Share:

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs) and were reported by humans.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We continue to see various cloud hosting services used to harvest credentials.

TYPE: Credential Theft

DESCRIPTION: Email spoofs a global bank to deliver attached .ics files. When the .ics is opened, the calendar event contains a link to a .pdf file hosted on SharePoint. The .pdf file also spoofs the bank and contains a link to a phishing page, hosted on googleapis and designed to steal banking credentials.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails target credentials via an embedded link. The link is a phishing URL that spoofs a DocuSign login page targeting credentials for Office 365, Gmail, Yahoo, and other email platforms. This is only the latest example of DocuSign phish Cofense has found.

TYPE: Malware – Reconnaissance Tool

DESCRIPTION: Finance-themed emails spoof an engineering firm to deliver a reconnaissance tool. The malware is embedded in an Office macro-laden spreadsheet, downloaded via an attached HTML file. For the past few years, Cofense has tracked the dominance of Office macros in the phishing landscape.

TYPE: Malware – Cobian RAT

DESCRIPTION: Purchase order-themed emails deliver Cobian RAT, via an embedded OneDrive URL. Cofense has analyzed the use of RATs numerous times since 2014.

TYPE: Credential Theft

DESCRIPTION: Purchase order-themed emails spoof Dropbox and deliver a .pdf file via an embedded URL. The .pdf provides a link to a phishing website targeting Office 365 credentials. Cofense has warned about Dropbox links since 2014.

TYPE: Malware – Ursnif

DESCRIPTION: Finance-themed emails deliver Ursnif via attached Office macros. It’s another example of attackers using creative techniques and seemingly benign file types to bypass security controls.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof both the CDC and WHO and deliver credential phishing via embedded links. The page uses a “verify your email” window title and includes an image that looks to be from the WHO web page. Cofense has compiled a database of numerous Coronavirus phish.

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: Finance-themed emails spoof a leading bank and deliver Pyrogenic Stealer via embedded URLs. Cofense has reported extensively on the use of stealer malware.

TYPE: Credential Theft

DESCRIPTION: Document-themed emails spoof Microsoft to deliver credential phishing via .html documents. The documents are either attached or downloaded via embedded URLs to target Office 365/Microsoft credentials.

TYPE: Malware – Reconnaissance Tool

DESCRIPTION: Human resources-themed emails deliver a Reconnaissance Tool. The malware is embedded in an Office macro laden spreadsheet which is downloaded via an attached HTML file. Before downloading, recipients must first pass an “are you human” test.

TYPE: Malware – Agent Tesla

DESCRIPTION: Inquiry-themed emails spoof an auto manufacturer to deliver GuLoader via an embedded link. GuLoader downloads, decrypts, and runs an encrypted Agent Tesla Keylogger binary. Cofense noted last year how Agent Tesla has become a top threat.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.