CarahCast: Podcasts on Technology in the Public Sector

Cofense Q3 Phishing and Threat Intelligence Report

Episode Summary

In this episode, Nikhil Gupta, Core Cyber Demo Specialist at Carahsoft, is joined by Joseph Gallop, Cyber Threat Intelligence Manager, Practitioner at Cofense. Together, they discuss new and long-standing phishing trends that challenge government agencies and contractors in 2022. In order to safeguard confidential information and effectively mitigate the risk of security breaches, public sector employees must be aware of the signs and trends of phishing attacks.

Episode Transcription

Nikhil Gupta 

Hello, everyone. On behalf of Cofense and Carahsoft, I'd like to welcome you today to today's podcast, quarterly phishing review. You know, we're going to be going over phishing intelligence and threats that matter as part of Cofense's Q3 insights. They're going to be talking about phishing intelligence and trends that they've reported on recently. So we have a lot of stuff to talk about today. And with me, you know, I have one of the key experts here, Joe Gallop, who is the manager of intelligence analysis at Cofense. So I'm happy to have him alongside myself to have this conversation. I think we have a lot of good content for everyone here. So just before we get started, we'll do a little bit of an introduction into myself. And as well, as you know, Joe, who we have on the call. For me, my name is Nikhil Gupta, I'm a ST or engineer that we have here at Carahsoft. I've been working at Carahsoft for about five years now. And specializing in cybersecurity, and phishing defense within our core cyber division, been doing a lot of work with, you know, Cofense and other providers that we have around frameworks like Zero Trust and phishing and networking and endpoint security in general. So happy to be here, happy to have this conversation with Joe. And just to kind of dive deeper a little bit into Cofense's quarterly insights into phishing intelligence. So Joe, you know, obviously, I have you, you know, you, you're the manager of intelligence analysis at Cofense. But I'm sure you have some other stuff that you want to say. So I'll go ahead and let you introduce yourself as well.

Joseph Gallop 

Yeah, sure. Thank you, Nikhil, I really appreciate it. It's great to be here as well, talking about things that are really important. My name is Joe Gallop, I run the Intel analysis team at Cofense. And really, we're just, we're all about stopping phish, keeping those pesky phishing emails from getting into the hands of email users, and so that they actually keep themselves from being compromised. We are a team of analysts and engineers who are really focused on solving problems, solving puzzles, finding patterns in phishing threat activity that we can use to stop phish and help other people stop phish.

Nikhil Gupta 

You know, Joe, thanks for that. And as you know, as you mentioned, right away, I think phishing in general is just, you know, it's something that, you know, has been around since the dawn of time, right, ever since email started, right. There's always been instances of phish and phishing, and just attacks that are happening, I think we've seen reports, and we've done some other quarterly studies in the past where, you know, we've seen, you know, ransomware attacks, and seen the rise of just email attacks that we, you know, recently with COVID. And, and just kind of over the last couple years of how prevalent this is, right, especially with some things that we're going to talk about today, like credential phishing, and, you know, just ransomware in general, in the past, I think all of these things, all of these types of attacks are very dangerous. And we've seen the impact. And I think, you know, there's no shortage of importance, right to talk about this. And just to kind of delve deeper into what things you know, our government users can, can be aware of.

Joseph Gallop 

Yeah, yeah, we're, we're definitely interested in finding those trends, that we can, you know, kind of pull out and identify and make sure that everyone knows what's important to look at, because it's easy to get caught up in, in things that either show up in the news or things that were important in the past and aren't necessarily important anymore. So we're really honed in on studying the trends, not only of, you know, getting out there and looking in the wild at what has been, what's being sent by the threat actors, but also what's actually making its way into people's inboxes, what's making its way past the security mail gateways and other security controls that are in place and actually getting into the hands of the users, at companies across the country and across the world, really. And so we're learning from the wild, we're, you know, keeping track of what's going on out there. But we also really want to be the network effect for people and, and security teams to learn from each other as well. And so other parts of Cofense are helping people, we have an arm called PhishMe that provides training resources and simulation resources to be able to train users to recognize phish. And, you know, once you do that, basically you've got a network of people that, human eyes that are trained, and we're kind of crowdsourcing a collection of, you know, if you're reporting those emails, crowdsourcing a collection of suspicious emails from millions of trained human eyes among our customers, and so what we'll be doing, making the intelligence team, is taking a look at those emails, we are trying to pull out the trends. And we have the privilege really of and the fun, in a sense of, of digging into these puzzles, determining which of those suspicious emails is actually malicious. And then diving deeper, and figuring out what those malicious tactics, tactics, techniques and procedures are that they're using.

Nikhil Gupta 

Yeah, good. Good point there, Joe. And, as you said, fun, you know, definitely I can imagine getting the, you know, when you start to see the trends develop, and I'm sure that is definitely, you know, it, seeing it out of all the data, right, pulling it together, and being able to see all those trends, being able to pull back on, hey, this is what we're seeing. This is the intelligence that we're observing, especially from users that are self-reporting. I mean, it's, you know, I wish I could do something like that. Definitely be fun. I could only imagine that what you know, you and your team and the work that you guys are doing, definitely a lot of work. I'm sure it's, you know, sometimes there's gonna be some tough nights. But yeah, you know, for sure. But I'm happy that, you know, you guys have done the work. And I think we have definitely, you know, just having read the Q3 report, right, and Trends report, and just seeing the analysis that was developed, I think I've seen, I saw a lot of cool trends come out of that. I think specifically, we were, you know, I noticed that there were some prevalent attacks with credential phishing, specifically targeting government contractors, right. And I think, you know, that's something that, you know, I think, as of today, right, with initiatives, you may have heard, Joe, of a program called CMMC. And some other people have here, that's kind of like the, you know, the federal government's defense industrial base security program, where they're trying to secure contractors and, and I think there's very much importance being placed on hey, you know, we need to secure our contractors, right, we need to secure the people that are doing work within the government as well. And I'm happy to see that, you know, I think, you know, there's definitely some importance that needs to be placed there, I'm happy to see that those jobs that that security is developing, for contractors.
And I think this is very important for anyone that does work with the government to realize that, hey, you know, you are being attacked, you are being targeted, especially with this Trends report that I've observed. So, so Joe, let's get into that a little bit. And we'll talk more about that report. And so talk to me a little bit about some of the trends that you've observed, right with, with the Q3 phishing intelligence study that you guys did, you know, you got you and your team definitely worked a lot on that study had a lot of, you know, key points that came out of it. So talk to me a little bit about some of the main things that you observed, and, and some of the ways that this credential phishing has been happening.

Joseph Gallop 

Yeah. And like you said, the phishing problem has been around for a long time, you know, practically as long as there's been email. And so it's, you know, a lot of things, there's a lot of things, you can reach back decades. And, you know, and it's the same, but the important thing that we see, you know, quarter to quarter, really every quarter is that the phishing threat landscape is always changing, you know, there's always something that's in flux that, and the adaptation is really, you know, the adaptations by the threat actors are really one of the key things that we need to track when they're learning that something's not working. And they switch to something else. That's what we need to be honing in on. And, you know, figuring also figuring out for ourselves, you know, sometimes there are things that, that the threat actors are doing a lot of in the wild, we're seeing a lot of it in the wild, and but there's a difference maybe between what's out there in the wild, and what's actually hitting inboxes, and what's actually really effective. So.

Nikhil Gupta 

I think not everyone realizes that too, right, because I think, you know, when I when, when some of us just look at phishing, and you think of the same old, you know, emails that we get, some of the stereotype emails we've seen in the past, like, hey, you know, give me your information, or, you know, this is the IRS or whatever, we need your information, stuff like that. But you're right, it does change. And I think that that is something that needs to be made more aware to people.

Joseph Gallop 

Yeah, yeah. And it changes in, you know, multiple aspects across the phishing threat landscape. You know, three of the main things that we're that we should cover, in our quarterly trends review, is, you know, the prevalence of different types of malware that are being delivered, you know, one of the delivery methods, and, and some of the, the, the trends also in credential phishing as well. So, you know, as far as the malware goes with, you know, it's important to recognize that they're going to be a lot out there in the wild where they're delivering, you know, threat actors are sending lots of phishing emails and malware delivery emails, that are going to be delivering a lot of old malware families and may not be sophisticated. We do want to keep an eye on what's going on out there in the wild. Right now, the most prevalent malware and really just anytime that it's active. Emotet is the most Got one Yeah, where it really, it really takes over, you know, no matter what else is going on at the time, if Emotet decides here, this is a week where we're going to start sending emails, it really just kind of dwarfs everything else in terms of the actual volume that's getting sent among the top five. You know, in terms of malware types and malware families, what's getting sent these days, we're going to find, you know, your usual suspects. And those are, you know, loaders, keyloggers, information stealers, remote access Trojans, banker malware, and you know, some of the common names among the malware families as well, Emotet always tops the list, whenever it's active. Even if it's only active for a short period of time, you're gonna see that that always shows up. Agent Tesla, really common keylogger. FormBook, an information stealer that steals information from your machine as well as from your browser.
And then RATs that allow threat actors to keep control, Remcos RAT is usually one of the top, and then QakBot is a banker that also acts as a loader, that that often ends up at the kind of the bottom of the top five lists, still relatively common, but not by far, not the most prevalent of the malware families that gets sent out. But what's interesting to us, and the reason that we have identified QakBot in this quarter and also in the previous quarter, the trends review that we put out, was that QakBot, despite not being the most prevalent or the most high in terms of volume that's being sent, it's actually by a long shot, the most common in terms of what's actually reaching inboxes. So what's maybe what's getting past security, and actually reaching the users and giving them the most opportunity to actually click on it, you know.

Nikhil Gupta 

The point of infection, basically, the infection rate of QakBot you're seeing is just much higher than what you've seen, right? For others.

Joseph Gallop 

Yeah, well, the infection rate is probably higher, we don't necessarily measure infection rates. But as far as what gets its way into the inbox. So there's a lot of security controls out there that are keeping emails from even reaching the inbox, the spam, you know, whether it's spam filters, security email gateways, you know, other controls that SOCs are putting in place based on your rules that they've written or whatever, that are keeping the emails from getting into the inbox. But a lot of these, these emails that are delivering QakBot are actually, despite not being the highest in volume in terms of what's being sent, are actually the highest number of, you know, of any malware family that are actually reaching the inbox.

Nikhil Gupta 

Is that a weakness with the securing email gateways? Or is that you know, what the rules are, or is it just the type of malware that it is?

Joseph Gallop 

It's in many ways the sophistication of the threat actor is dependent on the tactics and techniques that they're using. And QakBot specifically likes to use techniques that make it difficult for, for security email gateways to catch on. One of the things that they do, which is kind of in contrast to Emotet: Emotet likes to use subject lines that they've grabbed out of old conversations from inboxes that they've compromised elsewhere. And they'll just grab random subject lines, and they'll apply those to any and all of the emails that they're sending out. And it's, it's all random. And whereas QakBot will often actually inject themselves into a conversation, they will, they will use an email account that they've compromised, and continue a conversation or use an old subject line from a conversation with another account and actually target that specific account, as opposed to grabbing a random conversation, you know, subject line from a conversation on another account that they compromised, you know, a year and a half ago. And so QakBot's doing that, they're actually injecting themselves into the conversations, and using real subject lines that are pertinent to the recipient. And they are also using embedded URLs as opposed to attachments, a lot of the time, they're using embedded URLs that lead you out to download the attachment somewhere else, or download the file somewhere else, the payload, whereas a lot of times Emotet is just sending things out via attachment or an attachment zipped up into an archive and you actually have to put in a password and, and things like that. And so in many cases, it's easier to catch those attachments than it is to catch the URLs.

Nikhil Gupta 

I see. Yeah, I mean, so definitely, just really targeted it seems, you know, QakBot is doing and I think that's just in general right when you when you see a subject line that's pertinent to what you guys are doing or if you see a targeted account that you know, someone that you seemingly trust inside your organization. And then there's a link inside rather than an attachment. So it definitely gets past, and you click on it. Yeah, it seems like that would be something that, you know, I mean, it could be easily missed, right. And, and I can see why it gets past the detection methods that we see with secure email gateways.

Joseph Gallop 

Basically, they're, you know, with those embedded URLs, they're doing what credential phishing does. And it's one of the reasons that credential phishing is so much more prevalent these days than, than malware delivery, is that, you know, it's so link dependent and as opposed to attachment dependent, and when you're using links, you have the opportunity to abuse trust that you don't get with email attachments, because there's nothing in that email attachment itself that says, hey, you can trust me, right. Whereas if you're using an embedded URL, you can actually make use of domains that people trust in their day to day business, right? Everybody knows about the Dropbox abuse, you know, then SharePoint domains, yeah, and things like that, Adobe, a lot of times, you know, they're going to use, and those are all trusted services that we interact with on a day to day basis. And if they can figure out a way, you know, to create a link that either appears to be or actually is hosted, or redirects through resources that belong to Microsoft, or Dropbox, or whoever it is, they get to make use of that trust, they abuse it. And so a lot of the threat actors who are delivering malware have really, you know, taken that tack as well, some of the more effective ones, especially QakBot, they're using those embedded URLs, because they're able to not only abuse trust, but also to create, you know, they create their own domains that there's really, there may be no record for, no record of malicious activity for, so you can do a lot of things when you're when you're using URLs as opposed to using attachments. And that's one of the things that they really, really like to do in combination with other things. But it's that that really the amalgamation of all of these different effective tactics into one make, make QakBot really stand out above everything else, when we're looking at it.
It's just head and shoulders above everything in terms of what's actually making its way into people's inboxes. And, and getting that face time. That's really what the threat actors are about, they're getting back getting face time. And if they can get themselves in front of the users enough times, they're gonna find somebody they want to find somebody to click on it. Right.

Nikhil Gupta 

Exactly. Just more attempts at bat, right, means that they're gonna eventually get a hit. Right. So yeah, yeah. And so talk to me a little bit more, Joe, about these domains that you were mentioning right with the credential phishing, and I agree, right, domains being just, as you said, just kind of compromising a trust, right? I think it's getting to be a lot more dangerous, right? Because you can notice a link or you will notice a domain that you think, hey, I've gone to this, you know, 100 times a day, right, previously, but I'm not noticing that this is either a spoof domain or a, you know, a mimicked one, or just one that maybe is harvesting my credentials as I enter them, it could be legitimate, but hey, under a situation where they're actually taking my credentials as I enter them. So talk to me a little bit about some of the domains, the top domains that were seen in your report recently. I know, there's a lot of time that you spent on that, and what are some of the things that you know, I guess, that that are kind of a notice or of what customers should pay attention to when it comes to domains?

Joseph Gallop 

Yeah, well, like I said, I think some people or a lot of people are aware of what the really common ones are, you know, the abuse of SharePoint and OneDrive and things like that, although, although there may certainly be people who aren't, so it might be worth mentioning those. But there's a lot of a lot of things that people tend to know about already. Dropbox abuse is one of those. But the phishing threat actors have gotten pretty creative. Basically, anything that allows that allows user generated content, or user generated links can be abused for them to host their credential phishing resources. And so we've seen them really pick up on things like domains like glitch.me, and like Evernote, because those are services that, if you're not familiar with glitch.me, it's a it's a collaboration platform that allows you to collaborate on coding and other projects as well. So you're sending things real time to other people, for them to take a look at and, you know, verify and collaborate on and add to. So glitch.me, and Evernote is one that a lot of people are using these days just in general to, you know, keep their own records or share old records with other people. And so you've got all of these, all of this content that users are generating, and they have to have a resource to link to it. And so any of these types of services that we trust, that we have to generate content and links through, phishing threat actors can also generate content and links through. Those are two of the ones that have really shown up recently, glitch.me is one that was really prominent throughout the first half of 2022. It kind of dipped down a little bit in Q3, but, but it's still definitely there. And they just getting creative with these.

Nikhil Gupta 

Yeah, so perfect, Joe, I think to that point, too, right. As you mentioned, right, just some of the domains, I think they're all ones that we are more familiar with, I think you as you said, glitch.me is definitely one that has come up. So for those emails, for those links, right? Let's say somebody clicks on one, what are some of the things, what are some of the signs that they can use to detect that, hey, this might be a spoof domain, or a one that has hosting or potentially attempting to steal my credentials? Are there things to look out for that, you know, any of our listeners here can pay attention to or, hey, like, hey, if I if I if I find myself in this situation, what can I do? Right, what can I do to respond? Or what can I do to mitigate some of the issues?

Joseph Gallop 

Yeah, there are a number of things and a lot, you know, some of it will depend on, you know, the specifics of the campaign, that that's targeting them. And we can talk, you know, maybe more about some of the specifics, I think you wanted to get into the stuff, some of the credential phishing, that's been targeting government contractors, but just in general, as far as, you know, what people can be on the lookout for with Credential phishing overall, you know, a lot of it starts, before you even get to the question of whether you click on the link is, is just questioning yourself and saying, Hey, is this an email that, that I was expecting to receive? Right, because a lot of a lot of these emails are, are, you know, could be, and, and are in, and in many cases, emails that, that you wouldn't really expect to receive in the position that you are in, in the company. And so just making sure that it's something that's, that, that just fits the, the general, you know, profile of what you should, what you should be receiving on a day to day basis looking, making sure that it's from, you know, someone that you've had contact with before? And if it's not, then you'd be, then you scrutinize even more, and, you know, once you've taken, you've just questioned yourself, okay, is this something that that I would be expecting to receive? If it is, then you want to take a look at, okay, what's, you know, where, where did it come from, what's the email address, and a lot of times, email addresses are spoofed, you know, you have to really take a good solid look, they might be, you know, actually copying, essentially a real address, a real trusted email address. But in many cases, they're actually just making the email address look like they've created a new email address that looks like something that's trusted, so really scrutinizing the email address itself, and making sure that that that it checks out there. 
And then once you get into get beyond that, you know, looking for consistent typos and errors in the text that make it look like it because a lot of these are these emails are sent by people that are doing this in in foreign countries. So there's a lot of errors there. But once you actually get into the link, and you know whether you should click the link, there are these trusted services they're abusing. And sometimes those links are really unique. And if you're not certain at all about whether you should click something, you know, you probably want to go ahead and click that report button. If you have, you know, Cofense report phishing button. If you're not certain, you've got that button, you click it. And, but, but if it does look something like something that you would trust, and you click through into it, then you still want to go back to the you know, that bar at the top, that URL bar at the top of your browser, and just make sure that it took you where you're expected, what you were expecting it to take you. And that's one of the real keys is once you get into the later stages of the of the phishing campaign, to be scrutinizing it every step of the way, every single time you click something or the URL bar changes in any way, because they're going to use a lot of these trusted services as redirects to pass you through that. And then they're going to send you on to something else where they've got the real content, phishing content hosted. And so you just constantly be scrutinizing that URL bar and making sure that they didn't send you somewhere that they didn't say that they were going to send you or that you weren't expecting, or that isn't a trusted domain.

Nikhil Gupta 

Perfect. Yeah, exactly. So I think, as you just mentioned, Joe, you know, think scrutinizing that domain, scrutinizing that URL, as you see to make sure there's no redirects. I know internally Carahsoft we use, you know, we had Cofense, we have Cofense currently, and I know we sent out some, some test emails and I know we sometimes check to see, you know, as you said, right? Does the email sound suspicious, even if, is it from someone that you've never had contact with? In one of the cases that we've had when we did a test email, it was, you know, obviously, Carahsoft ends in an S-O-F-T right for software. I didn't notice this, but the spoofed email domain had Carahshoft. There was an extra h added. So things like that, right? Those are always things that you should pay attention to. And at first glance, right, you might not notice if you're looking quickly, but you know, as I think, as you know, warning to everyone, of course, just always be, you know, always always scrutinize always look always just, you know, consult that domain or that email address that you're receiving that email from, is it truly that person that you trust, right, and then if there is a link, and you have to click on it, right, you just share something, just make sure that it isn't going to, you know, a spoofed website, or it's, you know, one, that's a redirect. So, yeah, Joe, thanks for that intelligence or that analysis there. One thing I want to add too, so I guess, the, you know, to kind of get towards the end of this sort of, we're running, you know, looking at the time here, Joe, um, and we could obviously talk about this for hours. But, you know, when it comes to phishing in general, and I think with the campaign and the intelligence support that you guys did with Q3, I know, we spoke about this in the beginning, but credential phishing for government contractors was a big result of the campaign that we saw for phishing back in Q3.
So talk to me a little bit about what specifically made government contractors more susceptible to hopefully the results, you know, what were the results of the campaign? You know, is this something that we need to be aware of? Or is it something that, you know, are we going to do this scenario now? Or, you know, what is the, what were the results in what should we look forward to? And what should we prepare for going forward, especially when it comes to, you know, that credential phishing attack that we talked about?

Joseph Gallop 

Yeah. So, one of the things that we looked into cute, three that you're referencing, there is digging into a particular set of threat activity that was targeting government contractors, or potential government contractors, and, and we all we, you know, we've all heard about script kiddies, you know, just unsophisticated threat actors that are just using scripts to send out in emails, and they're not very well crafted. And then we've got that on the other end of the scale, we've got these abt groups that are backed by governments. And, you know, they are sophisticated on a lot of different ways. And you've got a whole spectrum in between. And what was really interesting about this particular threat, threat activity step wasn't necessarily a massive increase in volume, or that we're seeing an uptick in this recent quarter. But it's been really interesting. And talking about the fun of figuring out puzzles earlier, it's been really interesting to watch the development of this activity set. And its sophistication over time, they've gone from being pretty simplistic in many different areas of the phishing, the credential, phishing campaigns, targeting government contractors, to being a lot more complex, they've changed the email contents, they've got, you know, created more extensive email bodies and input in realistic logos, they've changed the contents of the Luers. This whole activity set is based around the idea of sending out invitations to bid on government contracts, right. And so they include, they have an email that kind of introduces at all and, and has information specific to the recipient, so that it looks like it's actually for, you know, for the recipient, but then they have a PDF, and they've would generally have a PDF as the lower attachment in the email. 
And they've improved those over time, they've, you know, put in cover pages with, you know, with believable and realistic logos and things like that they've changed, they used to at the very start two years ago, when we were when we started watching this activity set, they used what seems like it might have been a real name of who the you know, the actor that was doing this, but over time, they've changed to the point where now they're using, they're actually changing the metadata in the in the PDF to represent an author name that looks like they'll use actual, take the exact names from documents that they know of that are government documents and put that into the metadata so that it looks real. They're including in these PDFs a lot more technical information about the bidding process, telling people that you shouldn't try to do you shouldn't try this, once you get to the website, don't do it more than once because then you'll ruin your chances. So then that's their, their way of keeping people from figuring out what's going on. They direct people at the very start, don't do it, you know, don't submit more than once, because that's going to you know, ruin your bid. Little things like that, adding in details, changing the appearance and the behavior of the credential, phishing pages. So they started out two years ago with just a single you know, just A single landing page that you would come to immediately put in your credentials, right? That's what they're looking for, they're looking to get those credentials. But over time they've developed where they're to where they're making exact copies of government websites, they're spoofing the domains, like we talked about before, they're using domains that look very similar to a real government domain, with a few letters changed, or, or what have you. 
And they're creating a whole website, that's an exact copy, and has multiple interactive pages that serve as like stages throughout the, you know, the phishing effort to get you to the point where, you know, you think this is a real thing. And, and by the time, by the end, they're hoping that people will, you know, believe it and put in their credentials. So much more complex. And it's been very, very interesting to watch this develop over time. And that's why we kind of called it out, because we think it's important for people to recognize, especially in this case, government contractors, to recognize that they're being specifically targeted, and not only government contractors, but also companies that might be considering becoming government contractors, because they're using these invitations to bid which works for both, right, they are able to target them. So just watching that sophistication develop over time to get some somewhat more frequent, but also just, you know, increase in complexity and believability.

Nikhil Gupta 

Yeah, so I mean, you know, for all of our listeners, I guess, you know, government contractors in general, I know, Carahsoft, we work with a number of them for some of those opportunities for bidding. Right, Joe, I know, some of us do, you know, we respond to those right for some of those opportunities on behalf of some partners. One on one, I read the report, and now talking with you, we're getting your, you know, your points on it and everything. It's definitely, you know, eye opening a little bit. And it's something that, you know, wasn't made aware to me, or I wasn't aware of before, but as you said it right, it's interesting to see it develop and become a, you know, a kind of a point of contention now in the phishing area, right, in the phishing realm, and I think in general, right, it's something that we all need to be mindful of, especially because sometimes those bids are time sensitive, right? They require urgency. So you know, those usual criteria that we use to, you know, look at a phishing email and displace it and say, Hey, this is asking for something by tomorrow. Right? That seems suspicious. I don't trust this email. But if it's responding, you know, regarding a bid that is due, you know, legitimately due by tomorrow, right? You might, you might miss that. And it's something that kind of plays on that and kind of takes advantage of the urgency that a lot of people have when it comes to this. So definitely, as you mentioned, Joe, you know, that's definitely scary, but definitely eye opening. I think there are a lot of things we can look out for when it comes to those. But everyone should take a more vigilant eye for sure. When it comes to seeing and responding to those and just, you know, government contractors just in general, right, you should be aware. So Joe, I guess, we talked a lot, obviously, about some of the stuff and some of the insights, wanted to you know, kind of leave the floor open for you.
And as we're approaching the holiday season, right, Thanksgiving is almost upon us. And you know, Christmas is coming as well. And you know, we're already at that time of the year. Anything that you want to tell the listeners as far as stuff to look out for, or any other further insights in the Q3 report that, you know, you guys worked on? And released? Is there anything else that you want to maybe make known for the listeners today?

Joseph Gallop 

Yeah. I mean, I think one of the points I want to leave people with is, you know, threat actors don't keep doing things that don't work. Right. So this is like, just, you know, going back to that, that campaign that we've seen, over the course of the last two years, and we've been watching it develop, you know, we don't know exactly how successful that, that campaign is in terms of actually getting credentials and getting people to believe, but considering that they've been doing it for two years, and using the same things and, you know, improving their techniques, but using the same things, it seems to be something that's consistently working. And there's really no time like the present for anyone who's in that area. But just also across the board and turn in, you know, everybody's receiving phishing emails everywhere, you know, it's not just government contractors, to get yourself up to speed, if you're someone who's actually responsible for security at your company, to make sure that your users are getting trained, because you've got to have that combination of, of human intuition and human training to recognize the things that automatic security controls aren't able to recognize. And so making humans not what we normally see them as, you know, as the weakest link, but making humans a critical component of, you know, your security posture is really important. So being aware of campaigns like this, keeping up to date and doing those simulations, like you were saying, is really important. As far as, you know, specific to the holidays, as I said, threat actors aren't going to do things that don't work. One of the things that they've been doing for years is using shipping themes.
And this is kind of a more personal thing for, you know, for individuals at various companies, they've used shipping themes for years, just general ones, like, here's your, you know, your confirmation number, you know, look into this and click this link, and refund scams where they said, Hey, thanks for your purchase, and you're like, I didn't purchase that, let me call this number, all that kind of stuff. And as the holiday season approaches, and everybody's doing a lot more shipping, everybody's sending their, you know, sending and receiving a lot of packages, there's probably going to be an uptick, an uptick in the shipping theme. So just be really aware of that as well, is what I would say to people just in general across the board, you know, for this season, as we're going into it, you know, they're using them for a reason, because they work, don't let them work on you.

Nikhil Gupta 

Yes, for sure. You know, Joe, and thanks for that. And just really want to thank you for being here, as well, Joe, and just chiming in and giving some of the analysis that you had, right, for Q3 trends. I learned a lot for sure and hope our listeners did as well. And it's always good to hear from the expert. Right. So, again, just on behalf of Carahsoft and Cofense here, everyone, you know, want to welcome again, Joe, thank you for participating and sharing your insights here. Yeah, it's great to be here. Sounds perfect. Joe, I want to wish you obviously, you know, a great holiday season, for the rest of our listeners as well, just the same. And just as always a reminder, you know, guys, as Joe mentioned, I really want to harp on that point, right, making your users, training your users, right, to be the frontline, you know, to be kind of like a frontline defense for you for phishing, for any of the emails that get past what you're already doing, right, with the email security, all those are going to be central components. I know Cofense, you know, we work with them. And they're one of the leaders for sure in implementing stuff like that, and training users and, and of course, I always find the intelligence and threat, the trends reviews that you guys do at the end of every quarter to be so insightful. I'm happy to keep reading those, of course, and I hope the rest of the listeners, if you guys are interested, we can definitely, you know, forward some of those trend analysis reports to you. But with that, anyway, thank you so much, Joe. Thanks, everyone for the time and I will definitely stay tuned for another installment, for another, maybe next quarter, another podcast here. We'll come back and then we'll do a repeat analysis here for future trends and maybe a Q4 report. But anyway, thank you so much. Thanks, Joe.

Joseph Gallop 

Thanks, Nikhil. 

Nikhil Gupta 

Have a good one.