Products
Products
Awareness
Detection
Response
Intelligence
About Cofense
About Cofense
Leadership
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More
Free Tools
Free Tools
Create Transparency
Speed Response
Resources
Resources

Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

Is It Time to Rethink Your Phishing Awareness Program?

September 6, 2019 by Zach Lewis in Internet Security Awareness

Part 1 of 2 As seen in Cofense’sTM 2019 Phishing Threat & Malware Review, threat actors innovate relentlessly. Technologies like secure email gateways (SEGs) can’t keep up. In fact, the vast majority of phishing emails verified by the Cofense Phishing Defense CenterTM are found in environments using SEGs. With so many malicious emails making it past security controls, the human factor becomes decisive. This means your phishing awareness program needs to stay in fighting trim. In particular, it’s important to educate users on attacks that breach your perimeter, working with your SOC to focus on the most frequent threats. If...

READ MORE

Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

September 3, 2019 by Milo Salvia in Cyber Incident Response

Hiding in plain sight by using trusted enterprise technologies almost guarantees delivery of a phishing URL. Case in point: a phishing campaign that delivered a legitimate Sharepoint URL to bypass the email gateway, in this case Symantec’s. Here’s how this increasingly popular phishing tactic works. Email Body The phishing email is sent from a compromised account at a third-party vendor asking the recipient to review a proposal document. The recipient is urged to click on an embedded URL. As seen below in figure 1, the URL has been wrapped by Symantec’s Click-time URL Protection and redirects the recipient to a...

READ MORE

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

August 29, 2019 by Cofense in Phishing Defense Center

By Tej Tulachan The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link. Trickbot has been making the rounds for a long time now and is still considered one of the biggest malware threats targeting business today. Threat actors frequently utilize legitimate applications or trusted file sharing sites like Google Docs to bypass the email gateway and lure users to click on the link to deliver malware. In this case, the email made it through Proofpoint’s gateway utilized by our PDC customer. Email Body The email attempts to lure curious...

READ MORE

Advanced Phishing Campaign Delivers Quasar RAT

August 26, 2019 by Max Gannon in Threat Intelligence

Cofense IntelligenceTM has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along...

READ MORE

Why Join Us at Cofense Submerge? Here’s What Attendees Say

August 20, 2019 by Tonia Dudley in Internet Security Awareness

Next month in Orlando we’ll be hosting CofenseTM Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree.    Here are some of the answers we heard last year when we asked, “Why attend Submerge?”  “Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.”  We’re all on this journey...

READ MORE

New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry

August 19, 2019 by Milo Salvia in PhishingThreat Intelligence

The CofenseTM Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee. The malware boasts the following features: Takes screen shots Harvests credentials from Chrome, IE and Edge Accesses the webcam, record video and take photos Records audio from the microphone Transfers files Collects general system and user information Steals VPN certificates Serves as a Key Logger Email Body Fig1. Email Body...

READ MORE

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

August 14, 2019 by Marcel Feller in Phishing Defense Center

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:

READ MORE

Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

August 13, 2019 by Aaron Riley in Cyber Incident ResponsePhishing

Cofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...

READ MORE

TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

August 8, 2019 by Aaron Riley in PhishingThreat Intelligence

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...

READ MORE

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

August 7, 2019 by Cofense in Phishing

By Tej Tulachan The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works. Email Body At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the...

READ MORE

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

August 14, 2019 by Marcel Feller in Phishing Defense Center

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:

READ MORE

Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

August 13, 2019 by Aaron Riley in Cyber Incident ResponsePhishing

Cofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...

READ MORE

TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

August 8, 2019 by Aaron Riley in PhishingThreat Intelligence

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...

READ MORE

Cofense Labs Shares Research on Massive Sextortion Campaign

August 2, 2019 by David Mount in Threat Intelligence

Are you one in two hundred (or so) million?   Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them.   What’s Sextortion?  You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this:  Send an email in which they claim to have installed malware on your system and have a record of...

READ MORE

Threat Actors Subscribe To Patches

July 29, 2019 by Max Gannon in PhishingThreat Intelligence

Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld....

READ MORE

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

July 25, 2019 by Cofense in Cyber Incident ResponsePhishing

By Karen Kokiko The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching Traditional email search and quarantine tools are...

READ MORE

Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

July 23, 2019 by Cofense in Cyber Incident ResponsePhishing Defense Center

By Jake Longden The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work. Email Body: The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel...

READ MORE

Ransomware: A Mid-Year Summary

July 22, 2019 by Cofense in RansomwareThreat Intelligence

By Alan Rainer Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting. Ransomware Is Down...

READ MORE

This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security AwarenessPhishing Defense Center

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

READ MORE

UK Banking Phish Targets 2-Factor Information

July 10, 2019 by Milo Salvia in Phishing Defense Center

Recently, the Cofense Phishing Defense Center observed a wave of phishing attacks  targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses. The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards. Most UK banks implement two-factor authentication. They require users to set a standard password and...

READ MORE

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

July 25, 2019 by Cofense in Cyber Incident ResponsePhishing

By Karen Kokiko The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching Traditional email search and quarantine tools are...

READ MORE

This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security AwarenessPhishing Defense Center

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

READ MORE

Under the Radar – Phishing Using QR Codes to Evade URL Analysis

June 28, 2019 by Nick Guarino in PhishingPhishing Defense Center

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics. In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place. Fast forward to this week where our Phishing Defense Center™...

READ MORE

Phishing Attacks on High Street Target Major Retailer

June 21, 2019 by Cofense in PhishingPhishing Defense Center

By Jake Longden The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year. With the goal of stealing your store credit card and login information, here’s how it works: All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the...

READ MORE

John Podesta’s Phish Foreshadows Doom for 2020

June 13, 2019 by Aaron Higbee in Phishing

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

READ MORE

SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

May 6, 2019 by Tonia Dudley in Phishing

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving. “What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.” The best...

READ MORE

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

April 22, 2019 by Tonia Dudley in Phishing

Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually. What makes BEC campaigns different? In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching...

READ MORE

When You Unsubscribe to these Emails, You ‘Subscribe’ to the Loda RAT

April 11, 2019 by Max Gannon in Phishing

CISO Summary It’s critical that anti-phishing programs reflect the latest threats. Cofense IntelligenceTM has recently observed a phishing campaign that illustrates why. It entices users to download a malicious document from a seemingly legitimate source, an insurance company whose roots go back to 1896. Through a complex chain of abuse, including the exploitation of a legit subdomain hosted by Microsoft, this threat is capable of tricking users unfamiliar with wrinkles like multiple links to the same source and malicious “unsubscribe” links. If successful, the attack activates the Loda Remote Access Trojan, underscoring the importance of educating users to stop phishing...

READ MORE

DMARC Is NOT a Fail-Safe Defense against Phishing Attacks

April 4, 2019 by David Mount in Phishing

DMARC, or Domain-based Authentication Reporting & Conformance, is an email authentication, policy and reporting protocol. It was conceived to prevent impersonation-based phishing attacks, but it doesn’t protect you 100%. Let’s examine why. What DMARC Can Do DMARC builds on the existing and widely deployed SPF and DKIM protocols. All mechanisms to protect the email infrastructure we so heavily rely upon should be gratefully received, but as with everything the benefits and limitations should be fully understood. It is this understanding that allows us to optimize our defenses against the perpetual menace of phishing attacks. DMARC has most promise to help...

READ MORE

Uncomfortable Truth #5 about Phishing Defense

March 27, 2019 by David Mount in Phishing

Last in a 5-part series.  In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth:   Most organizations are unable to effectively respond to phishing attacks.   Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but...

READ MORE

A Very Convincing Tax-Rebate Phishing Campaign Is Targeting UK Users

July 19, 2018 by Milo Salvia in Phishing Defense Center

The Cofense™ Phishing Defence Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors posing as Her Majesty’s Revenue and Customs (HMRC) have imitated the Government Gateway tool which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.

READ MORE

This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

July 18, 2018 by Nick Guarino in Phishing Defense Center

“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.  

READ MORE

Attackers Use a Bag of Tricks to Target Greek Banking Customers

June 27, 2018 by Milo Salvia in Phishing Defense Center

Recently, the Cofense™ Phishing Defense Center has observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank. Alpha Bank is the fourth-largest Greek bank. We observed threat actors using multiple tactics to gain login credentials which include user names, passwords, and secret questions. This information would allow threat actors to access unsuspecting victims’ accounts draining funds and perhaps reusing those credentials on other websites.

READ MORE

Another Global Phishing Campaign Distributes Malware Via Fake Invoices

June 25, 2018 by Marcel Feller in Phishing Defense Center

On Thursday June 14th, the Cofense™ Phishing Defense Center (PDC) noted a campaign targeting UK customers with several emails containing the same subject, “Invoice INV-03056,” and prompting the user to view a supposed invoice. The next day, we saw a very similar campaign that delivered French language phishing emails. Upon analyzing the emails, the PDC notified customers that received them, so they could respond as needed. We also notified all our UK customers of the IOC’s.

READ MORE

We Helped a Customer Block this Open Directory Phishing Attack

June 1, 2018 by Chance Caldwell in Phishing Defense Center

On May 22, 2018, the Cofense Phishing Defense Center observed a Microsoft credential phishing attack that was received by one of our Managed Service customers. The Phishing Defense Center’s goal is to provide our customers all the relevant information on an attack against their employees, within an hour of an email being reported, so customers can take the necessary steps to prevent further attacks. By doing a deep dive investigation into this attack we were able to find multiple other phishing attacks listed on the site, the kits used to create the phishing pages, and several other domains created by...

READ MORE

Hackers Analyse Your Capabilities. Use this Matrix to Do the Same

May 16, 2018 by David Mount in Phishing Defense Center

Regular followers of Cofense™ know that phishing threats evolve. For detailed evidence, read the Cofense Malware Review 2018 and see the techniques threat actors employ to keep security teams on their toes.

READ MORE

Russian “Troldesh” AKA Encoder.858 or Shade is back!

April 27, 2018 by Dilen Thakuri in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing Defense Center

On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email containing the Troldesh malware, a variant of Russian Ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.

READ MORE

5 ways we boost your anti-phishing program’s ROI.

April 25, 2018 by Zach Lewis in Cyber Incident ResponseInternet Security AwarenessPhishing Defense Center

If you’re shopping for a vendor to help with phishing awareness training, you might be thinking, “They all seem pretty similar. What’s the difference?”

READ MORE

How to Avoid Drowning in Spam and Phishing Emails

April 23, 2018 by Cofense in Cyber Incident ResponseInternet Security AwarenessPhishing Defense Center

As we have continued to improve anti-phishing capabilities for clients over the past few years, we have seen a myriad of changes in phishing email composition, style, and approach. Throughout all those changes however, one thing has remained the same.

READ MORE

Their email filters missed these threats. Good thing the users didn’t.

April 19, 2018 by Cofense in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing Defense Center

By Jerome Doaty, Zakari Grater, and Brenda Gooshaw Samson Technology is an important part of any phishing defense, especially perimeter tech designed to filter emails. But these systems, even those billed as “next-gen email security platforms,” don’t catch everything. Some phishes always get through.

READ MORE