It Starts with a Phish

Just as we were getting ready to put a bow on 2020, we were hit with the news of SolarWinds. Incident response teams were barely coming up for air after the CISA advisory regarding Ryuk. Our incident response teams are exhausted. And now it's the Microsoft Exchange vulnerability affecting on-premises servers. While organizations have been migrating to hosted O365, there is still a need to maintain a hybrid model.

By Tonia Dudley

Cofense customers are able to leverage the solutions we’ve pioneered over the past few years to improve incident-response capabilities and mitigate these phishing threats. For starters, we’ve helped enable every one of your users to quickly identify and report a suspicious email. We found that 52% of the malicious emails processed by our Managed Phishing Detection and Response (PDR) were reported within the first five minutes of hitting your users’ inbox.

Year after year, the annual Verizon Data Breach Investigations Report (DBIR) points to phishing as the top vector leading to a breach. While the past few months of incidents haven't been linked back to a phish, threat actors haven't stopped sending phishing emails to your staff. It may be a while before we see threat actors leverage these vulnerabilities in their phishing campaigns, but we continue to see them use CVE-2017-11882 as a top delivery mechanism.

Ultimately the best way to defend against these threats is conditioning your users with simulation training. In our recently published annual report, we found that 52% of well-conditioned users reported malicious emails within the first five minutes of the email landing in their inbox.

Sure, when you make it easy for users to report, they may over-report emails as it can be difficult to distinguish between spam, legitimate email or a phish. With the power of Cofense Triage, analysts are able to quickly sift through the noise of emails reported by users. When properly closing the loop with the user by providing a response to the reported email, we found that organizations supported by our PDR are far more resilient.

There are three categories of phish we focus on here at Cofense. In each of these categories, we consistently see threat actors continue to innovate. They have one goal: make it to the inbox. And in order to be successful, they are constantly tuning their tactics to bypass secure email gateways (SEGs).

Business Email Compromise (BEC) – AKA CEO Fraud

This category appears very simplistic, but it's harder for technology to detect. According to the annual 2020 FBI Internet Crime Report, this phishing tactic has raked in nearly $2 billion, yes billion, this past year. And we know that some don't report losses. While this type of email is more difficult to truly simulate, there are still actions you can take to inform your employees to avert this threat. As a start, educate your executive leadership team about the threat and ask them to talk about it in your organization's all-hands meetings. Point out that no one on the leadership team will ask anyone in the organization to purchase gift cards or send funds on their behalf. And don't forget to continuously remind your new hires: they are more likely to take action to make a good impression.

Malicious Attachment

While we see less of this tactic being used by threat actors due to the increased level of investment in detecting malicious files, threat actors are continuously looking for unique ways to leverage it.

URL Link

As organizations increase the move to trusted hosting providers, it becomes even more difficult to detect malicious links that threat actors use to bypass the SEG. Many organizations have enabled URL defense to increase the detection rate; however, threat actors have moved the delivery of malicious content to stages beyond the initial link.

You can learn more about these threats and how to align your security awareness phishing program to real threats hitting your users' inbox by reading our 2021 Annual Report. To optimize and simplify phishing threat detection and analysis, check out the Cofense Managed Phishing Defense and Response platform for a comprehensive suite of solutions.

This post was first published on Cofense's website by Cofense.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.