Ransomware: Proactive Phishing Detection to Mitigate Risk

Author: Tonia Dudley

As we close out our 2022 Annual State of Phishing Report webinar series, we addressed ransomware as it relates to phishing. While we don’t see ransomware itself delivered in an email campaign, there are plenty of tactics threat actors use to gain initial entry into the organization. As we have repeatedly addressed, we can’t stress enough that credential phish, at 67%, remains the number one phishing threat today.

For those that missed our ransomware webinar, below are three key insights that we discussed as ways to address ransomware as an organization.

One of the highlights from this webinar was a sample that Cofense has seen only twice in the past five months: the IcedID banking trojan, which is used to steal information such as credentials. What’s interesting about this email is that the threat actor leveraged an email from 2017, also using the reply-chain tactic. It’s no surprise the recipient thought this was suspicious and quickly reported the email to our Phishing Defense Center (PDC).

Ransomware Phishing Email

Key Takeaway #1 – Resiliency is key to defending against Ransomware

As we look at the attack chain specific to ransomware, there are several precursor steps that take place before the ransom note is delivered. The key to building a resilient workforce is providing them with relevant phishing simulation training that aligns to current threats hitting their inbox.

Key Takeaway #2 – Zero Days are in play

As threat actors in the ransomware community have built up their resources, they are now able to step into the zero day arena to further their attacks. We briefly addressed the Microsoft zero day published in late May that has been weaponized by the QakBot group. For more on that specific threat, keep an eye out for our quarterly Threat Intelligence webinar to gain more insights.

Key Takeaway #3 – Credential Phish and HTML attachments

We reported credential phish taking a 10-percentage-point jump over the previous year in our annual report. Cofense continues to observe this as the top threat in the first half of 2022. While fewer attachments are landing in the inbox, the top file type that continues to be successful is HTML / HTM files. Organizations should look for ways to mitigate this threat by tuning their controls.
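One control worth tuning is an attachment check that flags HTML/HTM files, including ones whose extension has been changed but whose declared content type or file body still says HTML. The following is an added example, not Cofense code or a product feature; the sample message, addresses and attachment names are constructed, and the sniffing heuristic is an assumption chosen for illustration.

```python
"""Flag HTML/HTM attachments in a raw RFC 5322 message.

Added example (not Cofense code). Flags an attachment as HTML when any of
three signals fires: the file extension, the declared Content-Type, or a
content sniff of the decoded payload (an assumed heuristic: the payload
starts with an HTML doctype or contains an <html> or <script> tag early on).
"""
import email
import os
from email import policy
from email.message import EmailMessage

HTML_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml"}
HTML_CONTENT_TYPES = {"text/html", "application/xhtml+xml"}


def looks_like_html(data: bytes) -> bool:
    """Content sniff: does the start of the decoded payload look like an HTML document?"""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<!doctype html") or b"<html" in head or b"<script" in head


def find_html_attachments(raw: bytes) -> list[dict]:
    """Return one record per attachment that is HTML by extension, declared type, or content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in HTML_EXTENSIONS:
            reasons.append("extension")
        if ctype in HTML_CONTENT_TYPES:
            reasons.append("content-type")
        if looks_like_html(payload):
            reasons.append("content")
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample message: a text body, an HTML file disguised as a PDF,
    a benign text file, and an openly declared .htm attachment."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Updated invoice"
    msg.set_content("Please review the attached invoice.")
    # Disguised: .pdf name and application/pdf type, but the bytes are an HTML document.
    msg.add_attachment(
        b"<!DOCTYPE html><html><body><form>Sign in</form></body></html>",
        maintype="application", subtype="pdf", filename="invoice.pdf",
    )
    # Benign text attachment: should not be flagged.
    msg.add_attachment("meeting notes", filename="notes.txt")
    # Openly declared HTML attachment: flagged on all three signals.
    msg.add_attachment(
        b"<html><body>login</body></html>",
        maintype="text", subtype="html", filename="form.htm",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_html_attachments(build_sample()):
        print(finding)
```

The three signals are deliberately independent: an extension-only rule misses the disguised `invoice.pdf`, and a content-type-only rule misses a sender who labels the part `application/octet-stream`. In a gateway or mailbox-scanning control the same function would run over each delivered message and route matches to the quarantine or review queue the organization already uses.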


Human, Artificial, and Email Attack Intelligence: Why You Need All Three

By Cofense

It’s a staggering statistic: 50% of all email phishing attacks, including business email compromise (BEC) and credential theft, evade secure email gateways (SEGs). Yes, your SEG misses half of all advanced email attacks targeting your organization.

While credentials are appealing for threat actors, their end goal is far more nefarious – to compromise your business’s crown jewels, such as customers’ personally identifiable information (PII) and confidential intellectual property (IP). To protect their valuable assets, organizations must deploy an intelligence-driven solution to counteract phishing attacks, which make up 91% of all cyberattacks.1 With this approach, organizations gain the upper hand against threat actors by proactively identifying trends, predicting threats and preventing attacks. However, a solution is only as effective as the intelligence that powers it. New attacks and tactics are developed every day, and organizations need insights from multiple sources to identify the latest campaigns.

Cofense enables organizations to detect and respond to email phishing attacks evading traditional email security controls with a comprehensive platform powered by a combination of unique intelligence sources: human intelligence, artificial intelligence and email attack intelligence. Each of these sources, deployed through various products in the Phishing Detection and Response (PDR) platform, provides an important and necessary view into active phishing campaigns.

  • Human Intelligence is derived from a network effect of over 32 million reporters worldwide reporting real phish reaching their inboxes. More than 50% of attacks reported to the Cofense Phishing Defense Center (PDC) were reported in another PDC customer’s environment first, immediately arming the organization with the necessary indicators of compromise (IOCs) to stop the attack.

  • Artificial Intelligence comes from patent-pending “computer vision” technology deployed in Cofense Protect that reads emails as a human does and identifies if they are malicious. Of the threats identified by computer vision, 88% have never been seen before, enabling organizations deploying Protect in their environments to catch the newest attacks almost instantly.

  • Email Attack Intelligence, obtained from multiple sources, vets every single IOC distributed by Cofense. Our team of analysts reviews every IOC from our human and artificial intelligence sources, with customers experiencing – as they’ve told us – a “99.9% credibility rate.”

This unique combination of intelligence provides an unsurpassed source of insights into phishing campaigns, and powers our comprehensive platform to automatically identify and remove recently developed attacks, even if they haven’t been reported. In essence, Cofense sees threats that SEGs don’t.

Threat actors continuously evolve their tactics to bypass existing email security. To fully enable your SOC and mature from a reactive to proactive security posture, it’s imperative to deploy a solution powered by relevant data that evolves in real time to identify the next attack before it strikes your organization. Data is only as relevant as its sources, and organizations evaluating email security solutions should ask vendors to talk about how they power their technology. Data should derive from relevant, dynamic and distributable sources to ensure the solution evolves with the threat landscape and remains effective.

Cofense’s unique and relevant data ticks these boxes and fuels a cohesive solution that evolves your email security posture to stay ahead of the ever-changing threat landscape. Ask us how we can help your enterprise. Contact us today.

1 Deloitte, January 9, 2020: “91% of all cyber attacks begin with a phishing email,” https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

How Aligning Security Awareness and Security Operations can Reduce Dwell Time

Email phishing attacks pose a large threat to every organization around the world and make up 91% of all cyberattacks.1 The most effective way for organizations to reduce their risk is to ensure that all aspects of their phishing program are focused on resiliency and preparing for the attacks that have the highest likelihood of reaching them. Suggested metrics to define and understand include human resiliency, mean time to detect (MTTD), mean time to respond (MTTR), and dwell time.

While MTTR falls under the purview of Security Operations and is a central focus in analyzing and remediating attacks, MTTD should also be considered, though it is often treated as a secondary metric. To fight email phishing attacks, both metrics must be primary objectives of the Information Security program. The Security Awareness function can make an impact on these metrics by increasing the resiliency of the humans at the organization, ensuring that the threats bypassing traditional email controls are quickly recognized, reported, and placed in the hands of the security operations and response teams.

The first step to reducing dwell time is improving MTTD, which can be accomplished by conditioning your employees to be the first line of defense: human sensors who report any email they suspect is malicious. Most security awareness programs focus on susceptibility, a measure of how many employees click on a simulation. Instead, security awareness programs should focus on resiliency, which compares the number of employees who reported the simulation to the number of employees who clicked the link. Email phishing attacks can only be removed if Security Operations is aware of them – positioning Security Awareness at the center of Security Operations’ strategy.

The second step to reducing dwell time can be accomplished by enabling Security Operations to analyze the most likely malicious emails first. While increased reporting rates are a positive change and increase visibility into the threat landscape, they also mean threat analysts must spend more time reviewing emails for actual attacks. Various email security vendors provide tools for Security Operations Centers (SOCs) to respond to reported emails, but don’t provide the best approach. While most organizations take an approach of “scoring” threats based on their internal threat intelligence, this does not account for the power of your internal reporters. With highly trained employees as the first line of defense, they become the best “eyes” of an organization, and employees with the highest likelihood to spot a phishing email should have their reports analyzed first. Combining threat scoring and reporter scoring further emphasizes the importance of Security Awareness while making it easier for Security Operations to stop email phishing attacks.
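To make the combined-scoring idea concrete, here is an added example (not Cofense’s scoring logic or product code) of a triage queue that ranks reported emails by a threat score from IOC verdicts together with a reporter reputation derived from that reporter’s track record. The weights, the smoothing, the verdict scale and the sample reporters, report IDs and indicators are all constructed assumptions for illustration.

```python
"""Rank reported emails by IOC score plus reporter reputation.

Added example, not Cofense code. Assumptions: a reporter's reputation is a
Laplace-smoothed hit rate (confirmed phish / reports, so a brand-new reporter
starts at 0.5); the IOC score is the strongest verdict across the report's
indicators; priority is a 70/30 weighted blend of the two.
"""
from dataclasses import dataclass, field


@dataclass
class ReporterHistory:
    reports: int           # total emails this reporter has submitted
    confirmed_phish: int   # how many of those analysts confirmed as real phish

    def reputation(self, prior_reports: int = 2, prior_hits: int = 1) -> float:
        """Smoothed hit rate in (0, 1); avoids 0/0 and extreme scores for new reporters."""
        return (self.confirmed_phish + prior_hits) / (self.reports + prior_reports)


@dataclass
class ReportedEmail:
    report_id: str
    reporter: str
    # indicator -> verdict from threat intel: malicious / suspicious / unknown / clean
    iocs: dict = field(default_factory=dict)


IOC_WEIGHT = {"malicious": 1.0, "suspicious": 0.6, "unknown": 0.2, "clean": 0.0}


def ioc_score(iocs: dict) -> float:
    """Strongest verdict wins: one confirmed-malicious indicator is enough."""
    if not iocs:
        return 0.0
    return max(IOC_WEIGHT.get(verdict, 0.2) for verdict in iocs.values())


def priority(mail: ReportedEmail, histories: dict, w_ioc: float = 0.7, w_rep: float = 0.3) -> float:
    """Blend threat score and reporter reputation; unknown reporters get the prior (0.5)."""
    rep = histories.get(mail.reporter, ReporterHistory(0, 0)).reputation()
    return round(w_ioc * ioc_score(mail.iocs) + w_rep * rep, 3)


def triage_queue(emails: list, histories: dict) -> list:
    """Return the reports in the order an analyst should open them."""
    return sorted(emails, key=lambda m: priority(m, histories), reverse=True)


# Constructed sample data: two known reporters and one newcomer.
SAMPLE_HISTORIES = {
    "alice": ReporterHistory(reports=40, confirmed_phish=36),  # strong track record
    "bob": ReporterHistory(reports=10, confirmed_phish=1),     # mostly false alarms
}
SAMPLE_EMAILS = [
    ReportedEmail("r1", "bob", {"hxxp://login-verify.example/portal": "suspicious"}),
    ReportedEmail("r2", "alice", {"sender-domain:example.invalid": "unknown"}),
    ReportedEmail("r3", "carol"),  # new reporter, no indicators extracted
    ReportedEmail("r4", "alice", {"attachment:invoice.htm": "suspicious"}),
    ReportedEmail("r5", "bob", {"hxxp://payroll-update.example/": "malicious"}),
]


def demo() -> list:
    """Ordered (report_id, priority) pairs for the constructed sample."""
    return [(m.report_id, priority(m, SAMPLE_HISTORIES)) for m in triage_queue(SAMPLE_EMAILS, SAMPLE_HISTORIES)]


if __name__ == "__main__":
    for report_id, score in demo():
        print(report_id, score)
```

Two properties of the blend are worth noting. A confirmed-malicious IOC (r5) reaches the top even from a low-reputation reporter, because threat intelligence carries the larger weight. When the IOC evidence is equal (r1 and r4, both merely suspicious), the reporter’s track record breaks the tie, and a strong reporter’s report with only an unknown indicator (r2) lands close behind, which is the effect the text describes: the organization’s best “eyes” get read earlier.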

Security Awareness is more than compliance – it is an integral part of reducing dwell time for the most active and successful threat vector facing every organization – email phishing attacks. With Cofense Phishing Detection and Response (PDR), organizations can create a partnership between the Security Awareness and Security Operations teams. Cofense enables Security Awareness to build resiliency across the organization with simulations derived from real phish, updated every month, and is the only vendor that delivers simulations when an employee is active in their inbox, doubling report rates across our customer base. Cofense PDR takes these reported emails and automatically helps analysts in SOCs sift through the noise by scoring reported emails based on indicator of compromise (IOC) scoring and “reporter reputation,” enabling threat analysts to investigate reported emails from employees with the greatest track record of reporting real phish. It is time Security Awareness takes its rightful place next to Security Operations as partners in reducing dwell time and keeping email phishing attacks out of employee inboxes.

Cofense PDR Solutions Now Available on Carahsoft GSA Schedule

New Award Makes Cofense’s Comprehensive Security Platform Available to Federal, State and Local Agencies

LEESBURG, Va. and RESTON, Va. — June 14, 2022 – Cofense®, the leading provider of Phishing Detection and Response (PDR) solutions, and Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, today announced that Carahsoft has added Cofense’s products to its GSA Multiple Award Schedule (MAS), making the company’s end-to-end email security platform widely available to the Public Sector through Carahsoft and its reseller partners.

Cofense’s enterprise security program protects agencies from malware threats, ransomware, and other scams that routinely bypass traditional email security platforms, such as secure email gateways (SEGs). With insights from a global network of millions of users, its phishing detection and response (PDR) platform delivers strategies and tools to efficiently mitigate threats in minutes by combining the power of crowdsourced intelligence and automated technology. Cofense also offers education and simulations to train employees to recognize and report phishing attempts. To ensure the strongest defense, Cofense encourages Government agencies to layer their email security strategy to combat evolving threats.

“With over 90% of cyber attacks starting with an email, it’s imperative that all organizations have access to a comprehensive FedRAMP Moderate email security program that can detect, protect and respond to this evolving threat landscape,” said Brandi Moore, Chief Operating Officer at Cofense. “This partnership is the next step in our commitment to the public sector as we are excited to provide Federal agencies with top-of-the-line solutions to address all email security threats through our work with Carahsoft and its reseller partners.”

Carahsoft’s Indefinite Delivery Indefinite Quantity (IDIQ) General Services Administration (GSA) Multiple Award Schedule (MAS) is an IT procurement contract vehicle that provides government customers with the state-of-the-art IT products, solutions, and services needed to serve the public. In addition to the GSA MAS contract, Cofense is also available on Carahsoft’s Information Technology Enterprise Solutions – Software 2 (ITES-SW2), OMNIA Partners, The Quilt and several state-specific contracts. Cofense solutions are also available through Carahsoft’s reseller partner contracts including TX-DIR.

“As government phishing attacks continue to increase at a rapid pace, the expanded availability of Cofense’s FedRAMP-authorized solutions is well timed. Cofense’s solutions meet the FedRAMP Moderate Authorization, providing over 300 controls which are vital to protect agencies’ systems,” said Alex Whitworth, Sales Director who manages the Cofense team at Carahsoft. “With the Cofense platform now available on GSA through Carahsoft and our reseller partners, the Public Sector has streamlined access to advanced AI-based automation solutions to protect their agencies against phishing attacks.”

Enriched with robust threat intelligence from the Cofense Phishing Defense Center (PDC), which analyzes millions of user-reported emails, Cofense’s 2022 Annual State of Phishing Report found that more than 67% of phishing attempts reported by end users are credential phish. Catching and removing these emails before an employee even faces a phish in their inbox is critical for the success of today’s security programs. This makes Cofense’s security program, which provides comprehensive email protection, attack response and threat insights, invaluable to protecting critical environments, such as Federal Government infrastructure.

Cofense is available through Carahsoft’s GSA Schedule No. 47QSWA18D008F, ITES-SW2 Contract W52P1J-20-D-0042, OMNIA Partners Contract #R191902, The Quilt Master Service Agreement Number MSA05012019-F and additional State, Local, and Education Contracts. For more information, contact the Cofense team at Carahsoft at (888)-662-2724 or [email protected]

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 30 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

About Carahsoft

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider®, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator® for our vendor partners, we deliver solutions for Cybersecurity, MultiCloud, DevSecOps, Big Data, Artificial Intelligence, Open Source, Customer Experience and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Visit us at www.carahsoft.com.

Monkeypox Phishing: Outbreak Becomes Latest Lure

By Elmer Hernandez, Cofense Phishing Defense Center

As the world recovers and learns to live with Covid-19, use of the pandemic as a phishing theme has started to wane. However, public wariness and anxiety surrounding an emerging medical concern will remain exploitable. Enter the current monkeypox outbreak. The Phishing Defense Center (PDC) has seen attempts to deceive enterprise staff with a series of monkeypox-themed phishing emails. As this rare infection spreads around the globe and gains media attention, attackers are likely to continue tweaking their tactics.

In the last week at least two PDC customers have reported emails such as the one displayed in Figure 1. Both the employee’s and company’s names change depending on who is targeted, but the email body stays the same.

The pretence is similar to what we have already seen with Covid-19-themed phishing emails. It opens by mentioning updates from reputable health organizations to give the impression of veracity and seriousness. It stresses the importance of keeping staff and the company safe, in an attempt to make the employee feel they share part of the collective responsibility. Finally, it asks all employees of the company to comply with mandatory safety awareness training.

Figure 1 – Phishing Email

Users are taken to a compromised website that redirects them to either a spoofed domain or another already-compromised website. Looking at the URL, it’s clear the threat actor wanted to add validity to the page by naming the directory “health”. Otherwise it is the standard Microsoft credential phish. It first asks the user for the email address (Figure 2) and subsequently the password (Figure 3), claiming this is necessary due to the sensitive nature of the information being accessed. Once the user has provided all credentials, a confirmation page appears for a few seconds (Figure 4) before they are redirected to the real Office 365 website.

Figure 2 – Phishing Site

Figure 3 – Password

Figure 4 – Confirmation


BEC Insights: The Need for Better Business Controls

Author: Tonia Dudley

In our 2022 Annual State of Phishing Report, we observed the Business Email Compromise (BEC) threat category inch up from 6% to 7% of overall threats, with the Healthcare sector still leading the way at 16%. With increased attention and speculation around BEC, otherwise known as CEO fraud, Cofense CTO & Co-Founder Aaron Higbee, BEC specialist and Principal Threat Advisor Ronnie Tokazowski, and I sat down to go in-depth on our findings and insights around this threat.

One of the highlights from this webinar was a new tactic we recently observed at Cofense related to direct deposits. As you can see from the message below, this threat actor leverages what many companies treat as a best practice, self-service updates to direct deposit information, which makes the tactic more effective.

This is just one of many samples highlighted in the webinar. Below is a brief list of takeaways and topics discussed. You can hear the entire discussion on demand, plus register for additional annual report webinars on topics such as Secure Email Gateways and Ransomware.

Key Takeaway #1 – Evolution of the Threat

In late 2015, Cofense first wrote about BEC when our own CFO received a spoofed email from our CEO, Rohyt Belani, asking for a wire transfer. As we continue to follow the tactics related to this threat, as with any other threat, threat actors have constantly adjusted their templates to evade detection by the secure email gateway (SEG) and spam filters. Many of the conversation-starter emails are quite vague and take 2-3 follow-up emails to lure the recipient into executing the desired task (i.e. purchasing gift cards).

Key Takeaway #2 – Top BEC Threats for Enterprise

We dig a bit deeper into each of these topics on the webinar, but these are the top themes we have observed related to BEC.

  • Invoice Fraud – this isn’t surprising, as we continue to observe it as a top theme for threat actors to reach one of their top objectives – MONEY.
  • Thread Hijacking – nothing adds more credibility for a recipient to interact with a threat actor than an email chain that appears three replies deep into a conversation.
  • Gift Cards – while this threat tends to be small in monetary value, it tends to cost the employee directly, as they’re unable to get reimbursed for this inadvertent purchase. Threat actors tend to choose the gift card brand they request based on its exchange rate on the bitcoin marketplace.
  • Direct Deposit – also known as payroll diversion, where the threat actor attempts to redirect your paycheck to their bank account instead of yours.

Key Takeaway #3 – Ways to mitigate against BEC

We closed out the webinar with a few quick actions you can take to help protect your organization against this threat.

  • Education. While we promote phishing simulation campaigns as the optimal way to train your employees against phishing threats, this threat is a bit more difficult to train for using that methodology. When it comes to BEC, use your security awareness newsletters to cover this topic, and include images of real emails observed by your organization. Sharing a real email makes the threat real to your users.
  • CEO Messaging. Ensure that your users understand that your executive team isn’t going to ask them to buy gift cards to award clients or their family members. Be sure to include this in your New Hire Orientation (NEO) onboarding, as this group of employees is unlikely to be as familiar with your business practices or executive team.
  • Implement and Enforce business process changes. When it comes to BEC, victims of these threats all trace back to a breakdown in the business controls meant to prevent large amounts of cash from being sent out of the organization.