Cofense Labs Shares Research on Massive Sextortion Campaign

Are you one in two hundred (or so) million?  

Today, Cofense™ announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them.  

What’s Sextortion? 

You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: 

Send an email in which they claim to have installed malware on your system and have a record of your browsing history to some websites of an adult nature, and also footage from your webcam. If you don’t pay the stated ransom in bitcoin, they will release the footage to your family, friends, and co-workers. To add credibility to their threats, they include passwords hoovered up from data breaches of old that they have found littering the web.  

Show me the money! 


During the research into this campaign, Cofense Labs identified over 200m recipients on the target list. Over 7.8m sextortion emails have been analysed and bitcoin payments have been tracked. In this single campaign, over 17,000 bitcoin wallets were identified, with 1,265 payments being made across 321 of them, with one payment = one victim. At the time of analysis, these payments were worth over $1.8m.   

We have made it possible for you to check whether your email address, or email domain, is on the list. Just visit https://cofense.com/sextortion to perform the lookup and download an infographic and educational guide regarding sextortion campaigns and how to defend against them. 

Why Cofense Labs? 

Knowing is everything, and to be able to effectively defend against the fast-evolving phishing threat landscape, you’ve got to have a deep understanding of it. Cofense Labs allows us to share the results and the output of the pioneering research that our R&D team undertakes to provide this knowledge. By sharing what we know, we can hopefully enable organizations of all sizes to collaborate and protect their most precious assets against the latest phishing threats. 

If you’re at Black Hat in Las Vegas this week, come and see us at Booth 938 in the Shoreline Business Hall. You can meet members of the Cofense Labs team, and see whether your email address or domain is on the target list. 

 OTHER WAYS COFENSE CAN HELP 

Reports of sextortion and other ransom scams to the Cofense Phishing Defense Center™ are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™. 

Quickly turn user-reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™. 

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeeker™. 

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

DMARC Is NOT a Fail-Safe Defense against Phishing Attacks

DMARC, or Domain-based Authentication Reporting & Conformance, is an email authentication, policy and reporting protocol. It was conceived to prevent impersonation-based phishing attacks, but it doesn’t protect you 100%. Let’s examine why.

What DMARC Can Do

DMARC builds on the existing and widely deployed SPF and DKIM protocols. All mechanisms to protect the email infrastructure we so heavily rely upon should be gratefully received, but as with everything the benefits and limitations should be fully understood. It is this understanding that allows us to optimize our defenses against the perpetual menace of phishing attacks.

DMARC has the most promise in helping organisations defend against Business Email Compromise (BEC) type attacks, which often depend on successful impersonation. As a result, DMARC should be evaluated as a mitigating control for these types of attacks, protecting both outbound as well as inbound email.

DMARC aims to get email senders and receivers working together in a standardized, coordinated way to determine whether a given email is legitimately from the sender—and the actions to be taken if it isn’t.

Therefore, if alice@sender.com sends an email to bob@receiver.com, appropriate DMARC policies can help remove the guesswork and answer the question “Has this email really been sent by alice@sender.com?”. By protecting their messages with SPF and DKIM, and using DMARC, sender.com can tell receiver.com what to do if these authentication methods fail, for example, reject the message.

What DMARC CAN’T Do

It all sounds good, but what if the email comes from alice@sendr.com, or alice@sencler.com—does DMARC help then? Unfortunately, not. What about if the message is sent by alice@sendr.com, but the From: field has been modified to look like it comes from alice@sender.com—does DMARC keep Bob safe? No again.
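The gap described above can be shown in a few lines. This is an added example, not code from the original article: it evaluates relaxed DMARC alignment for four constructed messages and then runs a separate adjacent-domain check. The trusted-domain list, the confusable-sequence table and the helper names are assumptions made for the illustration.

```python
# Added example. Domains are the article's own illustrations; the message
# records below are constructed for this demonstration.
TRUSTED_DOMAINS = {"sender.com"}  # domains Bob's organisation really deals with

# Letter sequences that read as another letter at a glance.
# Assumed, non-exhaustive list chosen for this example.
CONFUSABLES = [("rn", "m"), ("cl", "d"), ("vv", "w"), ("0", "o"), ("1", "l")]


def org_domain(domain):
    """Naive organisational domain (last two labels). Production code
    should consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_pass(from_domain, spf_ok, spf_domain, dkim_ok, dkim_domain):
    """Relaxed-alignment DMARC: SPF or DKIM must pass for a domain that
    shares the organisational domain of the From: header."""
    target = org_domain(from_domain)
    return bool((spf_ok and org_domain(spf_domain) == target)
                or (dkim_ok and org_domain(dkim_domain) == target))


def skeleton(domain):
    """Collapse confusable sequences so 'sencler' and 'sender' compare equal."""
    d = domain.lower()
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_domain(from_domain):
    """Return the trusted domain that from_domain resembles, or None."""
    d = org_domain(from_domain)
    if d in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(d) == skeleton(trusted) or edit_distance(d, trusted) <= 1:
            return trusted
    return None


def assess(msg):
    """Return (DMARC result, trusted domain being imitated or None)."""
    passed = dmarc_pass(msg["from_domain"], msg["spf_ok"], msg["spf_domain"],
                        msg["dkim_ok"], msg["dkim_domain"])
    return passed, imitated_domain(msg["from_domain"])


# Constructed messages: authentication results as a receiving server would record them.
LEGIT = {"from_domain": "sender.com", "spf_ok": True, "spf_domain": "mail.sender.com",
         "dkim_ok": True, "dkim_domain": "sender.com"}
UNALIGNED = {"from_domain": "sender.com", "spf_ok": True, "spf_domain": "bulk-mailer.example",
             "dkim_ok": False, "dkim_domain": ""}
ADJACENT_1 = {"from_domain": "sendr.com", "spf_ok": True, "spf_domain": "sendr.com",
              "dkim_ok": True, "dkim_domain": "sendr.com"}
ADJACENT_2 = {"from_domain": "sencler.com", "spf_ok": True, "spf_domain": "sencler.com",
              "dkim_ok": True, "dkim_domain": "sencler.com"}

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("unaligned", UNALIGNED),
                      ("sendr.com", ADJACENT_1), ("sencler.com", ADJACENT_2)]:
        print(name, assess(msg))
```

Both adjacent domains pass DMARC because they authenticate correctly as themselves; only the separate similarity check ties them back to sender.com.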

While display-name abuse and adjacent-domain abuse are well recognized, there’s another growing phishing tactic that neutralizes DMARC completely. DMARC has capabilities to validate the sender’s authenticity, but it has no capability to validate the authenticity of the email content.

Recently, the Cofense™ Phishing Defense Center has seen a significant rise in Man-in-the-Inbox style attacks. These attacks typically occur when user credentials have been compromised and are used to gain access to the compromised user’s mailbox and send malicious emails. These emails might be sent internally (no DMARC there…) or to a trusted third-party (DMARC might be configured, but as the message is coming from a legitimate user, SPF and DKIM check out, and the message is delivered…). The recent PDC zombie phish blog post discusses one style of Man-In-The-Inbox attack in more detail.

Given this, it’s important that email teams don’t expect more from DMARC than it can do. It’s equally important that security teams ensure that end users are empowered to be “human sensors,” to identify and report emails that look suspicious. Users need to be alert to visual clues, such as adjacent sender domains, peculiar content, or unusual or unexpected emails, even if the emails come from internal senders or trusted third parties.

We all need to remember that real phish are the real problem. This means knowing what real phish look like as they evolve day to day—and not expecting DMARC to do more than it really can.

Want to learn more about the DMARC protocol? Take a look at https://dmarc.org for the juicy details.

 


Uncomfortable Truth #5 about Phishing Defense

Last in a 5-part series. 

In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth:  

Most organizations are unable to effectively respond to phishing attacks.  

Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but in my experience, tend to fall into one of two buckets: 

  1. Not enough time 
  2. Not enough experience/understanding

Not enough time  

This is already well understood. SOC teams are perpetually spinning multiple plates, trying to make sense of the stream of data they are presented with from an abundance of tools. This problem can be compounded when users are empowered and enabled to report suspicious emails. The Cofense™ Phishing Defense Center (PDC) sees differing reporting volumes across the customers who use us for phishing email analysis. While reported mail volumes differ, they tend to fall within common low and high watermarks – equivalent to around 10% and 35% of users reporting at least one email per month.  

For every 1,000 users, that’s the SOC having to consume and analyze between 100 and 350 reported emails per month. The PDC also observes that 1 in 7 of the emails reported to us contain malicious content. Therefore, 6 out of 7 are false positives, or noise. The largely unstructured nature of these reported emails and the sheer volume of noise can make analysis a thankless task that gets de-focused in favour of other more immediate priorities.  

Not enough experience/understanding 

Effective phishing email analysis is much harder than many people imagine. One of the biggest issues that organizations face is the risk of false-negative results, post-analysis. These false negatives occur when a reported phishing email is considered to be benign, and is returned to the reporting user with a message that says, “Thanks for reporting, this email was found to be safe.” The subsequent click delivers a missed payload and compromise occurs.  

To remain razor sharp in your analysis skills, you have to maintain an understanding of the constantly evolving threat landscape and threat actor TTPs. All too often, I see organizations relying on an already overburdened service desk to perform initial, or complete, analysis of reported phishing emails. Without adequate skills, they rely on tools such as VirusTotal to tell them whether something is bad or not. However, as useful as these tools are for information and context, they should never be considered a source of absolute truth.   

Effective phishing analysis and response 

Simply sending a file or URL to a sandbox or checking online threat analysis tools and databases is not good enough. SOC teams and threat analysts must be able to consume reports of suspicious emails from users and turn them into actionable intelligence quickly.  

This means they must be able to prioritize what is being reported to cut through the noise of false positives, such as legitimate marketing or internal emails, and automatically understand risk based on: the attributes of the email content and any attachments; the status of the user reporting the email (are they high-risk employees with access to sensitive information or processes); the reputation of the user (have they demonstrated an ability to identify and report suspicious emails in the past – essential to help prioritize zero-day threats); and information from third-party threat analysis tools to help build a fuller picture.  
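One way to turn those four inputs into a triage queue, shown as an added example rather than anything taken from a Cofense product. The field names, the weights and the sample reports are all assumptions; the reputation formula is smoothed so that a reporter with no history starts at the 1-in-7 base rate quoted above, and a "clean" third-party verdict never lowers a score.

```python
from dataclasses import dataclass


@dataclass
class Report:
    report_id: str
    has_link: bool
    has_attachment: bool
    sender_is_external: bool
    reporter_high_risk: bool   # e.g. finance staff or privileged admins
    reporter_hits: int         # past reports confirmed malicious
    reporter_total: int        # past reports in total
    intel_verdict: str         # "malicious", "clean" or "unknown"


def reporter_reputation(r):
    """Smoothed hit rate. With no history it equals 1/7, the share of
    reported emails the article says turn out to be malicious."""
    return (r.reporter_hits + 1) / (r.reporter_total + 7)


def score(r):
    """Higher score = analyse sooner. Weights are illustrative assumptions."""
    s = 0.0
    s += 2 if r.has_link else 0
    s += 2 if r.has_attachment else 0
    s += 1 if r.sender_is_external else 0
    s += 3 if r.reporter_high_risk else 0
    s += 10 * reporter_reputation(r)
    # Third-party intel can only raise priority. "clean" and "unknown" are
    # treated alike because a clean verdict is context, not proof of safety.
    s += 10 if r.intel_verdict == "malicious" else 0
    return s


def prioritise(reports):
    """Return reports ordered from most to least urgent."""
    return sorted(reports, key=score, reverse=True)


# Constructed sample queue.
SAMPLE = [
    # Marketing newsletter reported by someone who reports everything.
    Report("A", True, False, True, False, 0, 20, "clean"),
    # Unknown to scanners, but reported by a high-risk user with a strong record.
    Report("B", True, True, True, True, 9, 10, "clean"),
    # Already flagged by third-party tools, reported by a first-time reporter.
    Report("C", True, False, True, False, 0, 0, "malicious"),
    # Plain internal email from a rarely accurate reporter.
    Report("D", False, False, False, False, 1, 30, "unknown"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        print(r.report_id, round(score(r), 2))
```

Report B lands near the top of the queue even though every scanner called it clean, which is the zero-day case the reporter-reputation input exists for.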

Once a threat is analyzed and understood, SOC teams need to be able to quickly hunt for the threat within all user mailboxes and quarantine it when found. In addition, they must be able to communicate IOCs to other teams, such as those responsible for proxies, mail gateways, and endpoint security tools, to take further defensive or mitigating actions. Finally, they must close the loop by providing timely feedback to users to encourage further reporting behavior, thus supporting awareness activities. 

The Cofense Phishing Defense Center can help.  

For organizations who still struggle to devote the time to phishing email analysis, but who recognize the need to regain visibility of threats that bypass perimeter controls, the Cofense Phishing Defense Center can help. Operating 24×7, the PDC is staffed by experienced phishing threat analysts to handle all elements of analysis of reported emails.   

Supported by Cofense Research and Intelligence teams, the PDC is able to utilize as needed an array of proprietary, open source, and commercial threat analysis tools. Benefitting from a global perspective of threats across all PDC customers, our analysts are able to maintain the most up to date understanding of evolving phishing threat actor tactics, along with techniques for capturing all IOCs, even when automated approaches fail.  

Once threats have been identified, actionable intelligence is passed to customer teams. By utilizing the PDC, organizations can focus their resource-constrained SOC teams on mitigation and proactive protection, versus phishing email analysis. Learn more about the Cofense Phishing Defense Center here. 

 


Uncomfortable Truth #4 about Phishing Defense

Part 4 of a 5-part series.  

I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple: 

Users are NOT the problem. 

There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better. 

Let’s illustrate with a story from Malcolm Gladwell.  

In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it turned out.

To cut a long story short, the museum was offered what they considered to be one of the finest examples of a Greek Kouros statue the world had seen. They were understandably excited, but cautious – the asking price was $10m – a lot of money now, but a more considerable amount in 1982.   

The statue was borrowed, and tests were organised to verify authenticity. The stone was analysed, providing its age and an assertion to where it came from. Scientists confirmed that the calcification on the stone was merely the result of being in the ground for hundreds of years. The accompanying paperwork checked out, and the museum agreed to the purchase.  

But despite the museum’s checks, upon viewing the statue, many art historians and specialists had the same reaction: an ‘intuitive repulsion’ in the first few seconds of seeing it that led them to react – “it’s a fake.” None of the doubters could quite put their finger on what specifically it was about the statue that made them react so quickly the way they did, other than it just didn’t look right.  

What does a story about a Greek statue have to do with phishing defense?  

The museum relied on technology and science to confirm authenticity. However, subsequent analysis based on human intuition found that (1) the calcification of the stone could be replicated with potato mould, and (2) addresses on the supplied paperwork just didn’t exist when the documents were claimed to have been created. Despite all the available technology and science, gut reaction yielded a better conclusion.

Harnessing this intuition can be transformational to phishing defense. Rather than try to cut our users out of the loop and rely upon technology to keep us safe from phishing threats, we must exploit this natural intuition or gut feel. We have to recruit our users into a network of human sensors to provide visibility to phishing attacks that have made it to the inbox. After all, if the user doesn’t tell us, nothing will.  

Your users can and should help detect real attacks. 

Phishing simulation is an essential element of an overall phishing defense strategy, but it should never be used to ‘test’ our users – phish testing is the antithesis of phishing defense. Phishing simulation must be used to keep the threat of phishing front and center in users’ minds and keep them conditioned to constantly evolving threat actor tactics and techniques – particularly those specific tactics and techniques that we see being used against our organisations.  

The primary outcome of phishing simulation should be ensuring that users understand the role they play in protecting the organisation by providing visibility of phishing attacks. Like most users, I occasionally receive emails that don’t look right. I could just delete them. However, that action protects me as an individual, but it doesn’t protect the organisation as a whole. To do this, I must sound the alarm, and help our security teams get visibility of an attack, so they can take the actions to disrupt it.  

I can do this because I’ve been enabled to recognize something as suspicious, and it’s been made easy for me to report it. A single click of a button within the email client ensures that there is no process to forget, and if I really do catch one, I get timely feedback thanking me. I pat myself on the back, and am motivated and more inclined to report in the future as I know I’m making a difference. 

Next and last in this series, we’ll look at Uncomfortable Truth #5 – Most organizations are unable to effectively respond to phishing attacks. Until then, learn more about anti-phishing trends in our State of Phishing Defense 2019 report.  

 


Uncomfortable Truth #3 about Phishing Defense

Part 3 of a 5-part series.

In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click.

To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a reduction in susceptibility, or click rate. However, before we commit to a low click-rate as an indicator of improved security posture, and thus an ability to better defend against phishing threats, let’s consider…

Uncomfortable Truth #3 – The best security awareness program in the world will NEVER deliver a zero click rate.

As the pioneers of phishing simulation used to educate employees, we at Cofense™ know quite a bit about it. Effective phishing simulation (i.e. a phishing simulation program that actually conditions the desired behavior in a REAL attack situation) is more than just sending a few spoofed emails to users to see who clicks and who doesn’t.

While lower overall susceptibility, or click rate, is a desirable benefit, it should not be the primary objective. When reviewing data based on >2000 enterprise customers using the Cofense PhishMe™ phishing simulation platform over the last few years, we’ve seen average susceptibility flatten at about 11.5%. Here’s how the math works out:

Imagine a phishing attack that targets 1000 employees in the same organization (attacks like this are common). With an average susceptibility rate of 11.5%, this attack could easily net the threat actor 115 sets of credentials, or 115 endpoints compromised with malware. Even an industry-leading susceptibility rate of 3% in simulations results in a compromise of 30 individuals – more than enough to cause significant disruption and damage, such as Man in The Inbox attacks directed at business partners and customers. And if security teams are not aware of the attack, how can they stop it?

When investing time, effort and resources in phishing simulation activities, it’s critical to remember that REAL phish are the REAL problem. While the CISO, security awareness, and security operations stakeholders might have differing day to day responsibilities, they all have the overarching responsibility to improve organizational security posture. By breaking down silos and working more closely together, they can challenge current thinking and ask, “How can we ensure our phishing simulation activities are truly representative of the actual threats we receive?”

When you approach your program this way, you can encourage the right user behavior. Click rate alone becomes less important, and you begin to wrestle back an element of control in how users respond to real attacks.

In part 4, we’ll take a look at perhaps the most contentious uncomfortable truth of all: Users are NOT the Problem. We will attempt to bust the myth that the problem exists between the keyboard and chair.

Until then, learn more about anti-phishing trends in our State of Phishing Defense 2018 report.

 


Uncomfortable Truth #2 about Phishing Defense

In Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into: 

Uncomfortable Truth #2: You cannot defend against attacks you cannot see. 

Visibility is a core tenet of any security operations center. After all, if a SOC has no visibility of an attack, they cannot mitigate it. As the threat landscape evolves, organizations deploy more and more layers of technology – panacea-promising point products aimed at the threat du jour. Sometimes these products generate so much noise they create a fog that obscures the threat. Sometimes they just don’t realize it’s there at all. 

If some of the controls we have in place to protect us from phishing threats are failing to deliver on their promises, what next? I’m certainly not advocating that we rip out our secure email gateways and ditch them into the dumpster of derision. As I said in part 1, they do a good job of stopping known threats and patterns, and I for one am grateful for them stopping unwanted and unsolicited spam reaching my inbox.

Yet I’ve had many conversations with people who are placing blind faith in the promises of technical controls to keep them safe from phishing. While such enthusiasm is admirable, in this context it’s misplaced. The scale and sheer pace of evolution within the phishing threat landscape means that like any other control, it’s not going to be 100% effective. Bad stuff will get through, right under your noses. 

Therefore, we have to remember that when technology fails, the only sensor that can give us visibility of attacks that have bypassed perimeter controls is the recipient themselves. Yet visibility of an attack is more than merely getting a report of a suspicious email from an end user. In future posts, we’ll look at this in more detail, and discuss enabling and empowering users to report suspicious emails, along with the capabilities needed to get visibility of phishing attacks. 

 Next up: Uncomfortable Truth #3 – The best security awareness program in the world will NEVER deliver a zero click rate. Until then, learn more about the expertise of Cofense Phishing Defense Center.  

 


Uncomfortable Truth #1 about Phishing Defense

Part 1 of a 5-Part Series   

The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks.  

Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded; in fact, it’s become more sophisticated and more effective.  

It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In this blog series, we’ll explore these uncomfortable truths and perhaps challenge conventional thinking. Ultimately, we’ll aim to equip you with a refreshed perspective on how to stop phishing attacks in their tracks. 

 Uncomfortable Truth #1 – No matter how good your perimeter defenses, phishing emails are still reaching the inbox. 

Contrary to much of the marketing hype we see in the cybersecurity industry, technology does not, and cannot, stop all phishing emails from reaching a user’s inbox. Sure, technologies like secure email gateways do a good job at stopping known threats and risk patterns, and machine learning and artificial intelligence may live up to expectations for certain attack types such as business email compromise.  

But, and it’s a big but, as defensive technologies become more pervasive, threat actors simply evolve their tactics and techniques to neutralise them. Added to that, any security control is a balance of protection over usability – i.e. being frictionless to the user. Here at Cofense, we see this every day.  

The Cofense Phishing Defense Center currently receives and analyzes suspicious emails from some 2 million enterprise users globally. That’s quite a network of human sensors. 1 in 7 of the emails reported by these users is found to have malicious content. The important thing to remember is that every email our analysts examine has bypassed one or more layers of technical controls that were put in place to prevent threats from reaching the inbox. 

The tactics and techniques used to maximize chances of successful delivery and payload execution are evolving all the time. Some of these tactics pit technology against technology, while others remain surprisingly low tech.  

Waxing Lyrical about the Brazilian Phish.  

Recently, the Cofense Phishing Defense Center began receiving reported emails that followed the somewhat unimaginative but proven theme of ‘Attached Invoice.’ Upon analysis, the attachment appeared benign – no malicious behavior was observed.  

However, it had all the hallmarks of a phish, and the analysts could see more reports arriving – all from Brazil. With this in mind, they put on their metaphorical Brazilian hat, and gave their analysis workstation a Brazilian IP address.   

This time, upon execution, the analysts observed different behavior with the attachment. A connection was made to payload infrastructure, and a malicious script was downloaded. The script didn’t execute, but deeper analysis identified further location validation checks. After configuring the analysis workstation with a Brazilian locale and keyboard layout, the sample was executed again, and, voila, IOCs were captured. The net result? Automated analysis would have had a hard time identifying this threat, as this customer’s perimeter controls clearly did.  

Zombie Apocalypse. Now. 

Here’s another example of how phishing tactics evolve. Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off: the topic of the email is months out of date, and now there is a weird error message. 

Meet the Zombie Phish, a devious tactic that revives a long-dead email conversation. Fraudsters hijack a compromised email account, and using that account’s inbox, reply to dormant conversations with a phishing link or malicious attachment. Because the subject of the email is directly relevant to the victim, a curious click is highly likely to occur. 

These types of attacks are dangerous as they can involve internal-to-internal communication, or communication between trusted third parties. When combined with other techniques such as malicious content being hosted in cloud-sharing services like Dropbox, OneDrive, or Sharepoint.com, inline controls can be rendered ineffective. Learn more about this attack in this Cofense blog: Re: The Zombie Phish

Next in this series: Uncomfortable Truth #2: You cannot defend against attacks you cannot see. In the meantime, learn more about the expertise of Cofense Phishing Defense Center.  

 


Finding the Whole Phishing Attack: Problems and Solution

Mitigating a phishing attack is a little like zapping termites. If you don’t eliminate the whole problem, trouble continues to breed.

To help, Cofense™ has announced the general availability of Cofense Vision™. We knew that existing email search and quarantine tools weren’t fast enough, making it hard for the SOC to find and remove every phish.

Integrated with the latest release of Cofense Triage™, Cofense Vision lets incident responders see the entire phishing attack, including emails not reported by users. With a single click, the SOC can quarantine every bad email and stop the attack in its tracks.

Cofense Vision copies and stores all emails in the customer’s cloud, so the SOC can look for a phishing campaign without creating more work for the email team. The solution also provides a compliant, auditable workflow.

Let’s take a closer look at some of the problems it solves.

“Searching takes too long.”

Every day, phishing emails bypass perimeter defenses to land in users’ inboxes. As the Cofense Phishing Defense Center has reported, 1 in 7 reported emails is malicious. In 2018 alone, for example, our team found over 55,000 credential phishing attacks. A single well-crafted phish can cost a business big. It’s critical to perform searches quickly and efficiently, especially since threat actors are more creative in evading network security with polymorphism, encryption, and obfuscated malware.

But traditional native tools, PowerShell, for instance, make email searching complex and extremely time-consuming. To search and purge with PowerShell you’re limited to 50,000 mailboxes. If the mail environment is larger, you have to create multiple searches.

You also have to build searches for multiple senders or multiple subject lines, which complicates the hunt and slows it even more. It’s also tough to know that you’re hitting every mailbox and not missing any threats.

In old-school searching, emails are grouped together, or “clustered,” based on an exact match to criteria like sender and subject. This allows you to find emails that match criteria you know about. However, such an approach to clustering doesn’t account for the way malware morphs and avoids exact matching, in some cases changing the sender, subject, or content for each recipient.
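The difference is easy to see on a small mailbox sample. The following is an added example, not Cofense Vision's algorithm: it groups four constructed messages first by exact sender and subject, then by a content fingerprint compared with Jaccard similarity. The fingerprinting rules and the 0.7 threshold are assumptions chosen for the illustration.

```python
import re

# Constructed sample of mailbox messages (not real data). Messages 1-3 are
# one campaign whose sender, subject, name and URL vary per recipient.
SAMPLE = [
    {"id": 1, "sender": "billing@inv-0193.example", "subject": "Invoice 48213 overdue",
     "body": "Dear Ana, your invoice 48213 is overdue. "
             "Review it at http://a1.example/pay?id=48213 today."},
    {"id": 2, "sender": "accounts@inv-7741.example", "subject": "Overdue invoice 90177",
     "body": "Dear Raj, your invoice 90177 is overdue. "
             "Review it at http://zz9.example/pay?id=90177 today."},
    {"id": 3, "sender": "billing@inv-0193.example", "subject": "Invoice 48213 overdue",
     "body": "Dear Lee, your invoice 48213 is overdue. "
             "Review it at http://a1.example/pay?id=48213 today."},
    {"id": 4, "sender": "news@shop.example", "subject": "Spring sale starts now",
     "body": "Our spring sale starts now. "
             "Save on garden tools and outdoor furniture this week."},
]


def exact_clusters(emails):
    """Old-school grouping: identical sender and subject only."""
    groups = {}
    for e in emails:
        key = (e["sender"].lower(), e["subject"].lower())
        groups.setdefault(key, []).append(e["id"])
    return list(groups.values())


def fingerprint(body):
    """Token set with the per-recipient parts masked: every URL becomes one
    placeholder token and every run of digits becomes another."""
    text = re.sub(r"https?://\S+", " URL ", body)
    text = re.sub(r"\d+", " N ", text)
    return set(re.findall(r"[a-z]+", text.lower()))


def jaccard(a, b):
    """Share of tokens the two sets have in common (0.0 to 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def fuzzy_clusters(emails, threshold=0.7):
    """Greedy grouping: a message joins the first cluster whose first
    member has a similar enough fingerprint, else it starts a new one."""
    clusters = []  # list of (fingerprint of first member, [ids])
    for e in emails:
        fp = fingerprint(e["body"])
        for representative, ids in clusters:
            if jaccard(fp, representative) >= threshold:
                ids.append(e["id"])
                break
        else:
            clusters.append((fp, [e["id"]]))
    return [ids for _, ids in clusters]


if __name__ == "__main__":
    print("exact:", exact_clusters(SAMPLE))
    print("fuzzy:", fuzzy_clusters(SAMPLE))
```

Exact matching leaves message 2 on its own, so a quarantine built from that cluster would miss it; the fingerprint groups all three campaign messages and keeps the newsletter separate.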

“We create more work for the email team.”

Traditionally, every step described above is handled by the IT team that owns the email platform—not by the SOC, the team responsible for stopping attacks. There’s a built-in conflict, one of competing priorities. The messaging team needs to make sure legitimate emails go through, while the SOC is trying to defend the business by mitigating attacks.

In this set-up, the messaging team is doing its day job AND handling SOC requests to find and quarantine phishing emails. The issues detailed in the previous section—the limits of native search tools and the inadequacies of old-school clustering—make life even more difficult for the messaging team. They’re asked to perform searches that (a) take a lot of time because they’re so complex and (b) get in the way of their regular duties.

Without a solution that empowers the SOC to search and quarantine on its own—with no heavy lift from the messaging team besides determining the fate of quarantined emails—the hunt for phishing threats is going to be inefficient. It’s a lot easier to send a command than to make a request.

With Cofense Vision, operators search an offline copy of the email environment hosted in their own cloud. There is thorough and strict auditing of who is searching for what. The SOC team gets what it needs while the mail team doesn’t have to hand over the keys to the kingdom.

If complicated email searching is slowing your phishing response, get more details on Cofense Vision. Learn more here.

 
