4 Key Takeaways From Cofense’s Email Security Report 2023 - Talion

Recognised by Gartner in the Market Guide for Email Security, our partner Cofense have some recent and eye opening statistics to share on how cybercrime has evolved over the past year.

They’ve observed the many environmental pressures and changes throughout 2022, including email threats not only increasing in volume, but also intensity and sophistication. Coupled with increased budget constraints and a growing skills gap means SOC teams are under pressure.

We’ve combed through Cofense’s latest Annual State of Email Security Report and highlighted 4 key takeaways we think you should know about.

Learn how Business Email Compromise (BEC) continues to hit companies far and wide and how weaponising conflict for financial gain isn’t leaving cybercriminals’ minds anytime soon.

This is what you should be aware of when tackling your security strategy in 2023:


 1. URL Attacks are Bypassing Legacy Email Security Vendors in up to 94% of Cases

There is often debate around the effectiveness of legacy solutions when it comes to cyber security. To some extent, many organisations prefer to stick with familiarity, but Cofense have found this is more likely to hinder safety of email accounts.

Not only is the effectiveness of antivirus for tackling ransomware causing concern, but so are Secure Email Gateways (SEGs).

In 2022, Cofense reported that up to 94% of URL attacks bypassed traditional SEG technology, broken down into the following:

  • 40% Microsoft E5
  • 49% Proofpoint
  • 61% Cisco
  • 94% Microsoft E3
  • 82% Mimecast


This may come as a surprise amongst well-known names, but it’s not necessarily undermining the companies themselves but testament to how sophisticated cyber criminals are becoming in bypassing even the most secure security systems.

Traditional SEG technology simply isn’t advanced enough to identify the evolving tactics threat actors are adopting now, resulting in a greater need for penetration and live threat intelligence to maximise security controls.

Below is an example of a malicious email built into looking like a Microsoft email notification to deceive the recipient. Usually, organisations have enabled URL defenses to protect users if they click a link, however sometimes it takes several interactions before the SEG determines it as malicious and blocks it.


Example of a phishing email that bypassed Secure Email Gateway (SEG)


This new level of sophistication has emphasised the need for robust employee training and the adoption of the ‘Last Line of Defence’ mentality. If a security infrastructure can’t stop an email threat getting into an inbox, then employees should be able to prevent it causing damage to the business by knowing how to spot them and what to do next. Supporting employees to develop this involves well communicated security procedures, enforced with regular and consistent live threat simulations and training.


2. Business Email Compromise – Top Cybercrime for 8th Year in a Row

Business Email Compromise just doesn’t seem to be shifting its weight, and this can’t be ignored.

There’s a reason BEC continues to be one of the top cybercrimes for the 8th year in a row and Cofense have evidenced the following:

“With BEC responsible for billions in global losses with victims in 90% of the world, it’s no wonder scammers outside of Nigeria have started taking notice of the successes of BEC. While SEGs have evolved from spam filters to now being used to detect and potentially block malware, malicious links and ransomware attacks, many fail at detecting conversational-based phishing attacks such as this.” – Cofense Email Security Report 2023

Below is an example of BEC, where a cybercriminal impersonated a CEO in order to retrieve the phone number of an employee.


Cybercriminals impersonates CEO via email to retrieve employee’s phone number


As you can see, the email address is clearly not valid and is irrelevant to the name of the sender, which is a key phishing giveaway, but it is also written with a sense of urgency to convince the victim to take swift action.

It’s harder for security systems to detect these emails, especially as some cases involve cyber criminals hacking into the real inboxes themselves and sending emails from the correct email address.

Whilst the failure of security vendors to detect phishing attacks is at the heart of the problem, insider threat is a key factor too. Both security systems and employee knowledge should be tested for an effective defence all round.

Discover how some threat groups have taken phishing one step further with integrated ransomware techniques.


3. BEC and Credential Phishing Combine For Sophisticated Email Attacks

Not only are malicious emails seeing an alarming 569% increase, but so are the number of credential phishing Active Threat Reports published at 478% (Cofense Email Security Report).

With financial related threats hitting the top mark at 37% in 2022, it’s clear to see where cybercriminals are placing emphasis – social engineering for financial gain.

Cofense explains that “threat actors continue to use credential phishing attacks to gain access to organisation inboxes to perform man-in-the-mailbox (MiTMbox) attacks. Once an attacker gains access to an organisation’s email account, they will routinely create email forward rules to monitor all traffic coming in and out of the account. In some cases, they will create auto-forwarding rules that include the words “purchase order,” “invoice,” or other financially based transactions between clients… Once the threat actors identify an invoice or opportunity to re-route the transaction, the threat actors pounce, replying to the known and trusted email thread with new information.”

These new sophisticated tactics, integrating stand alone techniques like credential phishing with BEC, is exactly how cyber criminals are bypassing SEG technology. Cofense have seen this through “the increase in conversation-based BEC attacks, credential phishing attacks that bypass 2FA and malicious use of Web3 technologies” (Cofense Email Security Report).

Threat groups are getting more and more creative, and organisations have to be aware that cybercrime techniques are always changing – and so our approach to security strategy must too.


4. Threat Actors Continue to Weaponize Conflict for Financial Gain

As evidenced with the increased volume of cyber attacks from the Russia/Ukraine conflict, threat actors haven’t shied away from exploiting global conflicts to their own advantage, playing on victim’s vulnerabilities to extract ransom fees and compromise accounts whilst barriers are low.

Cofense observed that “it is significantly more likely a tried-and-true phishing theme will be used rather than a stand-alone current event theme (as actors use a combination of methods and tactics). There will always be attempts to convince the receiver their mailbox is full and their password needs to be updated. Attached invoices of all sorts will make it to people’s inboxes, along with shipping receipts, deposit receipts and voicemails. These sorts of lures were in the background throughout the year. Threat actors will be opportunistic with world events, but there is typically no reason to change from the more traditional (and dependable) lures, especially as those methods have proven to work.”

This suggests that whilst cybercriminals are quick to make opportunity of global events, sending malicious emails at a purposeful time of high emotion, they don’t explicitly address the event in their phishing techniques. It is only the heightened emotion of the recipient that works in their favour, because it makes sense for them to use phishing techniques they already know to be effective.

If anything, this is more deceiving to potential victims who may not consider global events to be influential on the emails that land in their inbox.

Here’s what phishing signs your employees should look out for.


Overall, the consensus from the last 12 months is that Business Email Compromise (BEC) and Credential Phishing are the most prevalent tactics, and traditional SEG technology is no longer enough to stop them. Instead, complimentary solutions must be put in place to identify, protect and remediate against missed threats effectively.

As a result, there is a growing need for threat intelligence to accurately identify evolving threats. This allows companies to retrieve actionable data with heightened visibility into the movement of threat actors, in order to make informed decisions. Download Talion’s Threat Intelligence datasheet for more information.

Organisations will also need to place focus on credential phishing and early-stage malware, implementing robust security controls that evolve constantly with the changing threat landscape.

For more key email security statistics, download a full copy of the Cofense Annual State of Email Security Report.

For insight into phishing methods and the benefits of Managed Phishing Detection & Response (MPDR), check out Talion’s Ultimate Phishing Guide.



Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
24x7x365 UK-based Security Operations Centre
Service underpinned by market leading threat intelligence team
Continually developed threat relevant content, backed by SLAs
MDR service has featured in the Gartner Magic Quadrant for 6 consecutive years
Experts in SIEM and SOAR technology
UK-based Senior Leadership
Looking to maximise value and flexibility?
Learn how Talion and DEVO partner to achieve this.
Discuss your cyber security needs
Contact us below and one of our team will be in touch to answer your questions.

Call us on 0800 048 5775

Call us directly and we’ll put you in touch with the most relevant cyber expert.

Get In Touch With Us

Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.

CISO Cyber Dinner – Register Your Interest!

Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.