About Cofense
About Cofense
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More

Cofense Blog


Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

August 14, 2019 by Marcel Feller in Phishing Defense CenterProofpointSEG Misses

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:


Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

August 13, 2019 by Aaron Riley in Cyber Incident ResponseMicrosoft 365 EOPPhishingSEG Misses

Cofense IntelligenceTM has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...


TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

August 8, 2019 by Aaron Riley in PhishingThreat Intelligence

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...


Cofense Labs Shares Research on Massive Sextortion Campaign

August 2, 2019 by David Mount in Threat Intelligence

Are you one in two hundred (or so) million?   Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them.   What’s Sextortion?  You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this:  Send an email in which they claim to have installed malware on your system and have a record of...


Threat Actors Subscribe To Patches

July 29, 2019 by Max Gannon in PhishingThreat Intelligence

Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld....


Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

July 25, 2019 by Cofense in Cyber Incident ResponsePhishing

By Karen Kokiko The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching Traditional email search and quarantine tools are...


Ransomware: A Mid-Year Summary

July 22, 2019 by Cofense in RansomwareThreat Intelligence

By Alan Rainer Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting. Ransomware Is Down...


This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security AwarenessMicrosoft 365 ATPPhishing Defense Center

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.


Analysing TrickBot Doesn’t Have to be Tricky

March 28, 2018 by Milo Salvia in Malware AnalysisPhishing Defense Center

New additions to the TrickBot malware’s capabilities, observed by the Phishing Defence Centre, indicate that this malware tool is undergoing active development. The designers of this malware are still working hard to introduce new functionality including a network worm functionality and a screen-lock module. The worm component utilises the leaked “EternalBlue” exploit for CVE-2017-0144 to propagate itself across networks that have yet to patch or discontinue the use of SMBv1. The deployment of the screen-lock module (which appears to be still in the early phases of development) gives the threat actors the ability to change the functionality of the malware...


By focusing on new hires, this healthcare company lowered its phishing susceptibility.

March 23, 2018 by Zach Lewis in Internet Security AwarenessPhishing Defense Center

A regional healthcare provider started using Cofense PhishMeTM so employees could learn to recognize different types of phishing. At first, the company sent all employees simulated phishes that were tough to recognize. No surprise, susceptibility was high across the business.


New Name, Same People, Stronger Balance Sheet

March 20, 2018 by Rohyt Belani in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishingPhishing Defense CenterRansomwareThreat Intelligence

Rohyt Belani, CEO & Co-founder, Cofense So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products. 


After improving phishing detection, this company is focusing on response.

March 16, 2018 by Zach Lewis in Malware AnalysisPhishing Defense Center

A global commercial development company needed to train employees to recognize and report phishing. The company launched Cofense PhishMeTM and Cofense ReporterTM, conditioning users to identify potentially malicious emails and empowering them to report with a single click.


For this financial services company, tougher simulations hardened phishing resiliency

March 15, 2018 by Zach Lewis in Malware AnalysisPhishing Defense Center

After introducing Cofense PhishMeTM and Cofense ReporterTM, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only. In other words, employees had learned to identify basic phishing attacks. Sometimes you need to “turn up the heat.” The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything. To...


Careful: This “life insurance invoice” contains the Ursnif malware

March 12, 2018 by Marcel Feller in Malware AnalysisPhishing Defense Center

Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” gets delivered in the form of a zip file that contains a LNK file with content crafted to create an effective malware downloader tool. The malware it delivers: Ursnif.


This financial services company increased phishing reporting to over 50%

March 9, 2018 by Zach Lewis in Internet Security AwarenessMalware AnalysisPhishing Defense Center

To lower phishing susceptibility, a major financial services company introduced Cofense PhishMeTM. By sending a strategic combination of simulated phishes, the company conditioned employees to recognize phishing scams.


PhishMe is now Cofense.

February 26, 2018 by Aaron Higbee in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishingPhishing Defense CenterRansomwareThreat Intelligence

On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.


Be Careful Who You Trust: Impersonation Emails Deliver Geodo Malware

November 16, 2017 by Marcel Feller in Malware AnalysisPhishing Defense Center

Over the past weeks, the Phishing Defence Centre has observed several reports that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx in emails used to deliver the Geodo botnet malware. Figure 1 demonstrates an example of an email we have received.


Threat Actors Put a Greek Twist on Ransomware with Sigma

November 10, 2017 by Cofense in Malware AnalysisPhishing Defense Center

When we think of Greek-themed malware, the trojan family generally comes to mind. Not anymore, Sigma is a new ransomware delivered via phishing email.