What is spear phish
Spear phishing is email targeted at specific individuals or organizations which the intention of persuading the recipients to reveal confidential information such as usernames, passwords, and other sensitive information.
Criminals who send spear phish messages tend to personalize them, in order to make them appear official-looking. These messages can often be spoofed to appear to come from a trusted person, company, or internal department. A few examples would be: an email from a trusted department or organization requesting confidential data, your IT department regarding matters such as mailbox sizes, website maintenance or a locked out account, messages from another member of staff at the same company asking you to confirm a username and password. The email may try to direct you to a bogus version of the company website or intranet. When you reply, the phisher takes the submitted details and misuses them.
The spear phisher can easily generate the victim's addresses by using software that combines given names and family names. These addresses/names could also be pulled from the web or other email lists. The spammer may also only send these messages to a single domain, which makes it less likely that the message will be detected as spam.
How to submit spear phish to SophosLabs for analysis
SophosLabs has created a special email address to deal with these types of targeted campaigns. Please forward all spear phish samples to the following address:
This address is monitored by SophosLabs, and definitions will be quickly created to ensure the campaign is addressed. Please ensure that all samples are sent as an RFC-2822 attachment; if you're not familiar with forwarding messages as an attachment, we have a knowledgebase article that tells you how to submit a spam sample to SophosLabs.
Messages forwarded to the addresses listed above will not receive a reply.
Note: All other spam, fraud and phish samples should still be sent to:
From a load standpoint, please don't forward submissions to both addresses; this allows SophosLabs to properly prioritize which submissions to look at.