Phish of the Week: In Honor of Shark Week…

The Kind of Shark Attack You Should REALLY Worry About

Who doesn’t love Shark Week? Mike Tyson cage-diving with sharks, Michael Phelps in shark-infested waters, plus, the ‘shark’ of all…phishing breaches? Oh. Wait, we’re not just talking about TV’s annual Shark Week (which concludes this weekend).

While Phelps in shark infested waters is always a good spectacle, the real sharks you should care about are the ones that lie hiding in wait within your partner ‘waters’. These sharks perpetuate a “long con,” Business Email Compromise Type 3 phishing attack. A good example is the recent Virtu breach covered by the Wall Street Journal, that resulted in $10.8M in fraudulent wire transfers. In this campaign, a bad actor watched the organization’s (Virtu’s) emails for two weeks – then used “legitimate, ordinary-course business transactions” to phish for funds.

The BEC attack on Virtu (which – according to available public records – uses both a Secure Email Gateway and DMARC) shows why old approaches don’t work against new BEC attacks. To avoid falling prey to BEC Type 3, check out our Active Fraud Prevention solution brief here.

Task Force 7 Q&A: How to Preemptively Track Phishing Campaigns

Why doesn’t a reactive posture work when it comes to email threats? How can a company still protect itself when a supply chain partner gets phished? What’s happening in the world of election cybersecurity?

Hear Area 1’s Chief Security Officer Blake Darché cover these topics (and more) in his recent Q&A with Task Force 7 Radio’s co-founder (and Ciena’s CISO) Andy Bonillo, here.

DMARC Deployment Still isn’t the Problem…

ICMYI, Blake (along with our Principal Security Researcher Javier Castro) also recently demonstrated how bad actors build and successfully launch a DMARC-passing phishing attack in less than 60 minutes.

TL;DWatch? Despite what new “studies” say, properly enforcing DMARC policies won’t protect your inbox against BEC, credential harvesting, or any other targeted phishing attack.

Read about the good, bad and ugly of email authentication in a new blog, here.

Microsoft Office 365, Compromised

Like email authentication, Office 365 also won’t intercept Business Email Compromise attacks. Nor will it prevent other low-volume, sophisticated phishing campaigns. If you’re still using Office 365 without cloud-native email security (or plan to transition to Office 365), then join us Aug. 27th to learn:

  • How bad actors evade Office 365’s ATP, email authentication and other traditional defenses
  • Recent examples of BEC and other phishing campaigns that bypassed Office 365 defenses
  • How to boost Office 365’s native capabilities with six cloud-native security techniques

Tell Us (Well, Gartner) What You Really Think of Us

Help other security professionals catch phish. Share your experience as an Area 1 customer on Gartner Peer Insights and receive a $25 gift card.

Gartner will validate your identity through your business email or LinkedIn profile. Reviews are anonymous and Gartner will not share your information or market to you unless you actively opt in.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!



Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.

How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.