Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

Cofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular Microsoft Exchange Online Protection, and make its way to the end user.

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

By Karen Kokiko

The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response.

Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here.

Fast and Flexible Searching

Traditional email search and quarantine tools are slow and inflexible, offering limited search scope like ‘Sender’ and ‘Subject.’ It’s difficult to find the entire attack fast enough and account for the way tactics, techniques, and procedures morph.

The Cofense Vision user interface allows SOC analysts to search by combinations of fields, grouping emails together by selected criteria. You can search for recipients, senders, MIME type, attachments, a specific time, and more, essentially creating your own cluster. Then quarantine one or hundreds of malicious emails with a simple click. If you later determine that emails are harmless, you can “un-quarantine” them just as easily.

Built for Companies of All Sizes

The new Cofense Vision UI supports smaller customers who don’t have engineering teams or power users to write scripts and code. You can simply search natively and quarantine quickly. An hour after installation, analysts are ready to defend.

For example, an end-user at a small business sends a suspicious email to IT for investigation. IT determines it is malicious and wants to find out if anyone else received it. With the new Cofense Vision UI, they can search on key criteria found in the malicious email to determine if more than one instance of the message is in their environment, then quarantine it in seconds.

If your company is larger, the interface improves the experience of power users and operators who are writing scripts or otherwise programmatically interacting with Cofense Vision. Proactive analysts, those with some information about where and how the bad guys are likely to attack, can use the UI to identify and quarantine malicious actors before any damage is done. SOC analysts can write rules to look for signs of malicious activity, searching criteria such as To, From, Subject, Attachment Hash, and the content of the message.

All of this shortens “dwell time” and the amount of damage an attacker can cause in your email environment. According to a SANS Institute survey, 75 percent of respondents say they reduced their attack surface by through more threat hunting. Fifty-nine percent believed that threat-hunting enhanced the speed and accuracy of their company’s incident response.1

The new Cofense Vision UI makes threat-hunting faster, easier, and more effective. Learn more or sign up for a demo now!

More Ways Cofense Can Help

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Then reduce exposure time by rapidly quarantining threats with Cofense Vision.

Be proactive against evolving phishing threats. Easily consume high-fidelity phishing-specific threat intelligence to defend your organisation with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threat than Cofense. Understand the current phishing threat – read the 2019 Phishing Threat & Malware Review.


1SANS Institute, “2018 Threat Hunting Survey”:


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

By Jake Longden

The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work.

Email Body:

The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.

WeTransfer allows for the addition of a note to the email to clarify why the file was sent. Here, the threat actor will often write a note stating that the file is an invoice to be reviewed. This is a commonly observed phishing technique to pique the user’s interest.

Fig 1. Email body

Phishing Page:

When the user clicks on the “Get your files” button in the message body, the user is redirected to the WeTransfer download page where a HTM or HTML file is hosted and thus downloaded by the unsuspecting victim. When the user opens the .html file, he or she is redirected to the main phishing page.

Fig 2. WeTransfer Hosted file

In the final stage of the attack, victims are asked to enter their Office365 credentials to login. More often than not, we see a Microsoft Service being targeted, however we have observed other targeted brands.

Fig 3. Phishing Page

Gateway Evasion

As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites. The PDC has observed this attack method to bypass multiple gateways. These include ProofPoint, Office365 Safe Links,  and Symantec.

Useful Resources for Customers

Triage Yara rule: PM_WeTransfer_File_Download
PhishMe Templates: “File Transfer”
Cofense Intelligence: 

Other Ways Cofense Can Help

The Cofense Phishing Defense Center identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.  Our solution offers a phishing simulation to protect against file-transfer attacks like the one described in this blog.

According to the Cofense Phishing Defense Center, over 91% of the credential harvesting attacks they identify bypassed email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understand, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

By Kaustubh Jagtap

Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up.  The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response.

Credential Phish Are the Most Common Threat

90% of verified phishing emails were found in environments using email gateways. This included over 23k credential phishing emails and approximately 5k emails that delivered dangerous malware. The Cofense Research and Cofense IntelligenceTM teams also noted a change in tactics with Business Email Compromise (BEC) attacks. Threat actors are now targeting payroll administrators, as compared to the usual CEO/CFO targets. Our teams also found an increase in extortion tactics including sextortion and bomb threats to create urgency and panic.

Threat Actor Tactics Are Evolving

As they shifted malware delivery mechanisms, threat actors showed a strong preference for the exploitation of CVE-2017-11882, an older Microsoft Equation Editor vulnerability. Over 45% of all malicious attachments over the past year exploited this CVE to deliver malware.

Between August 2018 and February 2019, Cofense observed malicious .ISO files bypassing gateways, indicating the use of novel file types to escape detection. There were also significant developments in Installation-as-a-service (IaaS). Emotet embraced the IaaS business model in 2018 to deliver other malware like TrickBot, IceID, and QakBot. Cofense Research observed 678k unique Emotet infections through April 2019.

Cloud Filesharing Services Are Being Badly Abused

Cofense saw widespread abuse of cloud filesharing platforms to host and spread malicious content, including “legitimate” links to the content embedded in the phishing email. We found 9445 phishing emails that abused cloud filesharing services to deliver a malicious payload. Threat actors preferred SharePoint (55%) and OneDrive (21%) over other cloud filesharing providers.

How to Protect against Phishing and Malware

The report details numerous ways to defend against email threats. They include:

  • Educate users – Train and condition users to spot phishing emails. Faster incident response begins with better human intelligence.
  • Focus education on new TTPs – Make sure to educate your SOC team and end users on emerging threats and phishing tactics. Threat actor TTPs are constantly evolving. Complacency can breed painful consequences.
  • Train users to spot credential phish – Pay special attention to phishing scenarios where users are asked to login and supply credentials.
  • Enable multifactor authentication- It’s especially urgent if you have single sign-on.

To see more tips and the full story on phishing and malware threats, download your copy of the Cofense Phishing Threat & Malware Review 2019.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

New Phishing Attacks Use PDF Docs to Slither Past the Gateway

By Deron Dasilva and Milo Salvia

Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.

The Cofense Phishing Defense Center Sees Threats That Most Don’t

The CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see.

Here’s a Real Example Involving Compromised Email Accounts

A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization.

In fact, they utilized a technique known as the Zombie Phish, so called because it revives a dormant email conversation the user had had to disarm the user and lure him into clicking. We provided the indicators of compromise to the customer’s point of contact, plus included a link to a Cofense blog about the Zombie Phish.

We Found Over 2000 Malicious Emails—in Just 3 Days

A couple of weeks passed uneventfully. Then, we saw a new batch of reported emails from compromised accounts, followed the next day by a spike in similar messages. In a 3-day period, we found 2053 malicious emails sent through 77 internal accounts. Subject lines varied, but every one of these emails contained a link to “Display Message,” which redirected to a login page spoofing the customer’s actual page. It asked users to enter the password for their company account.

The techniques in these emails seemed to be part of a global phishing campaign targeting UK organizations. The target’s email address was encoded in the link. When someone clicked, the login page displayed the organization’s logo. The links’ behavior varied, sometimes redirecting to a fake site instead of the spoofed login page, other times displaying a message that the URL was unavailable.

The team in the Cofense Phishing Defense Center was glad to be of assistance. Learn more about our phishing defense services.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Finding the Whole Phishing Attack: Problems and Solution

Mitigating a phishing attack is a little like zapping termites. If you don’t eliminate the whole problem, trouble continues to breed.

To help, CofenseTM has announced the general availability of Cofense VisionTM. We knew that existing email search and quarantine tools weren’t fast enough, making it hard for the SOC to find and remove every phish.

Integrated with the latest release of Cofense TriageTM, Cofense Vision lets incident responders see the entire phishing attack, including emails not reported by users. With a single click, the SOC can quarantine every bad email and stop the attack in its tracks.

Cofense Vision copies and stores all emails in the customer’s cloud, so the SOC can look for a phishing campaign without creating more work for the email team. The solution also provides a compliant, auditable workflow.

Let’s take a closer look at some of the problems it solves.

“Searching takes too long.”

Every day, phishing emails bypass perimeter defenses to land in users’ inboxes. As the Cofense Phishing Defense Center has reported, 1 in 7 reported emails is malicious. In 2018 alone, for example, our team found over 55,000 credential phishing attacks. A single well-crafted phish can cost a business big. It’s critical to perform searches quickly and efficiently, especially since threat actors are more creative in evading network security with polymorphism, encryption, and obfuscated malware.

But traditional native tools, Powershell, for instance, make email searching complex and extremely time-consuming. To search and purge with Powershell you’re limited to 50,000 mailboxes. If the mail environment is larger, you have to create multiple searches.

You also have to build searches for multiple senders or multiple subject lines, which complicates the hunt and slows it even more. It’s also tough to know that you’re hitting every mailbox and not missing any threats.

In old-school searching, emails are grouped together, or “clustered,” based on an exact match to criteria like sender and subject. This allows you to find emails that match criteria you know about. However, such an approach to clustering doesn’t account for the way malware morphs and avoids exact matching, in some cases changing the sender, subject, or content for each recipient.

“We create more work for the email team.”

Traditionally, every step described above is handled by the IT team that owns the email platform—not by the SOC, the team responsible for stopping attacks. There’s a built-in conflict, one of competing priorities. The messaging team needs to make sure legitimate emails go through, while the SOC is trying to defend the business by mitigating attacks.

In this set-up, the messaging team is doing its day job AND handling SOC requests to find and quarantine phishing emails. The issues detailed in the previous section—the limits of native search tools and the inadequacies of old-school clustering—make life even more difficult for the messaging team. They’re asked to perform searches that (a) take a lot of time because they’re so complex and (b) get in the way of their regular duties.

Without a solution that empowers the SOC to search and quarantine on its own—with no heavy lift from the messaging team besides determining the fate of quarantined emails—the hunt for phishing threats is going to be inefficient. It’s a lot easier to send a command than to make a request.

With Cofense Vision, operators search an offline copy of the email environment hosted in their own cloud. There is thorough and strict auditing of who is searching for what. The SOC team gets what it needs while the mail team doesn’t have to hand over the keys to the kingdom.

If complicated email searching is slowing your phishing response, get more details on Cofense Vision. Learn more here.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Introducing the Cofense Triage Certification Program

By Kiarra Grant

Want to be a certified expert in phishing response? Now you can.

Introducing the Cofense Triage TM Operators Certification. It’s our second industry-specific certification program, complementing our program for operators of Cofense PhishMeTM. The new program is focused on Cofense Triage, the first and only phishing-specific incident response platform. Become an expert in Cofense Triage while taking your phishing defense program to the next level.

The Cofense Triage Certification program provides:

  • Validation and certification of skills in the operation of Cofense Triage
  • Training in running a successful phishing response program
  • The ability to augment Cofense solution expertise with free threat landscape education modules
  • Complete education and testing for certification in about two hours, at the user’s pace

Upon completing the course, you may earn CPEs for your certifications by self-reporting to third-party organizations such as (ISC)² for review. This certification is included with your Cofense Triage license, so there is no charge for this program.

Users can request access to the certification by going to the “Request Cofense Triage Certification” button at the top of any Cofense Community page. Or click here.


How to Orchestrate a Smarter Phishing Response

We’ve been talking a lot recently about phishing-specific SOAR (Security Orchestration Automation and Response). It’s a capability CofenseTM has pioneered to help you mitigate phishing emails faster and more efficiently. Recently, we examined automation, the ‘A’ in the acronym. Now let’s take a deeper look at the ‘O,’ orchestration.

Involve the Right Teams Faster with Cofense TriageTM

Like a symphony conductor waving a wand, your phishing response needs to engage the right teams at the right time. To make that happen, Cofense TriageTM starts by reducing noise with an advanced spam engine, removing benign emails your employees have reported and freeing security teams to focus on real threats.

We also have out-of-the-box integrations with almost two dozen leading security solutions, including:

View the complete list.

Our integrations make it possible, for example, to connect intelligence on a suspicious URL to logs generated by your firewall and end points. Or, an operator working within Cofense Triage can push details about a phishing campaign to the help desk.

For solutions Cofense Triage isn’t integrated with (yet), we have a new API. It syncs to SIEM solutions, ticketing systems, threat intelligence system, and even sandboxing tools, so you can examine reported emails for overt threats or links to compromised servers. Email headers, which are often spoofed in phishing, can be examined too. And even the full text of the message, rendered but not actually assembled to protect the IT teams working within our solution, can be read and displayed.

Our fully documented REST API can pull information on individual emails, entire clusters (phishing campaigns), attachments, reporters, integrations, health stats and more. You can use it the preprocessing stage to notify teams of malicious attachments at soon as they’re reported.

This release also extends syslog alerting with Cofense Triage. With syslog enabled, Cofense Triage can send out alerts to other systems. Syslog alerts can be used to share information like the cluster velocity, operational SLA alerts, platform health, ingestion health and triage recipe monitoring.  This enables Cofense Triage to share alerts across the entire incident response team.

Automation is great—it’s a must in today’s world. But orchestration makes it work all the more effectively. Put the two together and your phishing defense wins. To learn more about Cofense Triage, sign up for a live 1:1 demo.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.