You Can Respond to Phishing Threats in Seconds with Cofense and Cyware: Here’s How

Targeted and relentless. Threat actors pinpoint organizations to steal credentials, infect endpoints, encrypt data for ransom, or exfiltrate intellectual property or non-public information.

All organizations will be phished, but they don’t have to experience a reputation-damaging breach. The best defense is a combination of aware employees, purpose-built phishing solutions, automated incident analysis and response playbooks, and a repeatable process that scales as fast as attackers innovate.

Cofense and Cyware have partnered to provide organizations with the resources to collect phish that evade secure email gateways (SEGs), automate the analysis, and determine threat severity in seconds.

The security workflow is preceded by conditioning employees to recognize suspicious email and report to their security team. What happens next is a blend of technology and intelligent analysts who have the right information to make an informed decision without negatively impacting the business.

The use case is simple, and the process is effective:

  • Phish evade the SEG
  • Employees report the suspicious email
  • Cofense TriageTM ingests and analyzes one or more email clusters with similar tactics
  • Cyware CSOL (security orchestration platform) ingests indicators from Cofense Triage
  • Cyware CTIX (threat intelligence platform) enriches indicators from Cofense Triage with Cofense IntelligenceTM and other premium intelligence sources
  • Cyware CSOL runs a complete response playbook which may include blocking a URL at the network gateway to protect employees from reaching the external phishing site

Let’s look at the sequence of events and how the response is carried out.

  1. Phisher crafts their email (figure 1) and in this case is attempting to direct the employee to a malicious site where a payload could infect the endpoint.

Figure 1. Malicious link within a company-wide email portraying to be from HR

2. A conditioned employee reports the email that evaded the SEG to a predetermined abuse mailbox monitored by the SOC. Purpose-built Cofense Triage ingests all emails from the abuse mailbox and automatically analyzes to quickly remove benign reports while at the same time highlight real threats.

Figure 2. Reported email ingested into Cofense Triage for automated analysis

3. Upon ingestion into Cofense Triage, out-of-box phishing rules are applied, and automated analysis categorizes the email as ‘advanced threats’, matching Emotet indicators and tactics. Benign emails are not impairing the view and the SOC can focus on credible phishing threats from a highly reputable reporter (in this case, a VP within the company).

Figure 3. Processed email matching advanced threats Emotet rules

4. Knowing this email is dangerous, the URL is designated malicious by an analyst

Figure 4. SOC analyst verifying malicious threat indicator

5. Additional validation within Cofense Intelligence further confirms the URL is malicious and delivers analysts related phishing indicators that, in this example, are part of the Emotet malware family. Other domains, files, and URLs are returned from knowing just one threat indicator.

Figure 5. Cofense Intelligence JSON output snippet with additional threat indicators

6. Once Cofense has confirmed that the URL is malicious, the analyst can leverage the orchestration capabilities of the Cyware Security Orchestration Layer (CSOL) to take action and begin remediation and triage efforts. CSOL gives users the ability to create automated, customizable workflows that easily integrate with the other tools in their security stack.

In this example, the analyst initiated the Cofense Triage Playbook to ingest the data it received from the Cofense Triage API. The playbook parsed the available data from Cofense to find the associated indicators, and then leveraged integrations with their other enrichment tools to fully enrich all associated indicators.

Figure 6. CSOL ingests Cofense Triage phishing data

7. Once enriched, the CSOL Playbook automated the mitigative action. The sender of the malicious email was automatically blocked at the email gateway and a confirmation notification was sent to the analyst.

Figure 7. CSOL runs through remediation to block sender at the email gateway

8. In addition, the malicious IOCs were sent to the SIEM to perform a historical lookup. If any of the malicious IOCs were previously seen in the organization’s environment, a SIEM alert was created and sent to the SOC team.

Figure 8. CSOL runs through additional steps from data received from Cofense

9. Finally, proactive defensive action was taken. The malicious URL was automatically blocked at the firewall, and all associated indicators were added to CTIX, Cyware’s Threat Intelligence Platform. Adding these indicators to CTIX ensures that this intelligence is memorialized and can be used at a later time for analytics, enrichment, and further correlation by the threat intel team.

Figure 9. CSOL blocks URL at the firewall and ingests other indicators into CTIX


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Fortifying Defenses with Human-Verified Phishing Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Security teams require the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Where are the Phish?

PhishMe extends beyond a traditional data feed. Customers receive phishing intelligence. What’s the difference? Intelligence, vs. traditional data.

Information without context is data. Intelligence is information with context, and context is what security teams require in order to have confidence in their decisions.

Intelligence customers receive indicators specific to phishing and their criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre, and Cerber. This is then backed up by threat intelligence reports with verbose context that provides security teams with insight into attacker TTPs.

PhishMe identifies what is nefarious, but more importantly, why, and what it means.

Integration Tackle Box for PhishMe and Palo Alto Networks

Security teams who wish to easily complement their Palo Alto Networks Next-Generation Security Platform’s security policies with PhishMe Intelligence will need an instance of MineMeld (version 0.9.26 and above) and PhishMe Intelligence API credentials (contact PhishMe for trial access MineMeld will ingest intelligence from PhishMe, and can automatically feed new prevention controls to Palo Alto Networks devices, without adding heavy operational burden.

Configuring MineMeld with PhishMe

The following is a step-by-step guide to configure MineMeld in order to ingest PhishMe Intelligence phishing URLs, aggregate them, and construct into an output capable of preventing malicious URLs in security policies within PAN-OS devices. Before we dive into the configuration of MineMeld, it is important to review the three key concepts behind the application:

  • Miners: responsible for retrieving indicators from configured sources of intelligence and data feeds. Miners will bring in new indicators on a configurable, periodic basis, and also age-out any indicators that are no longer needed.
  • Processor: The processor node will aggregate the data obtained by the Miner and conforms the data to IPv4, Ipv6, URLs, or domains. Once aggregated, the data is sent to the output nodes.
  • Output: The output nodes gather data from the processor node and convert the data into a format that is capable of being consumed by PAN-OS (and other non-PAN-OS external services)

PhishMe Intelligence Miner Node

(Image of Miner Node with API credential example and phishme.intelligence prototype)

Processor Node

(Image of Processor Node using the stdlib.aggregatorURL prototype and the PM_Intel input from the configured Miner)

Output Node

(Image of Output Node using the stdlib.feedHCRedWithValue prototype and the agg_URL_all input from the configured Processor)

Configuration Graph Summary

The configuration graph is a summary exhibiting the flow of PhishMe Intelligence. The miner collects intelligence, aggregates, and the output node structures the data to be usefully applied to prevent phishing.

(Example of PhishMe Intelligence aggregated and with output URL data for PAN-OS)

Log Detail with URL Indicator and High Confidence rating of 100

The image below represents an example of URL intelligence received in the MineMeld log. This snippet specifies a malware payload from an OfficeMacro and TrickBot (similar to Dyre) family. If they choose to, analysts can then use the URL to the Threat Report with executive and technical details that explain more about the malware.

The above summarization of the MineMeld setup portrays how easy it is to take very relevant and useful information and structure it so that it can be operationalized with other security investments. Far too often teams have underutilized technical resources or processes that place a strain on the workforce. MineMeld reduces the human burden and provides security teams with the ability to create actionable prevention-based controls.

Phishing Intelligence Operationalized = PhishOps!

Let’s review an example of how to operationalize these indicators of phishing (IoPs) and apply them to a Palo Alto Networks security policy to deny egress traffic to these phishing URLs.

Create New Object in PAN-OS

From the Objects tab, select External Dynamic Lists from the navigational pane. Analysts just need to provide the relevant information to pull in the list of URLs from MineMeld.

(Example of External Dynamic List linking to URL list from MineMeld)

Apply to PAN-OS Security Policy

With the External Dynamic List defined, security policies can now be created based on acceptable criteria. In the case below, inside sources browsing externally and matching the PhishMe Intelligence URLs will be denied.

(Example policy to deny inside to outside web-browsing against PhishMe Intelligence URLs)

FINito! Wrapping up

A similar process can be repeated like the above, with IP lists and domains, and applied according to phishing threats facing the business. The way MineMeld handles the data received makes applying it to Palo Alto Networks Next-Generation Security Platform very effective. Security teams will need to determine where they want to apply the policies once MineMeld has compiled the data.

The phishing threat is alive and very well and the ability for security teams to maximize their investments and operationalize with low administrative overhead should be enticing to tackle the threat.


More about MineMeld:

MineMeld, by Palo Alto Networks, is an extensible threat intelligence processing framework and the ‘multi-tool’ of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks Next-Generation Security Platforms.

To learn more about the Palo Alto Networks Next-Generation Security Platform, visit:

To learn more about the PhishMe Intelligence, visit: