A phishing attack is when a fraudster sends an email to trick the recipient. The idea is to persuade the target to give up sensitive information, for instance corporate network credentials, or to authorize some type of financial transaction. The vast majority of data breaches against businesses today begin as phishing attacks.

Just a couple of famous phishing examples:

The infamous Target breach back in 2013 started with a phishing email that gave attackers a foothold in Target’s business systems for further attacks.
Phishing appeared prominently in the Mueller Report on the 2016 presidential election hacking.

Some quick phishing statistics:

Over 55% of organizations experienced a successful phish last year.
$12 billion is the 5-year global cost of just one type of phishing attack, business email compromise (BEC).
The average phishing attack costs a mid-sized business $3.86 million.

Our database has thousands of phishing examples, but most fit into one of these 3 categories:

Phishing Emails with Malicious Links: Sometimes a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information.

Phishing Attacks with Malicious Attachments: Phishing attackers often send emails with attachments containing malware. When you click, look out. Many times phishing attackers use popular document types such as Microsoft Word or Excel or even Adobe PDFs. They take advantage of the trust people place in popular business tools.

Business Email Compromise (BEC): BEC emails, also known as CEO Fraud, typically don’t use malware but simply try to manipulate the target into sending money. Traditionally, BEC phishing attacks try to get employees in the finance department to authorize wire transfers, for instance, to a “vendor” or “partner.” This kind of attack often uses ‘CEO fraud phishing’ where attackers pretend to be the CEO or CFO to spur quick action.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/14/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Async RAT via an attached XXE which was a sample of GuLoader.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 09/13/2021

TACTIC: XXE Attachment

THEME: Notification

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/09/2021

TACTIC: Link

THEME: Fax

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint deliver a VBS script via an embedded URL. The VBS script downloads a PowerShell Script which drops and runs Async RAT.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 09/07/2021

TACTIC: Link

THEME: Quotation

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link which downloaded AutoIT Loader. AutoIT Loader then downloaded FormGrabber and executed it in memory.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 09/02/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver an attached PDF file. The PDF contains a link to download a JS Dropper file. The JS Dropper file drops and runs a VBS script. The VBS script downloads a series of PowerShell Scripts which in turn download Modern Loader. Modern Loader downloads Revenge RAT.

ENVIRONMENTS: Proofpoint

TYPE: Revenge RAT

POSTED ON: 09/02/2021

TACTIC: PDF Attachment

THEME: Finance

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.