landing page masquerading as Dropbox using original logos and fonts to fool the target.  

Figure 4 – a Dropbox-themed landing page with convincing logos and fonts

The target is then prompted to authenticate against several email service providers to access the document. This method of phishing widens the net for the attacker to harvest more credentials.

Figure 5 – Login page for Gmail 

Figure 6 - Fraudulent login page for Yahoo  

Once the target has entered their credentials using one of the login options, their credentials are sent to a database via HTTP POST to a PHP script, which then stores all the credentials that have been harvested by the attacker. Although this attack is not as technically sophisticated as other more targeted attacks, it exploits a number of key vulnerabilities:  

  1. Exploits the COVID19 pandemic
  2. Uses aesthetics that look and feel convincing to the target
  3. Bypasses spam filtering by limiting the characteristics of the email body that would be considered spammy by most spam filters

Once the target has entered their credentials, they are redirected to a legitimate landing page owned by Accenture, and then to a document that is completely unrelated to the COVID19 crisis. 

Figure 7 – Landing page targets are redirected to after they authenticate  


Mandatory Internal Company Communications: The Best Time to Phish

By Ashley Tran, Cofense Phishing Defense Center

Companies are awash with numerous corporate communications: open enrollment notifications, new policies and so forth. With this crush of mandatory emails being sent out, threat actors are given the right amount of noise in a user’s inbox to slide their own attacks in without being heavily scrutinized. They are received as “just another HR email” that users may be hasty to quickly read, sign and be done with. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by disguising itself as an HR document that must be signed.

Figure 1: Email Body 

The threat actor has attempted to manipulate the “from” fields in the headers of emails for this campaign. As seen in Figure 1, the threat actor has changed the “sender name” field of the headers to appear as though this email was sent from “Human Resources” when in reality the real sender’s email can be viewed in the field next to it: [REDACTED]@ntlworld.com. Every email for this campaign originated from a unique sender from this domain, which suggests that the threat actor utilized compromised accounts to send out this attack. 
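One way to check for the sender-name manipulation described above, as an added example that is not part of the original post: it compares the display name in the From header with the real address and flags an internal role name, or an embedded address, that does not match the sending domain. The domain `corp.example`, the role list, the finding labels and the sample headers are all assumptions made for the example.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Hypothetical values: the organization's own mail domains and the role names
# an attacker is likely to borrow for the display name.
INTERNAL_DOMAINS = {"corp.example"}
ROLE_NAMES = ("human resources", "hr department", "payroll", "it support", "help desk")

EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def check_from(from_header):
    """Return a list of findings for one From header value."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not address or not domain:
        return ["unparseable-from"]

    # Decode RFC 2047 encoded words so an encoded display name is not missed.
    try:
        display = str(make_header(decode_header(display)))
    except Exception:
        pass  # keep the raw display name if decoding fails
    name = " ".join(display.lower().split())

    findings = []
    external = domain not in INTERNAL_DOMAINS

    # Display name claims an internal function but the address is external.
    if external and any(role in name for role in ROLE_NAMES):
        findings.append("internal-role-from-external-domain")

    # Display name itself looks like an address on a different domain.
    embedded = EMBEDDED_ADDR_RE.search(name)
    if embedded and embedded.group(1) != domain:
        findings.append("display-name-address-mismatch")

    return findings


if __name__ == "__main__":
    # Constructed From headers; none are taken from the campaign.
    for value in (
        '"Human Resources" <user1234@isp.example>',
        '"Human Resources" <hr@corp.example>',
        '"hr@corp.example" <user1234@isp.example>',
        "=?utf-8?q?Human_Resources?= <user1234@isp.example>",
    ):
        print(value, "->", check_from(value))
```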

The subject for this campaign generally had a theme of “Reminder for [User’s Name] Reviewed Employee Handbook” with the user’s organization email ID being replaced into the subject each time. The context of this email is simple: there is a new employee handbook, everyone must review and sign the acknowledgement of this handbook upon receipt of this email. Interestingly enough, this phishing email was sent out well past the intended due date which simply adds to the urgency of the request – or the threat actor overlooked a variable that needed an update for their template. 

Within the body of the email, the threat actor has noticeably failed to disguise the URL. In fact, it is clear this supposed handbook is hosted on SharePoint in some way. 

The first step of this attack takes place on a SharePoint hosted document that users are redirected to from the email itself. This document, as seen in Figure 2, looks similar to any page one may see in an HR handbook except this one appears to outline the “Remote Working Policy” for the user’s organization. At the end of the described policy there’s a hyperlink to “proceed with acknowledgement” which, if you hover over it as shown in Figure 3, is simply another redirect to the same SharePoint. Except, this time, it directs to a survey hosted on it. 

Figure 2-3: Phishing Page 

Once users click on the link to presumably acknowledge this new policy, they are redirected to an “Acknowledgement Section” seen in Figure 4. On this page, users are prompted to enter their Microsoft credentials as a way to identify themselves, and “for successful submission of acknowledgement.” The threat actor in this case has utilized the Microsoft Excel web app to create and host a survey to harvest credentials, but this is far from uncommon. In fact, a lot of phish tend to utilize this method, exploiting the fact that these Excel surveys are hosted on SharePoint and leverage the trust most users place in the domain SharePoint.com as a whole.

Figure 4: Phishing Page   

Network IOC   IP   
hXXps://netorgft6696135-my[.]sharepoint[.]com/:w:/g/personal/hr_hrhandboook_com/Efj4moxVJidCogbJKcnVuQUBuhnrbvfNNdoq49e7ztvopQ?e=QpXfQL  104[.]146[.]136[.]48 
hXXps://netorgft6696135-my[.]sharepoint[.]com/:x:/r/personal/hr_hrhandboook_com/_layouts/15/WopiFrame.aspx?guestaccesstoken=EiYjYkpbbdYnGHOdsn0%2fA9ofWLWdjKnx0g5atRlMHTE%3d&docid=1_1c88d073e14d04676b3274b6a31ae8900&wdFormId=%7B72299567%2DF59D%2D40B1%2D8CAA%2D6E6DED3D7529%7D&action=formsubmit  104[.]146[.]136[.]48 

FISSEA Recognizes Cofense with the Best Security Blog Award

This week, the Cofense blog post, Invoice Themed Phishing Emails Are Spreading from Trusted Links, was named 2020 Best Security Blog by Federal Information Security Educators (FISSEA). Founded in 1987, FISSEA is an organization run by and for federal government information security professionals to assist federal agencies in strengthening employee cybersecurity awareness and training programs. Each year – with dozens of entries in varied categories – FISSEA recognizes a best entry in the FISSEA Training Exercise Contest. To meet the criteria, training exercises must have a security theme and be a part of an organization’s current security training program. Judging is based on originality, security message and graphic concept.

“We are honored to be recognized for our efforts to help companies find and remove phish in their environments,” said Michael Callahan, Cofense SVP of Marketing. “Cofense believes that a comprehensive phishing detection and response program is key to stopping phishing attacks, and we appreciate that the FISSEA program continues to raise awareness of resources like our blog designed to educate on the latest phishing techniques.”

Our analyst (and winning blog post author), Kian Mahdavi, and his coworkers in the Phishing Defense Center (PDC), devote their time to identifying and stopping phishing attacks. In addition, they provide insightful information about the dangers of phishing and how threat actors succeed in evading standard defenses. They, and the 24-plus million customers in our community who report phish daily, make the difference in our mission to rid organizations worldwide of phishing attacks.

Read the winning blog post here. 


Where Do Security Awareness Programs Belong on the Org Chart?

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here.

For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

While I was attending a security awareness conference in 2017, day 1 kicked off with a keynote that discussed the incident response process/program. The speaker had a couple of key points that resonated with me and have stuck. The first point was related to responding to your annual penetration test – do build your program to align with their findings, they will ALWAYS get in, it’s their job, etc. The second point was aligning your security awareness program to your incident response team.

Should you report to Training and Compliance or Incident Response?

Having spent a number of years in the security awareness role and networking with peers who have similar responsibilities, I can tell you that the reporting alignment is all over the place. Some report into the GRC department, some into the Learning or Training department (typically under the HR function), and some into the security program directly under the CISO. Some organizations will have a first line of defense – the teams with the tactical responsibility of defending against threats to the organization. They may also have a second line of defense – the teams that provide oversight or governance for the security program. This alignment tends to be more present in highly regulated industries.

You also find that security awareness professionals have varying experience and skillsets. You will see all these differences when you search for a job posting in security awareness – including the title. In some organizations the function may be a part-time job, just one of the many responsibilities assigned to the person sitting outside the CISO’s office. Other organizations have taken the time to build a robust program, making administration a full-time job – maybe even one that requires a team and a budget allowing the team to lower risk by addressing behaviors.

If you read part 1 of this series, you will recall the recommendation to go ask your Security Operations or Incident Response team about their top incident tickets. If your strategy is to address behaviors corresponding to REAL threats, then it stands to reason that the awareness function should be aligned as closely as possible to the department that responds to those threats. Here’s a visualization (purely an example) of the types of risks your program might address:

A robust security awareness program should include the resources – money and people – needed to make the program successful. If you have a compliance team that manages the regulatory and audit requirements, by all means, allow them to manage the annual training requirement for cybersecurity. Just make sure you’re able to review and provide input on the topics being covered, so the program aligns to the current threat landscape. When the auditors or regulators ask you about it, you’re covered.

Cybersecurity threats and behaviors are not black and white. They are constantly changing. Most cybersecurity frameworks and regulations simply state that you should have a security awareness program. Such statements are a little vague, but that’s a good thing. Without the constraints of specific elements – newsletters, posters, phishing annual training, squishy balls shaped like phish, stickers, a security awareness portal, etc. – you get to define what to include in your program, based on the threats and behaviors you need to address.

The metrics can help you find the right home.

One last item that helps decide where to position the security awareness role in the organization – metrics. When the role is aligned with the governance, risk management, and compliance side of the organization, metrics relate to completing the training or to how many users clicked a link or opened an attachment. When the role is aligned with the security program, metrics focus on end results like reducing risk and reducing time to contain an incident, which in turn leads to reducing time to remediate an incident. Instead of focusing on the number of clicks you would focus on reports: how many users reported the message, so the SOC can respond to and mitigate the attack.

Wherever your security awareness program lives within your organization, if you’re clear on the metrics you can communicate better. You can market the program and its goals to your business audience, translate technical/cybersecurity concepts in ways anyone can understand – and most importantly, tell people the actions you want them to take.

If you’re just getting started on building your security awareness program, there are plenty of free resources available to you when you’re on a shoestring budget:

See Awareness Resources

Recommended reading: If you’re looking to expand your knowledge on how to create powerful moments in your security awareness program, I suggest reading The Power of Moments by Chip Heath and Dan Heath.


“We’re Grateful For The Trust!”

By Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has found a phishing campaign that aims to harvest users’ credentials by making references to DocuSign. At first glance, the email is kept short and sweet in a bid to lure the user into viewing the invoice. Proofpoint and Microsoft’s Secure Email Gateway (SEG) both detected and failed to stop the phishing campaign. It’s claimed that the success of this attack was due to the skillfully concealed legitimate links within the (.PDF) attachment.

 Here’s what happened 

Figure 1: Email body 

The subject of this phish is vague, “Invoice attached,” guiding the user to learn more. The sender’s display name is William G. Kern, however the email address begins to read as “bill.kern”; could this be a possible mistake from the attacker? One would expect the display name and email address to correspondingly match with one another. As we pan down, we note the name of the attachment is in numerical order, with no indication of a detailed transaction, calling the attention of inquisitive users.

Following on from the above, the email features just two sentences, first thanking the user for their “business” and second, encouraging the user to contact the sender by means of telephone should there be any discrepancies. The norm would be to touch base with one another via email, providing full anonymity and leveraging their spoofing techniques, which is a perfect social engineering tactic from the attacker. 

Figure 2 – Attached PDF

The above screenshot displays what the attachment looks like when opened. Behind the “authentication required” message is a document with a substantial amount of text, including two bulky signatures. Perplexed users are led to suppose they are steps closer to unveiling the invoice.

It’s important to note the importance that the subdomain “myemail” plays in this attack, which is hosting the initial malicious webpage, rather than the compromised root domain “constantcontact[.]com.” Consider the social engineering dialect toward the end of the URL below. It’s a troubling yet effective methodology that attackers use to spread phishing sites.

“hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html?”

Figure 3 – Redirect Malicious DocuSign Link

Upon clicking the hyperlinked “Review” button in Figure 2, the website “myemail[.]constantcontact[.]com” opens up within the default browser. Because of the legitimate service, such campaigns almost certainly pass email authentication techniques such as DKIM/SPF. Better still, the built-in SSL certificates shown in the address bar allow the domain to become “trusted,” presenting the green padlock at the beginning of the URL. It appears the domain had been purchased and hosted from namecheap[.]com,  a web-hosting platform.

Figure 4 – Payload Phishing Site

The sequel to this campaign is a somewhat similar “DocuSign” phishing site inviting users to enter their credentials.

DocuSign does not require an account to log in. The document would be sent via email from dse@docusign[.]net, allowing recipients to review the document, implement a signature and complete the signing process.

Upon logging in, the user is under the impression he or she has been authenticated via a legitimate DocuSign. At this point, the user’s credentials are unfortunately in the hands of the threat actor.

Network IOCs   IPs
hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html  208[.]75[.]122[.]131
hXXps://domainnameonline[.]net/  199[.]188[.]200[.]202


Phish Found in Proofpoint-Protected Environments – Week ending October 23, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Credential Phish 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a Systel Inc-spoofing email to deliver credential phishing via embedded Canva links. The embedded Canva links redirect to phishing URLs that harvest email login credentials. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses the lure of a shipping document from Maersk to deliver the Agent Tesla keylogger via embedded Dropbox links. The links download a RAR archive that contains an Agent Tesla executable.    

TYPE: Remote Access Trojan 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a finance-themed email to deliver Remcos RAT via XXE attachments. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.
