Phishes Found in Proofpoint-Protected Environments – Week Ending May 24, 2020

Share Now


100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine phishing email threats in minutes.   

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s examples see the continued use of macro-laden Microsoft Office documents, which have been a top delivery mechanism of malware for years.TYPE: Malware – QakBot

DESCRIPTION: Response-themed emails deliver embedded URLs to VBS scripts to download the QakBot banking trojan. Because the phishing email is a reply to a legitimate chain, these attack URLs are often skipped by URL protection methods.TYPE: Malware – Pyrogenic

DESCRIPTION: Finance-themed emails deliver embedded URLs to JAR files to download the Pyrogenic Stealer. Though obfuscated, the stealer’s code is rather straight forward, and yet frequently avoids detection.
TYPE: Credential Theft 

DESCRIPTION: Finance-themed emails a management company to deliver embedded OneNote links. The OneNote page contains different versions with links pages crafted to steal credentials. Hosted OneNote notebooks are becoming more popular in phishing attacks.
TYPE: Malware – FormGrabber

DESCRIPTION: Order-themed emails spoofing a vendor delivers the FormGrabber malware via a CVE-2017-0199 to CVE-2017-11882 download chain. This phishing campaign is included in Cofense’s free COVID-19 YARA Rules.
TYPE: Malware – NanoCore

DESCRIPTION: Finance-themed emails deliver an embedded DropBox link to a 7z archive containing the GuLoader executable. Once clicked, the GuLoader downloads and executes NanoCore RAT from Microsoft OneDrive.
TYPE: Credential Theft 

DESCRIPTION: Document-themed emails deliver embedded Google Cloud Storage (GCS) links. The links harvest email login credentials and exfiltrate to a non-GCS location.
TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof the United Kingdom government and HRMC to deliver embedded URL shorteners from tinyurl and is[.]gd. The URL shorteners redirect to a phishing URL that uses disc[.]us and appears to allow you to ‘claim your tax refund’. The phishing URL harvests personal information, credit card and issuer details.
TYPE: Malware – TrickBot

DESCRIPTION: Coronavirus-themed emails deliver an attached Excel spreadsheet which exploits CVE-2017-11882 and includes an Office Macro, both of which are used to drop and run a VBS script. This script then downloads and runs TrickBot.
TYPE: Credential Theft

DESCRIPTION: Voicemail Notice-themed emails deliver an embedded link to a credential phishing landing page that is spoofed to look like a Microsoft Outlook sign in page.
Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.


Cofense recommends that organizations invest in phishing awareness training for employees and provide a tool to report phishing emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.