New Name, Same People, Stronger Balance Sheet

Rohyt Belani, CEO & Co-founder, Cofense

So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products. 

PhishMe is now Cofense.

On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.

Viewing Phish with a Payload using PhishMe Intelligence and Maltego


Visualize Phishing Relationships with PhishMe Intelligence™ and Maltego

Fishing (without the “P”) is not a lot of fun when you just drop a line in the water and hope for the best. When fishermen want to see where the fish are, they look to the fish finder on the bridge to “look underwater” to find schools of fish. Similarly, when an analyst is looking to “catch” a phishing campaign, correlating the attacker’s campaigns and their payloads can benefit by being able to visually graph and link phishing threats. PhishMe Intelligence combined with Maltego can deliver the “phish finder” that an analyst needs.

Endpoint Phishing Incident Response with PhishMe and Carbon Black

Hunting Phished Endpoints with PhishMe Intelligence™ and Carbon Black® Response

While sipping coffee and reading the morning headlines, the CISO notices a global mass-phishing campaign that took place overnight. Picking up the phone and calling the SOC, the CISO asks; “Are there any computers that may have been infected with ‘X’ that I read about this morning? I need answers before my meeting in an hour”.

Catching Phish with PhishMe Intelligence and ThreatQ

PhishMe IntelligenceTM Integrates with ThreatQuotient’s ThreatQ Platform

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge, once this is done, is acting on what matters most. This requires intelligence, not just data.

Human Phishing Defense Tackle Box – PhishMe Intelligence™ and IBM QRadar®

PhishMe® and IBM have teamed up to provide security operations with essentials for their phishing defense program. Security teams don’t want standalone security products; they need holistic security solutions and through partner integrations.

That’s why PhishMe and IBM have partnered to help enterprise businesses defend against credential-stealing, malware, ransomware, and Business Email Compromise (BEC) phishing.

Off-the-shelf Zyklon Botnet Malware Utilized to Deliver Cerber Ransomware

Recent, large-scale distributions of the Zyklon botnet malware mark a continuing trend of off-the-shelf malware use. This multipurpose trojan, capable of supporting numerous criminal activities, has been identified in phishing attacks more and more frequently through the month of April. The bulk of these campaign have leveraged resume- and job-applicant-themed messaging as in the phishing narrative. The most recent analyses of this distribution have shown that the threat actors are attempting to leverage the malware’s full feature set by not only using it as an information stealer, but also as a downloader used to obtain and deploy the Cerber ransomware to infected endpoints. This technique demonstrates threat actor resourcefulness as well as the increasing commodification and democratization of malware utilities once reserved for only the most-technically-capable threat actors.

Malware Delivery OLE Packages Carve Out Market Share in 2017 Threat Landscape

In the first quarter of 2017, PhishMe Intelligence has noted an increase in malware distributors utilizing OLE packages in order to deliver malware content to victims. This current trend was first noted in December 2016 with close association to the delivery of the Ursnif botnet malware. This technique abuses Microsoft Office documents by prompting the victim to double-click an embedded icon to access some content. These objects are used to write a script application to disk that facilitates the download and execution of a malware payload. This method adds to another iteration of techniques threat actors use to evade anti-analysis and sandbox environments and to successfully infect the intended recipient.

Dridex Threat Actors Reinvigorate Attacks with Sizable, Concurrent Campaigns

One of the most historically effective techniques for gaining new infections for the powerful Dridex botnet malware has been sizable sets of widely-distributed phishing email. While these large campaigns have been intermittent for several months, the past week’s Dridex distributions have shown a renewed vigor with several larger campaigns being launched both concurrently and repeatedly. Many of these campaigns return to well-used and previously-successful email templates and malware delivery tools that had seen earlier utilization in conjunction with both Dridex deliveries and the delivery of other malware tools.

On March 30, 2017 three distinct sets of phishing emails were identified as delivering the Dridex malware. Each was a rehashing of a previously-used phishing narrative. The emails analyzed for Threat ID 8692 pretended to represent communication from a travel agency based in the United Kingdom confirming the recipient’s vacation travel has been booked. Other emails, delivered concurrently, purposed to deliver a vaguely- described “confirmation” as analyzed in Threat ID 8693. Furthermore, Threat ID 8700 documents a set of messages purporting to deliver a notice that an image attachment was ready for sending in yet another vague phishing narrative. Examples of these messages can be seen in Figure 1.

Figure 1 – Examples of Dridex phishing emails from March 30, 2017

The message narrative used in these campaigns should be familiar to information security professionals following Dridex as they represent similar themes to earlier Dridex campaigns. The impersonation of small- and medium-sized firms based in the United Kingdom was previously a common theme among Dridex delivery emails. This preference in content may serve to indicate a preference for a population with which those emails are meant to have disproportionate appeal. However, it appears that these emails were still delivered globally. The other repeated narrative seen once again today is a vague informational message about the status of an image attachment that has been readied for sending. Similar narratives have been used a half-dozen times in the delivery of Dridex since July 2015.

While the Dridex botnet malware’s users are launching phishing campaigns with renewed vigor, their stories and tools have stayed the same. This provides a distinct advantage to threat intelligence users who have access to repositories of information on the tactics, techniques, and procedures related to earlier attacks. It also provides an advantage to organizations whose email users are prepared and empowered to identify and report suspicious emails. Empowered recipients of messages like these are able to recognize the lure and instead of becoming victims, can make a difference for their organization by reporting the email.

Emails based on the threats shown in this blog post are also available as templates in PhishMe Simulator.

For further information on the Threat ID’s mentioned in this post, PhishMe Intelligence customers can log into

For more information on PhishMe’s human vetted, phishing-specific threat intelligence request a demo today.

What is Actionable Intelligence?

Do you know what is actionable intelligence? Do you know the difference between threat intelligence and actionable intelligence? If not, read on.

The term actionable intelligence has joined the ranks of threat intelligence, big data and more words that are used in well-meaning ways, but are ultimately meaningless.

Don’t get us wrong, like many other vendors, we use these phrases to describe what we do. However, because there are so many companies out there using these terms with their own meanings attached to them, we feel the need to write this blog post and hopefully do right by the technology and service offerings that are transforming the way that we approach today’s cyber threats.

In fact, there was a recent LinkedIn discussion on this very topic. A LinkedIn user posted this question:

What exactly is “actionable intelligence”? I see a lot of start-ups being created by MBA persons who have no background or credentials in IT security. The product they offer for big fees is known as “actionable intelligence”. They are trying to duplicate for businesses what the NSA, CIA, FBI, and DHS are doing for, and within, the federal government. My question is: how can these companies have the manpower and the resources to provide services like the NSA, CIA, FBI, DHS. We all have heard of the failures in intel coming from the best intel services in the world, i.e. NSA, CIA, etc. Those big boys have failures. What should we expect from these start-ups and your companies that are jumping on the bandwagon.? And these companies do not know of the ordinary IT security practices like defense in depth, hardening systems. They are providing intelligence about the “bad guys”. How do they go about getting this intelligence? It is so secretive how does a CISO know if it is worth anything?

As the following definition from provides, actionable intelligence is not relegated to security; maybe that’s why ‘MBA person with no security credentials’ feel they can use it or may actually know something about it from usage in a different field:

“Any intelligence can be used to boost a company’s strategic position against industry peers. The acquired intelligence must be transferred into real actions which can be used to either launch a preemptive strike or prepare a counter strategy. Examples include the competitors’ price range, marketing budget, target demographic, advertising campaign and strengths over a company’s own product. Overly aggressive attempts to gather intelligence from competitors may be illegal and constitute corporate espionage.”

Now onto some of the other questions posited: Let’s get into the context of security. Here is one definition that’s pretty good:

“Actionable Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

Not perfect, but not bad.

As for the vendors’ size, not everyone in the market of ‘threat intelligence’ is small – by the way, the industry analyst group The 451 estimates there will be $1.2B in spending this year and IDC thinks spending will be $1.8B. Symantec, Cisco, Intel/McAfee, IBM and many other large traditional security vendors have acquired threat intelligence offerings.

As for the startups and whether or not they can compete, the question isn’t one about manpower as you refer to with major security agencies; instead it’s about their technology and its ability to provide value. If they can provide that value with one person their ‘actionable intelligence’ will be purchased. And yes, just like traditional defense in depth systems, threat intelligence is not a panacea for the woes of security. However, the reality of failures of current defense in depth, hardening and other current security techniques has to be acknowledged. Many organizations realize that ‘defending’ and ‘responding’ is no longer as effective as it used to be, and that being intelligence led is required. Why? The hackers, the bad guys, are winning more and more.

As for traditional security (defense in depth, hardening, Etc.), I don’t think anyone would ever suggest that you not use these and other network defenses. And these threat intelligence vendors don’t either. The traditional security systems and methods play a vital role in securing your network, even if they have their individual shortcomings. Their efficacy can be raised, however, when given the right kind of intelligence that has an immediate impact on network security. Threat intelligence can make these devices smarter and the security professionals who are too few and overworked, ‘smarter’ about how to stop and prevent attacks.

As for how they get their intelligence, its different by vendor and it’s a great question to ask them if you evaluate their offerings.  And try before you buy—just like anything else—and that way you will know if it has value—and so will your CISO!