
Cofense Phishing Prevention & Email Security Blog


Microsoft Office Macros: Still Your Leader in Malware Delivery

September 13, 2018 by Aaron Riley in Malware Analysis

In the last month, Microsoft Office documents laden with malicious macros have remained the malware loader du jour. Cofense Intelligence™ has found they account for 45% of all delivery mechanisms analyzed.


We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan

September 10, 2018 by Cofense in Phishing Defense Center

By Jerome Doaty and Garrett Primm

The Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, an estimated 8,000 machines have been potentially compromised.


Phishing Automation: Automate Your Phishing Defense While Keeping Human Control

September 6, 2018 by Cofense in Phishing

When it comes to combatting phishing, “set and forget” is a pipe dream. You can’t, and you shouldn’t, take humans out of the picture. But thanks to Cofense™ automation, you can stop attacks while reducing man hours and saving money.


Summer Reruns: Threat Actors Are Sticking with Malware that Works

September 5, 2018 by Cofense in Malware Analysis

Let’s take a look back at this summer’s malware trends as observed by Cofense Intelligence™. Summer 2018 has been marked by extremely inconsistent delivery of TrickBot and Geodo, though volumes of lower-impact malware families like Pony and Loki Bot remained consistently high. What’s more, improvements to the delivery and behavior of Geodo and TrickBot accompanied the resurgence of two updated malware families—Hermes ransomware and AZORult stealer—in reaffirming a preference by threat actors to update previous tools instead of developing new malware. Because threat actors will continue to improve their software to ensure a successful infection, it’s important to understand these...


Recent Geodo Malware Campaigns Feature Heavily Obfuscated Macros

August 30, 2018 by Cofense in Malware Analysis

Part 3 of 3. As we mentioned in our previous overview of Geodo, the documents used to deliver Geodo are all quite similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.


Twin Trouble: Geodo Malware URL-Based Campaigns Use Two URL Classes

August 29, 2018 by Cofense in Malware Analysis

Part 2 of 3. As discussed in our prior blog post, URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. Cofense Intelligence™ analysed a corpus of 90,000 URLs and identified 165 unique URL paths, and the structure of those URLs falls into two distinct classes. A detailed breakdown of these URL structures follows.


Phishing-Specific SOAR Gets You to Mitigation Faster

August 28, 2018 by Cofense in Cyber Incident Response

When a malicious email slips past perimeter tech defenses, you need to find it and respond in minutes, not two or three months. But no one has unlimited budget or staffing to sift through phishing alerts, verify threats, and help stop attacks in progress.


Into a Dark Realm: The Shifting Ways of Geodo Malware

August 27, 2018 by Cofense in Threat Intelligence

The Geodo malware is a banking trojan that presents significant challenges. For starters, it conducts financial theft on a vast scale and enables other financially driven trojans. Also known as Emotet, Geodo has a rich history, with five distinct variants, three of which are currently active according to Feodo Tracker. Geodo’s lineage is incredibly convoluted and intertwined with malware such as Cridex as well as the later iterations known as Dridex. This blog is the first of a Cofense™ three-part series on Geodo. Our analysis of Geodo focuses not on code analysis but rather on observed behaviours, infrastructure choices and proliferation....


Ask the DNC: #fakephishing Phishing Pen-Tests Are Still a Bad Idea.

August 24, 2018 by Aaron Higbee in Internet Security Awareness

Cliff notes: Phishing “tests” at best are a waste of time, and at worst, disruptive and weaken your ability to defend against real phishing.


Team Up Against Phishing at PhishMe Submerge 2017

September 27, 2017 by Cofense in Phishing, Cyber Incident Response, Internet Security Awareness

Anti-phishing, like all security, is a team sport. (Apologies for that metaphor, but football season is here.) So join PhishMe® and other security professionals at PhishMe Submerge 2017, our second annual User Conference and Phishing Defense Summit, Nov. 29 – Dec. 1, Gaylord Hotel, Washington National Harbor.


Take Advantage of Our Free Tools and Resources During National Cyber Security Awareness Month

September 26, 2017 by Cofense in Internet Security Awareness, Phishing

It’s fitting that National Cyber Security Awareness Month ends on Halloween. October is the time to contemplate scary things, whether ghouls, folks in lederhosen stumbling about with steins or real-deal cyber threats: phishing emails loaded with ransomware.


The Phishing Kill Chain – Simulation Delivery

September 25, 2017 by Cofense in Phishing, Cyber Incident Response, Internet Security Awareness

Part 4 in a series on being “Left of Breach” in the Phishing Kill Chain. In part 3 we looked at Simulation Design, where we discussed utilization of simulation results analysis and active threat intelligence in anti-phishing programs. We will now take a closer look at simulation delivery practices.


A Song of Ice and Ransomware: Game of Thrones References in Locky Phishing

September 22, 2017 by Cofense in Malware Analysis, Cyber Incident Response, Phishing

We rarely find out the identities of online attackers. As a result, it is often easy to picture attackers as impartial and emotionless devices instead of humans or groups of people. However, attackers often reveal small bits of information about themselves and their personalities in the tactics, techniques, and procedures they select.


Tune Your Phishing Defense at Submerge 2017

September 21, 2017 by Cofense in Phishing, Cyber Incident Response, Internet Security Awareness

Attention incident responders: PhishMe® Submerge is for you. Submerge 2017, our second annual User Conference and Phishing Defense Summit, offers over a dozen sessions on phishing defense alone. Overall the event will offer 30+ sessions, including another track covering phishing resilience.


TrickBot Targeting Financial and Cryptocurrency Data

September 21, 2017 by Cofense in Phishing, Internet Security Awareness, Malware Analysis

While a great deal of research focus on botnet trojans is on the multipurpose utility of this malware, many of these same tools are still utilized for direct financial crimes and fraud. Their configuration data provides prima facie insight into some of the preferred means of monetary gain by threat actors. An example of this can be found in the most recent rounds of TrickBot malware configurations. These XML documents describe the targeted login pages for online services and the action the malware is to take when a victim visits one. Many of the targeted resources reference the login...


5 Reasons Our UK Phishing Report Would Make Winston Churchill Scowl

September 20, 2017 by Cofense in Phishing, Cyber Incident Response, Internet Security Awareness

The US and UK share a lot of things. History. Political traditions. A language, if one is feeling generous. And now some worrisome phishing data that jumps out of two reports PhishMe® has commissioned, most recently in the UK.


Endpoint Phishing Incident Response with PhishMe and Carbon Black

September 19, 2017 by Cofense in Threat Intelligence, Cyber Incident Response, Phishing

Hunting Phished Endpoints with PhishMe Intelligence™ and Carbon Black® Response

While sipping coffee and reading the morning headlines, the CISO notices a global mass-phishing campaign that took place overnight. Picking up the phone and calling the SOC, the CISO asks: “Are there any computers that may have been infected with ‘X’ that I read about this morning? I need answers before my meeting in an hour.”


Customized Phishing Simulations Keep You “Left of Breach”

September 18, 2017 by Cofense in Cyber Incident Response, Internet Security Awareness, Phishing

Part 3 in a series on being “Left of Breach” in the Phishing Kill Chain. In part 2 we looked at Self-Enumeration, assessing security and business process gaps that phishing attackers exploit. It’s the first step in being “Left of Breach” (see figure below), the process that builds a proactive phishing defense strategy.