Tools & Team Together — How Tetra Defense and Cofense Fight Phishing

By Rich Keith

Tetra Defense has broadened the partnership with Cofense to include instant phishing detection, showing lightning-fast results by deploying Cofense Protect MSP. This helps keep malicious emails out of inboxes while dramatically reducing the load on security analysts.

Phishing attacks are a massive problem for end users and SOC analysts, and today’s threats are increasingly difficult for humans to detect. Cofense Validator results show that secure email gateways (SEGs) miss roughly half of all malicious URLs, which rotate faster than blacklists are updated. Worse, most of these are credential phishing attacks built from multiple layers that lure the user step by step away from the initial email, making them nearly impossible for legacy SEGs to detect. The Cofense 2021 Annual State of Phishing Report found that 57 percent of phishing attacks are aimed at credential theft. An example is shown in Figure 1.

Figure 1: Most phishing attacks are credential-theft themed. This is an example.

This data intrigued Tetra Defense, a company that specializes in managed detection and response (MDR) services, drawing from deep experience in both incident response and cyber risk management.

“We need a system that can detect and stop these URLs before a user can click on them,” said Bradley Roughan, Tetra Defense Vice President of Cyber Defense Operations.

As threat actors change their methods, it’s imperative for security solutions to improve as well. This is an approach that Tetra has embraced for years, now backed by Cofense Protect MSP.


Because today’s threat actors put the credential-harvesting page several redirects away from the link in the email, a SEG that only inspects the first URL sees nothing malicious. Cofense Protect MSP instead opens every link in a protected sandbox and follows the redirect chain to its final destination. This multi-level investigation is something no SEG can do. The final landing page (usually a login page) is then compared with the legitimate page it imitates: a page that looks like a known brand’s login but is served from a different domain is a phish.

Cofense Protect MSP is the only instant-threat detection solution to emulate the way a human would “see” a phishing email. It analyzes the target landing page using visual perceptual cues and compares it against images of legitimate landing pages that are continuously scanned into its database. Legacy SEGs are simply incapable of doing this, leaving their end users vulnerable to these sophisticated, yet common, phishing attacks.
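The check described above, as an added example. This is not Cofense code and not a description of how Protect MSP is built: it follows a redirect chain offline through an injected fetch function, takes a difference hash of the final page’s render, and calls the page a phish when the render matches a known brand’s login page but the registrable domain is not the brand’s. The bitmaps, hosts, redirect chain and the single brand entry are all constructed; a real deployment would hash actual screenshots and use the Public Suffix List for the domain comparison.

```python
"""Added example: resolve a link to its final landing page and decide whether
that page is a credential phish.  Not Cofense code; every page, bitmap and
brand entry below is constructed for the example."""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10
SIMILARITY_THRESHOLD = 10   # max Hamming distance (of 64 bits) for "same look"


def follow_redirects(url, fetch):
    """Follow HTTP redirects to the final page.  fetch(url) must return
    (status, location, screenshot); it is injected so the example runs offline.
    Loops and over-long chains raise instead of hanging the sandbox."""
    visited = []
    while len(visited) < MAX_HOPS:
        visited.append(url)
        status, location, screenshot = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return url, visited, screenshot
        if location in visited:
            raise ValueError("redirect loop at " + location)
        url = location
    raise ValueError("more than %d redirects" % MAX_HOPS)


def dhash(bitmap):
    """Difference hash of an 8-row x 9-column greyscale bitmap (0-255): one bit
    per horizontally adjacent pair, set when the right pixel is brighter.
    Small rendering differences change only a few bits."""
    bits = 0
    for row in bitmap:
        for x in range(8):
            bits = (bits << 1) | int(row[x] < row[x + 1])
    return bits


def hamming(a, b):
    return bin(a ^ b).count("1")


def registrable_domain(host):
    """Last two labels of a hostname.  Assumption: production code would use
    the Public Suffix List so that hosts under e.g. 'co.uk' are handled."""
    return ".".join(host.lower().split(".")[-2:])


def _bitmap(pixel):
    return [[pixel(x, y) for x in range(9)] for y in range(8)]


# Constructed stand-ins for rendered screenshots.
REF_LOGIN = _bitmap(lambda x, y: (37 * x + 53 * y) % 256)        # the brand's real login page
PHISH_SHOT = [row[:] for row in REF_LOGIN]                        # pixel-for-pixel clone ...
PHISH_SHOT[0][0] = (PHISH_SHOT[0][0] + 128) % 256                 # ... with one pixel changed
OTHER_SHOT = _bitmap(lambda x, y: 255 - (37 * x + 53 * y) % 256)  # an unrelated page

# Brand catalogue: legitimate registrable domains plus the hash of the
# legitimate login render.  Hypothetical brand and domain.
BRAND_PAGES = {
    "ExampleMail sign-in": {"domains": {"examplemail.example"},
                            "hash": dhash(REF_LOGIN)},
}


def classify(final_url, screenshot):
    """'phish' when the render matches a brand login but the domain is not the
    brand's; 'legitimate' when both match; 'unknown' otherwise."""
    host = urlsplit(final_url).hostname or ""
    page_hash = dhash(screenshot)
    for brand, info in BRAND_PAGES.items():
        if hamming(page_hash, info["hash"]) <= SIMILARITY_THRESHOLD:
            if registrable_domain(host) in info["domains"]:
                return "legitimate", brand
            return "phish", brand
    return "unknown", None


# Constructed redirect chain: tracking link -> URL shortener -> phishing page.
PAGES = {
    "https://track.newsletter-host.example/c/1": (302, "https://short.link-host.example/abc", None),
    "https://short.link-host.example/abc": (302, "https://login-verify.fruit-hosting.example/#", None),
    "https://login-verify.fruit-hosting.example/#": (200, None, PHISH_SHOT),
    "https://login.examplemail.example/": (200, None, REF_LOGIN),
    "https://news.example/": (200, None, OTHER_SHOT),
}


def verdict(url, fetch=PAGES.get):
    """Full pipeline for one link: follow, render-compare, decide."""
    final_url, hops, screenshot = follow_redirects(url, fetch)
    label, brand = classify(final_url, screenshot)
    return {"final_url": final_url, "hops": len(hops), "verdict": label, "brand": brand}


if __name__ == "__main__":
    for link in PAGES:
        print(link, "->", verdict(link))
```

Two design points carry over to real tooling: the hop limit and loop check are what keep a sandbox from being tied up by an attacker-controlled redirect chain, and the comparison is made on a perceptual hash rather than on the URL, so the phish is caught even though the first link in the email points at a harmless tracking host.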

Tetra Defense already uses Cofense Triage as part of their Managed Detection and Response services to analyze user-reported suspicious emails. Now, Cofense Protect MSP provides an additional layer of defense: A speedy solution for phishing protection at the inbox that combines Computer Vision and AI to stop phishing emails and websites in real-time, all before they have been reported and added to the blacklists.

“In the first 4 weeks after installing Protect MSP, we have blocked more actual malicious emails for our client than we found in those reported by users for the entire year,” Roughan said. “Another client we installed slightly later shows this same trend. With an immediate 94 percent reduction in volume of threats to be investigated, Protect MSP quickly reduced the window of exposure to our clients. This lowers client risk and lessens the time spent by our threat analysts.”

Saving this time is crucial in the threat intelligence realm where dedicated research and continuous hunting is required to stay ahead of threat actors.

“With nearly 60 percent of all phish aimed at credential harvesting, having such a layered defense is the best way to win,” Roughan added.

Figure 2: This graph displays malicious emails reported and protected with Cofense Protect MSP

The graph shown in Figure 2 illustrates how the number of phishing detections from Protect rose very quickly immediately after implementing Protect MSP. Within four weeks of implementation, the number of reported malicious emails that Tetra’s Cyber Defense analysts had to inspect decreased by 77 percent. Cofense Protect MSP not only makes the customer more secure, it also empowers Tetra Defense to direct its valuable SOC resources where they make the most impact. This underscores a key requirement in cybersecurity: The need to have both technology and humans to form the most effective solutions.

“You need both humans and smart systems to defeat phish,” said Robert Iannicello, Vice President of MSSP Programs for Cofense.

Using this strategy, Cofense Protect MSP continues to improve detecting and providing email security protection, learning not only through scanning millions of emails and URLs every day, but also through a proprietary feedback loop that delivers phishing intelligence continuously from the global Cofense network to the solution’s AI engine. This makes Cofense Protect MSP smarter every day as it constantly learns from IOCs detected in emails flagged by 30 million human reporters. These are emails that bypassed SEGs and landed in user inboxes.

“Cofense is proud to deliver the unique benefits of rapid phishing detection and user training in one package with Protect MSP,” Iannicello said. “Tetra Defense’s MDR customers can get instant benefit with our 40-second onboarding experience with no MX record changes required. MSPs and cybersecurity teams at Tetra can take advantage of our MSP-friendly NFR licenses to protect themselves, as well as our monthly consumption-based billing, low-touch maintenance and advanced reporting with analytics.”

These unique benefits are a key requirement in cybersecurity. Both powerful tools and knowledgeable teammates combine forces to continually learn, improve and protect organizations of all sizes. Tetra Defense brings this combination to the forefront with their MDR services, leveraging Cofense Protect MSP to not only protect client inboxes but to learn from these messages and shed light on the ever-changing dark-web activity that threatens organizations today.

“We don’t just notify, we take action,” Roughan said. “We optimize the best tools and methods to stop sophisticated cyber threats and detect what may otherwise go unfound. Cofense Protect MSP is part of what lets us go beyond, and it’s only getting better.”

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Three is the Magic Number

By Michael Callahan

When it comes to prioritizing or recalling information, three is the magic number. Many of us know this thanks to Schoolhouse Rock, whether from the original airing or from its rediscovery by recent generations. Either way, our ability to remember things drops sharply with each item beyond three. It’s no different with phishing detection and response (PDR). There are a dozen or more capabilities you need to stop phishing attacks, but three stand out from the pack.

They are:

  1. Breadth of Phishing Intelligence
  2. Ability to Auto Quarantine Attacks
  3. A Feedback Loop that Ensures the System Continues to Get Smarter

Let’s go through each one.

Breadth of Phishing Intelligence. Many companies have threat intelligence. Some track what goes on in their environments with custom solutions. Others have what they capture with their current email security solutions. But to be truly effective, you need to have phishing intelligence. Not only phishing intelligence, but phishing intelligence based on state-of-the-art research and attacks that have made it through all email security systems.

This last piece is critical.

It’s not enough to know what hasn’t been stopped by one of the legacy, expensive and often redundant secure email gateways (SEGs). You need to know what has bypassed all of those systems to understand how attackers are targeting your organization. At Cofense, our phishing intelligence shows us what gets past all the leading SEGs, the latest IESS/CESS/CAPE startups, and even the smaller market-share email security solutions. In fact, we actively monitor around 20 different email security solutions and know what each one stops and what it doesn’t. No one else has this breadth of phishing intelligence, and it’s why Cofense can stop attacks faster and more efficiently than any other solution.

Ability to Auto Quarantine Based on Intelligence. Attackers rely on you being inefficient in response to their attacks. The ultimate tool you have is speed. Once an attack starts, how fast can you confirm you are being attacked and how fast can you respond? Millions of phish bypass existing email security solutions every month. As soon as a phish gets through your SEG, it’s a race against the clock. You have to quickly identify the attack and stop it. The only way to do this quickly is through automation. Once confirmed, you need to auto quarantine all the other emails that make up the attack. At Cofense, we’ve seen millions of attacks. In fact, one reported email resulted in identifying 4,500 other emails that were part of the attack; they were auto quarantined. This happens instantaneously. And this is not the exception; it’s the rule with Cofense. We routinely see attacks consisting of hundreds and thousands of emails stopped in their tracks instantly with Cofense Auto Quarantine technology.

The effectiveness of Auto Quarantine is based on the high-fidelity intelligence from Cofense Intelligence, and automation technology in Cofense Triage and Vision. It’s important to point out that this instantaneous Auto Quarantine capability doesn’t only work for the company that reported the phishing attack. For Cofense PDC customers, once confirmed, that intelligence is used to automatically and instantly stop attacks in other customer environments. We call this the Cofense Network Effect. If you’re part of the Cofense network, you benefit from the collective intelligence. We’re like the Waze of email security – powered by the crowd and benefiting everyone in the network. But it all boils down to speed and the ability to stop attacks as quickly as possible. In or out of the network, Auto Quarantine ensures attacks against your organization are stopped quickly.
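The selection step behind an auto-quarantine, as an added example that is not Cofense code: starting from one confirmed phish, expand outward over shared indicators to find the sibling messages of the same campaign. The messages, domains, field names and the list of “generic” domains are constructed; a real mail store export would supply the records and the SOC would maintain the allowlist.

```python
"""Added example (not Cofense code): expand one confirmed phish into the rest
of its campaign by pivoting on shared, high-fidelity indicators, the selection
an auto-quarantine needs before it pulls mail from inboxes.  Messages, domains
and field names are constructed."""
from collections import deque
from urllib.parse import urlsplit

# Indicators too common to pivot on: the organisation's own domain and shared
# hosting that a campaign merely abuses.  Constructed; in practice this is an
# allowlist maintained by the SOC.
GENERIC_DOMAINS = {"corp.example", "drive.example"}

MESSAGES = [
    {"id": "m1", "from": "it-support@helpdesk-notice.example", "subject": "Password expires today",
     "urls": ["https://secure-reset.example/login"], "attachments": []},
    {"id": "m2", "from": "it-support@helpdesk-notice.example", "subject": "Your password expires in 24h",
     "urls": ["https://secure-reset.example/login?u=2"], "attachments": []},
    {"id": "m3", "from": "alerts@mail-relay.example", "subject": "Password expires today",
     "urls": ["https://secure-reset.example/login?u=3"], "attachments": []},
    {"id": "m4", "from": "alerts@mail-relay.example", "subject": "Action required",
     "urls": [], "attachments": ["3b1f...constructed-sha256"]},
    {"id": "m5", "from": "hr@corp.example", "subject": "Benefits enrollment",
     "urls": ["https://drive.example/file/abc"], "attachments": []},
    {"id": "m6", "from": "notice@corp.example", "subject": "Password expires today",
     "urls": ["https://login.corp.example/"], "attachments": []},
]


def is_generic(host):
    return any(host == g or host.endswith("." + g) for g in GENERIC_DOMAINS)


def indicators(msg):
    """Pivot keys for one message: sender domain, URL hosts, attachment hashes.
    Subject lines are deliberately not keys; they collide with legitimate mail
    far too easily (m6 above is a genuine password notice)."""
    keys = set()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if not is_generic(sender_domain):
        keys.add(("sender", sender_domain))
    for url in msg["urls"]:
        host = (urlsplit(url).hostname or "").lower()
        if host and not is_generic(host):
            keys.add(("url_host", host))
    for digest in msg["attachments"]:
        keys.add(("sha256", digest.lower()))
    return keys


def campaign_siblings(messages, seed_id):
    """Breadth-first expansion from the confirmed phish over shared indicators.
    Returns {message_id: indicators that linked it}, seed excluded, so an
    analyst can see why each message was selected."""
    keys = {m["id"]: indicators(m) for m in messages}
    linked = {}
    seen = {seed_id}
    queue = deque([seed_id])
    while queue:
        current = queue.popleft()
        for other in messages:
            oid = other["id"]
            if oid in seen:
                continue
            shared = keys[current] & keys[oid]
            if shared:
                seen.add(oid)
                linked[oid] = sorted(shared)
                queue.append(oid)
    return linked


if __name__ == "__main__":
    for mid, via in campaign_siblings(MESSAGES, "m1").items():
        print("quarantine", mid, "linked via", via)
```

The expansion is transitive (m4 is reached through m3, not through the seed), which is what finds the thousands of siblings the text describes, and it is also why the pivot keys have to be high fidelity: one generic key such as a shared hosting domain or a subject line would pull legitimate mail into the quarantine.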

Feedback Loop. What good is intelligence if you don’t use it to get smarter? At Cofense we believe that the best way to continuously stop attacks quickly is by incorporating a feedback loop where all of the email intelligence is fed back to the machine learning algorithm to get smarter. When a phishing email makes it to the inbox, and well-conditioned users apply their own vision (Human Vision) to determine the email is suspect, that email and any other in the attack will be instantly auto quarantined. Once we have that intelligence, it’s used to train the Computer Vision technology in our Cofense Protect product to get smarter and stop similar attacks in the future as they enter an organization. Cofense is the only company with this feedback loop that continues to make the overall system better, faster and smarter every day. In fact, as a result, Cofense’s Protect product doubles in intelligence about every three months. Computer Vision and Human Vision bookend the protection, with the automation technologies in between eliminating the risk and getting smarter through the designed-in feedback loop.

There you have it. Like triangles, tricycles and tripods, those are the three critical capabilities of an effective phishing detection and response solution. There are more capabilities, of course, and I encourage you to investigate them with your Cofense account manager, but those three are the critical ones.

We’re happy to set up a time for you to talk with someone on our team to help stop phishing attacks against your organization. You can send us your information here and we’ll get back to you in less than 24 hours.

We’re Cofense.  We Stop Phish.


Phishing as a Ransomware Precursor

By Max Gannon

For what seems like years now, ransomware has captured headlines due to its sensationally disruptive and costly nature. Over those years, phishing has been used to deliver ransomware directly or through a single intermediary loader, often targeting individual machines for small ransoms. Today, however, phishing is most often a preliminary step in a multi-stage ransomware operation rather than the delivery mechanism for the ransomware itself, and the ransom demands have grown enormously.

In this blog, Cofense addresses two primary factors that have pushed phishing further upstream in the ransomware delivery process:

  1. Ransomware operations are seemingly more profitable when they focus manual effort on ransoming an entire organization after the initial compromise of an individual member, rather than simply conducting automated attacks against a distributed set of unrelated, individual victims.
  2. These focused ransomware attacks can be conducted more effectively if the ransomware delivery is segregated from the initial phishing chain. Tools used to establish a pervasive presence and deploy ransomware in the targeted organization’s network may be loaded via the phishing campaign’s malware payload, but only at the command of a human attacker after the automated phishing chain is complete.

Once inside, a threat actor can use any of a large variety of custom and commodity tools to move laterally, escalate privileges, establish persistence and deliver the final ransomware payload. Therefore, an excessive focus on signatures of the ransomware itself is counterproductive. By the time an actual ransomware binary is detectable within a targeted organization’s network, it may be too late to mitigate the impact. Thus, it is more important than ever to catch a ransomware operation at the phishing stage, before it is even identifiable as a ransomware attack.

Ransomware, the Media Headliner

In the context of cyber threats and security responses, ransomware has taken on a life of its own, and has become a major focus of media attention around the world. While a large variety of other threat types exist, many broadly labeled simply as “malware” and “cyberattacks” in media coverage, ransomware is specifically named. Obviously, using ransomware to acquire a ransom is the final objective of any ransomware operation. The process through which threat actors compromise and prepare victim networks for ransomware deployment involves an initial entry vector, as well as a host of other tools, malware and infrastructure.

Phishing is one of the most common entry vectors for ransomware operations. However, the trend of threat actors delivering ransomware directly via a phishing email or via an attached intermediary downloader has diminished. Instead, threat actors now often choose to deliver ransomware using malware originating from a phishing email. For example, BazarBackdoor was used to deliver Ryuk ransomware to healthcare companies in October 2020 and, recently, IcedID was used to deliver OnePercent group ransomware, according to an FBI advisory.

Some recent ransomware related headlines have highlighted software vulnerabilities and account compromises as being key factors in expensive and eye-catching ransomware incidents. Software vulnerabilities, while newsworthy, are generally not recognized as a common ransomware attack vector. Most sources, including the United States Cybersecurity and Infrastructure Security Agency (CISA), state that phishing is one of the leading ransomware infection vectors. Account compromise is the other ransomware infection vector mentioned in recent headlines. This vector can be heavily influenced by credentials stolen via credential phishing or keyloggers, which also originate with phishing. These facts merit increased scrutiny of phishing as a ransomware infection vector.

Focused Ransomware Attacks are More Profitable than Distributed Attacks

In the past, ransomware such as Avaddon was widely distributed via phishing, with little regard for the identity of the recipient. While this tactic proved profitable to an extent, it also limited threat actors. With no idea whether they were infecting an individual, a small business or a large company, threat actors were forced to set a ransom that individuals could be expected to pay. By doing so, threat actors potentially missed out on significantly larger amounts that companies could be expected to pay.

For example, a threat actor might ransom individual employees for $700 each (the average Avaddon ransomware payment at one point). On the other hand, the threat actor could spread laterally and ransom all of the infected machines and shared drives to the company for an average of $170,404. If the threat actor performed additional information gathering (e.g., the company’s size, its profit for the last year, and how often it needs to access the soon-to-be-encrypted content), the ransom could be tailored to be much higher while still within an “affordable” range.

Shifting from distributed attacks to more focused attacks seems clearly to be more profitable for threat actors, but targeting enterprise environments comes with additional challenges. Enterprise environments are more likely to have security controls in place and more likely to have methods of blocking malicious attachments than a single user with a simple desktop email client. Using large-scale generic campaigns with attached ransomware or attached simple downloaders, as in the past, is generally not an effective way to bypass enterprise security controls. Instead, threat actors often opt to bypass some security controls in two ways. The first is to buy access to enterprise environments that have already been compromised by other malware and then deploy the ransomware. The second is to use methods that can bypass security controls to deliver harder-to-detect payloads, such as Cobalt Strike, which then perform reconnaissance before delivering the ransomware.

Post-Phishing Delivery is More Conducive to Focused Ransomware Attacks

In current operations, ransomware is most likely to be delivered by other malware or tools already placed on the targeted system. Among other benefits to the threat actor (including limiting exposure to researchers and law enforcement personnel interested in ransomware), this delivery tactic helps to bypass initial security controls and collect information to determine whether the compromised machine is part of a potentially profitable ransomware target. Whether this data is provided by a threat actor who has already compromised a computer and is selling access, or by tools used by the threat actor deploying the ransomware, it can allow threat actors to tailor ransom amounts and make more money. The threat actor deploying the ransomware can also perform reconnaissance to target and exfiltrate high value data. This can allow the threat actor to charge ransom for both the encrypted data and the stolen data.

The currently observed methodology used by threat actors consists of several steps:

  • Threat actors purchase access to a computer that has already been compromised by previous malware
  • Deploy reconnaissance tools to gather information
  • Employ lateral movement to establish persistence in multiple connected systems, and then,
  • Deploy ransomware


This process takes time. FireEye estimated that, in most ransomware incidents, at least three days passed between the initial infection and the deployment of ransomware. This gap is a grace period of sorts in which defenders can detect and contain the intrusion before the ransomware runs, but only if they have the tools and intelligence to recognize the steps that precede a ransomware deployment.

Some of the malware more commonly used to infect computers and sell access to ransomware operators include TrickBot, Dridex, IcedID and BazarBackdoor. These malware families are well known, but advanced enough to bypass some security controls. We consistently see these families reaching user inboxes in environments protected by secure email gateways (SEGs). A number of commonly seen and less sophisticated malware can also deploy additional malware including ransomware. A list of some of the more prominent families that are capable of downloading and deploying additional malware, including ransomware, can be seen in Table 1.

Table 1: Prominent Malware Families Capable of Downloading Ransomware

Family           Has Been Seen Downloading Ransomware   Primary Malware Function
Loki Bot         No                                     Information Stealer
NanoCore RAT     No                                     Remote Access Trojan
Remcos RAT       No                                     Remote Access Trojan
TrickBot         Yes                                    Banking Trojan
Chanitor         Yes                                    Loader
Ursnif           Yes                                    Banking Trojan
BazarBackdoor    Yes                                    Loader
IcedID           Yes                                    Banking Trojan

Things to Consider

As ransomware continues to be delivered based on decisions and actions taken by human threat actors, rather than as a default configuration, it becomes increasingly important to look “upstream” at the chain of events that leads to that decision. Treating most malware detections as a potential vector for ransomware may seem excessive, but most advanced malware and remote access trojans (RATs) can deliver additional malware and ransomware. By treating each malware infection as a potential vector, and tracing the steps that led to that infection, you can determine the flaws in your defenses and fix them.
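Looking “upstream” from a malware detection, as an added example that is not from the Cofense post: reconstruct the process ancestry of an alerted process from endpoint process-creation events, flag chains that start at a mail client and reach a script host or LOLBin, and report how long the first stager has been alive (the window the text describes, in which defenders can act before ransomware is deployed). The events are constructed JSON lines; the field names and the mail-client/stager heuristic are assumptions for this example, not any vendor’s schema or detection rule.

```python
"""Added example (not from the Cofense post): when a loader or RAT detection
fires, look upstream by reconstructing the process ancestry from endpoint
process-creation events and flagging chains that begin at a mail client.
Events are constructed JSON lines; the field names and the heuristic are
assumptions for this example, not any vendor's schema or rule."""
import json
from datetime import datetime

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
STAGERS = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "cmd.exe"}

# Constructed telemetry: one process-creation event per line.
SAMPLE_EVENTS = """\
{"ts": "2021-09-01T09:02:11Z", "pid": 4120, "ppid": 812,  "image": "outlook.exe",    "cmd": "outlook.exe"}
{"ts": "2021-09-01T09:05:40Z", "pid": 5204, "ppid": 4120, "image": "winword.exe",    "cmd": "winword.exe /n invoice_0921.doc"}
{"ts": "2021-09-01T09:05:52Z", "pid": 5310, "ppid": 5204, "image": "rundll32.exe",   "cmd": "rundll32.exe update.dll,Start"}
{"ts": "2021-09-03T14:20:03Z", "pid": 6100, "ppid": 5310, "image": "cmd.exe",        "cmd": "cmd.exe /c net view /domain"}
{"ts": "2021-09-01T10:00:00Z", "pid": 7000, "ppid": 812,  "image": "chrome.exe",     "cmd": "chrome.exe"}
{"ts": "2021-09-01T10:01:00Z", "pid": 7100, "ppid": 7000, "image": "powershell.exe", "cmd": "powershell.exe -File update.ps1"}
"""


def parse_events(text):
    """Index process-creation events by pid so parent links can be followed."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[event["pid"]] = event
    return events


def ancestry(events, pid):
    """Walk ppid pointers to the oldest recorded ancestor; returns root first.
    Stops at an unknown parent or a pid-reuse loop."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid])
        pid = events[pid]["ppid"]
    chain.reverse()
    return chain


def phishing_origin(chain):
    """True when a mail client is an ancestor of a script host or LOLBin:
    the infection most likely began with an attachment or link in email."""
    names = [e["image"].lower() for e in chain]
    mail = next((i for i, n in enumerate(names) if n in MAIL_CLIENTS), None)
    return mail is not None and any(n in STAGERS for n in names[mail + 1:])


def triage(events, alert_pid):
    """Summarise one alert: its ancestry, whether it traces back to email,
    and how many hours the first stager in the chain has been alive."""
    chain = ancestry(events, alert_pid)
    stager = next((e for e in chain if e["image"].lower() in STAGERS), None)
    hours = 0.0
    if stager is not None:
        hours = (events[alert_pid]["ts"] - stager["ts"]).total_seconds() / 3600
    return {"chain": [e["image"] for e in chain],
            "phishing_origin": phishing_origin(chain),
            "hours_since_first_stager": round(hours, 1)}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in (6100, 7100):
        print(alert, triage(evs, alert))
```

In the constructed data the reconnaissance command fires more than two days after the loader started, which is the kind of dwell time the FireEye estimate describes; the ancestry, not the ransomware signature, is what tells the analyst that the fix belongs in the email layer.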

Using tools such as Cofense Intelligence’s YARA rules and published threat indicators can help detect and prevent infections, while training employees to recognize and avoid interacting with malicious content provides a line of protection that machines cannot. Phishing tactics are always evolving and becoming more complex. The Cofense Phishing Detection and Response (PDR) security solutions combine technology and unique human insight to catch and stop phishing attacks before they hurt your business. Learn more here.


Cofense Strengthens Focus on Business Email Compromise with Addition of Ronnie Tokazowski as Principal Threat Advisor

Leesburg, Va. – Sept. 21, 2021 – Cofense®, the leading provider of phishing detection and response (PDR) solutions, has appointed Ronnie Tokazowski as Principal Threat Advisor. Tokazowski brings to the Cofense team a wealth of firsthand knowledge and research on business email compromise (BEC), which will bolster the company’s mission to support organizations in the fight against all types of email attacks, including BEC.

Cofense’s 2021 Annual Report showed that 6% of reported malicious emails over the last year were BEC. And according to the latest FBI Internet Crime Report, this phishing tactic caused nearly $2B in financial losses for businesses in 2020. Damage caused by BEC attacks can also include reputational and brand damage, presenting serious business risk that organizations should be taking steps to address. In his role at Cofense, Tokazowski will be focusing on BEC threats in an effort to further Cofense’s research, threat intelligence, and product features to better protect customers against this impactful threat.

“Cofense is thrilled to welcome Ronnie to the company. I’ve personally known Ronnie for a long time and look forward to his professional contributions in furthering Cofense’s mission of stopping all forms of email attacks by guiding enhancements based on his unparalleled insights in that area,” said Rohyt Belani, Co-founder and CEO, Cofense.

Tokazowski’s proven track record as a security researcher includes experience reverse engineering crimeware and APT malware, creating decoders and IOCs for detecting malicious attacks, and using active defense techniques against cyber criminals attempting to exploit organizations via BEC attacks. Previously, Tokazowski was senior threat researcher at Agari, following his roles as senior malware analyst at Flashpoint and senior researcher at Cofense.

“Business email compromise not only creates significant financial loss for businesses, but at the human level, BEC can take a serious mental toll when someone realizes they have been caught up in a scam with massive implications for their organization,” added Tokazowski. “There is no single technology solution to prevent BEC attacks, so we must empower organizations with a combination of technology, process and user awareness. I have been impressed with Cofense’s continued innovation and expansion of their phishing detection and response solutions, and I am excited to return to the company to help organizations prepare for and prevent BEC.”

Tokazowski has significant experience in creating actionable intelligence reports on emerging trends in cybersecurity and will be bringing that to Cofense. He has also collaborated with multiple law enforcement and government agencies to identify fraudulent and criminal activity targeting victims across the world, and works directly with current and former scammers to understand how cybercrime works from their perspective, including forging bank statements and other documents as part of active defense engagements to gather intelligence. Tokazowski has also contributed to the tech community by raising money and awareness for the Nigerian tech hub Future Labs, which trains the next generation of youth, and by creating IntroTech and other networking venues where victims and security researchers can connect.

For more information about Cofense’s Phishing Detection and Response (PDR) solutions, please visit www.cofense.com.

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of nearly 30 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact

Taylor Hadley


IT Support Lures Users into Mimecast Phish

By Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has intercepted a new phishing technique that uses information technology (IT) support-themed emails to get users to enter their existing password. Password-reset notices from IT support are routine in most organizations, for example when a rotation policy is enforced, so an email of this kind does not look out of place. The more legitimate such an email appears, the more likely the threat actor is to succeed, because employees rarely question the people responsible for the company’s confidentiality, integrity and security: they are treated as authorities.

This report showcases an email that prompts the user to update a password that is about to expire. The first red flag is the sending domain: realfruitpowernepal[.]com was registered only a few months before this writing. The sender is dressed up as the organization’s internal IT department, yet the domain itself leads to a site built on a free web design platform. The email also opens without a greeting such as “Good Morning” or “Dear…”, which suggests a mass mailing, most likely generated by a purpose-built script.

Figure 1: Email body

Hovering over the “Continue” button reveals a URL that references Mimecast and carries the recipient’s email address (redacted here) near its end. Because the Mimecast name is spelled correctly and the URL has the form of a genuine rewritten link, it may not raise suspicion; it leads to the next stage of the attack.

Figure 2: Mimecast security

Clicking the link first takes the user to a genuine Mimecast web security portal page that asks whether the link should be blocked or ignored. As a security control this interstitial is very effective; here, however, the attacker simply relies on the user clicking through it.

Figure 3: Security portal

Clicking either “It’s Safe” or “It’s Harmful” led to the same result: a final confirmation prompt with a “Continue to Page” button (see Figure 3).


The credential theft itself happens on a counterfeit Mimecast page that prompts the user to enter their email address and password to “reset” the password. After clicking “Continue to Page” in Figure 3, the user is redirected to the phishing landing page, which claims the session has expired, as shown in Figure 4.

We assumed the goal was to make the phishing landing page appear identical to the legitimate Mimecast site. However, during our investigation, we discovered that the URL provided does not match the authentic Mimecast URL and the footer detail is missing, as shown in Figure 4.

Phishing URL: hXXps://hiudgntxrg[.]web[.]app/#

Legitimate link: https://login[.]mimecast[.]com/u/login/?gta=apps#/login
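The two red flags in this comparison, a vendor's name appearing in a URL whose host the vendor does not own, and a landing page on a free hosting platform, can be checked automatically before a message reaches a mailbox. The following is an added example written for this article, not Cofense's or Mimecast's code. The only legitimate host it knows is mimecast.com, taken from the login URL above; the free-hosting suffix list (web.app from the IOC list, plus two assumed entries) and the sample email body are constructed for the demonstration.

```python
"""Link-assessment heuristics for brand-impersonating phish.

Added example written for this article; it is not Cofense's or Mimecast's
code. It encodes two red flags the report describes: a security vendor's
name appearing in a URL whose host the vendor does not own, and a landing
page hosted on a free, anyone-can-publish platform.
"""
import re
from urllib.parse import urlsplit, unquote

# Brand keyword -> hosts the brand legitimately uses for the linked service.
# "mimecast.com" comes from the legitimate login URL quoted in the article;
# any other entries would be environment-specific (assumption).
BRAND_HOSTS = {"mimecast": ("mimecast.com",)}

# Hosting suffixes where anyone can publish a page in minutes. "web.app" is
# the suffix of the landing page in the article's IOC list; the others are
# assumed entries an operator would maintain.
FREE_HOSTING_SUFFIXES = ("web.app", "weebly.com", "github.io")


def refang(url: str) -> str:
    """Turn the article's defanged notation (hXXps, [.]) back into a real URL."""
    return url.replace("hXXp", "http").replace("[.]", ".")


def _under(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def assess_link(url: str) -> list:
    """Return the reasons a URL looks like a brand-impersonating phish.

    An empty list means none of the heuristics fired; the caller decides
    whether one hit is enough to hold the message for review.
    """
    full = refang(url)
    host = (urlsplit(full).hostname or "").lower()
    haystack = unquote(full).lower()  # decoded so percent-encoding cannot hide the brand
    reasons = []
    for brand, hosts in BRAND_HOSTS.items():
        if brand in haystack and not any(_under(host, h) for h in hosts):
            reasons.append(f"'{brand}' named in URL but host '{host}' is not a {brand} host")
    if any(_under(host, s) for s in FREE_HOSTING_SUFFIXES):
        reasons.append(f"host '{host}' is on a free hosting platform")
    return reasons


def assess_email_links(html_body: str) -> dict:
    """Pull every href out of an HTML body and assess it; returns {url: [reasons]}."""
    hrefs = re.findall(r"""href=["']([^"']+)["']""", html_body, flags=re.I)
    return {href: assess_link(href) for href in hrefs}


# Constructed sample body (not the article's email): a lookalike link whose
# path name-drops Mimecast, the article's landing-page IOC, and the real login.
SAMPLE_BODY = """<p>Your password expires today.</p>
<a href="https://support-reset.example/mimecast/security/?u=user@example.com">Continue</a>
<a href="hXXps://hiudgntxrg[.]web[.]app/#">Continue to Page</a>
<a href="https://login.mimecast.com/u/login/?gta=apps#/login">Mimecast login</a>
"""

if __name__ == "__main__":
    for link, why in assess_email_links(SAMPLE_BODY).items():
        print(link, "->", why or "no findings")
```

The brand check compares the registrable host against an allow-list rather than looking for the brand in the hostname, so a lookalike such as mimecast.com.evil.example is flagged while any real mimecast.com subdomain passes; the free-hosting check is deliberately a weaker signal that an analyst would weigh together with the sender-domain age noted earlier.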

Figure 4: Phishing landing page


Figure 5: Legitimate page

Whether the user provided their true login credentials or a random string of credentials, they would be automatically redirected to the page shown in Figure 5, displaying a successful login message. This is yet another technique used to boost the appearance of authenticity and protection by “Mimecast.”

In conclusion, this attempted intrusion demonstrates the complexity of phishing attacks that utilize the power of social engineering. Cofense is here to help with our analysts and technology to enable customers to quickly identify validated or newly observed threats. We have the necessary products to help your SOC team quickly identify threats to reduce risk and further leverage the IOCs to mitigate a potential incident.

Indicators of Compromise                 IP
hXXp://aznyibe[.]creedidory[.]com/#      162[.]0[.]217[.]31
hXXps://hiudgntxrg[.]web[.]app/#         199[.]36[.]158[.]100

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Updates to Cofense Vision Enable Operators to Squeeze More Value Out of Intelligence with Wildcard Matching and UX Improvements

By Megan Horner, Sr. Product Marketing Manager

“The average click rate for credential phishing simulations in PhishMe customers in 2020 is 10.7%—meaning that during a real attack, almost 11 users out of 100 will likely click on the phish, potentially leading to compromise of their corporate credentials. The longer a malicious email stays in the inbox, the greater the chance of an erroneous click.” – Cofense 2021 Annual State of Phishing Report

What if you could automatically quarantine emails before they are even opened? By using both internal and external sources of threat data, Cofense Vision makes this a reality.

Security teams all over the world trust Vision to help protect their employees’ inboxes and that trust drives our focus on continuous product improvement. The latest improvements are now available in Vision 2.1.

Cofense Vision 2.1 introduces the following enhancements and benefits:

  • Automated IOC Wildcard Matching exponentially increases the visibility a URL from Cofense Intelligence provides
  • User experience improvements simplify the investigative and system management processes

Increase efficacy of your security program by staying ahead of dynamically changing IOCs

IOCs (indicators of compromise) are flags that help analysts understand that something nefarious is going on. Thanks to modern tools, the IOCs being used by attackers are extremely dynamic in nature – always evolving ever so slightly to evade detection.

To keep up with these slight changes that may have gone undetected before, we have introduced automated IOC Wildcard Matching to URLs shared from Cofense Intelligence to Vision. Intelligence teams can identify URLs that contain similar variable information and push the URLs to Vision for automated quarantine of associated emails. Now, each URL provides more value than before leading to an expected two-fold to ten-fold increase in the related IOCs being processed with Vision AutoQuarantine.

Traditionally, this process of identifying a URL as an IOC, completing a wildcard match exercise, and porting it to your security solution of choice for blocking has been very manual and disjointed. Vision automates this workflow behind the scenes, completing a process that previously took hours in just seconds.

Not familiar with IOC Wildcard Matching?

Let’s break this down. As an example, say Cofense Intelligence has identified an attack that directs users to https://baddomain.com/thisisreallybad. With IOC Wildcard Matching, Cofense Intelligence applies a wildcard at the end of the URL, making it possible to also match and AutoQuarantine the following URLs:

– https://baddomain.com/thisisreallybad/malware
– https://baddomain.com/thisisreallybad/credphish
– https://baddomain.com/thisisreallybad/spyware
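The matching step behind this workflow, and the quarantine decision it drives, as an added example written for this article (it is not Cofense Vision's implementation). The IOC uses the trailing-wildcard form shown above; the message list, the `segment_boundary` option and the normalization rules are assumptions made for the demonstration. Two details the list above does not show are handled here: the URL is canonicalized first, so upper-case hosts, an explicit default port or a percent-encoded path cannot slip past the prefix, and the match can be required to end on a path boundary so that `thisisreallybad*` does not also sweep up an unrelated `thisisreallybadness` page.

```python
"""Trailing-wildcard IOC matching for URLs.

Added example written for this article, not Cofense Vision's code. An IOC
pattern ending in '*' (the wildcard the article describes) matches any URL
that begins with the normalized text before the '*'; a pattern without a
'*' must match exactly.
"""
from urllib.parse import urlsplit, urlunsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str) -> str:
    """Canonicalize a URL so cosmetic variations cannot dodge a prefix match.

    Lowercases scheme and host, drops a default port, percent-decodes the
    path, and strips the fragment (which the server never sees).
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # malformed port: treat as absent rather than crash
        port = None
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    path = unquote(parts.path) or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def ioc_matches(pattern: str, url: str, segment_boundary: bool = True) -> bool:
    """Return True if `url` falls under the IOC `pattern`.

    With segment_boundary=True (an assumption of this example) the prefix
    must end at a path separator, a query string or the end of the URL, so
    '.../bad*' covers '/bad', '/bad/x' and '/bad?k=v' but not '/badge'.
    segment_boundary=False gives plain prefix semantics.
    """
    target = normalize_url(url)
    if not pattern.endswith("*"):
        return target == normalize_url(pattern)
    prefix = normalize_url(pattern[:-1])
    if not target.startswith(prefix):
        return False
    rest = target[len(prefix):]
    if not segment_boundary or rest == "" or prefix.endswith("/"):
        return True
    return rest[0] in "/?"


def select_for_quarantine(iocs, messages, segment_boundary: bool = True) -> dict:
    """Return {message_id: matched_pattern} for every message carrying a matching URL."""
    hits = {}
    for msg in messages:
        for url in msg["urls"]:
            pattern = next((p for p in iocs if ioc_matches(p, url, segment_boundary)), None)
            if pattern is not None:
                hits[msg["id"]] = pattern
                break  # one hit is enough to quarantine the message
    return hits


# Constructed sample data (not from the article): the wildcarded IOC from the
# text, and messages with the URLs already extracted from their bodies.
IOCS = ["https://baddomain.com/thisisreallybad*"]

MESSAGES = [
    {"id": "m1", "urls": ["https://baddomain.com/thisisreallybad/malware"]},
    {"id": "m2", "urls": ["HTTPS://BadDomain.com:443/thisisreallybad/credphish"]},
    {"id": "m3", "urls": ["https://baddomain.com/thisisreally%62ad/spyware?u=x"]},
    {"id": "m4", "urls": ["https://baddomain.com/thisisreallybadness"]},
    {"id": "m5", "urls": ["https://baddomain.com.evil.example/thisisreallybad"]},
    {"id": "m6", "urls": ["https://example.org/newsletter"]},
]

if __name__ == "__main__":
    for mid, pat in select_for_quarantine(IOCS, MESSAGES).items():
        print(f"quarantine {mid}: matched {pat}")
```

Because the host is normalized with a trailing slash, a host-only wildcard such as `https://baddomain.com*` matches every path on that host but never `baddomain.com.evil.example`; m5 above stays in the inbox for exactly that reason, and m4 is only quarantined when plain prefix semantics are chosen.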

Stop exponentially more threats by using Vision Wildcard Matching and AutoQuarantine to remove malicious emails from employee inboxes before they can cause issues.

Improvements in user experience with navigation and reporting enhancements

In the world of security, few things are worse than a technology solution with a user interface that is difficult to navigate. With our own team of Vision operators in the Cofense PDC (Phishing Defense Center), we appreciate that just as much as other security professionals. A continued focus on user experience has led us to the development of four new components to the Vision user interface. Each aspect was purpose-built to increase efficiency by minimizing the clicks required to take a desired action within the UI.

Now, Vision operators can:

  • Download logs directly from the dashboard for more visibility into usage and easier troubleshooting
  • Get more IOCs into Vision with the ability to manually import via an easy-to-use form

Figure 1: Simple-to-Use Form Makes Adding IOCs on the Fly a Breeze

  • Access recent searches right from the main navigation to quickly pick up where they left off