CoFense Scam News

This report examines malware families delivered by campaigns that bypass secure email gateways between May 2023 and May 2025, focusing on the five most common non-English languages used to deliver malware. It highlights long-term trends to help organizations understand whether they are more likely to face regionally targeted malware or more generalized threats, as part of a broader series on multilingual phishing campaign trends.

Cofense Intelligence relies on over 35 million trained employees from around the world, therefore a considerable number of analyzed campaigns are written in languages other than English. This report covers from May 2023 to May 2025 and focuses on the overall themes of campaigns in the top five most commonly seen languages besides English that bypassed perimeter filtering such as Secure Email Gateways (SEGs). 

The Cofense Phishing Defense Center (PDC) recently observed a new phishing campaign imitating ADP, allowing the threat actor to gain access to employee accounts and steal sensitive information. To help employees identify phishing threats and become the first line of defense against threat actors, we broke down this real-life example.

Modern Windows features that support normal system operations can also be misused by threat actors to keep malware running without user interaction, a tactic known as persistence. Persistent malware allows attackers to maintain access even after a system restarts, enabling ongoing monitoring and additional malicious activity. This report explains common Windows persistence mechanisms and highlights malware families that frequently abuse them.

Holiday phishing scams surge every year as attackers take advantage of busy inboxes, seasonal shopping, and end of year HR activity. From fake shipping notices to fraudulent bonus updates and last minute sales, cybercriminals use familiar holiday themes to trick users into clicking before thinking. Learn how to spot these common scams and protect your organization this season in our latest blog.

Cofense, the leader in intelligence-driven phishing defense, today announced significant advancements across its portfolio, introducing Smart Reinforcement within its Security Awareness Training solution, and unveiling the latest release of Triage 1.30 within its Phishing Detection and Response (PDR) solution. These enhancements mark a major step forward in Cofense’s mission to deliver faster, smarter, and more automated phishing threat remediation and training. 

Threat actors are exploiting the legitimate NoteGPT platform to host malicious “documents,” luring users from seemingly authentic OneDrive-themed emails into credential-harvesting pages. Once victims click the embedded link, they are redirected through a NoteGPT page to a fake Microsoft login portal designed to steal professional credentials. This campaign leverages familiarity, branding, and trusted services to bypass suspicion and increase the success of phishing attacks. 

As organizations prepare for another year of highly sophisticated, AI-driven email threats, Cofense’s 2026 Phishing Threat Predictions webinar brought together experts Joshua Bartolomie, Max Gannon, and Chance Caldwell to break down what security teams should anticipate in the year ahead. Here are the five biggest takeaways security leaders need to know.

Q3 and Q4 of each year tend to see the most Human Resources (HR) task-related phishing threats. Impersonating HR provides many benefits to threat actors. Tasks from HR are typically mandatory, so HR emails carry authority. Legitimate HR tasks can also have strict deadlines, which a threat actor can use to impose urgency. Finally, regular HR tasks are expected by employees. Sent at the right time, employees may not recognize an email as phishing and automatically click on any link to resolve the HR issue. This analysis focuses on the statistics of HR-themed phishing from January 2024 to September 2025. 

Black Friday generates a surge in promotional emails, shopper urgency, and mobile-heavy browsing, conditions that make it easier for cybercriminals to blend phishing messages into legitimate inbox traffic.

Threat actors take advantage of the tools offered by link shortening services to deliver malware and credential phishing. In this report, Cofense Intelligence has identified the most commonly abused legitimate URL shortening services.

Cofense Intelligence relies on over 35 million trained employees from around the world, and a considerable number of analyzed campaigns are written in languages other than English. This report focuses on the URLs embedded in emails that bypassed email security controls like secure email gateways (SEGs) to deliver malware.