Phish Found in Proofpoint-Protected Environments – Week ending December 18, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP and Symantec deliver credential phishing via an embedded link. 

TYPE: Trojan 

DESCRIPTION: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via a OneDrive embedded link. 

TYPE: Ransomware 

DESCRIPTION: Copyright violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cofense Now has Automated Phishing Detection and Response Capability

Auto Quarantine can identify and automatically remove malicious emails from recipients’ inboxes – often before users see or have a chance to open them. Auto Quarantine is powered by the Cofense Intelligence network of Cofense researchers, the Phishing Defense Center (PDC) team of analysts, and millions of people around the world identifying and reporting suspected phish. This high degree of automation significantly reduces the time to identify and resolve attacks, provides protection from the threats that bypass secure email gateways (SEGs) every day, and lessens the time a security analyst spends hunting malicious email.

How it Works 

The Cofense team closely monitors the threat landscape and is able to leverage a global network of over 25 million human sensors identifying and reporting on suspicious emails, and a team of advanced researchers and intelligence analysts to create an unparalleled view of threats happening in real time around the world. The moment a threat is identified, Cofense analysts generate an Indicator of Compromise (IOC) tuned to stopping that threat. With Vision’s Auto Quarantine feature, these IOCs are used to identify malicious emails that have bypassed the SEG seconds after they are received. When a match is found, the email is auto quarantined where it can then be examined and, if appropriate, removed permanently. Current Cofense Vision users are observing several such threats being automatically addressed every day, thus significantly reducing the window of vulnerability to active email-borne threats like ransomware, business email compromise (BEC), malware attacks and credential theft.  

Here are some real customer stories: 

Fortune 500 Retail Organization: 

A large retail customer was an early adopter of Cofense Vision with Auto Quarantine. The account team provided an email to the customer with a recently identified public malicious phishing link. The email completely bypassed all the existing email security controls.  But within seconds, and before the recipient could open the email, Vision identified the email as a threat and auto quarantined it. This happened without any human intervention. 

Large, Full-service Mortgage Provider: 

This enterprise organization deployed Vision with the new Auto Quarantine feature across its organization.  During the first week, Vision identified six separate phishing campaigns. Each of these campaigns contained approximately 500 phishing emails that had bypassed existing email security technology and made it to recipient inboxes. The Vision Auto Quarantine functionality immediately quarantined the thousands of emails without analyst interaction and, before a recipient could open the email, quickly and effectively reduced risk to the organization. Prior to Vision, the team did not have visibility into the extent of phishing campaigns, nor any systematic way to identify and remove them.  

Global Construction Company: 

When this global construction company enabled Auto Quarantine, they saw an immediate impact.  A phishing campaign disguised as a Microsoft Teams invitation to a holiday party appeared shortly after Auto Quarantine was configured. The email was immediately identified as a phishing campaign and more than 200 emails were auto quarantined.  After the initial detection, the company continued to be targeted with the same phishing campaign and the auto quarantine functionality in Vision has continued to detect and remove several dozen more attacks. 

In addition to the Auto Quarantine feature, Vision, a key component of the Cofense PDR platform, has additional enhancements that include:

  • Reduced remediation time: Cofense Vision actively scans new and existing emails and automatically quarantines malicious emails in near real time. Updates to the user interface enable Approve and Reject actions in more places in the UI, saving valuable time spent on threat remediation and IOC management and reducing risk to the organization.
  • Flexibility: Cofense Vision can be set to quarantine emails containing IOC matches automatically or, for more control, operator approval can be required. Cofense Vision also lets teams define an allowed IOCs list – a list of indicators that an organization knows to be safe.
  • Visibility: Complete visibility into all events associated with Auto Quarantine. The Cofense Vision Audit page contains entries for configuration changes, creation of quarantine jobs, operator approvals, changes to the allowed IOCs list, and any updates to IOCs.
  • Network effect: The power of Cofense Intelligence services provides IOCs in real time – the moment they are vetted and released by Cofense.

And for customers of the Managed Phishing Detection and Response (PDR) service, if a threat is found in one customer’s environment, that intelligence is used to detect and quarantine attacks in other customer environments.

Phishing threats are human-developed, which is why Cofense is helping organizations out-human the phishing threat. By continuously updating our solutions with capabilities to remove real-world threats before anyone in the organization even sees them, Cofense is greatly reducing the risk of a phishing attack. 

Learn more about Cofense Vision and Auto Quarantine, here. 


 

Cofense Unveils Automated Phishing Detection and Response Capability

Leesburg, Va. – Dec. 21, 2020 – Cofense, the leading provider of phishing detection and response (PDR) solutions, today announced new product innovations to Cofense Vision. Most notably, the addition of an Auto Quarantine feature that identifies and automatically removes malicious emails from recipients’ inboxes – often before users see or have a chance to open them, based on our knowledge of similar threats in other customer environments. This high degree of automation significantly reduces the time to identify and resolve attacks, provides protection from threats that bypass Secure Email Gateways (SEGs) every day, and lessens a security analyst’s time spent hunting malicious email. Auto Quarantine is powered by the Cofense Intelligence™ network of Cofense researchers, the Phishing Defense Center® (PDC) team of analysts, and millions of people around the world identifying and reporting suspected phish.

How it Works

The Cofense team closely monitors the threat landscape and is able to leverage a global network of over 25 million human sensors identifying and reporting on suspicious emails, and a team of advanced researchers and intelligence analysts to create an unparalleled view of threats happening in real time around the world. The moment a threat is identified, Cofense analysts generate an Indicator of Compromise (IOC) tuned to stopping that threat. With Vision’s Auto Quarantine feature, these IOCs are used to identify malicious emails that have bypassed the SEG seconds after they are received. When a match is found, the email is auto quarantined, where it can then be examined and, if appropriate, removed permanently. Current Cofense Vision users are observing several such threats being automatically addressed every day, thus significantly reducing the window of vulnerability to active email-borne threats like ransomware, business email compromise (BEC), malware attacks, and credential theft.

Cofense Vision with Auto Quarantine Proven Effective in Enterprise Organizations  

Fortune 500 Retail Organization:

A large retail customer was an early adopter of Cofense Vision with Auto Quarantine. The account team provided an email to the customer with a recently identified public malicious phishing link. The email completely bypassed all of the existing email security controls. But within seconds, and before the recipient could open the email, Vision identified the email as a threat and auto quarantined it. This happened without any human intervention.

Large, Full-service Mortgage Provider:

This enterprise organization deployed Vision with the new Auto Quarantine feature across its organization. During the first week, Vision identified six separate phishing campaigns. Each of these campaigns contained approximately 500 phishing emails that had bypassed existing email security technology and made it to recipient inboxes. The Vision Auto Quarantine functionality immediately quarantined the thousands of emails without analyst interaction and before a recipient could open the email, quickly and effectively reducing risk to the organization. Prior to Vision, the team did not have visibility into the extent of phishing campaigns nor any systematic way to identify and remove them.  

Global Construction Company:

When this global construction company enabled Auto Quarantine, they saw an immediate impact. A phishing campaign disguised as a Microsoft Teams invite to a holiday party appeared shortly after Auto Quarantine was configured. The email was immediately identified as a phishing campaign and over 200 emails were auto quarantined. After the initial detection, the company continued to be targeted with the same phishing campaign and the auto quarantine functionality in Vision has continued to detect and remove several dozen more attacks.  

“Phishing threats are human-developed, which is why Cofense is helping organizations ‘out-human’ the phishing threat. By continuously updating our solutions with capabilities to remove real-world threats before anyone in the organization even sees them, Cofense is greatly reducing the risk of a phishing attack,” says Aaron Higbee, Co-Founder and CTO of Cofense. “With the newest version of Cofense Vision, organizations can immediately operationalize Cofense’s indicators of compromise and automatically remove malicious email from an environment even before a team member tags them as suspicious. Customers are quickly adopting Auto Quarantine for its effectiveness in stopping threats that bypass SEGs, and for delivering immense productivity gains for SOC and IR teams.”

To learn more about Cofense’s PDR platform, designed to deploy as an integrated suite of products or delivered as a comprehensive managed PDR service through the Cofense Phishing Defense Center (PDC), please visit www.cofense.com/.

About Cofense
Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 25 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact

[email protected]

Phishing Emails Found in Proofpoint-Protected Environments

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Trojan

DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint and Symantec deliver the Dridex banking trojan via Microsoft Office macro-laden documents downloaded from embedded links.

TYPE: Agent Tesla Keylogger 

DESCRIPTION: Bank-spoofing emails found in environments protected by Proofpoint deliver an Agent Tesla Keylogger binary in an attached .iso archive.
Note: these are in the German language. 

TYPE: Credential Phish 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Ironport deliver credential phishing via an attached HTM file. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phish Found in Proofpoint-Protected Environments – Week ending December 4, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Remote Access Trojan 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via embedded links. The embedded Dropbox links download a .Z archive that contains a NanoCore RAT executable.

TYPE: Agent Tesla Keylogger 

DESCRIPTION: Inquiry-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded links. The embedded Microsoft OneDrive links download a .RAR archive that contains an Agent Tesla executable. 

TYPE: Trojan

DESCRIPTION: Finance-themed emails found in environments protected by O365-ATP and Proofpoint deliver the banking trojan Dridex via Office macro-laden documents downloaded from embedded links.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


You Must Quarantine! Fake Office 365 Email Leads to Curiosity

By Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a recent phishing campaign that targets Office 365 users and includes a convincing reference to a Microsoft quarantine notification. The campaign was found in an environment protected by Microsoft’s own secure email gateway (SEG).

Threat actors continue to leverage standard Microsoft notifications to entice the recipient into interacting with the email. We noticed two variants of this campaign.

The first example displayed above in Figure 1 showcases a fairly persuasive “Digest Summary Notification.” It displays the same HTML used within the legitimate notifications sent. However, if we look past the display name and dive a little deeper into the actual “from” address, we can see that it belongs to a compromised account belonging to an environmental firm: [email protected] [.]com. We can only assume the attacker was hoping the reader wouldn’t notice the domain has no relation to Microsoft.

The example in question also illustrates a move away from the traditional narrative used to lure recipients. This attacker has opted out of using urgency language with terms such as “urgent” or “you must.” As a result, the reader may overlook the threat and become curious enough to engage with the email, opting to review the “important message.”   

Should the user hover over the “Review” option, the URL path will clearly display the redirect that has no relation to Office or Microsoft. It will instead direct the user to “googleads,” taking them immediately to the phishing landing page. We can assume the reason for this is to evade detection and bypass existing security measures with whitelisted URLs.

Figure 2  Encoded body of email 

The second campaign is a little more unusual at first glance, as the entire email body has been encoded. The attacker may have done this to evade existing security controls, assuming that, once the email was opened, it would decode to reveal the message in plain text. The email did not decode, however, revealing a rather confusing layout and raising red flags immediately. This may have been caused by a bug in the threat actor’s toolkit. We later decoded the text ourselves, revealing several links, most of which were benign; by trial and error we narrowed down the malicious link, which led to the phishing landing page below:

hXXps://authsignin[.]website[.]yandexcloud[.]net/

As seen above in Figure 3, the phishing landing page has been carefully designed to replicate the official Office 365 login page, luring users into thinking they are authenticating via a genuine service. Assuming users logged in with their true Microsoft credentials, their personal data could unfortunately be in the hands of the threat actor. 

Attackers are always exploring new sophisticated tools and techniques, as demonstrated in the above examples, to bypass the SEG. Cofense PDC uses human detection and auto response to remediate and quarantine such threats, and continues to evolve to stay ahead of the latest phishing and malware threats.

Indicators of Compromise 

Network IOC  |  IP
hXXps://googleads[.]g[.]doubleclick[.]net/pcs/click?xai=AKAOjssIdZGtK2LGw4coQMwtQcONuf8cVZUVHUrlFgT33_wiLCuxpoweUvHdBH9neY4iW-CZh2SzgITptx6j64F0B2pEU0uoeRfmKTeyn7LSG5Irubqjv6IFl9MeqTp84ZT99WRJlZDMgrwUaUI7QjgNwL22AVveJm980wuVNryiILT2WhxCPmcY8M7PVIOygAXT_382p7PUn7bIByn2OjlTfCiaqta3tAhZWCuROeXZPznm5cGhgUYspVywPb8Y8GbuT5pyEUyF89icmqe5zg&sig=Cg0ArKJSzFtr0kI2Y6Ll&adurl=https:%2F%2Fauthsignin.website%E2%80%8B.yandexcloud.net%23  |  172[.]217[.]7[.]226
hXXps://authsignin[.]website[.]yandexcloud[.]net/  |  213[.]180[.]193[.]247
hXXps://auth-1304164361[.]cos[.]ap-seoul[.]myqcloud[.]com/index.html  |  119[.]28[.]148[.]128, 119[.]28[.]148[.]172, 119[.]28[.]148[.]150
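The two evasions described in this post, an encoded email body and a "Review" link that bounces through an ad-click redirector, both defeat a reviewer who only looks at the first URL they see. The following triage helper is an added example and is not code from the Cofense post or from any Cofense product. It decodes a transfer-encoded body, extracts every URL, unwraps redirector query parameters such as the `adurl` seen in the first IOC, strips zero-width characters (the IOC's `adurl` value carries `%E2%80%8B`, a percent-encoded U+200B zero-width space, inside the hostname), and checks the resulting host against the IOC hosts from the table above. Assumptions: the encoded body was base64 transfer-encoded (the post only says "encoded"); the list of redirect parameter names beyond `adurl` is this example's own; and the sample body is constructed, with the tracking values of the doubleclick URL replaced by placeholders.

```python
"""Triage helper for the encoded-body / ad-redirect lure described above.

Added example, not code from the Cofense post. Assumptions: the encoded body is
base64 transfer-encoded (the post only says "encoded"), and SAMPLE_HTML below is
constructed, with the tracking parameters of the doubleclick IOC replaced by
placeholders.
"""
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosts from the post's IOC table, with the [.] defanging removed so they match real URLs.
IOC_HOSTS = {
    "authsignin.website.yandexcloud.net",
    "auth-1304164361.cos.ap-seoul.myqcloud.com",
}

# Query parameters that ad-click and tracking redirectors commonly use to carry the
# real destination. "adurl" is the one in the IOC; the others are assumed.
REDIRECT_PARAMS = ("adurl", "url", "redirect", "u")

# Invisible code points that can be inserted into a hostname to defeat naive string
# matching; the IOC's adurl carries U+200B, percent-encoded as %E2%80%8B.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def decode_body(raw: str, transfer_encoding: str = "base64") -> str:
    """Return the body as text; base64 is decoded, anything else is passed through."""
    if transfer_encoding.lower() == "base64":
        return base64.b64decode(raw).decode("utf-8", errors="replace")
    return raw


def strip_zero_width(s: str) -> str:
    """Remove zero-width characters so the host compares against the IOC list."""
    return "".join(ch for ch in s if ch not in ZERO_WIDTH)


def final_destination(url: str, max_hops: int = 5) -> str:
    """Follow nested redirect parameters offline (no network access) and return the
    last URL found, with zero-width characters removed."""
    current = url
    for _ in range(max_hops):
        params = parse_qs(urlparse(current).query)  # parse_qs percent-decodes values
        nxt = next((unquote(params[p][0]) for p in REDIRECT_PARAMS if p in params), None)
        if not nxt or not nxt.lower().startswith(("http://", "https://")):
            break
        current = nxt
    return strip_zero_width(current)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(body_text: str) -> list:
    """Extract every URL, unwrap redirects, and flag hosts found in the IOC list."""
    findings = []
    for url in URL_RE.findall(body_text):
        dest = final_destination(url)
        host = host_of(dest)
        findings.append({
            "url": url,
            "final": dest,
            "host": host,
            "verdict": "IOC-match" if host in IOC_HOSTS else "unknown",
        })
    return findings


# Constructed sample body: a "Review" link wrapped in the doubleclick redirect from the
# IOC table (xai/sig values replaced by placeholders) plus one benign link.
SAMPLE_HTML = (
    "<p>You have 3 messages held in quarantine.</p>"
    '<a href="https://googleads.g.doubleclick.net/pcs/click?xai=PLACEHOLDER'
    "&sig=PLACEHOLDER&adurl=https:%2F%2Fauthsignin.website%E2%80%8B.yandexcloud.net%23"
    '">Review</a> <a href="https://www.microsoft.com/">Microsoft</a>'
)
SAMPLE_BASE64 = base64.b64encode(SAMPLE_HTML.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for finding in triage(decode_body(SAMPLE_BASE64)):
        print(finding["verdict"], finding["host"], "<-", finding["url"][:60])
```

Run stand-alone, the script reports the doubleclick link as an IOC match on `authsignin.website.yandexcloud.net` and the Microsoft link as unknown. Resolving the redirect from the query string rather than by fetching it keeps the analyst from touching attacker infrastructure during triage; the zero-width stripping matters because a blocklist lookup on the raw `adurl` host would miss the match.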

Cofense Phishing Detection and Response Platform

The phishing story is not new. In fact, if anything, we are far more aware of phishing threats than we’ve ever been. Here are some things to think about: 

  • Attackers are human and constantly innovating to bypass technology 
  • 96% of breaches start with a phish 
  • Phish are easily bypassing gateway technology 
  • Business email accounts are routinely compromised (BEC) 
  • Many organizations are forced to pay ransomware bounties 
  • Large financial losses are occurring from compliance fines, loss of customers, IP theft, and recovery costs 
  • SOC analysts are overwhelmed performing incident response 
  • Awareness training can be ineffective if it is not aligned with real threats 
  • Artificial Intelligence that is deployed to detect phish is failing 

We’ll stop there – it’s 2020 after all, and there’s been enough bad news. So, here’s something good: 

Today, Cofense introduced its Phishing Detection and Response (PDR) platform, a solution designed specifically for enterprise organizations. As phishing attacks continue to become more sophisticated, persistent, and adaptive to legacy security defenses, demand for an extensive phishing defense solution is at an all-time high, and the need is critical. The Cofense PDR platform provides a comprehensive approach to stop phishing attacks through globally crowd-sourced phishing intelligence from 25 million people, combined with advanced automation.   

Cofense’s PDR platform can be deployed as an integrated suite of products or as comprehensive managed PDR service through our Phishing Defense Center (PDC). Both options effectively stop phishing attacks and combat the acuity of attackers through a combination of people and automated technology that quickly reduces and removes the risk.  

Cofense’s PDR platform is the most holistic solution on the market, and includes: 

  • PhishMe: Completely rearchitected to address the needs of enterprise-size organizations, users can more easily and efficiently run phishing simulations and manage their security awareness program; carefully crafted simulations based on real – not theoretical – phish immerse users in the experience of being phished from end to end, improving an organization’s resiliency to attacks. 
  • Triage: The first phishing-specific orchestration, automation and response solution that helps identify active phishing attacks in progress; suspected phish are rapidly clustered and analyzed by SOC analysts who queue indicators for remediation. 
  • Vision: Driven by automation, Vision quickly identifies all recipients of phishing attacks and automatically quarantines and removes the threat from all mailboxes; enables SOC and IR teams to proactively hunt for unreported threats, IOCs and TTPs, and creates transparent audit and governance of mitigation actions.
  • Reporter: Report suspicious emails and notify security teams in real time — with just one click. Users flag potential threats, and the original email and other valuable information is sent directly to an organization’s SOC to be quickly analyzed and the attack stopped. Instant feedback reinforces user training, strengthening the front line of defense. And with quick deployment and PC, Mac, and mobile device compatibility, it’s easy to get any team up and running.
  • Intelligence: Proprietary global collection sources provide an extensive real-time view into threat campaigns observed in the wild; delivers high-fidelity, phishing-specific alerts and intelligence, providing accurate and timely assessments of both the current phishing threat landscape and emerging trends. Information from the Intel solution can be easily integrated with existing SOARs, SIEMs and TIPs.

Cofense Managed PDR 

  • For enterprise organizations that prefer to seek managed solutions, the Cofense PDC team delivers Managed PDR, handling the entire phishing detection and response process. Security operators gain the expertise and resources — and the peace of mind — needed to proactively defend against current or emerging threats with unparalleled outcomes when they engage Cofense’s Managed PDR. In fact, you can read about how the PDC team stopped and removed an attack in less than 10 minutes.

With the Cofense PDR Platform, you get:

  • A global network of 25 million people actively identifying and reporting suspected phish 
  • Automation technology to quickly analyze, verify and quarantine phish throughout an organization 
  • Shared intelligence across teams and with others in a global network  
  • Effective, real-world phish simulation training 
  • Solutions delivered as integrated products or managed service 

The Cofense combination of human detection with automated response and intelligence allows organizations to detect phish in their environment, educate employees on how to identify and report phish, and respond quickly to remediate the threats before there is harm done to their organization. Cofense is the only PDR platform, and the only one to provide all of these capabilities in one solution. Our goal is to enable every company to defend itself against phishing threats. And with the strength of our global Cofense network, together we can OutHuman the Threat.

Learn more about Cofense and PDR, here.  


PDR Platform: Cofense Introduces Industry Changing Phishing Detection and Response Platform

Leesburg, Va. – Dec. 7, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today introduced its Phishing Detection and Response (PDR) platform, a solution designed specifically for enterprise organizations. As phishing attacks continue to become more sophisticated, persistent, and adapt to legacy security defenses, demand for end-to-end phishing defense solutions is at an all-time high. The Cofense PDR platform provides a comprehensive approach to stopping phishing attacks through global crowd-sourced phishing intelligence from 25 million people combined with advanced automation.

Cofense’s new PDR platform is designed to deploy as an integrated suite of products or delivered as a comprehensive managed PDR service through the Cofense Phishing Defense Center (PDC). Both options effectively stop phishing attacks and combat the savviness of attackers through a combination of people and automated technology to quickly reduce and remove the risk.

Despite massive investments in secure email gateways (SEGs) and awareness training across industries, phishing attacks continue to reach users. Gartner’s report* “How to Respond to the 2020 Threat Landscape” (17 June 2020; John Watts), mentions:

  • “Phishing is still the No.1 initial access vector for malware attacks”
  • “Phishing and other human-facing social engineering tactics remain the primary vectors of successful attacks”
  • “Spear phishing, as well as whaling using business email compromise (BEC) are becoming more common and, potentially, more destructive. The FBI reported that BEC accounted for more than $26 billion in losses from 2016 through 2019.”

“Cofense is the leading provider of PDR as a result of our approach in combining technical innovations with a network of over 25 million people around the world who identify, report and share suspected phish information. Human Intelligence will always be greater than Artificial Intelligence, and when combined with technology, Cofense delivers unparalleled protection for organizations,” said Rohyt Belani, Co-Founder and CEO, Cofense.

Cofense’s PDR platform is the most holistic solution on the market, and includes:

  • PhishMe: Completely rearchitected to address the needs of enterprise-size organizations, users can more easily and efficiently run phishing simulations and manage their security awareness program; carefully crafted simulations based on real – not theoretical – phish immerse users in the experience of being phished from end to end, improving an organization’s resiliency to attacks.
  • Triage: The first phishing-specific orchestration, automation and response solution that helps identify active phishing attacks in progress; suspected phish are rapidly clustered and analyzed by SOC analysts who queue indicators for remediation.
  • Vision: Driven by automation, Vision quickly identifies all recipients of phishing attacks and automatically quarantines and removes the threat from all mailboxes; enables SOC and IR teams to proactively hunt for unreported threats, IOCs and TTPs, and creates transparent audit and governance of mitigation actions.
  • Intelligence: Proprietary global collection sources provide an extensive real-time view into threat campaigns observed in the wild; delivers high-fidelity, phishing-specific alerts and intelligence, providing accurate and timely assessments of both the current phishing threat landscape and emerging trends. Information from the Intel solution can be easily integrated with existing SOARs, SIEMs and TIPs.

Cofense Managed PDR

  • For enterprise organizations that prefer to seek managed solutions, the Cofense Phishing Defense Center team delivers Managed PDR, managing the entire phishing detection and response process. Security operators gain the expertise, resources and peace of mind needed to proactively defend against current or emerging threats with unparalleled outcomes by engaging Cofense Managed PDR. As recently discussed, the PDC team stopped and removed an attack in less than 10 minutes.

The Gartner Market Guide for Email Security (published September 8, 2020, Mark Harris, Peter Firstbrook, Ravisha Chugh) recommends that “Security and risk management leaders responsible for email security should: Address gaps in the advanced threat defense capabilities of an incumbent secure email gateway (SEG) by either replacing them or supplementing them with complementary capabilities via API integration.”

By integrating all components of the Cofense PDR platform, organizations can detect phish in their environment, educate employees on how to identify and report phish, and respond quickly to remediate the threats before there is harm done to their organization. To learn more about Cofense and PDR, please visit cofense.com/product-overview.

*Gartner, How to Respond to the 2020 Threat Landscape, John Watts, 17 June 2020


About Cofense
Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 25 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.


Media Contact

[email protected]

Emergency Financial Aid Phish

By Dylan Main, Cofense Phishing Defense Center

With widespread financial uncertainty and talk of further stimulus funding in the news, many people are desperate for some form of monetary relief. Threat actors have begun taking advantage of this desperation by creating campaigns tailored to these uncertain times. The Phishing Defense Center (PDC) has discovered a phishing attack that attempts to obtain personal information by exploiting hopes for economic relief.

Figure 1: Email Body 

The email presents itself as a reply to a contact form the recipient supposedly filled out, and it tries to win attention through a tone of familiarity. By opening with “Thank you for contacting us,” the threat actor implies that the recipient previously expressed interest in a third party by submitting the form with their email address. The message body then lures the victim with a link to details of an emergency grant of $5,800 supposedly available from the U.S. government. By appealing to the current fiscal concerns of many Americans, the threat actor wants to entice the target into clicking the “Read details” link.

Figure 2: Landing Page of Phish 

Clicking the link redirects to a detailed page that appears to be a legitimate federal government website (Figure 2). Unlike many campaigns, this one goes a step further in its attention to detail to make the page look like a real government site. The threat actor has added several items to bolster its credibility, including financial statistics and a detailed outline of this “Emergency Financial Aid.” The page also has a button offering the visitor the option to verify their data in order to collect the funds.

Figure 3: Second Step of Phish 

Clicking the button takes the visitor to the actual phishing page, seen above in Figure 3. Like the landing page, it is detailed and unlike generic phishing pages. It asks the user to check compensation eligibility by providing their Social Security Number, address, date of birth and other personally identifiable information (PII). Another detail to note is that the form warns that checking another person’s data is strictly prohibited, which adds to the seeming authority. Once the victim enters data into the requested fields and clicks the “Run Check” button, all of this private information is sent to the threat actor.

Figure 4: Phishing Page 

The Cofense Phishing Defense Center has also identified a new phishing page that redirects from the same infection URL (Figure 4). This page is similar to the original phish; however, it uses the allure of tax relief for the current coronavirus pandemic to lure people into giving their personal information.   

Figure 5: Phishing Page 

As you can see above, Figure 5 resembles Figure 3 in that it collects PII. However, on this page, a chat window at the bottom right appears to simulate actual conversations between other users apparently excited about the potential tax relief. This is an interesting tactic and adds to the illusion of authenticity.  

Figure 6: Final Confirmation Page 

After data is entered into either of the two phishing pages, the victim is redirected to a confirmation page thanking them for providing their information and promising a prompt reply. This is just the last of many devices the threat actor uses to convince the victim that the application is legitimate, and it shows that threat actors will take advantage of any and all situations to gain confidential information.

Indicators of Compromise

Phishing URL (defanged)  |  Resolving IP (defanged)
hXXps://gynexivo[.]page[.]link/HoMkDxuaa5hTwWtg6  |  172[.]217[.]15[.]110
hXXp://ungodsirealnighchis[.]gq/us/protecting-americas-consumers-covid/  |  104[.]24[.]101[.]186
hXXps://otasasbetiscu[.]tk/us/korona  |  172[.]67[.]168[.]232
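The indicators above are published defanged, so before they can be matched against mail logs or reported messages they have to be refanged and split into URL, host and IP lookups. The script below is an added example, not Cofense code or part of the original post: it parses the IoC lines exactly as listed, extracts URLs from an email body, reports exact URL and host matches, and adds two structural heuristics drawn from this campaign, a link that goes through a dynamic-link redirector (page.link) and a landing host on a free-to-register TLD. The FREE_TLDS list, the REDIRECTOR_SUFFIXES tuple and the sample email body are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published in the post's IoC section, kept defanged in source.
PUBLISHED_IOCS = """
hXXps://gynexivo[.]page[.]link/HoMkDxuaa5hTwWtg6  172[.]217[.]15[.]110
hXXp://ungodsirealnighchis[.]gq/us/protecting-americas-consumers-covid/  104[.]24[.]101[.]186
hXXps://otasasbetiscu[.]tk/us/korona  172[.]67[.]168[.]232
"""

# Assumption: TLDs that were free to register at the time; tune to your own telemetry.
FREE_TLDS = (".tk", ".gq", ".ml", ".cf", ".ga")
# Assumption: dynamic-link / redirector services worth flagging; page.link is the one used here.
REDIRECTOR_SUFFIXES = ("page.link",)


def refang(value: str) -> str:
    """Undo hXXp:// and [.] defanging so a published indicator can be compared to live data."""
    value = value.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_iocs(text: str) -> dict:
    """Parse 'URL  IP' lines into lookup sets keyed by full URL, hostname and IP."""
    iocs = {"urls": set(), "hosts": set(), "ips": set()}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        url = refang(parts[0])
        iocs["urls"].add(url.rstrip("/"))
        host = urlparse(url).hostname  # already lowercased by urlparse
        if host:
            iocs["hosts"].add(host)
        if len(parts) > 1:
            iocs["ips"].add(refang(parts[1]))
    return iocs


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> list:
    """Pull http(s) URLs out of an email body, stripping trailing punctuation."""
    return [u.rstrip(".,;:)>]") for u in URL_RE.findall(body)]


def check_email(body: str, iocs: dict) -> list:
    """Return (url, reason) findings: exact IoC hits first, then structural heuristics."""
    findings = []
    for url in extract_urls(body):
        host = (urlparse(url).hostname or "").lower()
        if url.rstrip("/") in iocs["urls"]:
            findings.append((url, "exact match on published phishing URL"))
        elif host in iocs["hosts"]:
            findings.append((url, "host matches published phishing host"))
        if host.endswith(FREE_TLDS):
            findings.append((url, "free-registrar TLD"))
        if host.endswith(REDIRECTOR_SUFFIXES):
            findings.append((url, "link goes through a dynamic-link/redirector service"))
    return findings


# Constructed sample body modelled on the lure described in the post; the malicious links are
# built by refanging the published indicators so no live URL appears in the source.
SAMPLE_EMAIL = (
    "Thank you for contacting us.\n"
    "An emergency grant of $5,800 is available from the U.S. government.\n"
    "Read details: " + refang("hXXps://gynexivo[.]page[.]link/HoMkDxuaa5hTwWtg6") + "\n"
    "Tax relief: " + refang("hXXps://otasasbetiscu[.]tk/us/korona") + "\n"
    "Questions? https://www.example.com/contact\n"
)


def run_sample() -> list:
    """Run the published IoCs against the constructed sample message."""
    return check_email(SAMPLE_EMAIL, parse_iocs(PUBLISHED_IOCS))


if __name__ == "__main__":
    for url, reason in run_sample():
        print(f"{reason}: {url}")
```

Match on hostname or full URL rather than on the listed IPs: the first address fronts Google's dynamic-link service and the other two are CDN front ends shared by many unrelated sites, so an IP block would produce false positives without stopping the actor from re-pointing the domain. The heuristics are deliberately separate from the exact matches so a SOC can weight them differently in triage.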