Cofense Blog

Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears

One, Two, Three Phish: Adversaries Target Mobile Users

This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget

Going Phishing in the African Banking Sector

Utilizing YouTube Redirects to Deliver Malicious Content

The Value of Human Intelligence in Phishing Defense

By Guest Blogger, Frank Dickson, Program Vice President, Cybersecurity Products, IDC The value of humans, our fellow employees, in phishing defense has been a hotly contested topic for quite some time. Advocates say that end users play a role, be it innocent and unintended, in just about every phishing campaign. Proper behavior modification can ultimately solve the problem. Detractors only to need point to the consistent “clickiness” of end users to question that value. Yet the reality is that responsibility lies somewhere in the middle. The detractors are indeed correct. Users do continue to click on malicious links and participate...

Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns

Threat Actor Uses OneNote to Learn Credential Phishing and Evade Microsoft and FireEye Detection

Phishers Are Using Google Forms to Bypass Popular Email Gateways

Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways

Emotet Malicious Phishing Campaigns Return in Force

By Alan Rainer and Max Gannon The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation. In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Upon installation of the Emotet executable, the banking Trojan TrickBot may be placed onto the...

New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

Astaroth Uses Facebook and YouTube within Infection Chain

  All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Phishing Campaign Uses Captcha to Bypass Email Gateway

Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

Advanced Phishing Campaign Delivers Quasar RAT

Cofense IntelligenceTM has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along...

New Phishing Campaign Bypasses Microsoft 365 ATP to Deliver Adwind to Utilities Industry

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:

Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears

One, Two, Three Phish: Adversaries Target Mobile Users

Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget

Going Phishing in the African Banking Sector

Utilizing YouTube Redirects to Deliver Malicious Content

The Value of Human Intelligence in Phishing Defense

By Guest Blogger, Frank Dickson, Program Vice President, Cybersecurity Products, IDC The value of humans, our fellow employees, in phishing defense has been a hotly contested topic for quite some time. Advocates say that end users play a role, be it innocent and unintended, in just about every phishing campaign. Proper behavior modification can ultimately solve the problem. Detractors only to need point to the consistent “clickiness” of end users to question that value. Yet the reality is that responsibility lies somewhere in the middle. The detractors are indeed correct. Users do continue to click on malicious links and participate...

Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns

Threat Actor Uses OneNote to Learn Credential Phishing and Evade Microsoft and FireEye Detection

Phishers Are Using Google Forms to Bypass Popular Email Gateways

Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications

Attackers Use a Bag of Tricks to Target Greek Banking Customers

Recently, the Cofense™ Phishing Defense Center has observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank. Alpha Bank is the fourth-largest Greek bank. We observed threat actors using multiple tactics to gain login credentials which include user names, passwords, and secret questions. This information would allow threat actors to access unsuspecting victims’ accounts draining funds and perhaps reusing those credentials on other websites.

Another Global Phishing Campaign Distributes Malware Via Fake Invoices

On Thursday June 14th, the Cofense™ Phishing Defense Center (PDC) noted a campaign targeting UK customers with several emails containing the same subject, “Invoice INV-03056,” and prompting the user to view a supposed invoice. The next day, we saw a very similar campaign that delivered French language phishing emails. Upon analyzing the emails, the PDC notified customers that received them, so they could respond as needed. We also notified all our UK customers of the IOC’s.

We Helped a Customer Block this Open Directory Phishing Attack

On May 22, 2018, the Cofense Phishing Defense Center observed a Microsoft credential phishing attack that was received by one of our Managed Service customers. The Phishing Defense Center’s goal is to provide our customers all the relevant information on an attack against their employees, within an hour of an email being reported, so customers can take the necessary steps to prevent further attacks. By doing a deep dive investigation into this attack we were able to find multiple other phishing attacks listed on the site, the kits used to create the phishing pages, and several other domains created by...

Hackers Analyse Your Capabilities. Use this Matrix to Do the Same

Regular followers of Cofense™ know that phishing threats evolve. For detailed evidence, read the Cofense Malware Review 2018 and see the techniques threat actors employ to keep security teams on their toes.

Russian “Troldesh” AKA Encoder.858 or Shade is back!

On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email containing the Troldesh malware, a variant of Russian Ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.

5 ways we boost your anti-phishing program’s ROI.

If you’re shopping for a vendor to help with phishing awareness training, you might be thinking, “They all seem pretty similar. What’s the difference?”

How to Avoid Drowning in Spam and Phishing Emails

As we have continued to improve anti-phishing capabilities for clients over the past few years, we have seen a myriad of changes in phishing email composition, style, and approach. Throughout all those changes however, one thing has remained the same.

Their email filters missed these threats. Good thing the users didn’t.

By Jerome Doaty, Zakari Grater, and Brenda Gooshaw Samson Technology is an important part of any phishing defense, especially perimeter tech designed to filter emails. But these systems, even those billed as “next-gen email security platforms,” don’t catch everything. Some phishes always get through.

Examples of Silver-bullet Technology Fails

Most security teams today are pretty much in the same boat: limited budget, limited man power, and limited time to defend their network against escalating threats and attacks.  Perhaps that’s why so many information security vendors claim to have the “silver bullet” to protect the customer’s environment and solve their problems. 

Phishing attack shut down in 19 minutes with Cofense Triage.

Imagine a cunning phisher: he knows his craft and sends your users an email appearing to come from your CEO that bypasses all your other technology. What would you do? One of our customers faced that very scenario and relied on Cofense TriageTM and the Cofense Phishing Defense Center (PDC) to analyze and respond to the attack in less than 20 minutes after it launched.