Cofense - Security Awareness Training & Email Threat Detection

Examples of Silver-bullet Technology Fails

Share This Article

Most security teams today are pretty much in the same boat: limited budget, limited man power, and limited time to defend their network against escalating threats and attacks.  Perhaps that’s why so many information security vendors claim to have the “silver bullet” to protect the customer’s environment and solve their problems. 

Regardless of what a solution promises, it’s undeniable that things continue to bypass those “silver bullet” solutions. And we have a couple of good examples to show just that.

The good news is that, in these cases, the companies being targeted had a back-up plan to utilize an existing commodity — its employees.  Conditioned employees are able to scrutinize and recognize things that haven’t been seen before while a piece of technology cannot.  Technology requires a signature that has been written, and in the right place, to catch a threat.

An intuitive human sensor who is properly conditioned can see when things are not right, report those suspicious emails, and give a trained analyst the opportunity to identify and mitigate an active threat.  A proper write up from the analyst can then be looped into logs, proxy and full packet captures to find other users that potentially did not identify the threat.

Let’s take a look at examples of threats that were identified by humans and not the email gateway technology:

Email Wasn’t Stopped by Proofpoint

Looking at this email we see that the attackers are acting as if they are from Microsoft, perhaps posing as support for the Office365 account. Using a common tactic of playing on the user’s sense of urgency, the phish is crafted to convince the user they must act quickly to save his or her account. And, conveniently, the attackers have included a link for the user to do just that.

Dashboard showing real-time phishing threat detection

Digging deeper into the HTML of the attacking email we see that the “Verify Now” link does not go to Microsoft or an attributed site, but to a malicious site that mimics Office365.

Dashboard displaying phishing threat intelligence and analysis

Dashboard displaying real-time phishing threat alerts

Looking in the header we see that it did come through the Proofpoint device and, while it scored, it was not stopped from being delivered to the inbox of an employee.

Dashboard showing metrics and analytics for phishing simulations

Luckily, this company had trained its employees to recognize phishing attempts, provided them with an easy way to report and alert IT Security and an easier way to assess, analyze, and respond to active threats.

Email Wasn’t Stopped by Ironport

The email below is the standard DocuSign phish that has been around for the past few years – so it’s a pretty well-known threat.

Blurred image of a simulated phishing email for training purposes

As indicated in the headers, this email was scanned by the Ironport engine and permitted to be delivered to the employee. Luckily, the employee was smart enough to recognize something the expensive technology did not.

Screenshot of a phishing email with embedded malicious link

We can clearly see the URL referenced in the HTML of the email.  This email reaches out to a website that is clearly not DocuSign and using a .php extension.

Screenshot of a phishing email with a suspicious attachment

The employee then reported the threat to the IT Security team using Cofense TriageTM.

The URL is clearly referenced in our platform:

Screenshot of a phishing email with social engineering tactics

We can see the multiple references from VirusTotal listing the site as clean. That’s because the threat was identified immediately and the site was taken down within a day of discovery.  This gives security vendors little incentive to update their signatures to detect threats that are only online for 24 hours or less.

Screenshot of a phishing email targeting a specific department

Cofense phishing defense solution dashboard

Your network is your castle and a few walls won’t keep it safe. You need a moat, a watch tower, and a battalion to respond to attacks.

Technology fails. Regardless of the silver bullet technology installed, attackers seem to find ways around it. Attackers are clever humans. And so are your employees. Activating your entire organization as a collective defense will ensure you have that last line of defense in place.

To learn more about the benefits of phishing awareness training, view the 2017 Cofense Phishing Resiliency and Defense Report.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.