Download Cofense
Author: m | 2025-04-25
Solutions: Cofense PhishMe, Cofense Reporter, Cofense Triage, Cofense Validator. Results: Delivering a customized phishing education program to reduce the Cofense Reporter and Cofense Professional Services. AES also uses Cofense Reporter, a solution that allows for quick user reports of phishing attempts. With Cofense
Cofense Triage and Cofense Intelligence with LogRhythm
New advancements to the Cofense Phishing Detection and Response (PDR) platform improve visibility of dangerous email-based threats, helping SOC teams respond faster.

LEESBURG, Va. – October 23, 2024 – Cofense®, the leading provider of intelligence-driven phishing defense solutions, today announced the release of new AI-driven spam reduction capabilities to its Phishing Detection and Response (PDR) platform. These enhancements reduce workload so SOC analysts can concentrate on genuine threats that could quickly harm an organization’s revenue or reputation.

“As phishing attacks continue to evolve, security teams demand tools that improve efficiency but also give them an edge in identifying and responding to threats,” said Jason Reinard, Senior Vice President of Product Engineering. “With these new AI features, Cofense is making it easier for analysts to cut through the noise, focus on what matters, and act faster when it counts.”

Cofense has been testing and validating AI models in email phishing scenarios for nearly four years. These AI-enabled updates to the Cofense PDR platform have been designed to reduce SOC workload and significantly improve the highlighting of today’s most dangerous email-based phishing attacks. “Cofense customers represent some of the most sophisticated organizations in the world. The bar we have is set very high, and this AI-based addition to our solution represents a major leap in our forward-looking technology,” concludes Reinard.

AI-Powered Spam Filter

Designed to reduce SOC analyst spam overhead by 30% or more in this first iteration, this new feature of our PDR solution leverages Bayesian Machine Learning (ML) to orchestrate the customization of the AI spam filter. The process “learns” your SOC’s unique environment, identifying and automatically filtering out spam that previously inundated analysts’ inboxes. Each Cofense customer benefits from true local learning to their unique environment.

Notably, and unlike many other AI-driven products, the Cofense PDR AI Spam Filter ensures complete data privacy by keeping emails local and never requiring exportation to external cloud data lakes. This helps with compliance attestations and supports best-practice security methods.

To learn more about Cofense PhishMe email security solutions, and how we uniquely stop advanced phishing attacks that bypass the technology of all SEGs, visit us at cofense.com.

About Cofense

Cofense is the leader in intelligence-driven email defense solutions, powered by the world’s largest active phishing threat reporting network of more than 35 million Cofense-trained employees. Cofense protects the world’s largest enterprises against thousands of daily phishing attacks that evade traditional SEGs and AI-based perimeter defenses. Cofense PhishMe Email Security Awareness Training (SAT) goes far beyond basic awareness, training employees to recognize and report the latest and most dangerous threats that bypass SEGs. Cofense Phishing Threat Detection and Response (PDR) solutions include powerful automation tools as well as managed services that convert threat intelligence into rapid remediation and mitigation. Unique to Cofense, all customer deployments are force multiplied by global, collective SEG-miss intelligence. For more information, visit cofense.com or connect with Cofense on X and LinkedIn.
To run the DLL which is the main Mekotio payload. A new variant of Mekotio is utilizing a DLL side-loading technique where DLLs related to legitimate applications are run, which then load in Mekotio.
Subject: Subjects were predominantly made to look like Spanish invoices.
Attachment: Mekotio is delivered mainly as a URL instead of an attachment.
Behavior: URL delivers an MSI which, when clicked, will pull the stage 2 .exe.
Brand: Fractur // Spanish
Infection Chain:

5. Remcos
Remcos was originally a remote desktop connection tool that has since been repurposed as a remote access trojan capable of taking control of a user's system. Its chief capabilities include key logging, information stealing, and audio/visual monitoring.
Subject: Remcos was delivered as a fake invoice for a payment. Typically, the emails were delivered in Spanish; however, some were delivered in other languages as well.
Attachment: Remcos was delivered using Google Docs URLs instead of attached malware.
Behavior: Once the archive (either .tar or .rar) is downloaded and the contained .exe is executed, it waits in processes while reaching out to C2 for further instruction.
Brand: Fractur // Invoices // Google Docs
Infection Chain:

Summary

This month we observed the return of QakBot and a large increase in the delivery of Ursnif. Of note, we have seen a decrease in the overall prevalence of banking trojans such as Banload, and it has fallen off the top list for now. The Cofense Phishing Defense Center (PDC) will continue to watch these threats as they evolve and deal with situations as they arise.

All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.
For a variety of malicious purposes. In 2019 up until around 2021, LokiBot would often be the most common malware family, followed by Agent Tesla Keylogger. At the time of this report, other malware families have appeared more often, and therefore pushed LokiBot down in the rankings. However, LokiBot is still in the top five malware families seen at Cofense. Figure 2 shows the percentage of LokiBot malware seen among other malware families in our Active Threat Reports (ATR), and although there was a small dip over the past year and a half, LokiBot has remained around eight percent of all malware seen each month.

Figure 2: LokiBot’s relative value seen at Cofense between January 2022 and July 2023.

Delivery Mechanisms

LokiBot is often seen by itself when it is delivered via email; however, as can be seen in Figure 2, there is still quite a large amount of LokiBot that is accompanied by a delivery mechanism. Out of the delivery mechanisms seen by Cofense, an overwhelming 82% of LokiBot accompanied by a delivery mechanism is delivered by CVE-2017-11882. However, out of all the LokiBot samples seen by Cofense, over half of the LokiBots are seen delivered as a direct attachment.

Figure 3: Delivery mechanisms used to deliver LokiBot between January 2022 and July 2023.

Very rarely will LokiBot be delivered via embedded URLs or other forms of delivery mechanisms except for CVE-2017-11882, such as Visual Basic Scripts (VBS) or Windows Shortcut Files (LNK), as just over one percent of LokiBot samples were seen to be delivered via both delivery mechanisms combined between January 2022 and July 2023.

Behavior

LokiBot has a very straightforward and simplistic way of behaving. Once LokiBot has been downloaded and run, LokiBot will unpack itself onto the system. From there, this malware will start collecting sensitive

Low price and ease of use. Since then, lokistov has released LokiBot 2.0 and is currently selling it on underground forums. This newer version of the Information Stealer includes more evasive techniques and expands further into Keylogger, Remote Access Trojan (RAT), and even ransomware attributes.

Notable Uses

Due to LokiBot being around for a while, there have been a sizeable number of media pieces revolving around LokiBot; however, none of them revolve around the campaigns that APT (Advanced Persistent Threat) groups are using this malware to conduct. The most recent use was in February of 2020, where LokiBot impersonated a Fortnite launcher, which was one of the most popular video games at the time. Since LokiBot is simple, adaptable and easily accessible, this malware has remained in the top 5 malware families seen at Cofense since 2019. During 2019 and 2020, LokiBot was a high competitor for the top malware family seen, constantly switching places with the ever-popular Agent Tesla.

Capabilities

Although LokiBot originated as an Information Stealer, it has been cracked and edited several times. LokiBot can have RAT or keylogger capabilities. However, the majority of LokiBot seen in the wild only demonstrates Information Stealer capabilities. LokiBot is capable of stealing credentials from over 100 different clients, including but not limited to:

- Email Clients
- FTP Clients
- VNC Clients
- HTTP Browsers
- Password Managers
- IM Clients

Specific examples of what these applications are can be found in Table 1; however, the list is not limited to just these specific applications.

Table 1: List of examples that LokiBot has the capability to steal from.
Mozilla Firefox, Internet Explorer, Google Chrome, K-Meleon, Comodo Dragon, SeaMonkey, Safari, CoolNovo, Opera, Chromium, Titan Browser, Yandex Browser, Superbird Browser, Chrome Canary, Waterfox, FlashFXP, NexusFile, JaSFtp, Syncovery, Remmina RDP, FileZilla, Cyberduck, NovaFTP, FTPShell, NETFile, mSecure Wallet, Fling, KiTTY, PuTTY, WinSCP, Outlook, Mozilla Thunderbird, Pocomail, Gmail Notifier Pro, yMail, Pidgin, AI RoboForm, KeePass, Enpass, 1Password

In the Wild

LokiBot has always been seen at Cofense as one of the most popular malware families used by threat actors. Due to its simplistic nature and usage, low-skill threat actors can use LokiBot
The Cofense Phishing Defense Center (PDC) employs threat analysts to analyze emails on behalf of enterprise customers across the globe, in various industries, with users reporting suspicious emails hitting their inboxes. To help keep up with evolving tactics and top ongoing malware threats affecting customers, we’ve created a breakdown of the top five malware families we have observed across our customers over the past thirty days.

Top Malware Families in February:

1. Ursnif
Ursnif is a multi-purpose trojan that is primarily used to harvest banking credentials. Delivery methods can range from VBS downloaders to Excel files that utilize Office macros to download DLLs. One primary objective is to conduct man-in-the-browser attacks by loading itself into legitimate Windows processes.
Subject: Many of the Ursnif samples delivered this month were made to look like communications from the government agency ‘Companies House’.
Attachment: Most Ursnif were delivered using a URL instead of an attachment.
Behavior: Victim is tricked into opening a PDF, delivered via a URL embedded in the email, where a DLL and set of instructions in the .hta filetype are sent over.
Brand: Legal // Companies House
Infection Chain:

2. QakBot
QakBot is a modular banking trojan with worm-like features that enable its propagation across a network. Once installed, it will use a man-in-the-browser technique to harvest credentials. The campaigns delivering QakBot re-use legitimate emails to deliver zip files containing the malicious Word document.
Subject: The deliveries of QakBot this month are using replies/Fwd to previous emails to make them seem more legitimate. Because of this, the subjects are varied.
Attachment: QakBot was primarily delivered using URLs this month.
Behavior: URL downloads a .img file containing a large number of various files that make the malware work. Each file contains a section of the functionality.
Brand: Re: // FWD: // Etc.
Infection Chain:

3. Agent Tesla
This keylogger is known for checking browser activity to steal banking information and will send the data through various methods. The most recent variants will use SMTP, Telegram, and mail servers under the control of the threat actor.
Subject: Subjects delivering Agent Tesla this month were mostly made to appear as purchase inquiries and asked the user to give them their best price and click a link. The language used was varied.
Attachment: Agent Tesla was delivered this month using a malicious URL instead of an attachment.
Behavior: URL delivers a .tar archive containing an exe which, when launched, will run in the background and act as a keylogger.
Brand: Inquiries // Purchasing Director
Infection Chain:

4. Mekotio
This trojan targets Spanish-speaking users and will download its payload using various methods. After infection, it will download a ZIP file which contains JS, DLL, and an AHK file. The JS will use AutoHotKey (AHK)
Author: Kahng An, Intelligence Team

While virtual hard drive files like .vhd and .vhdx are typically used for virtual machines, they can also be opened in Windows to mount the virtual image as if it were a physical volume. Recently, threat actors appear to be avoiding detection from Secure Email Gateways (SEGs) and commercial antivirus (AV) by embedding malicious content within virtual hard drive files. The threat actors send emails with .zip archive attachments containing virtual hard drive files, or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim. From there, a victim can be misled into running a malicious payload. Even worse, the virtual hard drive can be configured to automatically execute the malicious payload in versions of Windows prior to Windows Vista via AutoRun, a component of Windows that allows the operating system to automatically perform an action when the volume is mounted. When SEGs and antivirus scanners analyze virtual hard drive files, they struggle to detect malicious content contained within the hard drive image.

Campaign Trends

Throughout 2024, mountable virtual hard drive files have been utilized as a delivery mechanism across multiple distinct email campaigns delivering various malware families. While the email themes may differ from campaign to campaign, they all appear to be delivering Remcos Remote Access Trojan (RAT) and/or XWorm RAT. These RATs have recently been featured in Cofense Intelligence’s Executive Phishing Summaries for being some of the most common RATs in SEG-protected environments.

Tax-Themed May 2024 Campaign Using Embedded Links

This campaign targeted victims with an embedded download link to a virtual hard drive file purporting to be the sender’s tax documents. Upon downloading the virtual hard drive file, a potential victim would run the main payload, Tax_Organizer.exe, which delivers Remcos RAT by loading a malicious DLL. Figure 1 is a sample of one of the emails within this campaign.

Figure 1: Sample email for a tax-themed campaign from May 2024 that utilized legitimate embedded URLs to bypass SEGs.

Notably, the virtual hard drive files in all the emails within this campaign contain the same Tax_Organizer.exe payload that delivers Remcos RAT, but the virtual hard drive files themselves have varying file hashes because their size and contents can be easily manipulated by threat actors.

Shipping-Themed June and July of 2024 Campaign Using VHDX in Attached ZIP Archives

This campaign spoofed Canada Post and other postal services to deliver attached .zip archives containing a virtual hard drive file purporting to be a package label photo. The threat actors targeted victims with emails claiming that a package was not delivered and that the postal service requires the victim to review their address and contact information on an attached photo of the
The Ingenious Manipulation of LinkedIn Smart Links in Phishing Scams: How Cybercriminals are Evolving

Cybersecurity has always been a cat-and-mouse game between defenders and attackers. One such battleground that has emerged is on the LinkedIn platform, particularly its Smart Links feature. Designed to make it easier for professionals to share content and track user engagement, Smart Links have been weaponized by cybercriminals to bypass security measures and launch sophisticated phishing attacks. In this comprehensive article, we'll delve into how hackers are exploiting LinkedIn Smart Links, the mechanics behind these phishing schemes, and what measures can be taken to defend against them. Our primary focus will be on the “LinkedIn Smart Links Phishing” phenomenon, a new frontier in cybersecurity threats.

What Are LinkedIn Smart Links?

Originally introduced in 2016, LinkedIn's Smart Links are a feature in the Sales Navigator tool. They allow users to share links that lead to their blogs, websites, or social media platforms. When other LinkedIn users click on these links, the person who posted the Smart Link can gain insights into who interacted with the link and how.

Companies have increasingly been using Smart Links for driving online traffic, as well as for targeted marketing and analytics. This feature is equipped with tracking parameters, enabling businesses to customize their outreach based on the geographical location of the clicker or their interaction behavior. While designed to be beneficial, the feature has opened up a Pandora's box of cybersecurity issues.

The Traditional Use of Smart Links

Before diving into the phishing aspect, it's crucial to understand the primary use-case of Smart Links. Businesses and professionals use them as a part of their LinkedIn Sales Navigator strategy, aiming to establish brand presence and increase revenue. The Smart Links feature enables a more focused marketing approach. It offers analytics on who clicked the links, how many times they were clicked, and even what parts of the shared content were most engaging.

How Smart Links Are Being Exploited

However, the utility of Smart Links has also attracted the attention of cybercriminals. In a stunning revelation, Cofense, an email security firm, disclosed that hackers have been employing LinkedIn's Smart Links to launch large-scale phishing attacks. Initially, these attacks were masquerading as communications from the Slovakian Postal Service requesting shipping fees. Fast forward to a year later, the same Smart Links are now being used in a far more extensive phishing campaign aimed at stealing Microsoft Office credentials.

Anatomy of a LinkedIn Smart