Contact Us

1 (800) 723-1166 |

Security Labs

HomeSecurity Labs
HomeSecurity Labs

Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

Forcepoint Security Labs have recently observed a peculiar email campaign distributing a variant of the Dridex banking trojan. The campaign used compromised FTP sites instead of the more usual HTTP link as download locations for malicious documents, exposing the credentials of the compromised FTP sites in the process.

The malicious emails were distributed just before 12:00 UTC on 17 January 2018 and remained active for approximately seven hours. The emails were sent primarily to .COM top level domains (TLDs) with the second, third and fourth top affected TLDs suggesting that major regional targets were France, the UK, and...

Read more

It has been just over a week since the Spectre and Meltdown vulnerabilities were released, shaking everyone out of their post-holiday daze. Our previous blog post on the topic discussed the viability of these attacks in the real world – what have we learned since then?

Note: Forcepoint customers should refer to the Knowledge Base article at for Spectre/Meltdown mitigation and patching advice for all Forcepoint products. New information is posted to the KB article as it becomes available.


The majority of OS vendors have now...

Read more

Editor's Note: 

For the latest Security Labs research, see Spectre & Meltdown -- A Week (and a bit) On

For the latest information on how this issue affects Forcepoint security products, please see the technical bulletin: Meltdown and Spectre Vulnerability



2018 has gotten off to a tough start with the news of the Meltdown and Spectre (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) vulnerabilities. This is a broad industry problem that affects almost everyone, everywhere. Processors from Intel, AMD, and ARM are all potentially vulnerable to at least one variant of Spectre or...

Read more

We normally try to protect the things most valuable to us, hence the proliferation of different locks and keys for our cars, houses, etc. These keys in the material world are analogous to our passwords in the digital one. However even an average user likely has more passwords for the devices and services they use than keys for any other group of assets. 

We recently wrote about the Quant malware coming with pre-packaged password stealing capabilities. We all understand that physical security is important, choose our locks carefully and consciously keep our keys where we believe they will be safe from being stolen, but do we...

Read more

Forcepoint Security Labs researchers have just returned from a successful Black Hat Europe 2017 hosted in London, UK.  We had an enjoyable time presenting, networking and expanding our own knowledge. Thank you to all those who attended our Briefings Talk on Wednesday and who met us on our booth in the Business Hall.


Forcepoint Briefing - and Evader

Forcepoint researchers, Antti Levomäki & Olli-Pekka Niemi, delivered a briefing in the Network Defense track entitled “Automatic Discovery of Evasion Vulnerabilities using Targeted Protocol Fuzzing” on Wednesday 6 December at 11:45am.  Their research...

Read more

Last year, Forcepoint Security Labs blogged about the Quant Loader – a Trojan downloader previously seen being used to distribute Locky and Pony. 

We recently came across an active Quant loader administration panel hosted on a freshly registered domain which was also hosting a number of additional malware samples. At first glance everything seemed to be business as usual, but once the initial investigation was completed it became evident that some additional ‘features’ had been added...

Three for the Price of One 

Quant is not new or a very novel piece of malware: we covered the basics of it last year when it was...

Read more

In a similar fashion to the Jaff ransomware, Forcepoint Security Labs have observed another piece of ransomware called “Scarab” being pushed by the infamous Necurs botnet. The massive email campaign started at approximately 07:30 UTC and is active as of 13:30 today, totalling over 12.5 million emails captured so far.

The graph below shows the per-hour volume of Scarab/Necurs emails blocked by Forcepoint between 07:00 and 12:00 UTC:

Figure 1: Scarab/Necurs emails intercepted per hour

Based on our telemetry, the majority of the traffic is being sent to the .com top level domain (TLD). However...

Read more

As we round out what has been one of the most impactful years in cyber security we are pleased to announce the Forcepoint Security Labs’ cyber security predictions report for the forthcoming year.

Subject matter experts across our global Security Labs, Innovation Labs, CTO and CISO teams have pooled their collective insights to give you an accurate insight into the landscape of the future.  We have dived into the current threat landscape, looked at business challenges on the horizon and surveyed enterprise leaders to arrive at what we think are key areas of risk that will present themselves in 2018 and beyond.


Read more

On 24 October 2017 Bad Rabbit – the third ‘major’ ransomware outbreak of the year – made headlines as it affected large numbers of machines, predominantly in Eastern Europe.

The malware bears many similarities to the Petya - AKA NotPetya, GoldenEye, ExPetr, Petrwrap - attack from June (éjà-vu-petya-ransomware-appears-smb-propagation-capabilities): the ransom messages are very similar in both content and style, the ransom demand is for a similar amount (USD $300 in June versus BTC 0.05 – approximately $280 at current prices), and it attempts to move laterally once inside a network....

Read more

Please note:​ This is an update to our original analysis posted earlier on Oct. 16, 2017.

The best advice is to not transmit or receive sensitive information over Wi-Fi without some additional form of encryption actively in place, and follow these best practices:

Use a corporate VPN client whenever you’re outside of your corporate networks. In conjunction use HTTPS in web browsing. Ensure that the padlock icon is active in your browser. Stop browsing if you get any pop-up errors about certificates or insecure communications. Apply vendor patches to all Wi-Fi... Read more