Cofense - Security Awareness Training & Email Threat Detection

Phishes Found in Proofpoint-Protected Environments – Week Ending May 17, 2020

Share This Article

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint.  We note that the vast majority are Credential Theft attacks, which Cofense predicted would surge over 15 months ago. Today, they still remain a significant threat.

TYPE: Malware – Agent Tesla

DESCRIPTION: In 2019, Cofense Intelligence identified the Agent Tesla keylogger as a top phishing threat. 7 months later, this malware is still reaching inboxes. This example delivered an embedded URL, luring the victim with a purchase order.

TYPE: Credential Theft 

DESCRIPTION: Phishing threat actors love to leverage the trust that their victims and their SEGs place in online hosting platforms. This attack starts with a WeTransfer link that eventually steals email credentials via a Microsoft OneDrive-hosted file.

Credential Theft 

DESCRIPTION: This attack takes a page from the spammer’s guidebook, seeking to obfuscate the sender address to slip through perimeter defenses. It spoofs Netflix to deliver a shortened URL leading to a phishing page.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attacks are both popular and successful at reaching inboxes to victimize recipients. This phish takes advantage of familiarity with Microsoft Office365 trick victims into clicking the embedded link and giving up their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Many organizations let their SEG filter questionable email and empower the recipients to review and allow or block. Crafty phishers spoof the concept to get their victims to click the links. These lead the victim to a website designed to steal their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Another phish exploiting a trusted platform. This example spoofs the Adobe Document Cloud with an image linked to a website designed to steal Adobe login credentials.

TYPE: Credential Theft

DESCRIPTION: Using Coronavirus as the premise, this attack spoofs a legitimate bank informing the recipient that they need a new bank card. The attackers steal not only the victim’s banking credentials, but their address, phone number and PIN.

TYPE: Credential Theft 

DESCRIPTION: Have we mentioned attackers leverage trusted platforms? This phish offers a Microsoft OneDrive-hosted invoice in PDF form. It collects the victim’s login credentials and then sends them to a legitimate PDF hosted by the Federal Reserve.

TYPE: Credential Theft

DESCRIPTION: Yet another attack using Microsoft infrastructure – this time SharePoint – to host portions of the attacker’s campaign. This one is a hosted PDF leading to a web page designed to steal credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.


Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.