Cofense Blog


CSO Names Cofense Triage to “Best Security Software” List

June 12, 2018 by Cofense in Cyber Incident Response

Calling it “one of the most advanced defenses against phishing,” CSO has included Cofense Triage™ in its Best Security Software for 2018. Our incident response and phishing defense platform helps to stop attacks in progress and minimize the risk of breach—in minutes, compared to the average detection time of 100+ days.


One IP to Host Them All: Uncovering a Sprawling Crime Ring

June 5, 2018 by Cofense in Malware Analysis, Threat Intelligence

On Monday May 28, 2018, during routine operations, Cofense Intelligence™ identified traits across several campaigns that indicated they were linked. In fact, this discovery helped to reveal a sprawling criminal enterprise that uses linked infrastructure to host nearly 100 domains, along with corresponding malware campaigns.


Cofense has you covered as Office attachment attacks grow.

June 4, 2018 by Cofense in Malware Analysis, Internet Security Awareness

At Cofense™, we’ve known for some time that phishing attacks using MS Office attachments were a big problem. That’s why our solutions help you combat these attacks in important ways.


We Helped a Customer Block this Open Directory Phishing Attack

June 1, 2018 by Chance Caldwell in Phishing Defense Center

On May 22, 2018, the Cofense Phishing Defense Center observed a Microsoft credential phishing attack that was received by one of our Managed Service customers. The Phishing Defense Center’s goal is to provide our customers all the relevant information on an attack against their employees, within an hour of an email being reported, so customers can take the necessary steps to prevent further attacks. By doing a deep dive investigation into this attack we were able to find multiple other phishing attacks listed on the site, the kits used to create the phishing pages, and several other domains created by...


TrickBot Operators Rapidly Adopt “Plug In” for Delivery, Possibly Following Dreambot’s Lead

May 25, 2018 by Cofense in Threat Intelligence

Recently, Cofense Intelligence™ reported on a new mechanism used to distribute Dreambot malware, where a malicious page impersonating Microsoft Office Online entices victims to download the banking trojan. We have noted a similar delivery technique in the distribution of a TrickBot sample where targets are required to download a “plugin” to interact with a PDF, adding to the iteration of purported “plugin” downloads for malware delivery. The detailed campaign leverages social engineering techniques to gain access to victims’ sensitive information and also contains code obfuscation to evade detection by security technologies.


Managed Service Gives SMBs More Security without the Headcount

May 17, 2018 by Zach Lewis in Internet Security Awareness

If you do a Google search on “SMBs and cyber-security,” one best practice is hard to miss. The experts say it’s smart to give employees security training. All employees, not just the cyber-warriors in IT. Another good idea: outsource your training. Let specialists spare you the cost of creating a security awareness program. Better security without more headcount—it’s why so many SMBs trust Cofense PhishMe™ Managed Service.


Hackers Analyse Your Capabilities. Use this Matrix to Do the Same

May 16, 2018 by David Mount in Phishing Defense Center

Regular followers of Cofense™ know that phishing threats evolve. For detailed evidence, read the Cofense Malware Review 2018 and see the techniques threat actors employ to keep security teams on their toes.


New Month; New Sigma

May 15, 2018 by Cofense in Threat Intelligence

Cofense Intelligence has observed several recent Sigma ransomware campaigns that demonstrate either a new iteration or a fork of this malware. Prior to these new campaigns, the actors behind Sigma stuck rigidly to two very distinct phishing narratives, as detailed in Cofense’s recent blog post, and relied on the same infection process. With these newly observed changes, Sigma’s operators have eliminated various infrastructure concerns and improved the UX (User eXperience) of the whole ransom process, representing the first major shifts in Sigma tactics, techniques and procedures (TTPs).


Prevent Your Social Media Users from Arming Phishing Attackers

May 8, 2018 by Zach Lewis in Phishing

An employee goes on Facebook and makes a snarky comment about his boss. Or posts a picture of a co-worker that includes a confidential document open on her laptop. Or simply mentions your company name when sharing something online. All of these are examples of potential trouble.


Sigma Operators Craft New Techniques to Deliver Phish to Your Inbox

May 7, 2018 by Cofense in Threat Intelligence

Cofense Intelligence recently identified a large Sigma ransomware campaign that contained significant deviations from the established TTPs employed by the actors behind this prolific piece of extortionware. These changes improve Sigma’s A/V detection-evasion and demonstrate new social engineering tactics intended to increase the likelihood that a targeted user would open the phishing email and its malicious attachment.


Fortifying Defenses with Human-Verified Phishing Intelligence

December 15, 2016 by Mike Saurbaugh in Cyber Incident Response, Phishing, Threat Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it...


A Warning on Christmas Delivery Scams

November 23, 2016 by Cofense in Internet Security Awareness, Threat Intelligence

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world. Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, scammers of this kind have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams being...


Beware: Encryption Ransomware Varieties Pack an Extra Malware Punch

November 11, 2016 by Cofense in Threat Intelligence

As the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines. Much of the innovation seen in 2016 was focused on defying the expectations for how ransomware is delivered such as steganographic embedding of ransomware binaries, other forms of file obfuscation, and requirements for command line argumentation. These were all put forward as ways...


Unscrupulous Locky Threat Actors Impersonate US Office of Personnel Management to Deliver Ransomware

November 8, 2016 by Cofense in Threat Intelligence

Update 2016-11-11: It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well as the credibility of all information security professionals. PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident nor...


Macro Based Anti-Analysis

August 19, 2016 by Cofense in Malware Analysis, Threat Intelligence

Over the past several months PhishMe research has noticed an increase in anti-analysis techniques being included within Office macro and script files. This is the first post in a series where we look at the inclusion and effectiveness of these methods. Although the use of anti-analysis techniques is not new, they are generally observed within the packed payload in an effort to avoid detection by endpoint security solutions. Most recently we came across a campaign of emails which included a malicious Microsoft Word document. The document contains a standard lure using an image instructing the user to enable active content...


Reality-checking Mr.Robot Ransomware

July 13, 2016 by Cofense in Ransomware

WARNING: MAJOR SPOILER ALERT! USA Network’s television show, Mr.Robot, kicked off Season 2 with a BANG! The program features the exploits of a hacker named Elliot Alderson (Rami Malek) who uses the alias “Mr.Robot” to work with a team of hackers who call themselves F-Society and have as their mission the destruction of a major corporation that they call “Evil Corp,” whose logo calls back to the Big Corporate Corruption of Enron. In this episode, the attack is against the “Bank of E.”


2016 Q1 Malware Review – Available Now

June 1, 2016 by Cofense in Malware Analysis, Cofense News

Today, our research team released our 2016 Q1 Malware Review, detailing more than 600 Active Threat Reports and the waves of phishing emails that delivered malware to victims across the globe each day last quarter. Among the sea of threats reported, the proliferation of ransomware stood out as one of the most common types of malware used through soft targeting and massively distributed attacks.


PhishMe’s Gary Warner Featured in Threat Intelligence Thought Leadership Interview on Recorded Future

May 4, 2016 by Cofense in Cofense News, Threat Intelligence

This week, Recorded Future published another segment in their recent “Threat Intelligence Thought Leadership Series” featuring PhishMe’s Chief Threat Scientist Gary Warner. The article, titled Why You Should Launch a Threat Intelligence ‘Hunt’ Team, covers a variety of perspectives on threat intelligence, from driving factors in today’s threat intelligence community and actionable intelligence trends to advice for aspiring threat intelligence analysts on how to navigate today’s information security landscape.


Awareness isn’t the goal, it’s just the beginning

October 27, 2015 by Aaron Higbee in Internet Security Awareness, Malware Analysis

When people refer to PhishMe as the awareness company, we smile and nod. I want to correct them, but the label ‘security awareness’ is comfortable and relatable. One of the activities that organizations commonly believe will help reduce risk is mandatory security awareness computer-based training (CBT) lessons. The hope is that if we enroll our humans in online courses about how the bad guys hack us, they will walk away with a wealth of new-found awareness and avoid being victimized. (Try to visualize how far in the back of my head my eyes are rolling…)


PhishMe Celebrates National Cyber Security Awareness Month 2015 and UK Based Security Serious Week

October 7, 2015 by Cofense in Internet Security Awareness, Malware Analysis

It’s that time of year again. No, it’s not the arrival of the pumpkin spiced latte at your local coffee shop. It’s National Cyber Security Awareness month (NCSAM) as proclaimed by President Barack Obama last year. “National Cyber Security Awareness Month — celebrated every October — was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online,” as stated by the National Cyber Security Alliance located on their website. At PhishMe, we are proud to once again play a lead role in the cyber...


WCry / WannaCry Ransomware Devastates Across the Globe

May 12, 2017 by Cofense in Malware Analysis, Internet Security Awareness, Phishing

A strain of encryption malware, or ransomware, is making a global presence today as numerous organizations struggle to respond. Reports of infections were found all over the globe.


Aaron Higbee Chats Google Doc Scam and other Phishing Trends on the Charles Tendell Show

May 11, 2017 by Cofense in Phishing, Internet Security Awareness

This week, our co-founder and Chief Technology Officer Aaron Higbee had an opportunity to discuss the recent Google Docs phishing scam on The Charles Tendell Show.


FireEye: Russians, Others Exploiting Zero-day Microsoft Office Vulnerabilities

May 9, 2017 by Cofense in Phishing

FireEye has identified three new zero-day vulnerabilities in Microsoft Office products that have been exploited by Russian cyber espionage entities and a yet-to-be-identified group.


Bogus Claim: Google Doc Phishing Worm Student Project

May 5, 2017 by Aaron Higbee in Phishing, Internet Security Awareness, Malware Analysis

According to internet sources, Eugene Pupov is not a student at Coventry University. Since the campaign’s recent widespread launch, security experts and internet sleuths have been scouring the internet to discover the actor responsible for yesterday’s “Google Doc” phishing worm. As parties continued their investigations into the phishing scam, the name “Eugene Popov” has consistently popped up across various blogs that may be tied to this campaign. A blog post published yesterday by endpoint security vendor Sophos featured an interesting screenshot containing a string of tweets from the @EugenePupov Twitter handle claiming the Google Docs phishing campaign was not a...


Google Doc Phishing Attack Hits Fast and Hard

May 3, 2017 by Cofense in Phishing, Phishing Defense Center

Google Doc Campaign Makes a Mark

In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with a subject line stating that someone “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the website.


April Sees Spikes in Geodo Botnet Trojan

May 2, 2017 by Cofense in Phishing, Phishing Defense Center

Throughout April, our Phishing Defense Team observed an increase in malicious URLs that deliver the financial crimes and botnet trojan known as Geodo. These emails take a simple approach to social engineering, using just a sentence or two prompting the victim to click on a link to see a report or invoice that has been sent to them. An example of a typical phishing email used in these attacks is shown below: Following the malicious links will lead the victim to download a hostile JavaScript application or PDF document tasked with obtaining and executing Geodo malware. One common attribute of...


Orange is the New Hack?

May 1, 2017 by Cofense in Phishing, Internet Security Awareness

One of the most popular Netflix series, Orange is the New Black, scored an early parole due to some bad behavior this weekend. TheDarkOverlord, the group claiming responsibility for the hack, already released the season five premiere and is threatening to release “a trove of unreleased TV shows and movies.”


BEC Scams Hit Technology Giants for over $100 Million Dollars

April 28, 2017 by Cofense in Phishing, Internet Security Awareness

Even the biggest companies fall for it. This week, reports showed that Business Email Compromise (BEC) scams, sometimes referred to as CEO Fraud Emails, netted over $100 million from Facebook and Google. While people are increasingly aware of phishing emails containing links and attachments, BEC scams (also known as CEO Fraud) continue to reward criminals with alarming effectiveness. These phishing scams fly past traditional security roadblocks because there are no URLs or attachments to scan.


Off-the-shelf Zyklon Botnet Malware Utilized to Deliver Cerber Ransomware

April 24, 2017 by Cofense in Malware Analysis, Phishing, Threat Intelligence

Recent, large-scale distributions of the Zyklon botnet malware mark a continuing trend of off-the-shelf malware use. This multipurpose trojan, capable of supporting numerous criminal activities, has been identified in phishing attacks more and more frequently through the month of April. The bulk of these campaigns have leveraged resume- and job-applicant-themed messaging as the phishing narrative. The most recent analyses of this distribution have shown that the threat actors are attempting to leverage the malware’s full feature set by not only using it as an information stealer, but also as a downloader used to obtain and deploy the Cerber ransomware...


Locky Stages Comeback Borrowing Dridex Delivery Techniques

April 21, 2017 by Cofense in Ransomware, Malware Analysis, Phishing

The ransomware that defined much of the phishing threat landscape in 2016 raged back into prominence on April 21, 2017 with multiple sets of phishing email messages. Harkening back to narratives used throughout 2016, these messages leveraged simple, easily-recognizable, but perennially-effective phishing lures to convince recipients to open the attached file.