Criminals do their own recon to study how vendors craft their emails and how they can structure them to match. Scammers know employees are busy and that they want to act promptly on requests, but they also understand it takes time to verify the validity of the email. How do we train employees to know what is real and what isn’t?
Today’s guest is Josh Bartolomie. He joined Cofense in 2018 as Director of Research and Development and currently serves as Vice President of Global Threat Services. He has over 25 years of IT and cybersecurity experience, and has designed, built, and managed security operations centers, incident response teams, security architecture, and compliance programs for global organizations.
“We keep increasing the reliance on email and as such, the threat actors are just shifting over to things we’re already comfortable with.” - Josh Bartolomie
Show Notes:
- [1:08] – Josh shares his background and what he does in his current role at Cofense.
- [4:06] – After all these years, email continues to be an easy way for scammers to target many people at one time and victimize a percentage of them.
- [5:52] – Wherever there are a lot of people, that is where attackers will go because that is a bigger pool of success for them.
- [7:08] – You used to be able to block emails with an unsubscribe button, but now we rely on those emails, too.
- [9:50] – The goal is not to stop them altogether, because at this point it isn’t possible. The goal is to dissuade people from clicking links and trusting emails.
- [11:47] – With AI and ML, crafting emails has never been easier for scammers.
- [13:48] – Organizations get hit in different ways, but HR generally gets targeted a lot.
- [16:54] – Intellectual property theft is also a part of email crafting.
- [20:14] – Chris shares the story of an unfortunate experience.
- [25:10] – Acknowledge that these things do happen and they can happen to you.
- [27:33] – Always call the vendor. It’s an extra layer and extra work, but never trust an email that says something has changed when it comes to finances.
- [28:54] – Organizations should have a strong reporting culture.
- [30:55] – Employees can report emails that seem suspicious. The majority of them are spam emails, rather than scams, but they should be reported.
- [34:02] – What constitutes a spam email? What is the difference?
- [36:13] – Organizations tend to cut IT and cybersecurity when there are budget cuts.
- [39:18] – This is changing every single day.
- [41:46] – Scammers collect data and create profiles. They are very sophisticated in their strategies to target organizations.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Cofense Website
- Josh Bartolomie on LinkedIn
Transcript:
Josh, thank you so much for coming on the Easy Prey Podcast today.
Appreciate being here. Thank you.
You're welcome. Can you give the audience a little bit of background about who you are and what you do?
My name is Joshua Bartolomie. Currently, I'm the VP of Global Threat Services at Cofense Email Security. I've been in cybersecurity since about the late 90s.
Originally, I actually got my start as an IT guy at a local Air Force base. I happened to meet the right people and ultimately ended up becoming a defense contractor doing digital forensics and teaching state, local, and federal law enforcement for at least a decade.
Over the years, I've built multiple SOCs, incident response teams, malware analysis, threat intelligence teams. Really, I got tired really quickly over the years of getting the 3:00 AM calls chasing something that just happened.
About six-and-a-half years ago or so, I came over to Cofense. Actually, I originally headed up their research and development team, and then over the years just worked with and throughout the company. As it stands right now, I'm heading up our managed services and our threat services overall.
When you were in the military and there was this IT opportunity, was it something that you had education for, or we just need a body in this space and you were the nearest person?
It was a mix. I was actually a civilian working on the base. I was already a defense contractor at that point, but there were a couple of government contracts at the time that really needed some bodies, needed some technical people. I had personal experience doing some forensics, incident response, pen testing. Not so much actual schooling at the time, but we're going back 25 years now.
There was no schooling for that.
Really, this was actually before that was there. Really, I was able to get in there. Once I was in that role, then I obtained a lot of my schooling, my bachelor's, and my master's.
Over the years, it evolved with the various certifications, and worked on a bunch of different government contracts for, like I said, digital forensics. We had some clearance, portals on digital forensics, and how to do it. Actually, I worked with various training groups to help by training for government teams and locations, things like that.
Email, to me, is always one of these things that I think, because it was conceptually designed before security and trust were even things to worry about, in my perception has all this negative legacy, this lack of security, as part of its design.
I still find it interesting that here we are 25–30 years into spam and phishing, and it's still a problem. Not to say that vendors aren't working their butts off to try to fight it, but I still find it interesting that stuff still slips through and attackers are still working. Is email still one of the primary vectors to breach security?
Absolutely. I used to use a quote by Willie Sutton, one of the more famous bank robbers back earlier in the century. He was asked, “Why do you keep robbing banks?” He said, “Because that's where the money is.” That was his answer. Email is easy because I can send out a million emails. Even if I get a 0.1% hit rate victimization, that's still a huge undertaking.
I don't know if you remember, we used to get those chain letters in the mail, the “I'm a Nigerian prince,” the 419 scams, actually in a letter form in the physical mail. That's just all translated obviously over to email. Just like any widespread technology, because it's so embedded, any type of advancement from a fundamental stance for email is hard.
That's why S9 is not really fully accepted, even if you only secure DNS or IPv6. That's why a lot of these things haven't kicked off in huge numbers, because we have such a large architecture and infrastructure globally that you can't really do it quickly.
Email is the lifeblood for most organizations now. Obviously, it came a lot to the forefront in COVID times. Now, everybody is not in the office anymore. Between different chat messaging applications and email, that's how you manage your teams. That's how you managed your workflows. That's always going to be a target wherever there are a lot of people. That's where attackers are going to go because that's a bigger pool of success.
What has made it difficult to mitigate? I think you think of things like spam, I think, is probably easier in a sense, because it's easier to mitigate in terms of this is a universally, “I'm sending the same, exact message to a billion email boxes, and I'm going to save the same message next week and the following week and the following week and the following week, because I'm promoting a particular product.” But it sounds like while we've got a mostly good handle on spam, the phishing and the spear phishing seems to be particularly difficult to mitigate.
There are a lot of reasons for it. What most people don't realize is there are a couple of different types of threat actors. There are actually crime syndicates, for lack of a better term. There are groups that do nothing but these types of attacks. Some of them are nation state-sponsored, some of them are just criminal groups.
Then there are a lot of what we used to call script kiddies, just the opportunistic people that just say, “Yeah, I'm going to try this and see what happens.” And they send out bunches.
For those groups that are more coordinated, they do run themselves like a business. They're keeping an eye on what's happening, what the security community is doing, what they're looking towards, what they're monitoring, what they're seeing, and they're constantly evolving all of these tactics, even with spam.
There used to be a thing where if you block an email that has an unsubscribe link on it, you can do that because it's most likely spam. But now you can't because most of our emails now have that, whether it's for our own internal systems, marketing, notifications, and things like that. We keep increasing the reliance on email. As such, the threat actors are really just shifting to things that we're already comfortable with.
I have Microsoft O365 for my email client. Now I just got an email that says I need to change my credentials. Click the link, because the attackers know I have Microsoft O365. They're targeting. They're doing a lot of reconnaissance.
The way the Internet works, a lot of what we have is out there. With a little bit of research, they can identify what your organization is using, build targeted phishing templates, send them to you so that it looks like you're coming from your IT team. It just makes it easier.
A lot of people have the misconception that phishing is static. It is what it is. The email I got today is the same thing I got 20 years ago. The goal is the same, but the actual email, the tactic, the checks, and the ones and the zeros that they're using to bypass the security mail gateway detections is constantly evolving.
Every single week, we're seeing variations of common themes that are getting through and reaching endpoints or that are being successfully exploited, passwords are being lost, and accounts are being compromised.
I always found it humorous for a long time. I actually had my own physical mail server running a fairly unique server software. Periodically, I'd get those, “Hey, this is your IT administrator. Your mailbox is almost full.” I'd chuckle like, “Well, that's me. Clearly, I didn't send the email to myself.”
Fortunately, there are advantages of working in a small company, because I can tell everybody in the room, “Hey, if you get an email saying that your mailbox is almost full, don't click on it. If you get anything talking about any of our systems into the building, and you haven't confirmed that it's from me personally, I give you permission to just delete it.”
That's the thing. By nature, humans want to help. We want to interact, we want to communicate. In doing that, especially when it comes to the business, if my finance team received an invoice or, “OK, we’ve got to pay this invoice, but did they check to see if it's legitimate? Is it a scam?” We’ve got to put in all these different blocks and barriers.
It's just like every type of security at their home security. The intent isn't so much to stop it from ever happening. It's either to dissuade somebody from doing it or to make their attempt longer, and then you can detect them. That's really where we are for a lot of this as an overall industry and cyber as a whole, not even just phishing.
Then there's also the employee behavior side of it as well, I imagine?
Absolutely. We've seen that within Cofense too as we work with our customers and such from an email perspective and otherwise. You have your traditional insider risk, or malicious insider, let me put it that way. Intent is always a thing. That's where you have to focus on the malicious insider, somebody that is intently doing a malicious act, they're installing this and they know it's malicious, or they're saving out data that they know they shouldn't save. They're bad. That's bad, don't get me wrong.
Then you also have just your normal users that don't know what the current threats are, don't know that it looks like you just said. “It looks like an email from my IT team; why shouldn't I click this link?”
My wife actually has a little website that I run. I host it. To your point, I hosted, I owned the domain the whole nine. She just got an email from her website administrator saying her account was locked down and she needed to reset it.
At first she's like, “Did you do this? Why would you send this to me?” “I didn't, honey. No, it's not real. A lot of people just want to get it done, and we're so busy. OK, I don't have time. They're busy, I'm busy. I'm just going to do what the email asks.”
It's a mixture of a lot of things that adds to all of this. Don't get me wrong. There are always improvements, but as a community, we're all doing a lot better than we did 10–15 years ago. So are the attackers.
Is that one of the challenges with respect to phishing and particularly spear phishing, that it's so crafted, so unique, that it's really hard to recognize a pattern?
It is, and because the patterns change. But now when you look at what's happening in the ecosystem as a whole with AI and ML, you can set up an LLM (large language model), curate data from a company's website and materials that they've published, and now you essentially have, what are their email structures look like? Were they a part of a data breach where their emails were released?
Now you have some communication. You know the vernacular, you know the department names, you know product names, trademark names. Attackers are leveraging the same things the businesses are trying to leverage because, again, they're handling it like a business in their front, on their end. They will tailor it to you.
I've actually seen this happen recently. If you're an organization who hired a new mid-level, senior-level of a small organization, and you put on your website that this person just got hired, congratulations, that person's going to get attacked. We've seen it.
Unfortunately, I've recently seen a couple of individuals and customers' infrastructures that situation occurred. They got the links, they clicked the links, and lost their passwords. Luckily, the threat was averted and mitigated as quickly as possible. It happens all the time.
What departments are usually the primary target within an organization? Is it IT, is it accounts payable, or is it pretty random?
It's not so much that it's random, it's opportunistic. Believe it or not, there is, what I termed, a phishing almanac. It depends on the time of year.
If we're talking about the later part of the year—Q4—benefits, HR, because everybody's doing their benefits. Especially in the US, they're doing their benefits enrollments, updating W-2s, working through all of next year's insurances and all of that, changing their direct deposits.
HR gets targeted a lot. Generally at the end of quarters for finance teams within organizations, because that's when a lot of invoices are due, or at least they try to roll up to the end of quarters.
Opportunistic insofar as, say my company went to a conference. We had a booth. We actually attended the conference. Because the attackers do buy these lists of who attended conferences, they know that I attended this conference and attended these talks.
Now I'm on their short list, targeting them with, “Hey, I met you here. I don't know if you remember me. Here’s my resume that we talked about.” It's a weaponized document or something along those lines.
The reality is it all depends on the intent. I mentioned these individual groups. Generally, there's an intent. Are they looking for fraud? Are they looking for credentials that they can harvest to either get into a company or to just sell? Are they just trying to get money really quick, or is it more of an espionage-ish style attack?
We've seen everything from CEOs getting targeted directly, to, “I received an email and a text message a couple of weeks ago from my CEO who asked me to do some actions. That wasn't my CEO.” We're all getting these all day. Like I said, there's the spray and pray, and then there is the targeted. There's patterning, but really, everybody's a target. I wouldn't say there's anybody that isn't a target.
Maybe I don't like to use the word espionage, but is the espionage that we're trying to get in a system to learn something or to find stuff out, we're not leveraging that to break into other accounts, we're not trying to do large data breaches and sell the data, we're not trying to get into the accounting system? We're trying to get intellectual property. Is that one of the harder ones to detect? To me, the accounting one is probably the easiest because you're going straight for money.
You would think it's the easiest, and it generally is, more often than not for some of these, especially from the espionage front. I have history in this realm. That's where I'm leaning on some of this stuff from that stance, and a lot of this can be nation state-sponsored.
Really, back in the day, it was attacking the DMZ, trying to pop a web server, and then try to get through it to internals. Why would I do that if I just need to send 5–10 emails, get somebody to click the link, I have your passwords, and now I can get into your network and, like you said, poke around to find what I need?
Either install a plant so I just sit there for a while and wait a couple of months, so that way nobody can ever trace back and find the root cause, and then just slow and go to find if there's anything of interest.
It still does happen, espionage overall, but most of the time, to your point, it's intellectual property theft. Not so much for fraud, laundering, or anything along those lines. It’s, “I don't want to spend a million dollars on R&D, so I'm going to take your R&D, really.”
Or, “I just tried to get your accounting department to wire me the money instead of this other entity.”
Or that. We've actually seen that, where companies have had accounts compromised. They're either putting in a request from an employee's email just to change my direct deposit, or it's a third-party vendor that's now emailing the company, but the third-party vendor was compromised. “Oh, we had to change the bank account on the invoice we just sent you last week; please send the money here.”
I was talking to somebody I know. I was surprised because it turned out to be more savvy in a sense. Usually, for these scams, there's a sense of urgency involved. That's something that people are starting to get comfortable looking for—the urgency element—and that becomes a red flag.
The HR department received what looked like an email from him saying, “Hey, I'm switching banks, but I'm overlapping for some period of time, so it's not a big deal. But when it's convenient for you, can you go to this account instead of the other account? Again, it's no rush, just whenever it's convenient for you.” Because he was an owner in that company, the money wasn't sent. There was no disbursement to him for quite a while.
The HR made the change. No one thought anything of it. It was time for a disbursement, so that gets triggered and he doesn't get it. He calls up HR and says, “Hey, what's going on? I didn't get the funds.” She's like, “Well, I sent them a couple of days ago. You should get them.” He just asked like, “Well, what account did you send it to?”
She's like, “Well, a couple of months ago, you asked me to switch accounts.” He's like, “No, I didn't ask you to do that.” He calls me and says, “Hey, Chris, what do I do?” I'm like, “Well, get the receiving bank account number. Figure out what bank that is, and hopefully they haven't pulled the money out of that bank account yet. You can stop the transaction at the receiving end. Contact your sending bank, and hopefully you can stop it.”
He was really fortunate in that the money that the bank was sent to, somewhere between the time that the account number got changed and the transaction happened, the bank was able to determine that account was fraudulent. They shut the account down, and they were just holding the money to see. At some point, it would have bounced back to the original sending account, but he lucked out in that the account was closed.
They were like, “Yeah, if the money had sat in that account for more than two or three days, it would have been yanked out. That was the pattern that we were seeing, so we closed the account. We assumed it was fraudulent.” He really, really lucked out. He went back. He looked through all of his email history. “Nope, there are no mails sent from my account in my outbox.”
The HR person looked at it, and someone had gone out and registered a domain name with one character that looked like a different character difference, and had gotten his email signature, who had found out who the right person in HR was.
From the surface of it, there was no reason to believe that it wasn't a legitimate email. There was no sense of urgency, there was no bad grammar, there were no red flags, there wasn’t, “Send a million dollars.” It was just, “Hey, I'm changing my bank account. There's an overlap.” There's no big deal, and none of the red flags that you would normally see in one of those attacks.
It's amazing when you think about that too. What if he didn't realize it? What if, like you said, the money was already pulled out? The other instance, the other institution didn't block it. Unfortunately, I've seen that too many times during my time here at Cofense.
I still do, but I used to engage with a lot of customers to help with some of this, whether they were scammed or they received something. Especially when we do some threat hunting on our side, and we identify potentially compromised credentials or suspicious activity, we reach out and obviously let our customers know what's going on.
There were a couple of times, even in the last year, customers reached out to us at Cofense. I started talking with them. It's interesting because you have that situation. The one I ran into was a smaller organization where a new employee came in during COVID, so nobody's really in the office too much. I think it was within the last two years. Yes, but not a lot.
New person, relatively speaking. CEO texted him, sent him an email, gave him a phone number to text me back because I can't check my email. The person texted the CEO back. Small enough company that's not out of line for the CEO to talk to people.
Over the course of about three months, the CEO asked for a mixture of gift cards, money to be wired, access to the person's crypto account because they needed to send a customer some bitcoin. All said and done, the person lost anywhere from $20,000–$30,000.
At the times that they were in the office together, he would look if the CEO walked by, looked, and they would just passing glance. The new employee was like, “Well, he's not talking to me. Maybe he doesn't want everybody to know that I'm doing this.” Finally stepped up, but it was a couple of months in.
That mentality of wanting to hide that you're being victimized is still a thing. It's great that your friend, the contact you were talking about, we immediately reached out and started making the phone calls to what happened. The psychological effect didn't impact them, so they were all open to try to actually get to a resolution.
That's the other side of it, too. We see a lot of these types of attacks, and there is no restitution. In this instance, the company reimbursed. There was a good, happy ending. The company still lost some of that money, but overall it was still a happy ending.
But for an individual, oftentimes there is no restitution because it was already converted or it was already extracted from bank account A, crypto repo B, or whatever they requested, or gift cards, which is always a common thing because they're not traceable. That's the easiest way for most attackers.
Easy to be converted back into cash.
Yeah. It's easier for me to sell a $50 Google gift card for $30 and get cash in hand. Then, no one's the wiser and nobody can ever trace it back to me.
What does a company to do? Technology will get us a certain part of the way there, or a technology that we implemented at a specific point in time was appropriate then. What's the going-forward strategy?
The biggest thing is don't ostrich it. Don't put your head in the sand. Acknowledge that these things can happen and do happen. If it does happen, don't sweep it under the rug. Communicate out in monthly newsletters, whatever your company's status is.
It is a pretty humbling activity to highlight if you have been a victim, but it's also a great educational opportunity for somebody, because I've had it happen to myself multiple times here and there. I do this for a living.
The big thing we've seen is training. It seems past day, and now it's security awareness training. Cofense does a lot of security awareness training. Cofense was one of the first pioneers in doing phishing simulations for the last 10-plus years.
It's still a thing. The trick is don't do it for compliance numbers. You need it for compliance, don't get me wrong, but use new phishing tactics. Use the attacks that we're seeing this week, this month, not the things from 10 years ago.
Don't try to negatively impact any employees that fall for the phishing attack, no punitive type thing. That's my opinion on punitive because then they don't learn from it. Don't use just the easy ones because you want a high score. Don't use the hard ones because you want a low score to get back at people, whatever the reasoning is. Use the real.
What's happening now? “Here's an actual phishing attack from the last X week, month, whatever. Here's a real phishing attack that we received. Here's a real phishing attack that we fell victim to. We're going to use that as our phishing simulation. We're going to use that as our training on what to watch out for, because a lot of it is still the common stuff.” We’ve just got to slow down and take a look.
I mentioned that email my wife got. I said, “OK, look at the sender email address.” It was it-support-forfree.net. OK, obviously, I have no idea what that is. If you press over the link, what's the link? It was freeattorneyvisitssomething.com. “Obviously that's not me either, honey.” Some of the basics are still great basics, and some of it's going to come down to policy.
Finance, HR. You have to institute a policy. If you change direct deposit, send a notification email, send a letter, verbally pick up the phone and call them or actually call the person.
If your CEO is asking you to send gift cards or money, I doubt they'd be very mad at you if you actually picked up and either talked to their admin or reached out and tried to call them directly. “Did you really want $20 in gift cards?”
The same thing with finance insofar as invoice changes. You get a new invoice with a new routing or new account number, call the vendor. It is an extra layer and it's extra work, but it's less impactful.
There were a couple of Cofense customers that I've talked to—I want to say it was probably Q3 or Q4 of last year—where they received a couple of invoices and their finance team just paid for them. It wasn't any services they actually ever did or commissioned. They were out about $60,000, and there's no recouping on that. Just that extra step, the trust but verify. It's that mantra. That's really what most people can do.
I've definitely done that. I had a vendor contact me and say, “Hey, we've updated our bank payment details. Please use this going forward.” It's like, “OK, well, this was emailed to me, so I can't respond to the email. I need to call somebody. ‘Hey, I just got an email saying da-da-da-da-da.’” It's like, “I don't know, but let me find out.” He called back a day later. “Yup, hey, just found out the accounts receivable changed the bank, so yes that is the legitimate message. Thank you for asking.”
Exactly. The other side too is having a good reporting culture. I'm a little bit biased, but even before I worked at Cofense, I stressed this for the organizations that I worked for, and I deployed a lot of these. Deploy a “report suspicious email” button. Have it go to an abuse box that your security team does look through, not a week later, not a month later, but the same day. Provide that feedback loop to the reporter and to your company as to what your threats look like.
I head up the team for our managed services at Cofense. The reporter button sends to an abuse box that my team analyzes. We go through hundreds of thousands of emails every month. On average, regardless of what security they have in place, between 11% and 15% of all reported emails are malicious.
These are emails that made it through all of the security stack in a mailbox, and got forwarded over to us. We analyze them—our average is within a two-minute window—actually notify the employee as to what was good, bad, or ugly, and then send the data to their security team.
It makes a difference. If I actually measure the customers, because I have Cofense customers that have either managed services or a robust SOC that does it themselves, and decent phishing simulation that are using newer templates and that security awareness training that goes into it, the percentage of malicious emails that get reported are actually higher for those customers because their employees know what to look for, because now they're seeing it more. It's one of those things.
Normally, if you don't ever look for something, you never see it. But once you start thinking about it, it's everywhere. That type of situation. It's all that big circle. To your point, technology can't solve people, people can't solve technology, but working together, it augments each other.
I'm curious, the 85% of the reports that you receive that are not malicious, what are they? Mistakes or spam?
I don't want to say mistakes because that's a negative assertion. You don't want people to not report things that they think are suspicious, even if it is “good email,” because that one time that they're like, “Yeah, this looks like it won’t,” it's going to be malicious.
Majority of it is spam. It's a mixture between spam and business communications. Whether it's internal communications—the company just sent out an email blast through Yammer—it might have looked fishy. We have a bunch of employees reporting that, or emails that came in from the company that are going from a third-party marketing.
Honestly, I've done this for a long time. You'll always see the others that do make you question certain things. You just signed up for a webinar. You just got an email for the webinar you just signed up for, and then you just reported the email for the webinar that you just signed up for as suspicious. You know what? If you're nervous about it, we'll still help you and all that.
Really, the majority of it is either just benign business communication, email and spam. There's always intermingling here because we see the gauntlet between business email compromise, credential phishing, malware, pretext for ransomware attacks. You name it, we've seen it all pretty much every day at this point.
I suppose most of these platforms are pretty good about blocking most spam as well, I assume.
It's been a while since I've been on the operational side of spam filtering, but I could say in past lives, I've been on platforms where I've managed platforms that would block anywhere from 85%–93% of spam, but I would still be getting in millions of emails every day. It's an economy of scale.
Some of our Cofense customers on the managed side, they're fairly large. Their inbound email is double-digit millions every single day. Even out of that, even if you have a 5% spam ratio, that's still a lot of spam coming in.
Spam is doing the same thing everybody else is. Obviously, it's a different motive, but they're tuning it, they're tweaking it. They're trying different ways of what is working, what isn't.
If you actually look up any marketing website—now this isn’t a dig at marketing, obviously, by any stretch of the imagination—how to get emails into inboxes, you'll come up with 10 pages of Google hits on here, do this, try this header, try this wording, so that way it won't get marked as spam and you'll make it in front of somebody's eyes on the endpoint.
When I was part of the anti-spam community, that was the hardest thing for people to understand. To me, in my mind, spam was always about consent, not content. No matter how legitimate it was, did you ask for it to be sent to you? That's spam. If you didn't ask for it, you got it. It's spammy.
Now there's an inflection point. Like I said, we're getting tens of thousands of emails a day on the Cofense managed services. We've seen emails that look like spam or even look like business communication because the attackers are following the same templates, actually just spoofing, or, which is what we're seeing a little bit more of, they're leveraging compromised accounts.
Whether it's a company's compromised accounts to send internal emails to internal employees saying, “Hey, I just got this great thing. Click here.” Or they compromised somebody's—I'm just arbitrarily saying names. This isn't like a Marketo or a SendGrid marketing account, and they're leveraging that to send out malicious emails as well. It's a hot mess at times.
Is there any aspect of this or intangible that keeps you up at night? Aside from the—it’s one thing if I'm responding to an incident. When you're in this industry, you have to deal with it when you have to deal with it, and that might be in the middle of the night, but what's the stuff that when you're not working, makes you wake up, and go, “Oh my gosh, oh my gosh, oh my gosh”?
It's interesting because there are a lot of different aspects to it. One of the big things that I've worked on within Cofense—we have a product for it so this isn't a sales pitch, but we do have it—is targeted phishing threat intelligence, so we can help minimize that noise in real time stuff.
The reason I bring that up is because of that type of intelligence, we see not even just what's in our managed services, but what other Cofense customers are seeing in their environment, because of what the intelligence detects within their environment.
To answer your question, what keeps me up at night is still doing this same as you, 25-plus years. When there's a budget crunch, IT and security, I'm sure you've said it. I've said it too many times. “I'm paying this much for security, nothing's happened. Why am I paying for you? I'm paying this much for security, something happened. Why am I paying for you?” The budget cuts, and the focus on the new shiny when you have some of these fundamentals.
Endpoint protection is fantastic and it is required, MDRs, EDRs, whatever you want to call them. Having those endpoint protections, having your other firewalls, proxies and all that, absolutely required. But why is it always the last thought to augment the primary entrance of threats? Why not add augmentation to your email security stack and stop an attack before it happens? It's easier to close the door on the submarine before you submerge than it is after.
Over the years, again, I'm sure you've seen the exact same thing. You see these cycles, these peaks and valleys of defense in depth, vendor consolidation, defense in depth, vendor consolidation. It's between a five-to-seven year cycle I've seen, where we want the defense in depth because what if product A doesn't detect something, block it, or if it fails unknowingly? We have product B that can help provide some cloud cover, ground cover.
When you get into consolidation, you put all of your eggs in one basket. From a cybersecurity stance, where does that leave you? I'm not saying this from a negative stance because it happens, it happens to all these companies, but look at the recent attack on Microsoft, source code lost, potentially some data. For companies that all of their security stack is Microsoft-related, where does that leave them? Now, they're rushing around.
Attackers are exploiting all of these things. There are products that are fantastic. Email security products, there are some of them that are fantastic at what they do, but there are others that fill the gap. Like I mentioned, 11%–15% of reported emails that come into Cofense-managed service are malicious. That's from customers that have one, two, three, five different email security-specific appliances in place. Things are getting through.
Don't put your head in the sand. Don't discount email security. It's old hat, it's not new, it's not flashy, it's not buzzworthy. It's old stuff, it's an old tripod, email, it's email, it's email. Stop the fire before it starts. That's really what keeps me up. That and the amount of spam and scams that my mother gets, but that's a whole different conversation.
That's a different episode. What does this landscape look like? How quickly is stuff evolving? Do you guys have resources that people can look at to see what the latest things are?
The first part, how much does it change? How often every day. That's the nice thing about doing what we're doing on the Cofense side with the managed services. We get to see what's happening every day. Is there a new tactic? Is there a new tweak, new twist? Then we can operationalize that data and use it throughout.
Also, to your point, we do write up a lot of research papers, blogs, and webinars with examples of different phishing campaigns that are making it into enterprise mailboxes. We present those emails, obviously redacted and cleaned up. All of that data is available on our website.
We have bi-weekly intelligence reports. We have quarterly threat intel landscape reports on the phishing threat landscape. Just like every other cyber domain, really, the threat landscape is different. It behooves security professionals to know what the landscape is and what the evolutions are, but there really isn't a week or two that goes by that we don't see something new.
Two weeks ago, we had a rash of 10,000–12,000 emails come through that were using a brand new tactic. Actually, the URL in an email was wrapped by a common secure email gateway like the Proofpoints, the Mimecasts, where they do the URL wrapping. It was wrapped by another secure email gateway after that.
The email didn't go through either of those secure gateways, so the attacker was basically just leveraging it because once a URL is wrapped, most other secure email gateways won't scan the URL because it's already wrapped. It's an easy way to bypass security checks.
We saw that, and that was across multiple different customers. It tapered off, but you still get sprinklings of it. We see a lot of those try to see if it's worth it. Then usually within a couple of weeks or a month later, you start seeing a surge of that. The attackers are quantifying all of these success rates.
Something we see commonly is they found a new way of doing an open relay for links. If you have a Google link that if you click it, it looks like it's Google, but then actually once you click it, it redirects you to something else. There were actually a couple of open relays that they found for some mail-scanning services that they were able to hijack.
Basically, because it was for a mail-scanning service, it's a high-reputation domain. Nobody blocked the emails. A couple of thousand came in as well, so it's always these iterative loops. We've seen it where they've added different methods of spoofing, especially when it comes to the targeted stuff, but even more generically, with the advent of the LLMs, AI modeling and all of that. They're able to actually create corporate profiles much quicker and much easier.
Think of ChatGPT that has all of your company's website, articles, history, and now they know your trademarks, your monikers, your structure, what you just did, any new conferences, any new products, any new things that they can craft emails that are targeting your organization directly. It is a constant evolution, and that's what a lot of people don't get.
Spear phishing on a large scale, what are we going to call that? That's what it is.
It really is.
There are now resources in place to allow you to carry out spear phishing against an organization at an order of magnitude above what it used to be. I don't think we call it spear phishing. I don't know. We've got to figure that one out.
How about grenade phishing because you're just throwing the grenade in the water and getting what floats up? I'm not saying I'm coining that, but I just wrote it down for my lawyer.
To be trademarked in the next 15 minutes. Josh, if people want to be able to connect with you and find out more about what Cofense is doing, how can they find you?
For myself, I'm on LinkedIn—Joshua Bartolomie. Feel free to reach out. I'm happy to chat anytime. Cofense as well is obviously on LinkedIn, but cofense.com. Like I mentioned previously, we have a lot of resources, a lot of information. It's open for the grabbing. A lot of history there in regards to some of that patterning annual reports, quarterly reports, insights as to what's going on on the phishing threat landscape, and the security awareness and phishing simulation landscape as well. Feel free to reach out to me or to Cofense.
Perfect. We'll make sure to put all of those links in the show notes. Thank you so much for coming on the Easy Prey Podcast today.
I really appreciate the time. Thank you very much. I appreciate that.