Phish Found in Proofpoint-Protected Environments – Week Ending August 30, 2020

Share Now


100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s sampling focuses on our finances, with payments, invoices, and taxes luring recipients to click. Organizations with solid awareness and reporting programs reap the benefits of human intelligence that technology can’t match.TYPE: Credential Theft

DESCRIPTION: Everybody wants to get paid. And when an email arrives with a confirmation request, how can you resist? Fortunately, the recipient of this phish did resist. They reported it and protected their credentials, as the attached HTML file was spoofing a Microsoft login page.
Humans – 1
Technology – 0
TYPE: Malware – Loki Bot

DESCRIPTION: Looks like an invoice. Sounds like an invoice. It’s not an invoice. This phish embeds an image that only looks like an invoice, but actually links to GuLoader, which will install Loki Bot. Cofense has been seeing Loki Bot for over 3 years.
TYPE: Malware – BazarBackdoor

DESCRIPTION: Talk about bizarre. Or, in this case, Bazar. This phishing attack tells us we’re tardy on our payments and sends us to a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor, believed to be the work of the same developers as TrickBot. Once again, human intelligence delivers where technology falls short.
TYPE: Malware – Async RAT

DESCRIPTION: And still the payments flow. In this case, a simple banking confirmation using a linked image with a GuLoader to Async Remote Access Trojan attack chain. The creator of this malware – NYANxCAT – is a threat actor Cofense has discussed in the past.
TYPE: Credential Theft

DESCRIPTION: They say nothing is certain but death and taxes. We’d still rather receive an email notification of the latter over the former. In this case, though, our relief is short-lived, thanks to a credential harvesting attack hosted on Microsoft OneDrive.
TYPE: Credential Theft

DESCRIPTION: Accidents happen, and when they do, lawyers can be of great assistance. This phishing attack posing as an accident report from a lawyer is an accident waiting to happen, however. The attached HTML file is designed to steal Office 365 credentials. Another near miss, thanks to an attentive human.TYPE: Malware – URL

DESCRIPTION: Here’s an excellent example of a reply chain that really makes the attack look like a legitimate email thread. We may not even notice the attachment is a Microsoft PowerPoint Show – an odd way of requesting payment. Again, technology didn’t pick this up, but an astute human did. Better luck next time, Skynet!Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.


Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.