SEG-Miss Database

This is the Cofense SEG-Miss sample database. Here, you will find recent real-world examples of dangerous phishing emails that bypassed popular Secure Email Gateways, including the newer AI-model-driven products. These malicious emails landed in employee inboxes and could pose an immediate threat to your revenue and reputation. Conversely, Cofense customers could rest easy because these threats were removed from their systems by Cofense solutions.

How did we see these failures?

Cofense’s Phishing Detection Center (PDC) is our email SOC as a Service that powers the email phishing mitigation and risk reduction programs for thousands of the world’s most important brands. Our network of 35+ million Cofense-trained employees and our automated journaling report suspected threats in real time to the PDC, which powers our security platform. This database is driven by factual and verifiable data sent through our analysis process and vetted by our human team of experts - unique to Cofense. Please note: shown here are just samples of the SEG misses we observe every day; no statistical value or patterns should be derived from this small randomized subset of data.


Cisco IronPort

Phishing Email Example Description:
France Televisions-spoofing emails found in environments protected by Cisco IronPort deliver a Malicious Downloader via an embedded URL. The Malicious Downloader communicates with a C2 and downloads PureLogs Stealer.

Posted On: April 9, 2025 Tactic: Link Theme: Spoofing

Cisco IronPort

Phishing Email Example Description:
Finance-themed messages found in environments protected by Microsoft ATP and Cisco IronPort deliver an embedded link to download a PDF. The PDF contains an embedded link to a BlueTrait agent installer. BlueTrait installs ConnectWise RAT and SuperOps RAT.

Posted On: April 7, 2025 Tactic: Link Theme: Finance

Microsoft ATP

Phishing Email Example Description:
Finance-themed messages found in environments protected by Microsoft ATP and Cisco IronPort deliver an embedded link to download a PDF. The PDF contains an embedded link to a BlueTrait agent installer. BlueTrait installs ConnectWise RAT and SuperOps RAT.

Posted On: April 7, 2025 Tactic: Link Theme: Finance

Mimecast

Phishing Email Example Description:
Finance-themed emails found in environments protected by Mimecast deliver a NullSoft Installer via a URL embedded in an attached PDF. The NullSoft Installer runs VIP Keylogger in memory.

Posted On: April 7, 2025 Tactic: PDF Attachment Theme: Finance

Mimecast

Phishing Email Example Description:
Resume-themed emails found in environments protected by Mimecast and Microsoft ATP deliver a malicious Visual Basic Script via an embedded link. When run, the script delivers repurposed Nirsoft password recovery tools used as Information Stealers and a Cryptocurrency Coin Miner.

Posted On: April 3, 2025 Tactic: Link Theme: Resume

Microsoft ATP

Phishing Email Example Description:
Finance-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver a password-protected archive containing Remcos RAT.

Posted On: April 2, 2025 Tactic: Link Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Finance-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver a password-protected archive containing Remcos RAT.

Posted On: April 2, 2025 Tactic: Link Theme: Finance

Cisco IronPort

Phishing Email Example Description:
Meeting-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver Zoho Assist via an embedded link.

Posted On: April 1, 2025 Tactic: Link Theme: Meeting

Microsoft ATP

Phishing Email Example Description:
Meeting-themed emails found in environments protected by Cisco IronPort and Microsoft ATP deliver Zoho Assist via an embedded link.

Posted On: April 1, 2025 Tactic: Link Theme: Meeting