Cofense - Security Awareness Training & Email Threat Detection

Signature Deadline: The Creation of Panic by Phish

Share This Article

By Adam Martin, Cofense Phishing Defense Center

As threat actors phish for credentials, they continue to send emails in alignment with organizational business processes, such as demands for signatures or approvals for “sensitive” documents. A trend recently found by the Cofense Phishing Defense Center (PDC) team is a pre-set deadline for access to the given sensitive information. This represents a two-pronged approach to phishing. Element one is trust. Suspicions would be lowered because one would assume a threat actor would want the material accessible for as long as possibleElement two is urgency, given the deadline for viewing. Both aspects are illustrated in Figure 1.  

Figure 1: Cofense's Phishing Detection and Response Platform dashboard

Figure 1 

Once the provided URL is accessed, the following page is displayed. The first stage to this credential phish is a sham SharePoint page. As can be seen from the address barthe webpage is hosted by another vendor 

Figure 2: Cofense's Real Phishing Threats in 2020 report cover

Figure 2 

Further down on the same landing page, an image of an envelope labeled “proposal” is seen. Another confidence-inspiring message is also found; it bears some semblance of legal legitimacy.

Figure 3: Cofense's Spear Phishing Report infographic

Figure 3 

Upon accessing the link to the seemingly legallyprotected document, a common tactic is employed whereby the threat actor allows the recipient to choose their email providerThis is complemented by blurred content possibly to up the temptation to access the obscured information. The base URL changes to one that has little to do with the sending company or any legitimate email provider.  

Figure 4: Cofense's State of Phishing Defense report cover

Figure 4 

Once the login credentials are entered, they are exfiltrated to an external server.  

Figure 5: Cofense's Social Engineering Red Flags poster

Figure 5 

Indicators of Compromise 


13[.]32 [.] 204 [.] 55 

13 [.] 32 [.] 204 [.] 80 

13 [.] 32 [.] 204 [.] 53 

13 [.] 32 [.] 204 [.] 46 

hXXps://stickymoosestickers[.]com/austt/index.php 199 [.] 250 [.] 201 [.] 182 
All third-party trademarks referenced byCofensewhether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship betweenCofenseand the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or differentconfigurations may be effective at stopping these or similar threats. 
TheCofense® and PhishMe® names and logos, as well as any otherCofenseproduct or service names or logos displayed on this blog are registered trademarks or trademarks ofCofenseInc. 


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.