Cofense Phishing Prevention & Email Security Blog

Miming, Mimecast? The latest attempt at exploiting SEGs

Power Splunk with Cofense Triage Phishing Indicators

By Mike Saurbaugh Security and operational technology teams rely on the data in Splunk. It’s also central to critical data used to make business decisions. Regardless of the industry, phishing spares no one. Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). It makes perfect sense to take all this enriched phishing data and feed it to Splunk for additional reporting and response actions. Enhanced APIs Automate Collection and Indexing Cofense Triage accelerates phishing email analysis, investigation and response by cutting through the noise automatically and surfacing the real...

Phishing Campaign Exploits Housing Boom

Is Less Really More for Email Security?

By Mark Zigadlo, Cofense According to Verizon’s Data Breach Report, 96% of breaches start with a phishing email. Though not news to us at Cofense, the statistic is still alarming. This got me thinking about some of the reasons Cofense customers, myself included, have been largely insulated from ransomware, business email compromise (BEC), credential phishing and other such attacks. While I was reviewing the Threat Policies in the Office 365 Security and Compliance center (what you get as part of your E5 license) in advance of my upcoming Mimecast renewal, I learned that all of the same security controls I was currently leveraging...

It’s Not Safe: “Security Update” Goes Phishing via PDF

Pending Documents Invite You to WeTransfer Phish

Domain Doppelgangers: Your Good Name as Phishing Bait?

Does your company have an evil twin on the web? Threat actors may be leveraging a lookalike version of your company’s name to deliver malware through phishing that plays off your brand. Say the company name is Cofense, with the internet domain name cofense[.]com. What would happen if someone registered a copycat domain name using, for example, Confense, with the domain confense[.]com? Wouldn’t the search engine just route users to the real deal, or wouldn’t it be obvious quickly that the name was misspelled?    Cofense, Confense. Big deal, right? Wrong. Here’s why.   Every day, attackers are busy registering lookalike, or doppelganger, domains that mimic reputable brands to lure users through phishing emails, malware delivery and more. The domains are designed to trick users into believing they’re...

Cofense TAP Program Still Setting the Standard for Threat Intelligence Five Years After Launching the Program

Linktree Abused to Send Phishing Links

Phishers Continue to Spoof WebEx

Available Today: The Cofense Intelligence Q1 2020 Phishing Review

Coronavirus-Themed Phish Continue to Surge

Coronavirus Redefines the Phishing Threat Landscape

This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget

Threat Actor Uses OneNote to Learn Credential Phishing and Evade Microsoft and FireEye Detection

Phishers Are Using Google Forms to Bypass Popular Email Gateways

Emotet Gears Up to File (Your) Taxes

Miming, Mimecast? The latest attempt at exploiting SEGs

Power Splunk with Cofense Triage Phishing Indicators

By Mike Saurbaugh Security and operational technology teams rely on the data in Splunk. It’s also central to critical data used to make business decisions. Regardless of the industry, phishing spares no one. Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). It makes perfect sense to take all this enriched phishing data and feed it to Splunk for additional reporting and response actions. Enhanced APIs Automate Collection and Indexing Cofense Triage accelerates phishing email analysis, investigation and response by cutting through the noise automatically and surfacing the real...

Phishing Campaign Exploits Housing Boom

Is Less Really More for Email Security?

By Mark Zigadlo, Cofense According to Verizon’s Data Breach Report, 96% of breaches start with a phishing email. Though not news to us at Cofense, the statistic is still alarming. This got me thinking about some of the reasons Cofense customers, myself included, have been largely insulated from ransomware, business email compromise (BEC), credential phishing and other such attacks. While I was reviewing the Threat Policies in the Office 365 Security and Compliance center (what you get as part of your E5 license) in advance of my upcoming Mimecast renewal, I learned that all of the same security controls I was currently leveraging...

It’s Not Safe: “Security Update” Goes Phishing via PDF

Pending Documents Invite You to WeTransfer Phish

Domain Doppelgangers: Your Good Name as Phishing Bait?

Does your company have an evil twin on the web? Threat actors may be leveraging a lookalike version of your company’s name to deliver malware through phishing that plays off your brand. Say the company name is Cofense, with the internet domain name cofense[.]com. What would happen if someone registered a copycat domain name using, for example, Confense, with the domain confense[.]com? Wouldn’t the search engine just route users to the real deal, or wouldn’t it be obvious quickly that the name was misspelled?    Cofense, Confense. Big deal, right? Wrong. Here’s why.   Every day, attackers are busy registering lookalike, or doppelganger, domains that mimic reputable brands to lure users through phishing emails, malware delivery and more. The domains are designed to trick users into believing they’re...

Cofense TAP Program Still Setting the Standard for Threat Intelligence Five Years After Launching the Program

Linktree Abused to Send Phishing Links

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:

Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

This Phishing Attacker Takes American Express—and Victims’ Credentials

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

UK Banking Phish Targets 2-Factor Information

Under the Radar – Phishing Using QR Codes to Evade URL Analysis

Phishing Attacks on High Street Target Major Retailer

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

The Zombie Phish Is Back with a Vengeance

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.