About Cofense
About Cofense
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More
Free Tools
Free Tools
Create Transparency
Speed Response

Cofense Blog


Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

August 13, 2019 by Aaron Riley in Cyber Incident ResponseMicrosoft 365 EOPPhishingSEG Misses

Cofense IntelligenceTM has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...


TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

August 8, 2019 by Aaron Riley in PhishingThreat Intelligence

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...


This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

August 7, 2019 by Cofense in PhishingSEG MissesSymantec

By Tej Tulachan The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works. Email Body At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the...


Cofense Labs Shares Research on Massive Sextortion Campaign

August 2, 2019 by David Mount in Threat Intelligence

Are you one in two hundred (or so) million?   Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them.   What’s Sextortion?  You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this:  Send an email in which they claim to have installed malware on your system and have a record of...


Threat Actors Subscribe To Patches

July 29, 2019 by Max Gannon in PhishingThreat Intelligence

Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld....


Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

July 25, 2019 by Cofense in Cyber Incident ResponsePhishing

By Karen Kokiko The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching Traditional email search and quarantine tools are...


Ransomware: A Mid-Year Summary

July 22, 2019 by Cofense in RansomwareThreat Intelligence

By Alan Rainer Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting. Ransomware Is Down...


This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security AwarenessMicrosoft 365 ATPPhishing Defense Center

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.


Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace

January 10, 2019 by Max Gannon in Threat Intelligence

CISO Summary CofenseTM has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.


The Vjw0rm Malware Does It All. Here’s What to Watch For.

January 9, 2019 by Aaron Riley in Threat Intelligence

CISO Summary  It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. CofenseTM has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.   


In 2018, Cheap and Easy Malware Flooded Corporate Inboxes

January 8, 2019 by Cofense in Threat Intelligence

CISO Summary Sometimes it’s the simple things that make life hard. In 2018, over 2/3 of unique malware campaigns Cofense IntelligenceTM observed were simple, inexpensive “stealers” or remote access trojans (RATs). With exceptionally low barrier-to-entry—an email account or website can handle distribution and communication—these malware types make data theft a viable career choice for threat actors without the skills to use more advanced varieties.


Threats of Terror Pervade Recent Extortion Phishing Campaigns

December 20, 2018 by Cofense in Phishing Defense Center

By Lucas Ashbaugh “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”


Domain Fronting, Phishing Attacks, and What CISOs Need to Know

December 13, 2018 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation). Cozy Bear, the Russian threat actors, used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables. While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure...


TV-License Phishing Scam Tricks UK Users Into Giving Personal Information

December 5, 2018 by Milo Salvia in Threat Intelligence

Cofense Intelligence™ recently observed a new phishing scam making the rounds in the United Kingdom. It poses as the TV licensing authority better known as the British Broadcasting Corporation. The premise behind the scam is to trick the user into believing that he or she is breaking the law by not owning a valid license to receive TV, a criminal offense in the UK with a maximum penalty of a £1000 fine plus any legal costs incurred during prosecution.  


2018: A Reverse-Course for Ransomware

December 5, 2018 by Cofense in Threat Intelligence

By Mollie MacDougall The overall number of ransomware campaigns and active families has declined precipitously in 2018 as compared to last year, almost certainly due to multiple deterrents and a better alternative for profit-minded hackers. This reverse-course in ransomware trends follows years of sustained growth in the number of ransomware families and unique campaigns. Still, ransomware attacks make headlines and will likely continue into next year.


Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

November 21, 2018 by Aaron Riley in Threat Intelligence

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.


Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

November 19, 2018 by Cofense in PhishingThreat Intelligence

By Darrel Rendell, Mollie MacDougall, and Max Gannon Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection. Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively. Figure 1:...


Phishing Emails with .COM Extensions Are Hitting Finance Departments

November 15, 2018 by Aaron Riley in Threat Intelligence

Cofense IntelligenceTM has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in all nine months preceding. Four different malware families were utilized. The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.)...


Uncomfortable Truth #5 about Phishing Defense

March 27, 2019 by David Mount in Phishing

Last in a 5-part series.  In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth:   Most organizations are unable to effectively respond to phishing attacks.   Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but...


Uncomfortable Truth #4 about Phishing Defense

March 20, 2019 by David Mount in Phishing

Part 4 of a 5-part series.   I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple:  Users are NOT the problem.  There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better.  Let’s illustrate with a story from Malcolm Gladwell.   In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it...


Uncomfortable Truth #3 about Phishing Defense

March 18, 2019 by David Mount in Phishing

Part 3 of a 5-part series. In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click. To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a...


Uncomfortable Truth #2 about Phishing Defense

March 14, 2019 by David Mount in Phishing

In Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into:  Uncomfortable Truth #2: You cannot defend against attacks you cannot see.  Visibility is a core tenet of any security operations center. Afterall, if a SOC has no visibility of an attack, they cannot mitigate it.  As the threat landscape evolves, organizations deploy more...


Uncomfortable Truth #1 about Phishing Defense

March 11, 2019 by David Mount in Phishing

Part 1 of a 5-Part Series    The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks.   Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded, in fact, it’s become more sophisticated and more effective.   It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In...


Efficient Phishing Programs: 3 Common Problems and 1 Awesome Solution

March 4, 2019 by Cofense in Internet Security Awareness

By Kaustubh Jagtap You hear it all the time. Teams tasked with improving phishing defense aren’t sure how many employees see, or even receive, the simulations they send. It’s why CofenseTM has introduced the Cofense PhishMe Responsive Delivery™ capability in Cofense PhishMe™ Enterprise edition. This capability allows operators to send a phishing simulation only when targeted employees are actively using email. It also delivers the phishing simulation directly to the employee inbox, thereby bypassing any technical issues including gateway configuration changes and whitelisting complications. Additionally, having this capability adds another layer of automation to your phishing program, making it more effective...


This Company Turned a Phishing Attack into a Teachable Moment

February 27, 2019 by Zach Lewis in Phishing

You’ve read it on this blog before. It’s not enough to simulate phishing emails and raise employees’ awareness. At the end of the day, you need to be able to stop real attacks. One key: basing simulations on phishing threats you actually see in your organization. Following is a real example of one CofenseTM customer that took these words to heart. This company is global. It operates in an extremely data-rich industry that stores Social Security numbers, email addresses, credit card information, and more. In other words, they have a lot to protect. First, the company leveraged information from a...


When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

February 20, 2019 by Tonia Dudley in Internet Security Awareness

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic. First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh: “The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be...


Here’s Proof that Corporate Board Members Want Stronger Phishing Defense

February 12, 2019 by Cofense in Internet Security Awareness

By Susan Mo More and more, boards of directors are security decision-makers. One example: Cofense just published a case study on a company whose board lit a fire for a stronger phishing defense—and it’s paying dividends.  This board took the lead in launching phishing simulations.  A leading aviation company in my part of the world, Australia, has a highly public presence. Translation: any security issues would likely make headlines. So the board mandated an anti-phishing program. Using Cofense PhishMeTM, the company now runs phishing simulations to condition its employees to recognize and report phishing emails.  The program is still in the...


Expect Credential Phishing to Continue Surging in 2019

February 6, 2019 by Tonia Dudley in Internet Security Awareness

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.