By Mark Zigadlo, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) sees tens of thousands of phishing emails that bypass secure email gateways (SEGs) every month. The PDC is an advanced managed detection and response (MDR) service that can remediate these malicious emails from mail environments within minutes.
A few examples of phishing emails found in environments protected by SEGs can be found here. The ineffectiveness of SEGs continue to increase business risk daily. And the solution is more than high production-value awareness–training modules. You need a combination of people and technology to combat the innovativeness of attackers to quickly reduce/remove the business risk.
Here’s a recent and real story about a phishing campaign (and its quickly morphed successor) that bypassed SEGs from Proofpoint (PFPT), Microsoft (MSFT), Mimecast (MIME), Cisco (CSCO) and Symantec (SYMC).
Figure 1 – Phishing Email
I received a response eight minutes later saying the email was malicious (BazarBackdoor malware) and removed from my mailbox. Amazing speed, eight minutes to remove the threat and stop the attack!
Drilling down further, I saw Cofense’s network effect was in full action in the PDC. The network effect is the unique combination of people and technology that allows one participant in the network to benefit from threats found by another participant in the network. At Cofense, we have over 25 million people contributing to make the network effect an unparalleled security tool. In this case, the PDC had detected similar attacks for 15 other PDC customers (people in the network), which enabled the PDC to respond with lightning speed throughout the day.
Here is the kill chain/timeline for the first customer that received this phishing campaign.
Twelve minutes between the first report and removal of malicious emails from user mailboxes, but the story gets better.
The PDC uses a key feature of Cofense Vision called Auto Quarantine which looks for new emails matching the ones just identified and quarantined. Over the next 24 minutes, 22 additional emails were detected and removed by Cofense Vision.
Response & Remediation
As we know, attackers are constantly innovating to bypass security technology. This is why you need the combination of people and technology to reduce/remove the risk. This case was no different. Two hours after the first phishing campaign was identified and stopped, a slightly modified campaign was launched against the same customer. The PDC jumped back into action again.
More amazing results. Twenty-two minutes between the first report of the modified campaign and removal of malicious emails from user mailboxes through Cofense’s Phishing Defense Center.
The Phishing Defense Center harnesses phishing intelligence from the frontlines of the world’s most active phishing campaigns to quickly protect everyone in the network.
To learn how you can efficiently identify and remove phish that have bypassed your SEG, click here for a free demo of the Phishing Defense Center.