Cofense - Security Awareness Training & Email Threat Detection

Credential phishing IOCs increased nearly 45% in Q3

Share This Article

During Q3 of 2023, new and old techniques appeared, creating a high volume of campaigns that reached users in environments protected by secure email gateways (SEGs). Throughout this quarter, we saw an increase in volume for both credential phishing and malware campaigns. Cofense Intelligence also observed a resurgence in some malware families that have been less common in previous quarters, while the more notable families like QakBot and Emotet remained inactive.

The key highlights for Q3 2023 include:

  • Credential phishing indicators of compromise (IOCs) increased by nearly 45% in Q3 compared to Q2 and increased 85% from Q3 2022.
  • QR codes embedded in images and PDFs within phishing emails rose, likely due to the difficulty security infrastructure faces when checking links and other embedded content compared to that of raw email content.
  • PDFs remain the most popular phishing email attachment for threat actors, making up nearly 50% of the malicious file extensions seen in email campaigns this quarter.
  • Emotet and QakBot remained inactive throughout Q3 with QakBot staying silent since Q2 2023 and Emotet since Q1 2023. QakBot’s silence is likely due to the FBI takedown and may lead to QakBots replacement by a new botnet.
  • An increase in reconnaissance and utility tool malware appeared this quarter, like Browser Password Dump Utility or Email Password Dump Utility, making them the 5th most popular malware type of the quarter.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.