CoFense Scam News.
- Steganography Secrets: Malware Hidden in Plain Sight, by Cofense on May 20, 2026 at 5:00 am
The blog explains how threat actors use steganography to hide malware inside harmless-looking image files, helping them evade security tools and deliver malware like Remcos RAT, Agent Tesla, and XWorm through phishing campaigns. These attacks often use multi-stage infection chains involving JavaScript droppers and DotNET loaders that execute malware directly in memory to avoid detection. The report also highlights the growing abuse of image hosting sites such as archive[.]org and notes that many of these stealthy campaigns are finance-themed and highly targeted.
- Click, Install, Compromised: The New Wave of Zoom-Themed Attacks, by Cofense on May 18, 2026 at 5:00 am
This blog explains how threat actors are evolving beyond traditional credential phishing by using convincing Zoom-themed social engineering attacks to trick users into installing ConnectWise ScreenConnect, a legitimate remote monitoring tool that can provide attackers with persistent remote access to compromised systems. The campaign uses realistic fake Zoom meeting pages, audio playback, and fraudulent software update prompts to persuade victims to execute a disguised VBS installer that silently downloads and launches the ScreenConnect payload. The article highlights how attackers increasingly abuse trusted platforms and legitimate administrative tools to blend malicious activity into normal enterprise behavior, enabling credential theft, reconnaissance, lateral movement, and potential ransomware deployment.
- 5 Key Takeaways from “Inside the Shape-Shifting Inbox: The New Playbook for SOC Teams”, by Cofense on May 14, 2026 at 5:00 am
In our recent webinar, Inside the Shape-Shifting Inbox: The New Playbook for SOC Teams, Cofense threat analysts explored how these attacks are changing and what security teams should prioritize moving forward. This blog breaks down five of the biggest takeaways from the discussion.
- Cofense Launches AI-Driven Campaign Detection to Unified Phishing Defense Platform, by Cofense on May 13, 2026 at 5:00 am
New capabilities help organizations detect polymorphic coordinated phishing earlier, respond faster, and build lasting resilience
- 5 Reasons Vision AI Changes Phishing Remediation, by Cofense on May 13, 2026 at 5:00 am
In this blog, Cofense Senior Technical Product Manager Jason Meurer explains how Cofense Vision AI changes phishing remediation by enabling SOC teams to detect and contain entire phishing campaigns instead of responding to individual emails. He outlines five major advantages of Vision AI, including campaign-level clustering, retroactive quarantine based on confirmed indicators, detection of AI-generated phishing patterns, trusted human-supervised automation, and integration into existing Cofense Vision workflows. Meurer argues that Vision AI represents a significant shift in phishing defense because it helps security teams respond faster and more effectively to large-scale, polymorphic phishing attacks.
- Steal Smarter, Not Harder: Malicious use of Vercel for Credential Phishing, by Cofense on May 6, 2026 at 5:00 am
Threat actors are increasingly using Generative AI tools like Vercel to rapidly create highly convincing phishing websites that mimic legitimate brands, significantly lowering the technical skill required to carry out attacks. The platform's easy deployment, cloud hosting, and integrations with services like Telegram allow attackers to scale campaigns, automate credential theft, and quickly rebuild sites if taken down.
- Training on Fiction While the Real Threat is in Your Inbox, by Cofense on April 30, 2026 at 5:00 am
In this blog, Josh Bartolomie argues that many security awareness programs rely on predictable phishing simulations that inflate success metrics without improving real-world defense. They highlight that modern phishing attacks, increasingly powered by AI and real-world context, have outpaced these outdated training methods, leaving organizations exposed despite “good” results. Bartolomie advocates for threat intelligence-driven training and emphasizes measuring employee reporting behavior, positioning the workforce as an active part of security rather than a passive compliance metric.
- The Meta 2FA Trap: From Verified Badge to Account Takeover, by Cofense on April 27, 2026 at 5:00 am
Meta, the parent company of platforms such as Facebook and Instagram, plays a major role in both personal communication and business operations worldwide. A new phishing campaign is emerging that abuses Meta's verification system and 2FA tokens to gain account access and steal sensitive information. This campaign is particularly convincing and targets both individual users and businesses. Below, we examine how it works and how to better protect against it.
- 5 Key Takeaways from “Inside the Shape-Shifting Inbox: Understanding Modern Polymorphic Campaigns”, by Cofense on April 22, 2026 at 5:00 am
Polymorphic phishing is no longer an emerging tactic; it's quickly becoming the norm. In our recent webinar, Inside the Shape-Shifting Inbox, Cofense experts broke down how these campaigns work, why they're so effective, and what security teams need to do to keep up.
- Weaponizing Apathy: How Threat Actors Exploit Vulnerabilities and Legitimate Software, by Cofense on April 22, 2026 at 5:00 am
Threat actors increasingly exploit legitimate software and known vulnerabilities to evade detection and deliver attacks. Tools like Microsoft Office and Remote Access Tools enable persistence, data theft, and remote control while blending into normal activity. This trend exposes a key weakness: organizations often overlook trusted tools and unpatched systems, giving attackers an easy path in.
- Interactive Brokers Phishing Scam: Fake IRS W-8BEN Renewal Alert, by Cofense on April 13, 2026 at 5:00 am
The blog describes a phishing campaign identified by Cofense that impersonates Interactive Brokers using a fake IRS W-8BEN renewal email to trick users into clicking a malicious link. The email appears legitimate but uses a suspicious sender address and directs victims to a counterfeit login page designed to steal account credentials.
- From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud, by Cofense on April 9, 2026 at 5:00 am
This blog describes a phishing campaign that impersonates the IRS and Elon Musk to lure victims with a fake $5000 tax refund, ultimately redirecting them to credential harvesting websites. After submitting personal information, victims are funneled into a fraudulent cryptocurrency platform that requests additional sensitive data, including bank details and photo ID, under the guise of processing the refund.









