Phish Found in Proofpoint-Protected Environments – Week Ending July 12, 2020

Share Now


100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s theme is financial – with a large number of invoice and purchase order lures designed to trick recipients into clicking links and attachments. We’ve documented these attack types for some time now.TYPE: Credential Theft

DESCRIPTION: Mail storage-themed phish have been used for some time to frighten recipients into clicking the link so their email account isn’t suspended. This attack, in Chinese, directs the recipient to a credential harvesting page customized with the recipient’s email domain name, lending a sense of veracity to the site.TYPE: Credential Theft

DESCRIPTION: This finance-themed attack uses the ever-popular Microsoft OneDrive to host a malicious OneNote document that steals Office365 credentials before redirecting the recipient to a real Microsoft page, delaying the recognition that they were just targeted.
TYPE: Credential Theft

DESCRIPTION: Keeping with the finance theme, this attack delivers an embedded URL that leads to a credential harvesting page. Proof that if the lure looks good, the recipient can be tricked into clicking.
TYPE: Credential Theft

DESCRIPTION: This is getting repetitive, but another finance-themed attack spoofing a popular brand to convince the recipient to click. This attack targets banking credentials, potentially giving the attackers access to the bank account of the recipient.
TYPE: Malware – Pyrogenic

DESCRIPTION: Last week’s attackers really had money on their minds. This invoice-themed attack uses image links pretending to be invoices to drive the recipient to download the Pyrogenic stealer malware.
TYPE: Malware – Agent Tesla

DESCRIPTION: This attack uses a purchase order theme to deliver an attached .html file that will direct the recipient to download the Agent Tesla malware. We discussed this malware earlier this year on our Phish Fryday podcast.
TYPE: Malware – Dridex

DESCRIPTION: Another invoice, another piece of malware. This time the attacker uses a macro-enabled Microsoft Excel file to deliver the Dridex malware. Are you sure you want to enable macros?TYPE: Malware – Ursnif

DESCRIPTION: This Italian invoice-themed attack forces the victim through a few steps, which were designed with SEG evasion in mind. A password-protected .zip file is delivered, with password provided, which contains a macro-enabled Microsoft Office document. From there, the Ursnif malware is downloaded and deployed. Arrevaderci, baby.
TYPE: Malware – ZLoader

DESCRIPTION: A simple invoice. A simple .xls attachment. A complex attack that uses Microsoft Excel macros and a VBS downloader to install ZLoader on the recipient’s machine. We blogged about this tactic a few weeks ago.
TYPE: Malware – Agent Tesla

DESCRIPTION: Agent Tesla continues to be a popular threat delivered via phishing emails. This attack uses a purchase order theme to entice the recipient into clicking the embedded link to download this malicious keylogger extraordinaire.
Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.


Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.