Ransomware Themed Phishing Attack

Countdown Timer: Ransomware Themed Phishing Attack

By Adam Martin, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) observes a large variety of phishing techniques and lures throughout our customer base. Some of those techniques are quite unique methods of getting the end user to interact with the message. As illustrated below in Figure 1, the recipient is advised about a suspicious login, alluding to login location issues, and is offered a solution in the form of email verification. The name of the proposed security software company “DNS Domain Name Server” is vague enough but “tech” sounding enough to convince the unsuspecting recipient that this could indeed be their native security service.

Figure 1 Initial Email

What sets this phish apart from other campaigns is the graphic displayed to the recipient once the malicious link is accessed. For the purposes of this example, fake information has been provided to the hosting server.

Figure 2 Example Email Address

Once accessed, the page shown in Figure 3 is displayed. The page runs in a loop with randomly generated names assigned to the domain based off the target company’s domain. Sharing some similarities with ransomware, the target company is faced with a countdown timer and the choice of stopping the deletion of potentially companywide email access or entering their credentials. The timer also shares ransomware type panic creation all designed to push the recipient into entering their credentials without second guessing. These details aren’t deleted and a merely randomly generated as part of the scare tactic. Much the same as a ransomware “timer” for permanent file deletion should the ransom not be paid.

Figure 3 Ransomware style note displayed

As is the normal case with phishing incidents, once credentials have been provided by the recipient, one of two actions generally take place. The password “input” box will return “wrong password” with the details posted to the C2 address. Alternatively, you’ll be redirected to a new page along the lines of “validating” the account, which will eventually revert to the homepage of the target organization, as seen in Figure 4. In this case, after several different variations of “validating, checking, confirming” the user was ultimately redirected back to their own company’s home page.

Ransomware Themed Phishing Attack

Figure 4 Validation loop

Indicators of Compromise IP
hXXp[:]//nameserversecurity[.]com/[account]_[verification.php]?cust_mail 199[.]188[.]205[.]252

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.  

How Crowdsourced Human Intelligence Stops Attacks that Bypass your Technology

By Dave Alison, VP Product, Cofense

Cofense has focused on the human side of email security for over a decade. This focus requires that we look at the threat landscape through a unique lens – not just the conditioning of employees to spot suspicious emails, but to leverage our intelligence to eliminate threats other employees in other organizations around the world have just reported.

What does that mean? At a high level, it means that crowdsourced human intelligence is stopping attacks BEFORE it happens.

Every day, thousands of novel attacks are launched via email against organizations large and small. These bypass perimeter security technology and land in unsuspecting employee inboxes, potentially causing millions of dollars in damages as threat actors trick unsuspecting employees into activating these payloads or handing over their credentials.

How It Works

Cofense has millions of trained human sensors deployed across organizations and sectors around the world actively reporting those attacks to us as these campaigns hit their inboxes. These emails, combined with other proprietary collections, are analyzed by our Cofense Intelligence team, which examines these threats in close to real time, and quickly provides intelligence derived from these verified attacks to our customers.

This intelligence subsequently feeds an Auto-Quarantine capability, which removes malicious emails from an inbox in minutes, often before users see or have a chance to open the email.

As this rich intelligence is disseminated via our Intelligence API feed, these Indicators of Compromise (IOCs) are deployed to any instance where our customers have Auto-Quarantine fully enabled. Here’s how this unfolds:

  1. A new attack that evades the secure email gateway (SEG) reaches one or multiple employee inboxes. 
  2. An employee receives the malicious email and believes it is suspicious. They use the Cofense Reporter to notify their security team or our Cofense Phishing Defense Center (PDC). 
  3. A Cofense Intelligence Analyst performs a review of malicious reported emails, building out an Active Threat Report (ATR) and extracting the Indicators of Compromise (IOC). There are over 50K of these IOCs generated every month. 
  4. The IOCs are then sent to the Cofense Vision customers, with a 5-minute check-in schedule for any new ATRs added or updated 
  5. Vision AutoQuarantine examines incoming and existing email for the new IOCs and, if found, automatically moves the emails into quarantine. 

What We’ve Found

The results are shown in the following graph, which charts the number of emails our system identified as malicious after these got through the SEGs, or other various email controls, that protect it.

As you can see, this complete loop is having a powerful impact on the threat landscape. Cofense has operationalized the human security layer, addressing the threats that inevitably make it through the technology layer.

It’s important to note that while each SEG available on the market has varying degrees of effectiveness in identifying these threats, we observe thousands of attacks that have evaded every SEG available. This includes large, well configured customer environments protected by Microsoft, Proofpoint, Cisco IronPort, Mimecast, etc. The actual attack types we see also run a broad range: malware leading to ransomware, credential phish, business email compromise, targeted attacks against VIPs, etc.

Cofense continues to make great strides in increasing the speed of that loop, getting the IOCs into the email stream quickly. Now, more than ever, Vision with Auto-Quarantine provides the best defense against the attacks that are continuing to make an impact.

Cofense Quarterly Phishing Intelligence Review: 3 Key Takeaways

The Cofense Intelligence team released its Quarterly Phishing Intelligence Review for the second quarter of 2022, which highlights significant shifts in the phishing threat landscape, with some key takeaways highlighted below.

Top five malware types in Q2 2022 and Q1 2022, by volume of emails.

  1. Emotet campaigns continued to sustain, however their overall volume dropped significantly compared to the first quarter of 2022, leading to an overall reduction in phishing activity. However, don’t get too comfortable. Four of the top five malware families most frequently delivered via phishing (FormGrabber, Agent Tesla, QakBot, and Remcos RAT) all saw increases in volume.
  2. Changes in QakBot delivery tactics made QakBot a far more potent threat. Phishing campaigns delivering QakBot became the most effective in terms of reaching end users. QakBot campaigns now go to extensive lengths to bypass security measures, avoid detection, and obstruct analysis tactics. Read the report for more details regarding these effective tactics.
  3. Business Email Compromise (BEC) campaigns continue to impart more financial loss on companies than any other cyber threat. Our team dove into what it looks like when a target interacts with a BEC actor as part of our latest strategic analysis.

BEC Campaigns Like The One Above Reach End Users Regularly

Tired of reading? Well, great news! You can watch our Quarterly Threat Briefing for Q2, which covers many of the report’s findings, on demand here.

Email Quarantine Stops Microsoft Phish after bypassing SEGs

By Schyler Gallant, Cofense Phishing Defense Center

Our analysts in the Cofense Phishing Defense Center (PDC) review thousands of phishing emails, all varying in degree of complexity. Recently, PDC analysts observed a simple Microsoft phish that was reported by several clients. One of these clients had Cofense Vision, which provided insight into how many emails from this campaign appeared in their email environment. Even with a Secure Email Gateway (SEG), there were over 130 emails from this phishing campaign. A vast majority of the emails were not reported to the PDC, however, with the power of Vision’s quarantine function, analysts were able to prevent these from being a potential threat to users.

Figure 1: Email Body

The email appears with the subject, “Mail delivery failed: return message to sender,” seen in Figure 1. This alert is a common message someone would receive when their messages are kicked back because the person who they emailed has a full inbox or that email address does not exist. The first indicator of this phish is the email sender is genelle[@]sjvma[.]org while representing itself as Microsoft.

In Figure 1, the email body appears with a Microsoft logo, giving the user extremely specific information on when three messages became undeliverable. This is to convey to the user that these emails will need to be reviewed and released for them to come into their inbox. This is a common tactic for threat actors to leverage legitimate alerts common to Microsoft users. Once ’allow messages or ‘review messages’ is clicked, the user is directed to hxxp[:]//youdeh[.]co[.]za.

Figure 2: Phishing Page.

When the user clicks this link, they are redirected to a landing page that appears as the Microsoft login in Figure 2. While this appears as the actual Microsoft login page, looking at the address will show that the URL is actually hxxps[:]//objectstorage[.]me-dubai-1[.]oraclecloud[.]com/n/ax163p6wpz8g/b/bucket-20220621-1039/o/index[.]html. It’s common for Microsoft phish to have a page that closely resembles the real one. If the user did enter their credentials, they be redirected back to the Microsoft office page.

Even with common tactics used in this campaign, Cofense was able to quarantine and protect the client in an environment despite the presence of a Secure Email Gateway (SEG). That’s why Cofense is in a unique position behind SEGs. Vision paired with the PDC can protect against a campaign with numbers like this from causing a potential incident or data breach.

Indicators of Compromise IP
hXXp[:]//youdeh[.]co[.]za 99[.]198[.]101[.]186
Phishing The Phishers

Phishing The Phishers: This is How the Number One Cybercrime Works

By: Ronnie Tokazowski, Principal Threat Advisor & Brad Haas, Cyber Threat Intelligence Analyst

How many phish does it take to get to the sugary story of the BEC (Business Email Compromise) attack? That’s exactly what we wanted to find out.

Contrary to many other types of cybercrime, BEC is a conversational-based phishing attack. Scammers simply ask users to do a favor or run that errand, and the person on the other end does just that. BEC actors can use many different pretexts to phish end users. It can be anything from pretending to be the CEO in an organization to asking someone to update payroll or even asking for gift cards for an employee. While many of these tactics are already publicly known, there’s still some confusion about how all these different pieces work together.

Do people become victims after the first email or do the scammers need to have a conversation with the victim?

That’s what we set out to discover in our most recent BEC study.

Phishing The Phishers: What We Found

We wanted to engage with the scammers and understand how these conversations worked. In hundreds of email threads, we did just that. We responded to the scammers, tracked all of our responses, and tried to gauge just how many conversations it would take to draw different conclusions.

How likely were the scammers to respond back and how many emails did it take to illicit the final pretext?

Based on the hundreds of responses to the scammers, we received responses in 58% of attacks. Many email accounts were taken down by service providers prior to engagement or we simply just didn’t receive a response from the scammers.

Of those 58% of responses, 89% of the phishers told us what they needed after our first response. In many cases this was gift card requests with the initial pretext of “I need you to run this urgent task” or “can you send me your phone number” with no other information. Once we responded back, the scammers came back and said the task was to go to the grocery store and pick up a gift card.

There is a lot more to this study than we could fit in this blog. So, for the rest of our insights from this study, here is a detailed Threat Intelligence analysis breaking down everything we discovered including examples of emails we received from BEC threat actors and percentage of webmail providers utilized.

Ransomware: Proactive Phishing Detection to Mitigate Risk

Author: Tonia Dudley

As we close out our 2022 Annual State of Phishing Report webinar series, we addressed ransomware as it relates to phishing. While we don’t see ransomware delivered in an email campaign, there are plenty of tactics used by threat actors as leading entry into the organization. As we have repeatedly addressed, we can’t stress enough that credential phish, at 67%, still remains the number one phishing threat today.

For those that missed our ransomware webinar, below are three key insights that we discussed as ways to address ransomware as an organization.

One of the highlights from this webinar was a tactic that has been seen by Cofense only twice in the past five months. This banking trojan, IcedID, is used to steal information such as credentials. What’s interesting about this email is the fact the threat actor leveraged an email from 2017, also using the reply-chain tactic. It’s no surprise the recipient thought this was suspicious and quickly reported this email to our Phishing Defense Center (PDC).

Ransomware Phishing Email

Key Takeaway #1 – Resiliency is key to defending against Ransomware

As we look at the attack chain specific to ransomware, there are several precursor steps that take place before the ransom note is delivered. The key to building a resilient workforce is providing them with relevant phishing simulation training that aligns to current threats hitting their inbox.

Key Takeaway #2 – Zero Days are in play.

As threat actors in the ransomware community have built up their resources, they are now able to step into the zero day arena to further their attacks. We briefly addressed the Microsoft zero day published in late May that has been weaponized by the QakBot group. For more on that specific threat, keep an eye out for our quarterly Threat Intelligence webinar to gain more insights.

Key Takeaway #3 – Credential Phish and HTLM attachments

We reported credential phish taking a 10-percentage point jump over the previous year in our annual report. Cofense continues to observe this as the top threat in the first half of 2022. While fewer attachments are landing in the inbox, the top file type that continues to be successful are HTML / HTM files. Organizations should look for ways to identify ways to mitigate this threat by tuning their controls.

For additional insights from our 2022 Annual State of Phishing Report webinar series:

Human, Artificial, and Email Attack Intelligence: Why You Need All Three

Human, Artificial, and Email Attack Intelligence: Why You Need All Three

By Cofense

It’s a staggering statistic: 50% of all email phishing attacks, including business email compromise (BEC) and credential theft, evade secure email gateways (SEGs). Yes, your SEG misses half of all advanced email attacks targeting your organization.

While credentials are appealing for threat actors, their end goal is far more nefarious – to compromise your business’s crown jewels such as customers’ personal identifiable information (PII) and confidential intellectual property (IP). To protect their valuable assets, organizations must deploy an intelligence-driven solution to counteract phishing attacks, which make up 91% of all cyberattacks.1 With this approach, organizations gain the upper hand against threat actors by proactively identifying trends, predicting threats and preventing attacks. However, a solution is only as effective as the intelligence that powers it. New attacks and tactics are developed every day and organizations need insights from multiple sources to identify the latest campaigns.

Cofense enables organizations to detect and respond to email phishing attacks evading traditional email security controls with a comprehensive platform powered by a combination of unique intelligence sources: human intelligence, artificial intelligence and email attack intelligence. Each of these sources, deployed through various products in the Phishing Detection and Response (PDR) platform, provides an important and necessary view into active phishing campaigns.

  • Human Intelligence is derived from a network effect of over 32 million reporters worldwide reporting real phish reaching their inboxes. More than 50% of attacks reported to the Cofense Phishing Defense Center (PDC) were reported in another PDC customer’s environment first, immediately arming the organization with the necessary indicators of compromise (IOCs) to stop the attack.


  • Artificial Intelligence comes from patent-pending “computer vision” technology deployed in Cofense Protect that reads emails as a human does and identifies if they are malicious. Of the threats identified by computer vision, 88% have never been seen before, enabling organizations deploying Protect in their environments to catch the newest attacks almost instantly.


  • Email Attack Intelligence, obtained from multiple sources, vets every single IOC distributed by Cofense. Our team of analysts reviews every IOC from our human and artificial intelligence sources, with customers experiencing – as they’ve told us – a “99.9% credibility rate.”

This unique combination of intelligence provides an unsurpassed source of insights into phishing campaigns, and powers our comprehensive platform to automatically identify and remove recently developed attacks, even if they haven’t been reported. In essence, Cofense sees threats that SEGs don’t.

Threat actors continuously evolve their tactics to bypass existing email security. To fully enable your SOC and mature from a reactive to proactive security posture, it’s imperative to deploy a solution powered by relevant data that evolves in real time to identify the next attack before it strikes your organization. Data is only as relevant as its sources, and organizations evaluating email security solutions should ask vendors to talk about how they power their technology. Data should derive from relevant, dynamic and distributable sources to ensure the solution evolves with the threat landscape and remains effective.

Cofense’s unique and relevant data ticks these boxes and fuels a cohesive solution that evolves your email security posture to stay ahead of the ever-changing threat landscape. Ask us how we can help your enterprise. Contact us today.

1 Deloitte, January 9, 2020: “91% of all cyber attacks begin with a phishing email,” https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

How Aligning Security Awareness and Security Operations can Reduce Dwell Time

Email phishing attacks pose a large threat to every organization around the world and make up 91% of all cyberattacks.1 The most effective way for organizations to reduce their risk is to ensure that all aspects of their phishing program are focused on resiliency and preparing for the attacks that have the highest likelihood of reaching them. Suggested metrics to define and understand include human resiliency, mean time to detect (MTTD), mean time to respond (MTTR), and dwell time.

While MTTR falls under the purview of Security Operations and is a central focus in analyzing and remediating attacks, MTTD also should be considered and is often a secondary metric. To fight email phishing attacks, both metrics must be primary objectives of the Information Security program. The Security Awareness function can make an impact to these metrics by increasing the resiliency of the humans at the organization to ensure that the threats bypassing traditional email controls are quickly recognized, reported, and placed in the hands of the security operations and response teams.

The first step to reducing dwell time is improving MTTD and can be accomplished by conditioning your employees to be the first line of defense by becoming human sensors to report any email they suspect is malicious. Most security awareness programs focus on susceptibility, a measure of how many employees click on a simulation. Instead, security awareness programs should focus on resiliency, which compares the number of employees who reported the simulation to the number of employees who clicked the link. Email phishing attacks can only be removed if Security Operations is aware of them – positioning Security Awareness in the center of Security Operation’s strategy.

The second step to reducing dwell time can be accomplished by enabling Security Operations to analyze the most-likely malicious emails first. While increased reporting rates are a positive change and increase visibility into the threat landscape, it also means threat analysts must spend more time reviewing emails for actual attacks. Various email security vendors provide tools for Security Operation Centers (SOCs) to respond to reported emails, but don’t provide the best approach. While most organizations take an approach of “scoring” threats based on their internal threat intelligence, this does not account for the power of your internal reporters. With highly trained employees as the first line of defense, they become the best “eyes” of an organization, and employees with the highest likelihood to spot a phishing email should have their reports analyzed first. Combining threat scoring and reporter scoring further emphasizes the importance of Security Awareness while making it easier for Security Operations to stop email phishing attacks.

Security Awareness is more than compliance – it is an integral part in reducing dwell time of the most active and successful threat vector facing every organization – email phishing attacks. With Cofense Phishing Detection and Response (PDR), organizations can create a partnership between the Security Awareness and Security Operations teams. Cofense enables Security Awareness to build resiliency across their organization with simulations derived from real phish that are updated every month and is the only vendor that delivers simulations when an employee is active in their inbox, doubling report rates across our customer base. Cofense PDR takes these reported emails and automatically helps analysts in SOCs sift through the noise by scoring reported emails based on indicator of compromise (IOC) scoring and “reporter reputation,” enabling threat analysts to investigate reported emails from employees with the greatest track record of reporting real phish. It is time Security Awareness takes its rightful place next to Security Operations as partners in reducing dwell time and keeping email phishing attacks out of employee inboxes.

Cofense PDR Solutions Now Available on Carahsoft GSA Schedule

Cofense PDR Solutions Now Available on Carahsoft GSA Schedule

New Award Makes Cofense’s Comprehensive Security Platform Available to Federal, State and Local Agencies

LEESBURG, VA. and RESTON, Va. — June 14, 2022 Cofense®, the leading provider of Phishing Detection and Response (PDR) solutions and Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, today announced that Carahsoft has added Cofense’s products to its GSA Multiple Award Schedule (MAS), making the company’s end-to-end email security platform widely available to the Public Sector through Carahsoft and its reseller partners.

Cofense’s enterprise security program protects agencies from malware threats, ransomware, and other scams that routinely bypass traditional email security platform, such as secure email gateways (SEGs). With insights from a global network of millions of users, their phishing detection and response (PDR) platform delivers strategies and tools to efficiently mitigate threats in minutes by combining the power of crowdsourced intelligence and automated technology. Cofense also offers education and simulations to train employees to recognize and report phishing attempts. To ensure the strongest defense, Cofense encourages Government agencies to layer their email security strategy to combat evolving threats.

“With over 90% of cyber attacks starting with an email, it’s imperative that all organizations have access to a comprehensive FedRAMP Moderate email security program that can detect, protect and respond to this evolving threat landscape,” said Brandi Moore, Chief Operating Officer at Cofense. “This partnership is the next step in our commitment to the public sector as we are excited to provide Federal agencies with top-of-the-line solutions to address all email security threats through our work with Carahsoft and its reseller partners.”

Carahsoft’s Indefinite Delivery Indefinite Quantity (IDIQ) General Services Administration (GSA) Multiple Award Schedule (MAS) is an IT procurement contract vehicle that provides government customers’ state-of-the-art IT products, solutions, and services needed to serve the public. In addition to the GSA MAS contract, Cofense is also available on Carahsoft’s Information Technology Enterprise Solutions – Software 2 (ITES-SW2), OMNIA Partners, The Quilt and several state-specific contracts. Cofense solutions are also available through Carahsoft’s reseller partner contracts including TX-DIR.

“As government phishing attacks continue to increase at a rapid pace, the expanded availability of Cofense’s FedRAMP-authorized solutions is well timed. Cofense’s solutions meet the FedRAMP Moderate Authorization providing over 300 controls which are vital to protect agencies’ systems,” said Alex Whitworth, Sales Director who manages the Cofense at Carahsoft. “With the Cofense platform now available on GSA through Carahsoft and our reseller partners, the Public Sector has streamlined access to advanced AI-based automation solutions to protect their agencies against phishing attacks.”

Enriched with robust threat intelligence from the Cofense Phishing Defense Center (PDC), which analyzes millions of user-reported emails, Cofense’s 2022 Annual State of Phishing Report found that more than 67% of phishing attempts reported by end users are credential phish. Catching and removing these emails before an employee even faces a phish in their inbox is critical for the success of today’s security programs. This makes Cofense’s security program which provides comprehensive email protection, attack response and threat insights invaluable to protecting critical environments, such as Federal Government infrastructure.

Cofense is available through Carahsoft’s Carahsoft’s GSA Schedule No. 47QSWA18D008F, ITES-SW2 Contract W52P1J-20-D-0042, OMNIA Partners Contract #R191902, The Quilt Master Service Agreement Number MSA05012019-F and additional State, Local, and Education Contracts. For more information, contact the Cofense team at Carahsoft at (888)-662-2724 or [email protected]

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 30 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

About Carahsoft

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider®, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator® for our vendor partners, we deliver solutions for Cybersecurity, MultiCloud, DevSecOps, Big Data, Artificial Intelligence, Open Source, Customer Experience and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Visit us at www.carahsoft.com.

View source version on Globe Newswire