About Cofense
About Cofense
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Phish Found in Proofpoint-Protected Environments – Week Ending August 30, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s sampling focuses on our finances, with payments, invoices, and taxes luring recipients to click. Organizations with solid awareness and reporting programs reap the benefits of human intelligence that technology can’t match.

phishing example uses a finance theme to perform credential theft using a .html attachment

TYPE: Credential Theft

DESCRIPTION: Everybody wants to get paid. And when an email arrives with a confirmation request, how can you resist? Fortunately, the recipient of this phish did resist. They reported it and protected their credentials, as the attached HTML file was spoofing a Microsoft login page.
Humans – 1
Technology – 0

phishing example uses a shipment theme to deliver loki bot with a linked image

TYPE: Malware – Loki Bot

DESCRIPTION: Looks like an invoice. Sounds like an invoice. It’s not an invoice. This phish embeds an image that only looks like an invoice, but actually links to GuLoader, which will install Loki Bot. Cofense has been seeing Loki Bot for over 3 years.

phishing example uses an invoice theme to deliver a link to the bazarbackdoor malware

TYPE: Malware – BazarBackdoor

DESCRIPTION: Talk about bizarre. Or, in this case, Bazar. This phishing attack tells us we’re tardy on our payments and sends us to a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor, believed to be the work of the same developers as TrickBot. Once again, human intelligence delivers where technology falls short.

phishing example uses a linked image to deliver async remote access trojan

TYPE: Malware – Async RAT

DESCRIPTION: And still the payments flow. In this case, a simple banking confirmation using a linked image with a GuLoader to Async Remote Access Trojan attack chain. The creator of this malware – NYANxCAT – is a threat actor Cofense has discussed in the past.

phishing example uses a tax theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: They say nothing is certain but death and taxes. We’d still rather receive an email notification of the latter over the former. In this case, though, our relief is short-lived, thanks to a credential harvesting attack hosted on Microsoft OneDrive.

phishing example uses an accident report theme to perform credential theft with a .html attachment

TYPE: Credential Theft

DESCRIPTION: Accidents happen, and when they do, lawyers can be of great assistance. This phishing attack posing as an accident report from a lawyer is an accident waiting to happen, however. The attached HTML file is designed to steal Office 365 credentials. Another near miss, thanks to an attentive human.

phishing example uses a finance theme to deliver a malicious ppsx attachment with an embedded url

TYPE: Malware – URL

DESCRIPTION: Here’s an excellent example of a reply chain that really makes the attack look like a legitimate email thread. We may not even notice the attachment is a Microsoft PowerPoint Show – an odd way of requesting payment. Again, technology didn’t pick this up, but an astute human did. Better luck next time, Skynet!

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.


Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.