Cyberattacks in Ukraine Reaffirm Need for Proactive Training, Testing and Validating

By Mollie MacDougall

As events unfold in Ukraine, many predict cyber warfare will play a significant role in Russia’s offensive operations. We have already seen reports of government and banking website denial of service attacks, and an advanced new wiper malware deployed to some targets in Ukraine. We are continuing to monitor the situation to see what more sophisticated cyberwarfare capabilities might be deployed.

Any Russian state-sponsored phishing activity conducted for access to targets to leverage in this conflict was almost certainly completed weeks ago – or longer. Russia already has options on the table and is likely prepared to ratchet a cyber conflict up or down, depending on how expanded this conflict becomes, and on how the international community reacts to Russian actions. The United States on Thursday imposed sanctions on Russia, targeting some of its biggest banks and members of the elite. While we don’t know how this will unfold, and how countries beyond Ukraine may be caught in the crosshairs, most agree that it’s appropriate to be on high alert for disruptive cyberattacks at the hands of Russia and its sympathizers, especially in the critical infrastructure sectors.

These current events highlight a critical tenet of a mature and effective phishing defense program: phishing defense must be proactive and constant. It cannot be reactive and event-based. Phishing is the upstream access point for more devastating attacks. If we are asking what we need to watch out for in phishing as news breaks of Russia attacking Ukraine, then we are too late. When we hear of Russia building up a military presence in Belarus, we are likely, even then, too late. Phishing is connected to staging—it’s the cyber side of preparation for forward deployment. Thus, an effective phishing defense program must always be on guard, and must always include a vigilant, educated and empowered workforce.

What Organizations Should Do Now

As our customers and partners know, Cofense is mission-focused on stopping phishing threats. I hope it is clear that phishing defense must be consistently prioritized within your organization. Still, there are important actions organizations can take now to best protect themselves. This especially holds true for financial, government, and other critical infrastructure organizations:

  1. Review your organization’s footprints and assets operating in Ukraine, Russia, and Belarus, including contractors. All employees or contractors in those countries should undergo a full entitlement review – meaning their privileges should be fully understood and regulated to the lowest levels of access necessary. This should also include a thorough review of all third-party dependencies or vendors that operate out of Ukraine or Russia.
  2. Organizations should look for any indication of anomalous account activity by system administrators, as well as any privilege escalation outside of normal operating procedures.
  3. Critical infrastructure organizations (especially energy, telecommunications, and financial sectors) should require shortened password reset times and ensure expedited patching of critical vulnerabilities.
  4. All organizations should closely monitor any traffic connecting to assets in Ukraine, Russia, and Belarus.
  5. Organizations should implement strict impossible travel rules. If an employee regularly logs in from one place, such as New York, and they suddenly ping from an IP in Moscow, their account should immediately be locked, forced into a password reset, and fully investigated.
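The impossible-travel rule in item 5, sketched in Python as an added example (not Cofense code): consecutive logins per user are compared by great-circle distance and elapsed time, and a pair that implies faster-than-airliner travel is flagged for the lock, reset and investigation steps described above. The 900 km/h ceiling, the 100 km noise floor, the action names and the sample logins are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0   # assumption: about airliner cruise speed
MIN_DISTANCE_KM = 100.0     # assumption: ignore geo-IP jitter inside one metro area
# Hypothetical action names mirroring the response steps in the text.
RESPONSE_ACTIONS = ("lock_account", "force_password_reset", "open_investigation")


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # timezone-aware, UTC
    city: str        # label resolved from the source IP by a geo-IP lookup
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive login pair that implies implausible speed."""
    alerts = []
    last_seen = {}
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if km < min_km:
            continue  # nearby locations: not travel, just address churn
        hours = (ev.when - prev.when).total_seconds() / 3600.0
        # Simultaneous logins from distant places are treated as infinite speed.
        speed = math.inf if hours <= 0 else km / hours
        if speed > max_kmh:
            alerts.append({
                "user": ev.user,
                "from": prev.city,
                "to": ev.city,
                "km": km,
                "kmh": speed,
                "actions": RESPONSE_ACTIONS,
            })
    return alerts


def _utc(hour, minute=0, day=25):
    return datetime(2022, 2, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample events, not real log data.
SAMPLE_LOGINS = [
    Login("alice", _utc(13), "New York", 40.7128, -74.0060),
    Login("alice", _utc(14, 30), "Moscow", 55.7558, 37.6173),    # 1.5 h later
    Login("bob", _utc(8), "New York", 40.7128, -74.0060),
    Login("bob", _utc(17), "London", 51.5074, -0.1278),          # 9 h later: a flight
    Login("carol", _utc(9), "New York", 40.7128, -74.0060),
    Login("carol", _utc(9, 5), "Newark", 40.7357, -74.1724),     # 5 min, about 14 km
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{alert['user']}: {alert['from']} -> {alert['to']} "
              f"{alert['km']:.0f} km at {alert['kmh']:.0f} km/h -> {alert['actions']}")
```

Geo-IP data misplaces VPN, mobile-carrier and cloud-proxy addresses, so the investigation step should confirm the source before the alert is treated as a compromise.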

We cannot lose focus in defending against phishing attacks. Other sophisticated actors may be keen to take advantage of our attention on Russian threats. Russian sympathizers or opportunistic criminals looking to take advantage of the crisis may increase their phishing activity. Train your staff to identify suspicious emails, empower them to report those emails, ensure you can properly analyze reported emails, and stay focused on the campaigns and tactics that are successful in reaching end users. The current Ukrainian crisis reminds us that while specific phishing attacks cannot be predicted, enterprises can still be at the ready.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

QakBot Campaign Attempts to Revive Old Emails to Gain the Upper Hand

By Kaleb Kirk and Kat George, Cofense Phishing Defense Center

QakBot is a form of malware commonly reported into the Cofense Phishing Defense Center (PDC). With that in mind, it is no surprise that analysts in the PDC are witness to myriad tactics implemented by attackers to manipulate or influence recipients into running the malware. Recently, we observed emails delivering QakBot that use a familiar tactic, which is the use of old emails or email chains involving the target in an attempt to disguise the threat and, possibly, to lower recipient suspicions. This is a strange move for a malware type that’s so widely circulated, given the additional effort involved.

Figure 1: Email Body

Looking at the email in Figure 1, it does not really have any intricate design details to it. It can be assumed that the threat actor is using the revived email chain as the main source of influence against the target. The start of another email can be seen at the bottom of Figure 1, but it’s been cropped. One other thing to point out is that the threat actor does not bother to spoof the email of the person who was conversing with the target. They instead only choose to use their name. Once the recipient clicks the malicious URL, a ZIP with the same name as the last part of the URL’s path is downloaded. The ZIP file contains only an XLS file.

Figure 2: XLS File

When it comes to appearance, the XLS file in Figure 2 is typical for malware utilizing macros and an XLS file. For starters, it has the classic labeling at the top calling this file a “protected” document. It also includes instructions for the recipient on how to click “Enable Editing” or “Enable Content.” Once enabled, a trusted service will be initiated by the infection, and it will reach out to three different payload URLs. These payloads will then download DLLs which will attempt to connect to C2s and, in turn, finish the connection chain for QakBot. One thing to notice is that, in some instances, the payload URLs that are reached out to after the content is enabled will potentially change after a certain amount of time. This can even occur if the initial URL in the email is the same. Despite this, it will only try to reach three different URLs.

Exploring different delivery tactics with emails is something that threat actors naturally must do to have any recurring success. While they perpetually devise new ways to trick recipients into interacting with emails where the environment is protected by a secure email gateway (SEG), the Cofense PDC constantly watches for such emails when they inevitably land in inboxes. The PDC is perfectly positioned to catch and analyze emails that wind up in such environments, and that are reported by well-conditioned users. Contact us to learn how to address the phish that SEGs miss.

Indicators of Compromise IP
hXXps://asc[.]meticulux[.]net/iatuvtleme/civlaaisesqtpemsai-pfalntlesuumtoitia- 208.75.149.34
hXXps://radolabs[.]in/AS8IJaDWA/nh.png 103.53.42.97
hXXps://masterdomoficial[.]com[.]br/8cntzcgI3T/nh.png 108.179.252.230
hXXps://geeksrn[.]com[.]br/nDRc2IJgN/nh.png 69.49.241.29


Phishers Spoof Power BI to Visualize Your Credential Data

By Jake Longden, Cofense Phishing Defense Center

Microsoft Power BI, a popular data-visualization tool, is designed to help users wrangle their data in multiple and more human-friendly formats. As a recognizable application from a commonly used and trusted vendor, Power BI is also a prime target for threat actors to spoof and abuse it for phishing attacks.

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that harvests Microsoft credentials by impersonating Power BI emails.

Figure 1: Email Body

As seen in Figure 1, the email resembles a legitimate Microsoft notification. There are a couple of reasons for this. Threat actors have become comfortable adapting legitimate MS notifications in their phishing templates. We also observe them leveraging stolen credentials to create a legitimate-looking notification from a legitimate MS instance. We see that the threat actor in this email used a common theme to try to get the recipient to interact with the links – Weekly Sales Report.

Figure 2: Phishing Page

Once the user has clicked the link in the email, they are presented with a page seen in Figure 2, designed to look like a legitimate Microsoft log-in page. The first indicator that something’s not right with the page, beyond the missing standard imagery, is that the URL doesn’t look anything close to what’s indicated in the email or associated with Microsoft services.

Figure 3: Phishing Final Page

Subsequent to the recipient providing their credentials, the final step of the attack is an error message indicating that there was an issue with the account verification. This is another Microsoft spoof the threat actor employed to distract the recipient from the fact that they have not been redirected to the Power BI report they expected to see. This discourages the recipient from suspecting that they have just given away their credentials.

Cofense continues to observe credential phishing as a major threat to organizations. This is why it’s critical to condition users to identify and report suspicious messages to the security operations team. This recipient was well-conditioned to identify that something wasn’t adding up with this email and landing page, and used Cofense Reporter to send this off to the Cofense Phishing Defense Center. Attacks such as this one are effective at eluding common email security controls, and are – by design – overlooked by end users. Cofense can help. Ask us how we can help your teams spot phishing email that turns up in environments protected by “secure” email gateways.

Network IOC IP
hXXps://ad[.]atdmt[.]com/s/go;adv=203350;c.a=13320;p.a=Saturday1550;a.a=50133;qpb=1;cache=50133;?h=web-wk01[.]web[.]app
hXXps://web-wk01[.]web[.]app
hXXps://l-formula[.]com/wp-reporting.php 202.254.234.76


Six-Year Reflection – What is Business Email Compromise Today

By Ronnie Tokazowski, Principal Threat Advisor

When it comes to tracking business email compromise (BEC), a lot has changed over the last six years. In the same breath, absolutely nothing has changed except our understanding of the problem. Duality of multiple truths can be a difficult concept to grasp, as two contradicting truths can be just that: true. On one side, BEC is seen as being responsible for billions of dollars lost, which is true. However, when you slightly shift your vantage point, the cyber criminals behind BEC attacks are responsible for MUCH more damage than initially thought. Let’s take a look at both vantage points where both everything and nothing have changed since we first started phishing the phishers and attempting to understand all things BEC.

How Everything BEC Has Changed

Set our vantage point to the last six years, and everything BEC has changed. Initially, scammers started targeting CFOs and other corporate employees who had access to financial data. The initial attacks were extremely simple, where the actor asked for a simple wire transfer for some outstanding payment that needed to be processed. While those types of attacks still exist, BEC has shifted to include other types of attacks as well.

While CFO and executive spoofs are still a part of BEC, it has expanded to include invoice, W2, direct deposit, gift cards, and aging report scams. In each of these attacks, actors are able to expand their target list to include not just high-ranking executives and human resources, but to target regular employees within an organization. While losses in some of these cases (ex., W2 or gift card scams) may be lower or unseen to the organization, the truth of the matter is that scammers are still making billions of dollars due to this type of fraud, with institutions and organizations writing off the losses.

How Nothing BEC Has Changed

While business email compromise has changed and shifted over the last six years, the overall problem of cyber-enabled fraud in Nigeria hasn’t changed in decades. While many see BEC as a brand-new thing that started in the 2014-2015 timeframe, it’s actually a symptom of much larger issues in Nigeria, where citizens are forced to choose between poverty and a life of crime to survive.

In terms of cyber fraud in Nigeria, Yahoo Boys don’t do one type of crime but frequently dabble in multiple areas of crime. For example, the history of 419 scams harkens back to the 1990s, where Nigerian actors would send emails and letters to unsuspecting victims. In many of these scams, actors would promise large sums of money in exchange for a small tax fee. To the unsuspecting victims, the promise of untold riches is extremely enticing and, in many cases, spirals out of control.

As Nigeria gained access to the internet, access to victims across the world became much easier to achieve. The internet boom led to dating websites where lonely hearts could search for everlasting love, with the promise of finding their happily ever after. Cyber criminals figured out that they could make fake accounts pretending to be these love interests to manipulate victims into not only sending money, but laundering money on their behalf. And by using these networks of money mules, actors are able to let the victims take the hit if the fraud is ever detected.

And this brings us to 2015 and the times of BEC, where actors figured out that they could use networks of romance victims to send and receive money on their behalf. If law enforcement asks them what’s going on, they’re going to “lie” and say the money was moved on the lover’s behalf. However, the victim has been caught in a web of lies facilitating a type of fraud that’s responsible for losses in the hundreds of billions of dollars.

Nigerian Fraud has been around forever…So what?

Understanding where we’ve been and where we’re going in the BEC fight is crucial to its success, because many of these problems have existed much longer than the six-to-seven years the security industry has been tracking BEC. While governments, agencies, and private sector partners are aligning for the next phase of the fight against fraud, understanding HOW we got here will help us understand what needs to be done to actually solve the problem. What was once billions in losses is now hundreds of billions in losses, period. The unfortunate truth about BEC is that we could arrest every single scammer tomorrow, and the underlying issues responsible for driving the fraud would still exist.

Now what?

It should be clear by now that business email compromise is both highly lucrative to threat actors and exploding in its use to defraud countless victims worldwide. Billions are lost to unemployment fraud, romance victims, real estate fraud, advanced-fee fraud, and dozens of other crimes. No single security provider can solve all BEC, but we’re working hard to help fight it.

There are actions you can take to inform your employees and avert this threat. Educate your executive leadership team about this type of crime and discuss business email compromise with your organization at large, particularly employees responsible for payments and payroll. Reach out to suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized.

There is no single technology solution to BEC; rather it’s a combination of technology, process and user awareness. Cofense can help. Visit our BEC microsite for information and guidance. You can also contact us to learn how we can help you fight BEC and other ever-changing cyber threats.


Cofense Launches Cofense Validator to Help Organizations Evaluate the Efficacy of Secure Email Gateways Against Real Threats

Leesburg, Va. – February 9, 2022 – Cofense®, the leading provider of phishing detection and response (PDR) solutions, today announced Cofense Validator, a new and innovative solution designed to empower organizations to independently understand the effectiveness of their secure email gateways (SEGs) by testing them with active, live phishing threats.

Organizations spend a significant portion of their budget on secure email gateways to prevent phishing attacks. Cofense Validator is the first product in the marketplace that offers the ability to continuously evaluate this spend against peers using live phishing data.

Cofense is the only email security company that detects phish that have bypassed SEGs from all major vendors. This dynamic dataset of advanced phishing threat intelligence fuels Cofense Validator on a constant basis offering the ability for continuous validation of a SEG’s abilities. With Cofense Validator, users can:

  • Independently test SEG vendors’ claims of “stopping 99% of phishing”
  • Benchmark how their SEG compares to other vendors for different phishing tactics
  • Collaborate with peers on configuration best practices
  • Quickly evaluate how changes to their SEG’s configurations enhance or degrade efficacy
  • Proactively alert security teams when filtering changes may have been made by other departments

“There are numerous options out there when it comes to selecting a secure email gateway, and they promise to block 99% of bad emails, some at a much higher cost than others,” said Aaron Higbee, Cofense CTO and co-founder. “Until now, customers had to rely on ridiculously contrived bake-offs conducted by the SEG vendors using self-serving datasets. Of course, they are going to pass their own test. They know how difficult it is for customers to curate live phishing data to perform their own independent testing. Cofense’s 24×7 visibility into threats such as BEC, ransomware, credential harvesting and malicious attachments that have bypassed major SEGs allows Cofense Validator to be the only objective analyzer of SEG performance.”

Cofense Validator works by sending real, in-the-wild phishing threats identified by Cofense through a customer’s SEG to see how effective it is at stopping those active threats. Customers realize instant ROI through reports with immediately actionable information. Cofense Validator uses what we know about advanced phishing tactics from Cofense Intelligence to test SEG effectiveness against current, verifiable, live phishing threats – not older threats that are already found on common access deny lists or threats that are cherry picked specifically to make a SEG evaluation look good.

To learn more about how Cofense Validator is helping organizations determine the effectiveness of their SEGs and make more informed buying decisions, click here.

To schedule a free trial of Cofense Validator, click here.

About Cofense
Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 32 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact
Henry Ruff
[email protected]
443-504-2331

COVID-19 Status Update? Sounds Like Credential Theft.

By Adam Martin, Cofense Phishing Defense Center

As self-testing via antigen and professional testing via PCR have become more common across many sectors of society, so has status-based phishing. Just as COVID-19 guidelines have evolved, so have threat actor phishing tactics. This recent Office365 credential harvesting campaign utilizes the topic of potential repercussions if the status form isn’t completed. A classic tactic of creating panic in the end user, this ploy threatens financial or other penalties if a certain urgent task isn’t completed.

The phishing email for this campaign plays on fear and conveys urgency. It uses a relevant topic – COVID-19 – demanding completion of a form to disclose information, and it includes the threat of some form of reprisal for noncompliance. The email is tailored to the target organization, complete with branding. However, illustrated in Figure 1, the “Covid Form” button will direct the user outside of any authentic corporate environment. The initial “svc[.]dynamics[…]” link will redirect the user to an external domain once the button is pressed.

Figure 1: Email Body

Figure 2: Phishing Page

The unsuspecting user, having clicked on the link, will be directed to the phishing page seen in Figure 2. As can be seen from the URL, this page is not a legitimate Microsoft website and the domain is being hosted from a Russian TLD (.ru). The information box is spoofed with target company branding along with the affiliation to Microsoft, shown in the tab logo. The most glaring giveaway is the URL base address, in tandem with the randomized look of the rest of the URL path.
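Both this page and the spoofed Power BI sign-in page earlier give themselves away through the landing URL, so the check is worth automating. The following is an added example, not Cofense tooling: it takes the chain of URLs a reported link walks through and compares the final host exactly against an allow-list of Microsoft sign-in hosts, next to a naive substring check that a lookalike URL passes. The allow-list contents, function names and sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allow-list; maintain the real one for your tenant.
MICROSOFT_SIGNIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
})


def refang(indicator: str) -> str:
    """Undo the defanging used in IOC tables (hXXps, [.]) so the URL parses."""
    out = indicator.strip().replace("[.]", ".")
    if out[:4].lower() == "hxxp":
        out = "http" + out[4:]
    return out


def landing_host(url: str) -> str:
    """Hostname the browser would actually connect to, lower-cased."""
    # urlsplit discards any userinfo before '@', which is where lookalike
    # text such as 'login.microsoftonline.com@...' is sometimes placed.
    host = urlsplit(refang(url)).hostname or ""
    return host.rstrip(".")


def naive_looks_microsoft(url: str) -> bool:
    """Weak check shown for contrast: brand string anywhere in the URL."""
    return "microsoft" in url.lower()


def is_microsoft_signin(url: str) -> bool:
    """Strict check: HTTPS and an exact host match, never a substring."""
    scheme = urlsplit(refang(url)).scheme.lower()
    return scheme == "https" and landing_host(url) in MICROSOFT_SIGNIN_HOSTS


def triage_chain(chain):
    """chain: URLs in the order visited, email link first, password page last."""
    if not chain:
        raise ValueError("empty redirect chain")
    first, final = landing_host(chain[0]), landing_host(chain[-1])
    legit = is_microsoft_signin(chain[-1])
    return {
        "link_host": first,
        "landing_host": final,
        "left_link_host": first != final,   # the link redirected elsewhere
        "verdict": "expected-signin-host" if legit else "report-as-phish",
    }


# Constructed chains using reserved example domains, not observed indicators.
CHAIN_REDIRECT = [
    "hXXps://tracker[.]example[.]com/go?h=reports-portal.example.net",
    "hXXps://reports-portal[.]example[.]net/login.microsoftonline.com/signin",
]
CHAIN_LEGIT = [
    "https://app.powerbi.com/groups/me/reports",
    "https://login.microsoftonline.com/common/oauth2/authorize",
]

if __name__ == "__main__":
    for chain in (CHAIN_REDIRECT, CHAIN_LEGIT):
        print(naive_looks_microsoft(chain[-1]), triage_chain(chain))
```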

The user is given the prompt to enter their password as “sensitive information” is being accessed. Once the password is entered, this information is exfiltrated to an external server. Another indicator of the illegitimacy of this service is the fact that there isn’t any typical email login option. We noted the absence of “have you forgotten your password,” “Contact” and any semblance of a help menu as would typically be seen with legitimate services. Regardless of the password entered, the page will return an error for incorrect password and run this error in a loop.

Figure 3: Whois Records

The sender address “[email protected][.]net” found in Figure 1 and referenced in Figure 3 is relatively new. What also draws attention is the technical contact page. The contact address looks to be randomized, and the phone number is unusable.

As the world adapts to COVID, with different measures of detection and status declaration, so too adapts the world of credential phishing. As with most of the traffic seen here at the PDC, automated detection systems still underperform when compared to human analysis. With testing becoming more the norm, it is likely that phishing lures will exploit this trend. The driving factor behind the success of such a lure is the fact that a large number of employees are accessing or uploading these results for travel or other purposes. It’s not beyond the realm of possibility that a recipient would be panicked into revealing credentials if threatened with loss of access to work resources. Cofense continues to monitor and disposition these threats. We can help your company, too. To find out how, contact us to learn more.



Meet Cofense Validator: Finally. An objective assessment of secure email gateways.

Author: Megan Horner

“Continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.” *
Gartner®

You know that feeling? The one where you think you’re doing a good job. You feel like you’re doing okay. But the reality is you just aren’t quite 100% sure? A lot of security professionals we talk to feel the same. That feeling, when paired with guidance from companies to reevaluate their email security controls, usually leaves someone trying to answer the question of, “How do I objectively evaluate the efficacy of my email security controls against real, active threats?”

The team here is happy to announce the release of Cofense Validator to help answer exactly that. Cofense Validator helps organizations understand the effectiveness of their secure email gateways (SEGs) by testing them with active, live phishing threats.

With Cofense Validator, you can:

  • Understand how your SEG will protect against real world email threats
  • Understand how your SEG compares to other SEG solutions (including Microsoft) for different threat types
  • Quickly evaluate how changes to your SEG’s configurations will affect efficacy
  • Articulate email security control performance clearly and help make decision-making more objective

Let me walk you through some reasons why this is so valuable:

Assess performance against real, active phish

The ability to run an assessment using standard malware test files is a great first step, but what you really need to know is whether today’s active, real threats will make it to your users’ inboxes. Cofense Validator uses what we know about advanced phishing attacks from Cofense Intelligence to test SEG effectiveness against current, verifiable, live phishing threats – not older threats that are already found on common access deny lists or threats that are built specifically from intelligence you’d expect the email security vendors to already have access to. Email security controls are successful at catching traditional phishing tactics that utilize malicious attachments, but as you can see in Figure 1, most perform poorly when it comes to protecting against phishing attacks that contain malicious URLs, with most seeing well over 40% make it to the inbox. Spoiler Alert: This data came from real Validator customers!

Figure 1: Validator Results

Optimize SEG configuration to increase efficacy

Having data to work with is a great starting point but putting that data to work to make positive changes is what it is ultimately all about. Most security purchases are a considerable financial and time investment so ensuring they are performing at their tip top best is key. Validator enables you to set up multiple configuration profiles to test what specific changes could affect your inboxes when it comes to how many and what type of phishing attacks are successfully blocked. Think of it as a vulnerability assessment. But a vulnerability assessment with the ability to constantly tweak and improve your configuration to know instantaneously that you are better protected. Your SEG vendor just implemented an update to their product – did they change anything that impacts your risk? We’ve heard from customers this is a thing!

Recently, we worked with an electronic and building materials retailer to do exactly this – optimize their SEG configurations. Cofense Validator was able to quantitatively show the efficacy levels of multiple configurations, providing this organization with clear insight into which was the right choice for them. Over time, we can understand the practical implications this has on security posture. Prior to making configuration changes to their email security controls, the retailer regularly saw that around 25-30% of their reported emails were confirmed malicious. Immediately after updating the configuration post-Validator engagement, there was about a 10% drop to 15.8% confirmed malicious, showing immediate impact to overall email security posture. This number continues to decrease, which likely points to fewer malicious emails landing in the inbox, resulting in fewer malicious emails being reported. Read the full case study here.

Figure 2: Retailer Sees 10% Drop in Malicious Email After SEG Configuration Changes

Make data-driven consolidation and purchasing decisions

The focus on digital transformation and vendor consolidation has all eyes on the performance level of technology and how it impacts the rest of the business. Having the responsibility of deciding where to reduce costs and where to consolidate is a heavy burden to bear unless you are making confident, data-backed choices. With Validator, compare SEGs against one another to understand the types of threats being blocked by each to reduce redundancy and unnecessary spend in your organization.

Organizations can even use this information when making initial purchasing decisions for an objective, third-party benchmarking assessment.

Although you certainly should trust us, we’re not the only ones who realize the impact that Cofense Validator can have on your email security posture.

“As an organization with multiple environments and controls, keeping email security in lockstep has always been challenging. Outside of traditional validation testing with dummy files, the only way we could gauge email security effectiveness would, unfortunately, be through triaging real threats that made it to our actual mailboxes. Without a way to continually evaluate our controls, drift was not possible to track. Validator has allowed us to get meaningful evaluations of how each of our environments stacks up in a way that reflects real-world attacks, helping us determine which controls we are lacking (or which controls are too tight). Validator has also provided us with an additional means of testing potential email security solutions against our current setup to make smarter purchasing decisions that have an actual impact on our organization’s security.”

— Financial Services Organization

Ready to see more? Request a demonstration of Cofense Validator today.


* Gartner®, “Market Guide for Email Security”, Mark Harris, Peter Firstbrook, Ravisha Chugh, 7 October 2021. GARTNER is a registered trademark and service mark of the Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.