Cofense Email Security

Want to simulate a holiday phish? This one’s from your friends at Emotet.

By Tonia Dudley

Tis the season when organizations are looking to send out the year’s last phishing simulation. Often the Security Awareness team lands on a holiday theme – holiday party, holiday raffle, or even the fun ugly sweater lure.

In the past, when I worked with teams to advance their phishing defense programs, I would recommend staying away from holiday themed scenarios. I’ll explain why in a moment. But my opinion has changed, thanks to the threat actors behind Emotet.

We first saw Emotet using a holiday theme in late October as Halloween approached. This was an interesting shift, as not only did it include a macro enabled MS Word attachment, but it was one that they had created. Many of the templates they used came from scrapped inboxes to leverage real email conversations. Fast forward to the year-end holiday season when organizations host parties to celebrate. Our Cofense LabsTM team closely monitors the Emotet botnet, and thus we began seeing the holiday theme hit the wire. Within a few days, we also saw the additional language translations. Ah! They enlist translators!

Figure 1: Emotet Holiday Themed Email

When you look at the email in Figure 1, it’s not pretty or well formatted – unlike the templates used in simulation campaigns. What else do you notice about this attachment? Does your organization still use .doc for MS Word? Not likely. I can imagine if you’re required to get management approval for your campaigns, you would be told to go back to the drawing board and get more creative.

However, if your phishing defense program is aligned with active threats hitting organizations, then this is exactly the template you should be using to train your users to identify a real phish. We don’t do justice for our organizations when we craft really fancy templates that don’t align to what threat actors are sending to your users’ inbox. When we took a look at one of our fancy social media invites, the susceptibility rate was around 7%.

However, when we looked at a template that modeled a real active threat, the susceptibility rate is almost 52%.

Figure 2: Examples of Simulated Holiday Phish

During the month of December, Cofense sees an uptick in requests from customers to create “custom” holiday phishing simulations. Again, these are typically fancy made up emails that mimic an eCard (and are blocked by most Secure Email Gateways), the type of email we don’t see hitting our active threats queue when we’re monitoring real phish in the wild.

Until now. So by all means, go ahead and simulate a holiday phish. Just remember to keep it real.



100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center were reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Christmas Party – Emotet,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34972.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Share This Article


We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.