SEG-Miss Database

This is the Cofense SEG-Miss sample database. Here, you will find recent real-world examples of dangerous phishing emails that bypassed popular Secure Email Gateways, including the newer AI-model-driven products. These malicious emails landed in employee inboxes and could pose an immediate threat to your revenue and reputation. Conversely, Cofense customers could rest easy because these threats were removed from their systems by Cofense solutions.

How did we see these failures?

Cofense’s Phishing Detection Center (PDC) is our email SOC as a Service that powers the email phishing mitigation and risk reduction programs for thousands of the world’s most important brands. Our network of over 35 million Cofense-trained employees, and our automated journaling, report suspected threats in real time to the PDC, which powers our security platform. This database is driven by factual and verifiable data sent through our analysis process and vetted by our human team of experts - unique to Cofense. Please note: shown here are just samples of the SEG misses we observe every day; no statistical value or patterns should be derived from this small randomized subset of data.


Cisco IronPort

Phishing Email Example Description:
Finance-themed emails found in environments protected by Cisco IronPort deliver an attached PDF with a link to download a JavaScript dropper. The JavaScript file delivers a DotNETLoader and Remcos RAT.

Posted On: May 13, 2025 Tactic: PDF Attachment Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Kocián Šolc Balaštík-spoofing emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an embedded link to an archive file containing PureLogs Stealer.

Posted On: May 12, 2025 Tactic: Link Theme: Spoofing

Microsoft ATP

Phishing Email Example Description:
Kocián Šolc Balaštík-spoofing emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an embedded link to an archive file containing PureLogs Stealer.

Posted On: May 12, 2025 Tactic: Link Theme: Spoofing

Cisco IronPort

Phishing Email Example Description:
Finance-themed emails found in environments protected by Cisco IronPort deliver an attached PDF with a link to download a VBS. The VBS delivers Quasar RAT.

Posted On: May 12, 2025 Tactic: PDF Attachment Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Petra Marine Sdn. Bhd.-spoofing emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an attached PDF file containing an embedded link to an archive file that contains a DBatLoader. When run, the DBatLoader delivers multiple malicious batch scripts to run Remcos RAT in memory.

Posted On: May 8, 2025 Tactic: PDF Attachment Theme: Spoofing

Microsoft ATP

Phishing Email Example Description:
Petra Marine Sdn. Bhd.-spoofing emails found in environments protected by Cisco IronPort and Microsoft ATP deliver an attached PDF file containing an embedded link to an archive file that contains a DBatLoader. When run, the DBatLoader delivers multiple malicious batch scripts to run Remcos RAT in memory.

Posted On: May 8, 2025 Tactic: PDF Attachment Theme: Spoofing

Microsoft ATP

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP deliver an attached PDF with a link to download an HTA file. The HTA file delivers a JavaScript file which delivers a VBS file which delivers Mispadu.

Posted On: May 8, 2025 Tactic: PDF Attachment Theme: Finance

Microsoft ATP

Phishing Email Example Description:
Midland Credit Management-spoofing emails found in environments protected by Microsoft ATP deliver an archive via an embedded link. The archive delivers either a .txt file or a .js file based on the extraction tool used. The JavaScript file downloads a PowerShell script which drops and runs a DotNETLoader that delivers SharpHide and XWorm RAT.

Posted On: May 6, 2025 Tactic: Link Theme: Spoofing

Proofpoint

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver Poco RAT via an embedded URL.

Posted On: May 5, 2025 Tactic: Link Theme: Finance

Microsoft ATP

Phishing Email Example Description:
Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver Poco RAT via an embedded URL.

Posted On: May 5, 2025 Tactic: Link Theme: Finance