Phish Found in Proofpoint-Protected Environments – Week ending November 20, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by secure email gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Credential Phishing 

DESCRIPTION:  Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials. 

TYPE: Credential Phishing 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.

Note: They were made to look like a Dropbox document notification.

TYPE: AZORult Stealer 

DESCRIPTION: Order-themed emails found in environments protected by Proofpoint deliver AZORult stealer via attached passwordprotected RAR archives. The RAR archive contains a GuLoader executable that downloads and runs an AZORult binary. 

 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week ending November 13, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage 

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION:  Purchase order-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded links. The embedded links download an ISO archive that contains an Agent Tesla Keylogger executable. 

TYPE: Credential Phishing 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links download a PDF file that contains a link that leads to a credentialphishing landing page. The PDF was hosted and downloaded from SharePoint. Note: this campaign is in the Dutch language. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION: Courier-spoofed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded links. The embedded links download a TGZ archive that contains an Agent Tesla Keylogger executable. The payload was hosted and downloaded from OneDrive. Note: this campaign is in the Romanian language. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week ending November 6, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage 

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION:  Notification-themed emails found in an environment protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs. The embedded URLs download a GZ archive that contains an Agent Tesla executable. 

TYPE: Remote Access Trojan 

DESCRIPTION: USPS-spoofing emails found in environments protected by Proofpoint deliver Quaverse Remote Access Trojan via embedded OneDrive URLs. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded URLs. Note: These emails are in Spanish.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week ending October 30, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and analyzed and dispositioned by Cofense Triage 

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: LokiBot

DESCRIPTION: Shipping-spoofing emails found in environments protected by Proofpoint deliver LokiBot via an attached CVE-2017-0199 open XML exploit. The CVE-2017-0199 exploit downloads and runs a DOC file that exploits CVE-2017-11882 to download and run LokiBot.

TYPE: QakBot

DESCRIPTION: Response-themed email found in environments protected by Proofpoint deliver QakBot via malicious Office macros downloaded from an embedded URL.

TYPE: Remote Access Trojan

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Remcos RAT via XXE attachments. The XXE archive contains a GuLoader executable that downloads and runs Remcos RAT.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week ending October 23, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage 

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Credential Phish 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a Systel Inc-spoofing email to deliver credential phishing via embedded Canva links. The embedded Canva links redirect to phishing URLs that harvest email login credentials. 

TYPE: Agent Tesla Keylogger 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses the lure of a shipping document from Maersk to deliver the Agent Tesla keylogger via embedded Dropbox links. The links download a RAR archive that contains an Agent Tesla executable.    

TYPE: Remote Access Trojan 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a finance-themed email to deliver Remcos RAT via XXE attachments. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week Ending October 16, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage 

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Malware, BazarBackdoor

DESCRIPTION:  This phishing attack is seen in Proofpoint environments and uses the subject of a termination list to entice recipients click on a Google Docs link and deliver BazarBackdoor via PDF link.

TYPE: Remote Access Trojan

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a Customer Complaint-themed email and HTML attachment to deliver a Remote Access Trojan.

TYPE: Credential Theft

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses an overdue invoice themed email to deliver a credential stealer via a PDF attachment.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week Ending October 4, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage 

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Malware, ZLoader 

DESCRIPTION: This phish plays on the sensitive idea of insider details.  When a recipient clicks on the Google Docs link ZLoader is delivered via an Office macro- laden spreadsheet downloaded from an embedded URL. 

TYPE: Malware, AZORult Stealer 

DESCRIPTION: This phish relies on the familiarity people have with order confirmations sent through email.  In this case, an Excel document is used to deliver the AZORult Stealer via an embedded URL. 

TYPE: Quaverse Remote Access Trojan 

DESCRIPTION: This is another example of using an order hook to have someone open the order information in a zip file.  This attachment delivers the Quaverse Remote Access Trojan. 

TYPE:  Malware, Bazar Backdoor 

DESCRIPTION: This phish conveys there is important financial information that needs to be viewed.  When the Google Doc is clicked the BazarBackdoor is delivered via embedded URLs. 

TYPE:  Keylogger, Agent Tesla Keylogger 

DESCRIPTION: Another finance-themed phish in Spanish entices the recipient to click on the link where the Agent Tesla Keylogger is delivered via an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Environments Protected by Proofpoint, Microsoft, Cisco, Mimecast and Symantec

By Mark Zigadlo, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) sees tens of thousands of phishing emails that bypass secure email gateways (SEGs) every month. The PDC is an advanced managed detection and response (MDR) service that can remediate these malicious emails from mail environments within minutes.   

A few examples of phishing emails found in environments protected by SEGs can be found here. The ineffectiveness of SEGs continue to increase business risk daily. And the solution is more than high production-value awarenesstraining modules. You need a combination of people and technology to combat the innovativeness of attackers to quickly reduce/remove the business risk. 

Here’s a recent and real story about a phishing campaign (and its quickly morphed successor) that bypassed SEGs from Proofpoint (PFPT), Microsoft (MSFT), Mimecast (MIME), Cisco (CSCO) and Symantec (SYMC).   

The suspicious email below arrived in my inbox. I reported it to the PDC using Cofense Reporter.

Figure 1 – Phishing Email 

I received a response eight minutes later saying the email was malicious (BazarBackdoor malware) and removed from my mailbox. Amazing speed, eight minutes to remove the threat and stop the attack!

Detection

Drilling down further, I saw Cofense’s network effect was in full action in the PDC. The network effect is the unique combination of people and technology that allows one participant in the network to benefit from threats found by another participant in the network. At Cofense, we have over 25 million people contributing to make the network effect an unparalleled security tool. In this case, the PDC had detected similar attacks for 15 other PDC customers (people in the network), which enabled the PDC to respond with lightning speed throughout the day.

Here is the kill chain/timeline for the first customer that received this phishing campaign.

Twelve minutes between the first report and removal of malicious emails from user mailboxes, but the story gets better.   

The PDC uses a key feature of Cofense Vision called Auto Quarantine which looks for new emails matching the ones just identified and quarantined. Over the next 24 minutes, 22 additional emails were detected and removed by Cofense Vision. 

Response & Remediation 

As we know, attackers are constantly innovating to bypass security technology. This is why you need the combination of people and technology to reduce/remove the risk. This case was no different. Two hours after the first phishing campaign was identified and stopped, a slightly modified campaign was launched against the same customer. The PDC jumped back into action again. 

More amazing results. Twenty-two minutes between the first report of the modified campaign and removal of malicious emails from user mailboxes through Cofense’s Phishing Defense Center.

The Phishing Defense Center harnesses phishing intelligence from the frontlines of the world’s most active phishing campaigns to quickly protect everyone in the network. 

To learn how you can efficiently identify and remove phish that have bypassed your SEG, click here for a free demo of the Phishing Defense Center. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Twelve Flavors of Phish: Canadian Workers Targeted With Fake Covid-19 Relief Deposits

By Jake Longden and Elmer Hernandez, Cofense Phishing Defense Center

Financial aid programs continue to be popular targets in the midst of the COVID-19 pandemic, with government relief grants a particularly great one to exploit.  

The Cofense Phishing Defence Center (PDC) has observed a recent phishing campaign in Canada that aims to harvest banking credentials and other personal information from 12 different banking institutions. This was achieved by preying on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds are supposedly sent via an electronic transfer from Interac, a legitimate Canadian interbank network. 

With multiple world governments providing such grants, and millions of people relying on these as their main source of sustenance, adversaries will continue exploiting such dependence. 

CERB Deposit

The email purports to be a notification from Interac’s e-transfer service, indicating that the Canada Revenue Agency (CRA) has made a CERB deposit of $1,957.5 CAD (approx. $1,463 USD). A fictitious expiration date is included in an attempt to instill a sense of urgency.

The CERB scheme gives financial support to employed and self-employed Canadians who have been affected by the COVID- 19 pandemic. It offers $2,000 CAD (approx. $1,490 USD) for a four-week period.

Figure 1 – Email Body 

Header

The SPF fail in the headers (Figure 2) indicates that the email is likely spoofed, and the IP address suggests that it came from a potentially compromised device using the University of South Florida network (Figure 3). The choice of the name ‘cra-cerb’ in the address is used to add credibility to the email.

Figure 2 – SPF Fail 

Figure 3 – USF IP Address 

A Phish of 12 Different Flavors

The first landing page the phish visits is an impersonation of the CRA. It has working links in both French and English like a legitimate site from the Canadian government. Once the user has selected their language choice, they will be redirected to an impersonated Interac e-transfer site in said language.

Figure 4 – CRA Spoofed Site  

Once in the spoofed Interac e-transfer site (Figure 5)the user must choose their personal bank from twelve different options in order to receive the deposit. All of these banks are actual members of the Interac network, which suggests attention to detail from adversaries: 

  • ATB Financial 
  • Bank of Montreal (BMO) 
  • Canadian Imperial Bank of Commerce (CIBC) 
  • Desjardins 
  • Laurentian Bank 
  • Meridian 
  • National Bank of Canada 
  • Royal Bank of Canada (RBC) 
  • Scotiabank 
  • Simplii Financial 
  • Tangerine 
  • TD Canada Trust 

Figure 5 – Spoofed Interac Page 

Next, the recipient is taken through a series of spoofed pages for the corresponding bankwith some offering both English and French versionsAll pages reside within compromised website of a Washington, DC area businessThe URL paths vary depending on the bank, but follow the following format:  

hxxps://lincolnrestaurant-dc[.]com/interca/{unique 32 character string}/bank/{bank name}/{html or php file} 

Although no two options are identical, most of the twelve spoofed banks ask for similar details: 

  • Usernames 
  • Card Numbers 
  • Passwords 
  • Security Questions and Answers 
  • Personal Information (PI) (Full Name, Date of Birth, Email, etc) 

Scotiabank (English) was chosen to showcase an example of the entire phish process. The initial page the user is presented with is a standard login page asking for credentials, notice the slight typo of the word “sign” on the “Sing in button (Figure 6). 

Figure 6 – Scotiabank Sign in 

The next page asks for sensitive PI and card information (Figure 7). The user is then asked for Security questions and answers (Figure 8), which might falsely provide the reassurance that some form of multi-factor authentication is being employed. The combination of PI such as a Social Insurance number, credit card numbers and MFA questions could form a fairly solid base for identity theft/impersonation. Once submitted a final page confirms the funds will be deposited in 48 hours (Figure 9).

Figure 7 – Scotia PI and Card Info 

Figure 8 – Scotia MFA Security Questions 

Figure 9 – Deposit Successful 

Figures 10 through 20 show the login pages for the remaining eleven spoofed banks.  

Figure 10 – ATB 

Figure 11 – BMO 

Figure 12 – CIBC  

Figure 13 – Desjardins  

Figure 14 – Laurentian  

Figure 15 – Meridian  

Figure 16 – National Bank 

Figure 17 – RBC  

Figure 18 – Simplii  

Figure 19 – Tangerine  

Figure 20 – TD  

Indicators of Compromise

Malicious URL:

hxxps://lincolnrestaurant-dc[.]com/interca

Associated IP:

108[.]167[.]182[.]39

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week Ending September 27, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week we see a plethora of links – most of them using trusted services – reach customer inboxes. When technology is unable to block phish because of the risk of blocking legitimate emails, it’s well-trained users that detect and report threats.

sample phish spoofs the irs to deliver a link to buer loader

TYPE: Malware – Buer Loader

DESCRIPTION: This phish uses the element of surprise and urgency with a tax theme to lure the recipient into clicking the link. The link looks trustworthy, since it’s hosted in Google Docs. It leads, however, to an install of the Buer Loader. Cofense has been writing about the use of Google Docs in phishing attacks since 2017.

sample phish uses a payment theme to deliver a link to credential theft

TYPE: Credential Theft

DESCRIPTION: Leveraging a finance theme, this phish uses trustworthy Microsoft OneDrive URLs. Okay, so they’re not quite trustworthy, since they’ll lead the recipient to a Microsoft OneNote document that redirects to a credential harvesting site. Where did you want to go today?

sample phish uses a shipment theme to deliver a link to netwire rat

TYPE: Malware – NetWire RAT

DESCRIPTION: Spoofing a logisitics company, this phish promises shipping information but hides malicious links behind innocent-looking images. Clicking the link leads the recipient to install GuLoader, which installs the NetWire Remote Access Trojan.

sample phish delivers a google doc link to buer loader that installs bazarbackdoor

TYPE: Malware – Buer Loader

DESCRIPTION: If you’re thinking this phish looks awfully familiar, it’s not you. Aside from the change to an employee termination theme, this attacks leverages the exact same tactic as our first example – a Google Docs-hosted threat. In this case, the Buer Loader goes on to install the BazarBackdoor malware. These attacks should get you all fired up.

sample phish delivers xlsx attachment leading to agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Using a purchase theme, this phish offers to place an order for seafood but delivers a malicious Microsoft Excel spreadsheet with a CVE-2017-0199 to CVE-2017-11882 download chain to the Agent Tesla Keylogger. I wonder if they wanted that seafood shipped COD?

sample phish delivers credential phishing link using a document theme

TYPE: Credential Theft

DESCRIPTION: Spoofing a healthcare organization, this document-themed phish delivers a link to a credential harvesting site. Although redacted to protect the innocent, this sample used a very legitimate-looking message with signature block and legal disclaimer.

sample phish spoofs salesforce to deliver credential phishing link

TYPE: Credential Theft

DESCRIPTION: This phish uses urgency and the trappings of a popular SAAS platform to lure the recipient into clicking the link. In this case, the links lead to a credential harvesting site. Although not a panacea, Multi Factor Authentication (MFA) is still an effective way to protect your organization.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.