90% of phishing emails found in domains with secure email gateways

The 2019 Phishing Threats and Malware Review reveals the key insights about how threat actors are evolving phishing campaigns, and provides direction on how to prepare for the unknown.

The report, conducted by Cofense, identified that between October 2018 and March 2019 end users reported a total of 31,429 threats that had already been delivered to the inbox: 23,195 were credential phishing, 2,681 involved business email compromise (BEC), 4,835 delivered malware and 718 were other scams.

Cofense found that 90% of the phishing emails it verified were in environments running one or more secure email gateways (SEGs). The report's conclusion from these figures is that “all nets have holes – and that end users empowered to spot and report suspicious emails are a critical layer of defense in depth”.

The report says that the tactics and techniques used by threat actors are evolving to evade detection by defensive technology: 1 in 7 emails reported to the Cofense Phishing Defense Center (PDC) was malicious and had bypassed technical controls. It also noted substantial use of public, open-source tools by threat actors to evade detection.

Another finding is that threat actors are aware both that organisations invest in technical controls to identify, analyse and remove malware attached to emails, and that organisations routinely rely on file-sharing platforms (e.g. Dropbox). Attackers therefore host payloads on those trusted services rather than attaching them: the report identified SharePoint, OneDrive and ShareFile as among the most abused cloud services, used to prevent analysis by security tools or human researchers, since the email itself carries only a link to a reputable domain, allowing the malware to slip past SEG defenses.
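A practical counterpart to this finding is to treat links into file-sharing services as a triage signal rather than trusting the domain's reputation. The following is an added example (not code from Cofense or the report): it parses a raw email, extracts the URLs from its text and HTML parts, and flags any that point at one of the services the report names. The host-suffix list and the sample message are constructed for illustration and are assumptions, not data from the report.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Host suffixes for the file-sharing services the report names as abused
# (SharePoint, OneDrive, ShareFile, Dropbox). This list is an assumption
# for the example; a real deployment would maintain it from its own telemetry.
FILE_SHARING_HOST_SUFFIXES = (
    "sharepoint.com",
    "1drv.ms",
    "onedrive.live.com",
    "sharefile.com",
    "dropbox.com",
)

# Matches http(s) URLs in free text or inside HTML attribute values.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _hosted_on_file_sharing(host):
    """True if host is exactly a listed suffix or a subdomain of one.

    The match is anchored on a dot so that 'sharepoint.com.evil.example'
    does not count as SharePoint.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FILE_SHARING_HOST_SUFFIXES)


def extract_urls(raw_message):
    """Return every http(s) URL in the text/plain and text/html parts of a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        urls.extend(u.rstrip(".,;)") for u in URL_RE.findall(body))
    return urls


def flag_file_sharing_links(raw_message):
    """Return the URLs that point at a file-sharing service.

    These are the links a gateway may pass because the domain has a good
    reputation; each one is a candidate for detonation or analyst review.
    """
    flagged = []
    for url in extract_urls(raw_message):
        host = urlparse(url).hostname or ""
        if _hosted_on_file_sharing(host):
            flagged.append({"url": url, "host": host})
    return flagged


# Constructed sample message for the example: a lure that carries no
# attachment, only links to a SharePoint site and a Dropbox file.
SAMPLE_MESSAGE = b"""\
From: "Accounts Payable" <ap@example.net>
To: finance@example.com
Subject: Invoice 4471 shared with you
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, the invoice is ready for review:
https://example-corp.sharepoint.com/:x:/s/finance/Invoice4471
Our site: https://www.example.net/about
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, the invoice is <a href="https://www.dropbox.com/s/abc123/Invoice4471.xlsm?dl=1">ready for review</a>.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for hit in flag_file_sharing_links(SAMPLE_MESSAGE):
        print("review:", hit["host"], hit["url"])
```

The corporate site link is left alone; the two file-sharing links are returned for sandboxing or analyst review, which is where a link-only lure has to be caught once the attachment scanner has nothing to inspect.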

The report stresses that human intelligence is vital to phishing defense, stating that “it’s imperative to educate users through a phishing awareness program, focusing on threats that utilize the latest TTPs”.

“Both user education and incident response thrive when fed by threat intelligence on emerging TTPs.”

Aaron Higbee, Co-Founder and CTO at Cofense, said in a statement:

“Adversaries are constantly evolving their techniques and changing their infrastructure to complicate detection, meaning that indicators of compromise (IOCs) can grow stale extremely quickly. For holistic defense, users need to be prepared to identify and report any threats that do reach their inbox.

“Automated technical defense controls must be blended with a human element in today’s threat landscape. While timely threat intelligence helps head off attacks and drown out the noise so that SOC teams can prioritize and focus on the most pernicious threats, Cofense is observing an ever-increasing surge of malicious emails that reach user inboxes daily. Once a message reaches an inbox, that end user is your last line of defense.”
