A phishing attack is when a fraudster sends an email to trick the recipient. The idea is to persuade the target to give up sensitive information, such as corporate network credentials, or to authorize some type of financial transaction. The vast majority of data breaches against businesses today begin as phishing attacks.

Just a couple of famous phishing examples:

The infamous Target breach back in 2013 started with a phishing email that gave attackers a foothold in Target’s business systems for further attacks.
Phishing appeared prominently in the Mueller Report on the 2016 presidential election hacking.

Some quick phishing statistics:

Over 55% of organizations experienced a successful phish last year.
$12 billion is the 5-year global cost of just one type of phishing attack, business email compromise (BEC).
The average phishing attack costs a mid-sized business $3.86 million.

Our database has thousands of phishing examples, but most fit into one of these 3 categories:

Phishing Emails with Malicious Links: Sometimes a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information.

Phishing Attacks with Malicious Attachments: Phishing attackers often send emails with attachments containing malware. When you click, look out. Many times phishing attackers use popular document types such as Microsoft Word or Excel or even Adobe PDFs. They take advantage of the trust people place in popular business tools.

Business Email Compromise (BEC): BEC emails, also known as CEO Fraud, typically don’t use malware but simply try to manipulate the target into sending money. Traditionally, BEC phishing attacks try to get employees in the finance department to authorize wire transfers, for instance, to a “vendor” or “partner.” This kind of attack often uses ‘CEO fraud phishing’ where attackers pretend to be the CEO or CFO to spur quick action.

Real-world phishing examples provide highly useful intelligence that helps security teams better pinpoint attacker methods and tactics. They help protect businesses from malware-bearing phish. Because attacker campaigns change quickly, real-world phishing examples are a central component of comprehensive security: they reveal the latest threat actor maneuvers as they are being launched.

Real Phishing Example: Response-themed emails found in environments protected by Microsoft ATP deliver BumbleBee via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BumbleBee

POSTED ON: 05/04/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 05/04/2022

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/04/2022

TACTIC: Link

THEME: Notification

Real Phishing Example: Finance-themed emails found in environments protected by TrendMicro deliver an LNK downloader via an attached password protected ZIP archive. The LNK downloader downloads and runs Emotet/Geodo.

ENVIRONMENTS: TrendMicro

TYPE: Emotet/Geodo

POSTED ON: 05/03/2022

TACTIC: ZIP Attachment

THEME: Finance

Real Phishing Example: Invoice-themed emails found in environments protected by Symantec MessageLabs deliver an LNK downloader via an attached password protected ZIP archive. The LNK downloader downloads and runs Emotet/Geodo.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Emotet/Geodo

POSTED ON: 05/03/2022

TACTIC: ZIP Attachment

THEME: Invoice

Real Phishing Example: Finance-themed emails found in environments protected by Symantec MessageLabs deliver an LNK downloader via an attached password protected ZIP archive. The LNK downloader downloads and runs Emotet/Geodo.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Emotet/Geodo

POSTED ON: 05/03/2022

TACTIC: ZIP Attachment

THEME: Finance

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver QakBot via a Microsoft Windows installer. The Microsoft Windows installer is downloaded via an embedded URL.

ENVIRONMENTS: Symantec MessageLabs

TYPE: QakBot

POSTED ON: 05/03/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/02/2022

TACTIC: Link

THEME: Finance

Real Phishing Example: Krystal Hosting-spoofing emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/29/2022

TACTIC: Link

THEME: Krystal Hosting-spoofing emails

Real Phishing Example: Response-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver BumbleBee via an embedded URL. BumbleBee downloads and runs a Reconnaissance Tool.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Reconnaissance Tool

POSTED ON: 04/28/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Mimecast, and Symantec MessageLabs deliver QakBot via a Microsoft Windows installer. The Microsoft Windows installer is downloaded via embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: QakBot

POSTED ON: 04/28/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Mimecast, and Symantec MessageLabs deliver QakBot via a Microsoft Windows installer. The Microsoft Windows installer is downloaded via embedded URLs.

ENVIRONMENTS: Cisco Ironport

TYPE: QakBot

POSTED ON: 04/28/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Mimecast, and Symantec MessageLabs deliver QakBot via a Microsoft Windows installer. The Microsoft Windows installer is downloaded via embedded URLs.

ENVIRONMENTS: Symantec MessageLabs

TYPE: QakBot

POSTED ON: 04/28/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver BumbleBee via an embedded URL. BumbleBee downloads and runs a Reconnaissance Tool.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Reconnaissance Tool

POSTED ON: 04/28/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver BumbleBee via an embedded URL. BumbleBee downloads and runs a Reconnaissance Tool.

ENVIRONMENTS: Cisco Ironport

TYPE: Reconnaissance Tool

POSTED ON: 04/28/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver a PDF via an embedded URL. The PDF contains an embedded link to a credential phishing page.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/27/2022

TACTIC: Link

THEME: Finance

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Microsoft ATP, Mimecast, and Symantec MessageLabs deliver QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: QakBot

POSTED ON: 04/27/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Microsoft ATP, Mimecast, and Symantec MessageLabs deliver QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: QakBot

POSTED ON: 04/27/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Microsoft ATP, Mimecast, and Symantec MessageLabs deliver QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: QakBot

POSTED ON: 04/27/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Microsoft ATP, Mimecast, and Symantec MessageLabs deliver QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Symantec MessageLabs

TYPE: QakBot

POSTED ON: 04/27/2022

TACTIC: Link

THEME: Response

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver a PDF via an embedded URL. The PDF contains an embedded link to a credential phishing page.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 04/27/2022

TACTIC: Link

THEME: Finance

Real Phishing Example: Bank of Guam-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/26/2022

TACTIC: Link

THEME: Bank of Guam-spoofing emails

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver a document with CVE-2017-0199.

ENVIRONMENTS: Proofpoint

TYPE: CVE-2017-0199

POSTED ON: 04/25/2022

TACTIC: DOCX Attachment

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an HTML attachment.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/22/2022

TACTIC: HTML Attachment

THEME: Finance

Real Phishing Example: Docusign-spoofing campaign found in environments protected by Proofpoint and Microsoft ATP delivers BumbleBee via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: BumbleBee

POSTED ON: 04/21/2022

TACTIC: Link

THEME: Docusign-spoofing

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.