Cofense Blog


How to Orchestrate a Smarter Phishing Response

October 1, 2018 by John Fitzgerald in Cyber Incident Response

We’ve been talking a lot recently about phishing-specific SOAR (Security Orchestration Automation and Response). It’s a capability CofenseTM has pioneered to help you mitigate phishing emails faster and more efficiently. Recently, we examined automation, the ‘A’ in the acronym. Now let’s take a deeper look at the ‘O,’ orchestration. Involve the Right Teams Faster with Cofense TriageTM Like a symphony conductor waving a wand, your phishing response needs to engage the right teams at the right time. To make that happen, Cofense TriageTM starts by reducing noise with an advanced spam engine, removing benign emails your employees have reported and...


Potential Misuse of Legitimate Websites to Avoid Malware Detection

September 28, 2018 by Max Gannon in Threat Intelligence

Sometimes, common malware will attempt to gather information about its environment, such as public IP address, language, and location. System queries and identifier websites like are often used for these purposes, but are easily identified by modern network monitors and antivirus. It’s important to know, however, that everyday interactions with legitimate websites provide much of the same information and are not monitored because the interactions are legitimate. In other words, threat actors can bypass automated defenses by abusing legitimate websites that often cannot be blocked for business purposes. First, cookies—easily accessible records of a user’s interactions with a webpage—are...


Beware of payroll-themed phishing. Here’s one example.

September 26, 2018 by Neera Desai in Threat Intelligence

Last week, the Internet Crime Complaint Center (IC3) published a public service announcement on cybercriminals disseminating payroll-themed phishing emails. These phishing emails, often imitating financial organizations, contain alluring content such as an enticing subject line or use social engineering techniques to convince targets that the email is from a legitimate source. Cofense Intelligence™ has observed payroll-themed phishing lures requesting targets to view an embedded link or download an attached file. The emails typically deliver credential phishing links or malware that is tasked with stealing the target’s financial and personal credentials. Recently, Cofense Intelligence analyzed a payroll-themed phish distributing the TrickBot...


Ouch! Our Report Shows Why the Healthcare Industry Needs Better Phishing Defense

September 24, 2018 by John Robinson in Internet Security AwarenessPhishing

Cofense™ released new research last week on phishing in the healthcare industry. It’s one of those industries that routinely gets hammered by phishing and data breaches. In fact, according to Verizon’s most recent Data Breach Investigations Report, over a third of all breaches target healthcare companies1. One recently reported example: the phishing attack on the Augusta University healthcare system, which triggered a breach that may have compromised the confidential records of nearly half a million people. None of this is surprising, considering that healthcare lives and breathes data. But our research also found this: Healthcare lags behind other industries in...


Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses

September 21, 2018 by Aaron Riley in Malware Analysis

GandCrab ransomware is being rapidly developed to evade the cyber security community’s defense efforts, aid proliferation, and secure revenue for those driving the malware. Cofense Intelligence TM has identified a new campaign that is delivering GandCrab version 4.4, the newest iteration of this prolific ransomware. The developers of GandCrab are aware of the research analysis done on its past versions, and release new versions rapidly to negate the solutions. These malicious developers also release versions in direct correlation to specific security companies’ findings. In the last two months, the authors of GandCrab have released version 4, and subsequent 4.x releases...


Here’s a Free Turnkey Phishing Awareness Program for National Cybersecurity Awareness Month

September 18, 2018 by Tonia Dudley in Internet Security Awareness

So….it’s September and October is only a few weeks away. Have you started putting together your campaign for National Cybersecurity Awareness Month (NCSAM) yet? If not, you’re in luck – we’ve created a complimentary turnkey phishing awareness program for you to quickly launch and look like a super hero to your leader AND your organization! And best yet, these resources can be used all year round – BECAUSE security awareness goes beyond October. 


How to Protect Against Phishing Attacks that Follow Natural Disasters

September 14, 2018 by Cofense in Internet Security AwarenessPhishing

By Aaron Riley and Darrel Rendell With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of successfully compromising their target. Cofense IntelligenceTM has analyzed plenty of these campaigns, which are designed to entice the end user into credential theft or endpoint infection.


Microsoft Office Macros: Still Your Leader in Malware Delivery

September 13, 2018 by Aaron Riley in Malware Analysis

In the last month, Microsoft Office documents laden with malicious macros account have remained the malware loader-du-jour. Cofense IntelligenceTM has found they account for 45% of all delivery mechanisms analyzed.


We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan

September 10, 2018 by Cofense in Phishing Defense Center

By Jerome Doaty and Garrett Primm The Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, some estimated 8,000 machines have been potentially compromised.


Automate Your Phishing Defense While Keeping Human Control

September 6, 2018 by John Fitzgerald in Phishing

When it comes to combatting phishing, “set and forget” is a pipe dream. You can’t, and you shouldn’t, take humans out of the picture. But thanks to CofenseTM automation, you can stop attacks while reducing man hours and saving money.


Summer Reruns: Threat Actors Are Sticking with Malware that Works

September 5, 2018 by Neera Desai in Malware Analysis

Let’s take a look back at this summer’s malware trends as observed by Cofense IntelligenceTM. Summer 2018 has been marked by extremely inconsistent delivery of TrickBot and Geodo, though volumes of lower-impact malware families like Pony and Loki Bot remained consistently high. What’s more, improvements to the delivery and behavior of Geodo and TrickBot accompanied the resurgence of two updated malware families—Hermes ransomware and AZORult stealer—in reaffirming a preference by threat actors to update previous tools instead of developing new malware.  Because threat actors will continue to improve their software to ensure a successful infection, it’s important to understand these...


Recent Geodo Malware Campaigns Feature Heavily Obfuscated Macros

August 30, 2018 by Darrel Rendell in Malware Analysis

Part 3 of 3 As we mentioned in our previous overview of Geodo, the documents used to deliver Geodo are all quite similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.


Twin Trouble: Geodo Malware URL-Based Campaigns Use Two URL Classes

August 29, 2018 by Darrel Rendell in Malware Analysis

Part 2 of 3 As discussed in our prior blog post, URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. The structure of the URLs falls into two distinct classes. Cofense Intelligence™ analysed a corpus of 90,000 URLs and identified 165 unique URL paths. There are two distinct classes of URLs employed by Geodo. A detailed breakdown of these URL structures follows. 


Phishing-Specific SOAR Gets You to Mitigation Faster

August 28, 2018 by John Fitzgerald in Cyber Incident Response

When a malicious email slips past perimeter tech defenses, you need to find it and respond in minutes, not two or three months. But no one has unlimited budget or staffing to sift through phishing alerts, verify threats, and help stop attacks in progress.


Into a Dark Realm: The Shifting Ways of Geodo Malware

August 27, 2018 by Darrel Rendell in Threat Intelligence

The Geodo malware is a banking trojan that presents significant challenges. For starters, it conducts financial theft on a vast scale and enables other financially driven trojans. Also known as Emotet, Geodo has a rich history, with five distinct variants, three of which are currently active according to Feodo Tracker. Geodo’s lineage is incredibly convoluted and intertwined with malware such as Cridex as well as the later iterations known as Dridex. This blog is the first of a CofenseTM three-part series on Geodo. Our analysis of Geodo focuses not on code analysis, rather on observed behaviours, infrastructure choices and proliferation....


Another Holiday-Themed Phish: Eid al-Adha is the Pretext for an Agent Tesla Campaign

August 23, 2018 by Neera Desai in Threat Intelligence

Holidays and global events provide timely material for threat actors to use as phishing lures. This technique is a common practice, and can sometimes be convincing to targets, especially just before a major holiday. On Sunday, August 19, 2018, Cofense Intelligence™ received an Eid-themed phishing email. Eid al-Adha, the Islamic festival/holiday, began this week.


UPDATE: Necurs Botnet Banks on a Second Bite of the Apple with New Malware Delivery Method

August 22, 2018 by Jason Meurer in Malware AnalysisThreat Intelligence

Last week, Cofense™ research uncovered and broke the news that the Necurs botnet began a highly-targeted campaign aggressively attacking more than 3,000+ banks worldwide with a malicious PUB file that drops the FlawedAmmyy malware. You can read the full analysis in last week’s research blog.


The Lazy Man’s Guide to Phishing

August 16, 2018 by Cofense in Phishing Defense Center

By Lucas Ashbaugh Laziness and sloppy work are the twenty first century’s newest business model, and for phishing actors it’s a gold rush. The real winners from modern phishing have taken a chapter out of the entrepreneur’s  handbook: The Lean Startup. For them, phishing isn’t about artisanal fraud and refined skills, it’s about starting cheap, failing quickly, and getting their head back in the game. It’s horrendously brilliant. In a world where SOCs are constantly grinding to block that IP, scan for that hash, disable macros, etc., automated solutions just can’t keep up. When it comes to phishing, speed is king....


Necurs Targeting Banks with PUB File that Drops FlawedAmmyy

August 15, 2018 by Cofense in Malware Analysis

By Jason Meurer and Darrel Rendell Cofense™ Research reports that the Necurs botnet began a new campaign at approximately 7:30 EST on Aug 15, one appearing to be highly targeted at the banking industry. So far, Cofense has seen over 3,701 bank domains targeted as recipients.


July Malware Review: Geodo and TrickBot Flex Their Muscles

August 15, 2018 by Darrel Rendell in Malware Analysis

The Cofense IntelligenceTM team has wrapped up our analysis of mid-summer malware. To get this summary started, let’s look at a couple of charts.  Chart 1: Top 5 malware delivery methods, by campaign, identified in July Chart 2: Top 5 malware families, by campaign, identified in July In our Strategic Analysis released on Thursday, 26th July, it was noted that Geodo and TrickBot had been unusually active in recent weeks, following a lull in June and into early July. Charts 3 and 4 expand upon this observation via side-by-side comparisons and year-to-date trends. Prior to July, both TrickBot and Geodo tended...


Data to Dollars: “Value at Risk” Anti-Phishing Strategies

July 16, 2018 by Zach Lewis in Internet Security Awareness

Part 2 of 3 Last week,  we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.


This Amazon Prime Day, Keep Your Network Safe from Phishing

July 12, 2018 by Josh Bartolomie in Internet Security Awareness

Unfortunately, with the world we live in, especially with any type of highly visible promotions or sales, scammers will try to take advantage of the situation. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a $50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.


“Value at Risk”: Focus Your Anti-Phishing on the Bottom Line

July 10, 2018 by John Robinson in Internet Security Awareness

Part 1 of 3: Over the past year at Cofense, we’ve introduced and discussed the importance of elevating the visibility of anti-phishing programs to the Board of Directors level. The key measures we presented included a measure of capability we refer to as ‘resilience’ and enumeration of which specific attacks your organization may be facing. As a result, the questions we are now answering for board members globally are – “What phishing threats do you need to be the most concerned with?” “How likely are you to stop those specific attacks in progress?” In the same time frame, the World...


Cofense Phishing Awareness: The Innovations Continue

June 26, 2018 by Garrett Hess in Internet Security Awareness

Every week you read about a new phishing-inflicted breach. Despite heavy spending on perimeter security, malicious emails still get through. Here’s something that can help and, best of all, costs nothing. It’s the latest in a blitz of Cofense phishing awareness innovations.


Phishing Defense: Let’s Get Personal

June 20, 2018 by Dan Marshall in Internet Security AwarenessPhishing

We all know phish aren’t just sent to corporate email accounts, yet this is what we hear about most often in the news. The reason, at least in part, is because headlines highlighting millions of dollars lost or millions of accounts compromised make for better news than “Man Has Personal Savings Account Drained After Clicking Malicious Link.”


Cofense has you covered as Office attachment attacks grow.

June 4, 2018 by Garrett Hess in Internet Security AwarenessMalware Analysis

At Cofense™, we’ve known for some time that phishing attacks using MS Office attachments were a big problem. That’s why our solutions help you combat these attacks in important ways.


Managed Service Gives SMB’s More Security without the Headcount

May 17, 2018 by Zach Lewis in Internet Security Awareness

If you do a Google search on “SMB’s and cyber-security,” one best practice is hard to miss. The experts say it’s smart to give employees security training. All employees, not just the cyber-warriors in IT. Another good idea: outsource your training. Let specialists spare you the cost of creating a security awareness program. Better security without more headcount—it’s why so many SMB’s trust Cofense PhishMeTM Managed Service.


Prevent Your Social Media Users from Arming Phishing Attackers

May 8, 2018 by Zach Lewis in Phishing

An employee goes on Facebook and makes a snarky comment about his boss. Or posts a picture of a co-worker that includes a confidential document open on her laptop. Or simply mentions your company name when sharing something online. All of these are examples of potential trouble.


That email from HR? RSA attendees say you’d better check twice for phishing.

May 3, 2018 by Cofense in Phishing

When the security world gathered at RSA 2018, CofenseTM surveyed attendees about phishing attacks and defenses. The #1 phishing concern? Malicious emails that appear to be internal communications, from your boss, HR, or the help desk, making them extra-hard to resist.


Russian “Troldesh” AKA Encoder.858 or Shade is back!

April 27, 2018 by Dilen Thakuri in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing Defense Center

On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email containing the Troldesh malware, a variant of Russian Ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.