
Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

August 7, 2019 by Cofense in Phishing

By Tej Tulachan. The Cofense Phishing Defense Center™ has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works. Email Body: At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the...


Cofense Labs Shares Research on Massive Sextortion Campaign

August 2, 2019 by David Mount in Threat Intelligence

Are you one in two hundred (or so) million? Today, Cofense™ announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them. What’s Sextortion? You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: Send an email in which they claim to have installed malware on your system and have a record of...


Threat Actors Subscribe To Patches

July 29, 2019 by Max Gannon in Phishing, Threat Intelligence

Cofense Intelligence™ has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld....


Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

July 25, 2019 by Cofense in Cyber Incident Response, Phishing

By Karen Kokiko. The holy grail of phishing defense is now within your grasp. Cofense Vision™ now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching: Traditional email search and quarantine tools are...


Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

July 23, 2019 by Cofense in Cyber Incident Response, Phishing Defense Center

By Jake Longden. The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work. Email Body: The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appear to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel...


Ransomware: A Mid-Year Summary

July 22, 2019 by Cofense in Ransomware, Threat Intelligence

By Alan Rainer. Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting. Ransomware Is Down...


This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security Awareness, Phishing Defense Center

Recently, the Cofense™ Phishing Defense Center™ observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.


UK Banking Phish Targets 2-Factor Information

July 10, 2019 by Milo Salvia in Phishing Defense Center

Recently, the Cofense Phishing Defense Center observed a wave of phishing attacks  targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses. The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards. Most UK banks implement two-factor authentication. They require users to set a standard password and...


Double Duty: Dridex Banking Malware Delivered with RMS RAT

July 8, 2019 by Max Gannon in Threat Intelligence

Cofense Intelligence™ analyzes millions of emails and malware samples each day to alert organizations to emerging phishing threats. Thanks to our expansive view of the threat landscape, we recently were able to discover and investigate a campaign impersonating eFax that appeared to have an attached Microsoft Word document. The attachment was a .zip archive which contained a .xls Microsoft Excel spreadsheet. This spreadsheet included an Office macro which, when enabled, was used to download and execute two malicious executables: samples of Dridex and Remote Manipulator System Remote Access Tool (RMS RAT). What’s notable: By delivering a banking trojan and a...


Under the Radar – Phishing Using QR Codes to Evade URL Analysis

June 28, 2019 by Nick Guarino in Phishing, Phishing Defense Center

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics. In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place. Fast forward to this week where our Phishing Defense Center™...


Phishing Attacks on High Street Target Major Retailer

June 21, 2019 by Cofense in Phishing, Phishing Defense Center

By Jake Longden. The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scams; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year. With the goal of stealing your store credit card and login information, here’s how it works...


Houdini Worm Transformed in New Phishing Attack

June 14, 2019 by Cofense in Phishing Defense Center, Threat Intelligence

By Nick Guarino and Aaron Riley. The Cofense Phishing Defense Center™ (PDC) and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.


This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

June 11, 2019 by Cofense in Phishing Defense Center

By Milo Salvia and Kamlesh Patel. The Cofense Phishing Defense Center™ has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA). Email Body: The message body is designed to mimic your typical VOIP “missed call” message delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language...


Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

June 10, 2019 by Cofense in Cyber Incident Response

By Kaustubh Jagtap. Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate, gateways haven’t kept up. The Cofense™ report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response. Credential Phish Are the Most Common Threat: 90% of verified phishing emails were found in environments using email gateways....


Using Windows 10? It’s Becoming a Phishing Target

June 5, 2019 by Max Gannon in Threat Intelligence

CISO Summary: Cofense Intelligence™ has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection. What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and...


The Zombie Phish Is Back with a Vengeance

June 4, 2019 by Milo Salvia in Phishing Defense Center

Keep a close eye on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the Cofense™ Phishing Defense Center™ reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie horde.


New Phishing Attacks Use PDF Docs to Slither Past the Gateway

May 30, 2019 by Cofense in Cyber Incident Response

By Deron Dasilva and Milo Salvia. Last week, the Cofense™ Phishing Defense Center™ saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.


Uncomfortable Truth #5 about Phishing Defense

March 27, 2019 by David Mount in Phishing

Last in a 5-part series.  In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth:   Most organizations are unable to effectively respond to phishing attacks.   Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but...


Uncomfortable Truth #4 about Phishing Defense

March 20, 2019 by David Mount in Phishing

Part 4 of a 5-part series.   I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple:  Users are NOT the problem.  There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better.  Let’s illustrate with a story from Malcolm Gladwell.   In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it...


Uncomfortable Truth #3 about Phishing Defense

March 18, 2019 by David Mount in Phishing

Part 3 of a 5-part series. In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click. To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a...


Uncomfortable Truth #2 about Phishing Defense

March 14, 2019 by David Mount in Phishing

In Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into: Uncomfortable Truth #2: You cannot defend against attacks you cannot see. Visibility is a core tenet of any security operations center. After all, if a SOC has no visibility of an attack, they cannot mitigate it. As the threat landscape evolves, organizations deploy more...


Uncomfortable Truth #1 about Phishing Defense

March 11, 2019 by David Mount in Phishing

Part 1 of a 5-Part Series    The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks.   Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded, in fact, it’s become more sophisticated and more effective.   It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In...


Efficient Phishing Programs: 3 Common Problems and 1 Awesome Solution

March 4, 2019 by Cofense in Internet Security Awareness

By Kaustubh Jagtap. You hear it all the time. Teams tasked with improving phishing defense aren’t sure how many employees see, or even receive, the simulations they send. It’s why Cofense™ has introduced the Cofense PhishMe Responsive Delivery™ capability in Cofense PhishMe™ Enterprise edition. This capability allows operators to send a phishing simulation only when targeted employees are actively using email. It also delivers the phishing simulation directly to the employee inbox, thereby bypassing any technical issues including gateway configuration changes and whitelisting complications. Additionally, having this capability adds another layer of automation to your phishing program, making it more effective...


This Company Turned a Phishing Attack into a Teachable Moment

February 27, 2019 by Zach Lewis in Phishing

You’ve read it on this blog before. It’s not enough to simulate phishing emails and raise employees’ awareness. At the end of the day, you need to be able to stop real attacks. One key: basing simulations on phishing threats you actually see in your organization. Following is a real example of one Cofense™ customer that took these words to heart. This company is global. It operates in an extremely data-rich industry that stores Social Security numbers, email addresses, credit card information, and more. In other words, they have a lot to protect. First, the company leveraged information from a...


When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

February 20, 2019 by Tonia Dudley in Internet Security Awareness

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic. First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh: “The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be...


Here’s Proof that Corporate Board Members Want Stronger Phishing Defense

February 12, 2019 by Cofense in Internet Security Awareness

By Susan Mo. More and more, boards of directors are security decision-makers. One example: Cofense just published a case study on a company whose board lit a fire for a stronger phishing defense—and it’s paying dividends. This board took the lead in launching phishing simulations. A leading aviation company in my part of the world, Australia, has a highly public presence. Translation: any security issues would likely make headlines. So the board mandated an anti-phishing program. Using Cofense PhishMe™, the company now runs phishing simulations to condition its employees to recognize and report phishing emails. The program is still in the...


Expect Credential Phishing to Continue Surging in 2019

February 6, 2019 by Tonia Dudley in Internet Security Awareness

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.  


Examples of Silver-bullet Technology Fails

April 13, 2018 by Cofense in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing Defense Center

Most security teams today are pretty much in the same boat: limited budget, limited manpower, and limited time to defend their network against escalating threats and attacks. Perhaps that’s why so many information security vendors claim to have the “silver bullet” to protect the customer’s environment and solve their problems.


Phishing attack shut down in 19 minutes with Cofense Triage.

April 10, 2018 by Cofense in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing Defense Center

Imagine a cunning phisher: he knows his craft and sends your users an email appearing to come from your CEO that bypasses all your other technology. What would you do? One of our customers faced that very scenario and relied on Cofense Triage™ and the Cofense Phishing Defense Center (PDC) to analyze and respond to the attack in less than 20 minutes after it launched.


Analysing TrickBot Doesn’t Have to be Tricky

March 28, 2018 by Milo Salvia in Malware Analysis, Phishing Defense Center

New additions to the TrickBot malware’s capabilities, observed by the Phishing Defence Centre, indicate that this malware tool is undergoing active development. The designers of this malware are still working hard to introduce new functionality including a network worm functionality and a screen-lock module. The worm component utilises the leaked “EternalBlue” exploit for CVE-2017-0144 to propagate itself across networks that have yet to patch or discontinue the use of SMBv1. The deployment of the screen-lock module (which appears to be still in the early phases of development) gives the threat actors the ability to change the functionality of the malware...


By focusing on new hires, this healthcare company lowered its phishing susceptibility.

March 23, 2018 by Zach Lewis in Internet Security Awareness, Phishing Defense Center

A regional healthcare provider started using Cofense PhishMe™ so employees could learn to recognize different types of phishing. At first, the company sent all employees simulated phishes that were tough to recognize. No surprise, susceptibility was high across the business.


New Name, Same People, Stronger Balance Sheet

March 20, 2018 by Rohyt Belani in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing, Phishing Defense Center, Ransomware, Threat Intelligence

Rohyt Belani, CEO & Co-founder, Cofense. So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products.


After improving phishing detection, this company is focusing on response.

March 16, 2018 by Zach Lewis in Malware Analysis, Phishing Defense Center

A global commercial development company needed to train employees to recognize and report phishing. The company launched Cofense PhishMe™ and Cofense Reporter™, conditioning users to identify potentially malicious emails and empowering them to report with a single click.


For this financial services company, tougher simulations hardened phishing resiliency

March 15, 2018 by Zach Lewis in Malware Analysis, Phishing Defense Center

After introducing Cofense PhishMe™ and Cofense Reporter™, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only. In other words, employees had learned to identify basic phishing attacks. Sometimes you need to “turn up the heat.” The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything. To...


Careful: This “life insurance invoice” contains the Ursnif malware

March 12, 2018 by Marcel Feller in Malware Analysis, Phishing Defense Center

Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” gets delivered in the form of a zip file that contains a LNK file with content crafted to create an effective malware downloader tool. The malware it delivers: Ursnif.


This financial services company increased phishing reporting to over 50%

March 9, 2018 by Zach Lewis in Internet Security Awareness, Malware Analysis, Phishing Defense Center

To lower phishing susceptibility, a major financial services company introduced Cofense PhishMe™. By sending a strategic combination of simulated phishes, the company conditioned employees to recognize phishing scams.


PhishMe is now Cofense.

February 26, 2018 by Aaron Higbee in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing, Phishing Defense Center, Ransomware, Threat Intelligence

On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name phishme.com into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.
