Phish Found in Proofpoint-Protected Environments – Week Ending June 21, 2020
100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.
Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.
Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We are not alone in dealing with attachment issues. This week’s batch of phish contain quite a few bearing common attachments to deliver malware and steal credentials. If only there were a better way to defend ourselves.
TYPE: Malware – NanoCore
DESCRIPTION: This purchase order-themed phish delivered a .zipx attachment that was actually a RAR archive. The attackers were kind enough to instruct the recipient what software to use to access the NanoCore Remote Access Trojan within. NanoCore resurfaced in early 2018 and still reaches inboxes.
TYPE: Malware – Dridex
DESCRIPTION: A finance-themed phish uses a macro-enabled Microsoft Excel attachment to deliver the Dridex malware. Cofense was reporting on this malware back in 2015 and it still finds success despite the latest advances in perimeter technologies.
TYPE: Malware – Agent Tesla
DESCRIPTION: The delivery-themed phishing example targets organizations in Thailand promising shipping information at the embedded link. The victim will end up with a case of Agent Tesla, a keylogger (and more) that we discussed in a recent Phish Fryday podcast.
TYPE: Malware – Remcos
DESCRIPTION: This document-themed phish includes a Microsoft Word attachment that leverages a pair of Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to download a DotNETLoader to install the Remcos Remote Access Trojan. Cofense has tracked the exploitation of these vulnerabilities since 2017.
TYPE: Malware – Dridex
DESCRIPTION: Pretending to be an international logisitics company with some shipment information, the attached .zip file contains a macro-enabled Microsoft Office document that displays a fake invoice while silently installing the Dridex malware.
TYPE: Malware – Ursnif
DESCRIPTION: Attackers love to leverage legitimate cloud services to make their phish more successful. This response-themed attack makes use of Firefox Send to deliver a password-protected archive containing VBScripts that will download and run the Ursnif malware.
TYPE: Malware – TrickBot
DESCRIPTION: Spoofing a state government office, this phish delivers macro-laden Microsoft Office documents via an embedded link to a SharePoint site requiring a password for access. The victim will download the TrickBot malware.
TYPE: Credential Theft
DESCRIPTION: Attackers haven’t forgotten about the Coronavirus and continue to leverage the theme to get recipients to engage. This attack delivers an HTML attachment that spoofs Adobe to steal credentials.
TYPE: Credential Theft
DESCRIPTION: Another document-themed attack delivering a web page (.htm). This one spoofs a Microsoft login page to harvest credentials.
Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.
Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.
Interested in seeing more? Search our Real Phishing Threats Database.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.