This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

Share Now


“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.  

The best way to detect these types of campaigns is to train users to recognize phishing attacks, including “Man in the Inbox.” It is also important to note that perimeter defense technologies like secure email gateways are not designed to stop these attacks. More on this in a moment. 

Alert Employees Reported the Attack 

Recently, the Cofense™ Phishing Defense Center (PDC) observed a “Man in the Inbox” attack on a customer. This company had the foresight to give users phishing awareness training via Cofense PhishMeTM . The training paid off. Using Cofense ReporterTM, employees reported a suspicious email even though it was branded and seemed to come from a trusted party, as seen in Figure 1. 

Figure 1

As the campaign unfolded, we continued to correlate events across numerous user inboxes and supply up-to-the-minute intelligence to the customer’s IT team. They took the lead in attack mitigation. The attackers made things more difficult by adding new malicious links, imitating brands such as LinkedIn, DocuSign, and Microsoft.  

They also remained engaged, truly “in the middle,” by responding to skeptical email recipients. Figure 2 below shows an attacker’s assurances that the phishing message was “legit” while helpfully responding with another phishing link: 

It was a bit like fighting a wildfire. Every person who took the bait equaled another potential compromise, one more staging base for continued attacks. While it is too early to say whether the attack has been stopped completely, we have worked closely with the customer to contain the flames. 

Secure Email Gateways Miss Attacks that Come from Within 

As we’ve noted in other blogs, secure email gateways are only part of a sufficient defense strategy. In this case, the client’s secure email gateway did not block the attack because it never saw it coming—the emails came from within, from compromised accounts and other trusted sources. 

Secure email gateways are less effective in filtering internal messages. Because of the implicit trust in the sanctity of the internal domain, rules governing internal content are often lax or immature. Once inside the perimeter, a phishing email leaves the users themselves as the only remaining line of defense. As we saw in this attack, a strong response started with properly trained employees successfully reporting the attack, leading to rapid containment and mitigation. 

We offer this as an example of collective defense in action.  

  1. Properly conditioned users reported suspicious emails. 
  2. The PDC analyzed them as part of our managed service. 
  3. Within minutes, the client was armed with the information needed to contain the attack. 

Human and technical assets worked collectively to block this phishing outbreak. In-depth security means more than layers of technology: gateways, scanners, heuristic engines, and multi-factor authentication. It means choosing the right technology to identify compromised IPs and speed mitigation. It also means giving employees relevant education.  

This attack was more proof: a collective defense, not tech-only, is the smarter way to go. 

Learn more about how the Cofense PDC helps customers manage phishing incident response efforts. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.