Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways
By Kaustubh Jagtap
Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up. The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response.
Credential Phish Are the Most Common Threat
90% of verified phishing emails were found in environments using email gateways. This included over 23k credential phishing emails and approximately 5k emails that delivered dangerous malware. The Cofense Research and Cofense IntelligenceTM teams also noted a change in tactics with Business Email Compromise (BEC) attacks. Threat actors are now targeting payroll administrators, as compared to the usual CEO/CFO targets. Our teams also found an increase in extortion tactics including sextortion and bomb threats to create urgency and panic.
Threat Actor Tactics Are Evolving
As they shifted malware delivery mechanisms, threat actors showed a strong preference for the exploitation of CVE-2017-11882, an older Microsoft Equation Editor vulnerability. Over 45% of all malicious attachments over the past year exploited this CVE to deliver malware.
Between August 2018 and February 2019, Cofense observed malicious .ISO files bypassing gateways, indicating the use of novel file types to escape detection. There were also significant developments in Installation-as-a-service (IaaS). Emotet embraced the IaaS business model in 2018 to deliver other malware like TrickBot, IceID, and QakBot. Cofense Research observed 678k unique Emotet infections through April 2019.
Cloud Filesharing Services Are Being Badly Abused
Cofense saw widespread abuse of cloud filesharing platforms to host and spread malicious content, including “legitimate” links to the content embedded in the phishing email. We found 9445 phishing emails that abused cloud filesharing services to deliver a malicious payload. Threat actors preferred SharePoint (55%) and OneDrive (21%) over other cloud filesharing providers.
How to Protect against Phishing and Malware
The report details numerous ways to defend against email threats. They include:
- Educate users – Train and condition users to spot phishing emails. Faster incident response begins with better human intelligence.
- Focus education on new TTPs – Make sure to educate your SOC team and end users on emerging threats and phishing tactics. Threat actor TTPs are constantly evolving. Complacency can breed painful consequences.
- Train users to spot credential phish – Pay special attention to phishing scenarios where users are asked to login and supply credentials.
- Enable multifactor authentication- It’s especially urgent if you have single sign-on.
To see more tips and the full story on phishing and malware threats, download your copy of the Cofense Phishing Threat & Malware Review 2019.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.