Miming, Mimecast? The latest attempt at exploiting SEGs

By Adam Martin, Phishing Defense Centre

Secure email gateways (SEGs) often provide end users with a sense of safety from phishing and other malicious attacks delivered via email. This, however, can provide a false sense of confidence when interacting with notifications and alerts from phishing emails spoofing SEGs. The traditional tactic of employing a sense of urgency is generally the flavor of choice for threat actors in the form of disk space being full, invoices, etc. The objective is to draw the user into making rash decisions based on a fear of either data or monetary loss.

The initial link presented to the user takes advantage of the Google redirect feature using the following link:


Which will redirect the user to a malicious landing page. Which is designed to increase user confidence given the redirect is performed by Google. As illustrated in Figure 1, immediately attention is elicited by the email subject. Regardless of the keen eye evaluating a mailbox, the “WARNING” logo elicits concern from even the most experienced. This phishing tactic is a staple of malicious emails. In this case, Mimecast has been spoofed.

Graphical user interface, text, application, email Description automatically generated

Figure 1: Email body

Phishing emails that mention the target’s name are often more successful. The email body employs numerous tactics designed to be a double-edged sword. On one side the initial “shock” factor has been created and, on the other, an element of trust has been applied. The user’s name, along with specific reference to the percentage of memory remaining makes for a perfect match when stealing credentials. The other element, which is worth noting, is the fact that the threat actor has gone to the effort of giving the option of disabling the notification, seen in Figure 2. Although it is fraudulent, it provides another layer of confidence for the end user.

Graphical user interface, website Description automatically generated

Figure 2: Fraudulent Landing Page

Accessing the link in the email body will lead to a convincing landing page that mimes the Mimecast login page to a high degree of accuracy. The end user is prompted to enter their password as a server error has occurred. As seen in Figure 2, the base URL is indeed not the Mimecast domain. This base URL is also new, which merits alarm as an established SEG would have a cleaner URL.

Once credentials are input into the site, the data is exfiltrated to the external private server. The login page simply refreshes in a loop regardless of the amount of login attempts.

Unfortunately, as is the case with many privately hosted malicious servers/sites, they are taken down as fast as they pop up. As shown in Figure 3, a 403 error has occurred restricting access to the resource.

Figure 3: Network access attempt

Campaigns that seek the employ the guise of a SEG are often part of a targeted attack on a given company. Prior knowledge of the SEG in use can be attained via social engineering and OSINT. Constant updating of safe lists and ACLs on the firewall side of security management, along with end user training, continue to be the most effective means of avoiding account compromise.

Cofense can assist with these protections. Our Phishing Detection and Response platform comprehensively contains the phishing threats that bypass traditional email security. Cofense delivers the technology and advanced insight needed to rapidly detect, analyze and auto-quarantine phishing attacks. Contact us to learn more.


Indicators of Compromise IP
hXXps://1df493b81f7f45e68407442811a516e5[.]svc.dynamics.com/t/r/  hXXp://52[.]183[.]87[.]159/
hXXps://d5e5ecb84884425f98768108f081a87a[.]svc[.]dynamics[.]com/t/r/X-fsqjgi42gdMDDZPkaz34T9oWvCL2u-hDs3ZwpUAU8#[TO-EMAIL]:0002=12900 hXXp://52[.]183[.]87[.]159/
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
  The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 

Power Splunk with Cofense Triage Phishing Indicators

By Mike Saurbaugh

Security and operational technology teams rely on the data in Splunk. It’s also central to critical data used to make business decisions.

Regardless of the industry, phishing spares no one.

Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). It makes perfect sense to take all this enriched phishing data and feed it to Splunk for additional reporting and response actions.

Enhanced APIs Automate Collection and Indexing

Cofense Triage accelerates phishing email analysis, investigation and response by cutting through the noise automatically and surfacing the real threats faster, protecting organizations from the risk of compromise. The add-on provides the ability to extract reported phishing email data from the Cofense Triage inbox, processed reports, threat indicators, reporters, operators and status endpoints. And many more!

The enhanced Add-on developed by Cofense for Splunk runs on scheduled intervals and ingests valuable phishing data from Cofense Triage. Data from 20 Cofense Triage endpoints are called by the add-on and stored in Splunk for easy reporting and use by the security team.

Getting Connected

In Cofense Triage, create version 2 API client credentials:

Administration > API Management > Version 2 > Applications > New Applications

Graphical user interface, text, application, email Description automatically generated

Figure 1: Triage API Client Configuration

Obtain the add-on from Splunkbase and install it in the Splunk instance.

In Splunk, add Cofense Triage API credentials. The client ID and client secret are obtained after generating the API application in Cofense Triage.

Text, application, table Description automatically generated

Figure 2: Add-on Account Setup to Access Cofense Triage

Input Configuration

With 20 endpoints to choose from, select and configure inputs based on desired polling intervals and the data required to empower the security team.

Table Description automatically generated

Table Description automatically generated

Figures 3 and 4: Add-on Accessible Data Input Fields to Configure

Assign Preferred Parameters to the Input Configuration