Why Phishing Simulation Programs Aren’t Enough

Author: Tonia Dudley

Report after report continues to highlight phishing as the top threat hitting organizations today, leading to either an incident or a data breach. The most recent report published by IBM lists both Business Email Compromise (BEC) and phishing as the leading costs of a data breach. In our recent webinar, we discussed various factors to consider in your email security program related to phishing, well beyond the basics of phishing simulation.

For those that missed our webinar, below are three key insights that we discussed as ways to address ransomware as an organization.

During the webinar, we highlighted one of our recent blogs in which a customer experienced the ROI on their recent Vision implementation after enabling the auto-quarantine feature. With just a few users reporting this email to our Phishing Defense Center (PDC), the team was able to find another 130 emails, which were automatically removed from inboxes company-wide.

Key Takeaway #1 – Why we pioneer phishing simulation methodology

As organizations continue to mature their phishing defense program, there are often many questions around how much, how frequently, and when they can stop. We discussed the reason for creating a safe place for the user to experience the threat in the same place they manage their email. We highlighted several do’s and don’ts for running your program, including the reason to align simulations to the threats your organization is experiencing.

Key Takeaway #2 – Metrics that matter to your Phishing program

Your phishing program is more than your simulation click rate. For years we’ve stressed the importance of focusing on the number of users reporting. Even more critical is combining this data with your real phishing threats. Are you looking at your program holistically to ensure you’re measuring what matters? Are you able to articulate to leadership the value of what you’ve invested in making sure your organization is protected against a phishing incident? Measure the time from when the email hits the inbox, through the user reporting it, to closing the ticket after full remediation of the phish (password resets, network blocks, and endpoint scans or rebuilds).

Key Takeaway #3 – Not everything needs to be a simulation template

There are times when a threat emerges quickly, or a sensitive topic is being used in a real phishing campaign. This is when it’s critical to get the word out to your users to stay on alert. This is best done using a simple newsletter with images of the real phish.

For additional insights from our 2022 Annual State of Phishing Report webinar series:

Compromised Microsoft Dynamics 365 Customer Voice account used for Phishing attack

By Nathaniel Sagibanda, Cofense Phishing Defense Center

Customer feedback is always important for organizations of all sizes, and several well-known companies offer different kinds of feedback tools. But what if those customer feedback systems were used to launch phishing attacks? The Phishing Defense Center (PDC) has observed an interesting technique in which a threat actor sends a spoofed eFax notification from a compromised Dynamics 365 Customer Voice business account to lure the recipient into credential phishing.

These credential phishing emails have been broadly disseminated, with no specific industry targeted. The campaign has hit dozens of companies in multiple sectors, including energy, financial services, commercial real estate, food manufacturing, furniture, data analytics, and professional services.

The phishing email, as seen in Figure 1, claims the recipient has received a “10-page corporate eFax”, a familiar tactic to lure interaction with the email. There are several clues in this email that would most likely encourage the recipient to report it quickly. It starts at the top of the email with the subject, which doesn’t seem to align with the rest of the email: the recipient most likely opened the message expecting to see something about a document needing a signature. However, that isn’t what the message body says. It leads the recipient to believe they received a file, attached via the ‘Attachment File Type: pdf’ line, without an actual file name 🤷🏻‍♀️, delivered from the fax. Further down the email, we see a footer that indicates this email was generated from a survey site.

Figure 1: Phishing Email

When the user clicks the link, they are directed to a Customer Voice survey made to look like an eFax solution page with a reasonable layout, as seen in Figure 2. The URL confirms this is a Microsoft Dynamics 365 webpage (Figure 3). In an effort to further establish the credibility of the page, the threat actor uses the words “dynamic365” and “eFaxdynamic365”.

Figure 2: Phishing page

Noticeably, the threat actor embeds a video of eFax solutions as spoofed service details, instructing the user to contact “@eFaxdynamic365” with any inquiries. The “Submit” button at the bottom of the page serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template and modified it with spurious eFax information to entice the recipient into clicking the link (Figure 2), leading them to a Microsoft login page (Figure 5), which then exfiltrates their credentials to an external URL.

Figure 3: Phishing Page

Figure 4: Successful “Submit” button

Figure 5: Phishing Page

The above phishing campaign may follow a well-known pattern, but because it was sent from a compromised account on a well-known customer feedback platform, it is difficult to block and more easily bypasses SEGs to reach users’ inboxes. By reporting these types of emails to the Cofense PDC, our customers help us identify new phishing email patterns and techniques.

Indicators of Compromise IP

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cofense Increases Efficiency and Visibility with Triage 1.25

With Triage 1.25, SOC teams can now supercharge their efficiency through automation, enhanced reporting, and revamped response templates to fight back more quickly against today’s evolving threats. Here’s the breakdown of what that looks like in action.

Automate More Easily with Triggers

Playbooks, introduced in Triage 1.24.0, let you perform a reusable set of actions on a reported email or cluster of emails with a single button click. Now, automate your playbooks with triggers. When a report meets the conditions you specify in the trigger, the trigger runs your desired playbook automatically! This means fewer clicks and less manual effort when it comes to triaging malicious emails and sending automated communications to your end users. It also means that deep YARA rule-writing skills are not needed to write triggers, making it easy for any SOC team member to get into Triage and begin using it quickly.

To create a trigger, you simply select one or more of the following conditions and then build the trigger around it. Analysts leverage a combination of conditions that make sense based on the type of attack, threat vector, what’s common to their industry, or more.

  • Report Content
  • Reporter Reputation
  • Reporter VIP Status
  • Risk Score
  • Rule Match
  • Rule Priority
  • Rule Count
  • Threat Indicator Value
  • Threat Indicator Count


Active Triggers Dashboard

Triggers and Playbooks allow you more flexibility and granularity when it comes to automating actions across Triage and teams. As a result, our Recipes function will be sunset, as Playbooks offer much deeper functionality. Not to worry though: we’ll give plenty of notice and have even added a button so you can begin to convert your Recipes to Playbooks.

Enhanced Reporting

We released Dynamic Reporting in the Summer of 2021 and continue to build on our strong reporting foundation with more flexibility when it comes to building and distributing reports. The templates that generate dynamic reports are now more robust, with new sections and more options to help you format and refine the data in your output. We’ve also added PDF support so you can distribute reports to any user in an easy to consume format.


Add or Remove Sections and build a bespoke Report

Best practice categories and response templates

The default set now contains six malicious categories and five non-malicious ones. These new defaults reduce the need for customization and better reflect the current phishing trends we are seeing in the field. These categories help prevent confusion and allow SOCs to understand more quickly what threats they are seeing.

And due to popular demand, we are bringing back a workflow called “Categorize Reports.” You can still use the new, quicker way to start workflows, but we wanted to bring more options for our users.

To learn more about Cofense Triage or to see these new capabilities in action, please request a demo at https://go.cofense.com/live-demo/. Cofense Customers can always reach out to their CX team for more information on upgrading.

*Please note: Customers must be on Triage version 1.24.0 or 1.24.1 in order to upgrade to 1.25.0*

Countdown Timer: Ransomware Themed Phishing Attack

By Adam Martin, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) observes a large variety of phishing techniques and lures throughout our customer base. Some of those techniques are unique methods of getting the end user to interact with the message. As illustrated below in Figure 1, the recipient is advised about a suspicious login, alluding to login location issues, and is offered a solution in the form of email verification. The name of the proposed security software company, “DNS Domain Name Server”, is vague enough but “tech”-sounding enough to convince the unsuspecting recipient that this could indeed be their native security service.

Figure 1 Initial Email

What sets this phish apart from other campaigns is the graphic displayed to the recipient once the malicious link is accessed. For the purposes of this example, fake information has been provided to the hosting server.

Figure 2 Example Email Address

Once accessed, the page shown in Figure 3 is displayed. The page runs in a loop with randomly generated names assigned to the domain, based off the target company’s domain. Sharing some similarities with ransomware, the target is faced with a countdown timer and the choice between letting potentially company-wide email access be deleted or entering their credentials to stop it. The timer also creates ransomware-style panic, all designed to push the recipient into entering their credentials without second-guessing. These details aren’t deleted and are merely randomly generated as part of the scare tactic, much the same as a ransomware “timer” for permanent file deletion should the ransom not be paid.

Figure 3 Ransomware style note displayed

As is normally the case with phishing incidents, once credentials have been provided by the recipient, one of two actions generally takes place. The password “input” box will return “wrong password” while the details are posted to the C2 address. Alternatively, you’ll be redirected to a new page along the lines of “validating” the account, which will eventually revert to the homepage of the target organization, as seen in Figure 4. In this case, after several different variations of “validating, checking, confirming”, the user was ultimately redirected back to their own company’s home page.

Figure 4 Validation loop

Indicators of Compromise IP
hXXp[:]//nameserversecurity[.]com/[account]_[verification.php]?cust_mail 199[.]188[.]205[.]252

How Crowdsourced Intelligence Stops Attacks that Bypass Technology

By Dave Alison, VP Product, Cofense

Cofense has focused on the human side of email security for over a decade. This focus requires that we look at the threat landscape through a unique lens – not just the conditioning of employees to spot suspicious emails, but to leverage our intelligence to eliminate threats other employees in other organizations around the world have just reported.

What does that mean? At a high level, it means that crowdsourced human intelligence is stopping attacks BEFORE they happen.

Every day, thousands of novel attacks are launched via email against organizations large and small. These bypass perimeter security technology and land in unsuspecting employee inboxes, potentially causing millions of dollars in damages as threat actors trick unsuspecting employees into activating these payloads or handing over their credentials.

How It Works

Cofense has millions of trained human sensors deployed across organizations and sectors around the world actively reporting those attacks to us as these campaigns hit their inboxes. These emails, combined with other proprietary collections, are analyzed by our Cofense Intelligence team, which examines these threats in close to real time, and quickly provides intelligence derived from these verified attacks to our customers.

This intelligence subsequently feeds an Auto-Quarantine capability, which removes malicious emails from an inbox in minutes, often before users see or have a chance to open the email.

As this rich intelligence is disseminated via our Intelligence API feed, these Indicators of Compromise (IOCs) are deployed to any instance where our customers have Auto-Quarantine fully enabled. Here’s how this unfolds:

  1. A new attack that evades the secure email gateway (SEG) reaches one or multiple employee inboxes.
  2. An employee receives the malicious email and believes it is suspicious. They use the Cofense Reporter to notify their security team or our Cofense Phishing Defense Center (PDC).
  3. A Cofense Intelligence Analyst performs a review of malicious reported emails, building out an Active Threat Report (ATR) and extracting the Indicators of Compromise (IOC). There are over 50K of these IOCs generated every month.
  4. The IOCs are then sent to the Cofense Vision customers, with a 5-minute check-in schedule for any new ATRs added or updated.
  5. Vision AutoQuarantine examines incoming and existing email for the new IOCs and, if found, automatically moves the emails into quarantine.
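Steps 4 and 5 of the loop above, as an added example that is not Cofense’s own code: it parses IOC lines in the defanged two-column format used in the tables on this page (hXXp, [:], [.], [-]), scans a constructed mailbox for the feed’s URLs, hosts and IPs, and returns which messages would be quarantined and why. The IOC values and messages are constructed (RFC 5737 ranges and .test domains), and the function names are this example’s own.

```python
# Added illustration of the IOC check-in/quarantine loop; not Cofense Vision code.
# IOC lines and mailbox are constructed (RFC 5737 address ranges, .test domains).
import re
from email import message_from_string
from urllib.parse import urlparse

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def refang(ioc):
    """Turn the defanged table notation (hXXps[:]//a[-]b[.]c) back into a live value."""
    value = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    for token, plain in (("[:]", ":"), ("[.]", "."), ("[-]", "-")):
        value = value.replace(token, plain)
    return value

def defang(value):
    """Neutralise scheme and host for logging so a recorded hit is not clickable."""
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", value, re.IGNORECASE)
    if not m:  # bare host or IP address
        return value.replace(".", "[.]")
    scheme, host, rest = m.groups()
    return scheme[0] + "xx" + scheme[3:] + "[:]//" + host.replace(".", "[.]") + rest

def load_iocs(lines):
    """Parse 'URL IP' lines in the two-column format used on this page."""
    iocs = {"urls": set(), "hosts": set(), "ips": set()}  # normalised, lower-cased
    for line in lines:
        for token in line.split():
            value = refang(token)
            if IPV4_RE.match(value):
                iocs["ips"].add(value)
            elif value.lower().startswith(("http://", "https://")):
                iocs["urls"].add(value.rstrip("/").lower())
                host = urlparse(value).hostname
                if host:
                    iocs["hosts"].add(host.lower())
    return iocs

def extract_urls(msg):
    """Collect URLs from every text part of a (possibly multipart) email.message.Message."""
    found = []
    for part in msg.walk():
        payload = part.get_payload(decode=True) if part.get_content_maintype() == "text" else None
        if payload:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            found.extend(u.rstrip(".,;)") for u in URL_RE.findall(text))
    return found

def match_message(msg, iocs):
    """Return (kind, defanged value) hits that justify quarantining msg; [] if clean."""
    hits = []
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if url.rstrip("/").lower() in iocs["urls"]:
            hits.append(("url", defang(url)))    # exact URL from the feed
        elif host in iocs["hosts"] or host in iocs["ips"]:
            hits.append(("host", defang(host)))  # same infrastructure, different path
    return hits

def scan_mailbox(raw_messages, iocs):
    """One check-in pass: {Message-ID: hits} for every message that should be quarantined."""
    to_quarantine = {}
    for msg in map(message_from_string, raw_messages):
        hits = match_message(msg, iocs)
        if hits:
            to_quarantine[msg["Message-ID"]] = hits
    return to_quarantine

# Constructed IOC lines in the same defanged two-column format as the tables above.
SAMPLE_IOC_LINES = [
    "hXXp[:]//phish[.]example[.]test/account_verification.php 198[.]51[.]100[.]7",
    "hXXps[:]//flat[-]grass[.]example[.]test/ 203[.]0[.]113[.]9",
]
# Constructed mailbox: an exact-URL hit, a same-host hit, and a benign message.
SAMPLE_MAILBOX = [
    "Message-ID: <1@mail.test>\nContent-Type: text/plain\n\nReview: http://phish.example.test/account_verification.php\n",
    'Message-ID: <2@mail.test>\nContent-Type: text/html\n\n<a href="https://flat-grass.example.test/view">Open</a>\n',
    "Message-ID: <3@mail.test>\nContent-Type: text/plain\n\nMenu at https://intranet.example.test/menu\n",
]
```

Running `scan_mailbox(SAMPLE_MAILBOX, load_iocs(SAMPLE_IOC_LINES))` flags messages 1 and 2 and leaves message 3 alone; a URL whose host is one of the feed's bare IPs is also caught by the host check.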

What We’ve Found

The results are shown in the following graph, which charts the number of emails our system identified as malicious after they got through the SEGs, or the other email controls, that protect the organization.

As you can see, this complete loop is having a powerful impact on the threat landscape. Cofense has operationalized the human security layer, addressing the threats that inevitably make it through the technology layer.

It’s important to note that while each SEG available on the market has varying degrees of effectiveness in identifying these threats, we observe thousands of attacks that have evaded every SEG available. This includes large, well-configured customer environments protected by Microsoft, Proofpoint, Cisco IronPort, Mimecast, etc. The actual attack types we see also run a broad range: malware leading to ransomware, credential phish, business email compromise, targeted attacks against VIPs, etc.

Cofense continues to make great strides in increasing the speed of that loop, getting the IOCs into the email stream quickly. Now, more than ever, Vision with Auto-Quarantine provides the best defense against the attacks that are continuing to make an impact.

Cofense Quarterly Phishing Intelligence Review: 3 Key Takeaways

The Cofense Intelligence team released its Quarterly Phishing Intelligence Review for the second quarter of 2022, which highlights significant shifts in the phishing threat landscape, with some key takeaways highlighted below.

Top five malware types in Q2 2022 and Q1 2022, by volume of emails.

  1. Emotet campaigns continued; however, their overall volume dropped significantly compared to the first quarter of 2022, leading to an overall reduction in phishing activity. Don’t get too comfortable, though: four of the top five malware families most frequently delivered via phishing (FormGrabber, Agent Tesla, QakBot, and Remcos RAT) all saw increases in volume.
  2. Changes in QakBot delivery tactics made QakBot a far more potent threat. Phishing campaigns delivering QakBot became the most effective in terms of reaching end users. QakBot campaigns now go to extensive lengths to bypass security measures, avoid detection, and obstruct analysis. Read the report for more details regarding these effective tactics.
  3. Business Email Compromise (BEC) campaigns continue to impart more financial loss on companies than any other cyber threat. Our team dove into what it looks like when a target interacts with a BEC actor as part of our latest strategic analysis.

BEC Campaigns Like The One Above Reach End Users Regularly

Tired of reading? Well, great news! You can watch our Quarterly Threat Briefing for Q2, which covers many of the report’s findings, on demand here.

Email Quarantine Stops Microsoft Phish after bypassing SEGs

By Schyler Gallant, Cofense Phishing Defense Center

Our analysts in the Cofense Phishing Defense Center (PDC) review thousands of phishing emails, all varying in degree of complexity. Recently, PDC analysts observed a simple Microsoft phish that was reported by several clients. One of these clients had Cofense Vision, which provided insight into how many emails from this campaign appeared in their email environment. Even with a Secure Email Gateway (SEG), there were over 130 emails from this phishing campaign. The vast majority of the emails were not reported to the PDC; however, with the power of Vision’s quarantine function, analysts were able to prevent these from becoming a potential threat to users.


Figure 1: Email Body

The email appears with the subject “Mail delivery failed: return message to sender,” seen in Figure 1. This alert is a common message someone would receive when their messages are kicked back because the person they emailed has a full inbox or the email address does not exist. The first indicator of this phish is that the email sender is genelle[@]sjvma[.]org while representing itself as Microsoft.

In Figure 1, the email body appears with a Microsoft logo, giving the user extremely specific information on when three messages became undeliverable. This is to convey to the user that these emails will need to be reviewed and released for them to come into their inbox. Leveraging legitimate alerts familiar to Microsoft users is a common tactic for threat actors. Once ‘allow messages’ or ‘review messages’ is clicked, the user is directed to hxxp[:]//youdeh[.]co[.]za.


Figure 2: Phishing Page.

When the user clicks this link, they are redirected to a landing page that appears as the Microsoft login in Figure 2. While this appears to be the actual Microsoft login page, looking at the address shows that the URL is actually hxxps[:]//objectstorage[.]me-dubai-1[.]oraclecloud[.]com/n/ax163p6wpz8g/b/bucket-20220621-1039/o/index[.]html. It’s common for Microsoft phish to have a page that closely resembles the real one. If the user did enter their credentials, they would be redirected back to the Microsoft Office page.

Even with the common tactics used in this campaign, Cofense was able to quarantine the emails and protect the client’s environment despite the presence of a Secure Email Gateway (SEG). That’s why Cofense is in a unique position behind SEGs. Vision paired with the PDC can prevent a campaign of this size from causing a potential incident or data breach.

Indicators of Compromise IP
hXXp[:]//youdeh[.]co[.]za 99[.]198[.]101[.]186

Phishing The Phishers: This is How the Number One Cybercrime Works

By: Ronnie Tokazowski, Principal Threat Advisor & Brad Haas, Cyber Threat Intelligence Analyst

How many phish does it take to get to the sugary story of the BEC (Business Email Compromise) attack? That’s exactly what we wanted to find out.

Contrary to many other types of cybercrime, BEC is a conversation-based phishing attack. Scammers simply ask users to do a favor or run an errand, and the person on the other end does just that. BEC actors can use many different pretexts to phish end users. It can be anything from pretending to be the CEO of an organization to asking someone to update payroll or even asking for gift cards for an employee. While many of these tactics are already publicly known, there’s still some confusion about how all these different pieces work together.

Do people become victims after the first email or do the scammers need to have a conversation with the victim?

That’s what we set out to discover in our most recent BEC study.

Phishing The Phishers: What We Found

We wanted to engage with the scammers and understand how these conversations worked. In hundreds of email threads, we did just that. We responded to the scammers, tracked all of our responses, and tried to gauge just how many conversations it would take to draw different conclusions.

How likely were the scammers to respond back, and how many emails did it take to elicit the final pretext?

Based on the hundreds of responses to the scammers, we received responses in 58% of attacks. Many email accounts were taken down by service providers prior to engagement or we simply just didn’t receive a response from the scammers.

Of those 58% of responses, 89% of the phishers told us what they needed after our first response. In many cases this was gift card requests with the initial pretext of “I need you to run this urgent task” or “can you send me your phone number” with no other information. Once we responded back, the scammers came back and said the task was to go to the grocery store and pick up a gift card.

There is a lot more to this study than we could fit in this blog. So, for the rest of our insights from this study, here is a detailed Threat Intelligence analysis breaking down everything we discovered including examples of emails we received from BEC threat actors and percentage of webmail providers utilized.

Ransomware: Proactive Phishing Detection to Mitigate Risk

Author: Tonia Dudley

As we close out our 2022 Annual State of Phishing Report webinar series, we addressed ransomware as it relates to phishing. While we don’t see ransomware itself delivered in an email campaign, there are plenty of tactics used by threat actors as the leading entry into the organization. As we have repeatedly addressed, we can’t stress enough that credential phish, at 67%, remains the number one phishing threat today.

For those that missed our ransomware webinar, below are three key insights that we discussed as ways to address ransomware as an organization.

One of the highlights from this webinar was a tactic that has been seen by Cofense only twice in the past five months. The banking trojan IcedID is used to steal information such as credentials. What’s interesting about this email is that the threat actor leveraged an email from 2017, also using the reply-chain tactic. It’s no surprise the recipient thought this was suspicious and quickly reported the email to our Phishing Defense Center (PDC).

Key Takeaway #1 – Resiliency is key to defending against Ransomware

As we look at the attack chain specific to ransomware, there are several precursor steps that take place before the ransom note is delivered. The key to building a resilient workforce is providing them with relevant phishing simulation training that aligns to current threats hitting their inbox.

Key Takeaway #2 – Zero Days are in play.

As threat actors in the ransomware community have built up their resources, they are now able to step into the zero-day arena to further their attacks. We briefly addressed the Microsoft zero-day published in late May that has been weaponized by the QakBot group. For more on that specific threat, keep an eye out for our quarterly Threat Intelligence webinar to gain more insights.

Key Takeaway #3 – Credential Phish and HTML attachments

We reported credential phish taking a 10-percentage-point jump over the previous year in our annual report. Cofense continues to observe this as the top threat in the first half of 2022. While fewer attachments are landing in the inbox, the top file type that continues to be successful is HTML / HTM files. Organizations should identify ways to mitigate this threat by tuning their controls.

For additional insights from our 2022 Annual State of Phishing Report webinar series: