# Block COVID-19 Phishing Emails at Machine Speed

By [Kamil Imtiaz](https://www.paloaltonetworks.com/blog/author/kamil-imtiaz/?ts=markdown "Posts by Kamil Imtiaz"), Jul 22, 2020

With COVID-19 now a global pandemic, the rapid expansion of the remote work environment has opened up new challenges for enterprises. The attack surface is growing, providing lucrative opportunities for those who want to exploit this new norm.

Hackers are accelerating their attack campaigns with original and proven techniques -- often designed to [take advantage of the pandemic](https://www.paloaltonetworks.com/blog/2020/07/unit-42-cybercrime-gold-rush/). Whether registering new websites with coronavirus-related names or sending COVID-19 phishing emails, cyber criminals aim to lure an anxious populace into a new web of attacks.

Enterprises want to prevent these attacks and protect their remote workforce. Unfortunately, security teams are overwhelmed with a surge of alerts, managing an influx of requests from other departments and working with scarce and remote siloed teams. They need more resources, streamlined processes and automation to take care of mundane tasks, prioritize tasks and incidents, and focus on malicious and relevant threats to their environment.

Hackers are smart and lazy. They want the most bang for their buck. Phishing is the easiest way to target victims who are always looking at the next big pandemic update. What's better than crafting a coronavirus-themed email that appears to be coming from the CDC?

![This sample COVID-19 phishing email presents itself as originating from the Centers for Disease Control and Prevention and includes language that attempts to take advantage of users' desire for updates about the pandemic.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/07/email1.png)

Figure 1: COVID-19 phishing email example

As a security analyst, you can expect a lot of these types of emails flooding your employees' inboxes across the enterprise. To put things in perspective, Google reported [18 million COVID-19 related emails](https://www.theverge.com/2020/4/16/21223800/google-malware-phishing-covid-19-coronavirus-scams) in a few weeks in April 2020.

It is not humanly possible to deal with this type of volume manually. There needs to be an automated way to collect, correlate, verify and document these incidents. This is where Cortex XSOAR [automated playbooks](https://www.paloaltonetworks.com/blog/2020/04/cortex-monitoring-remote-user-activity/) can help.

Automated phishing playbooks are among the most popular use cases for Cortex XSOAR. They're in use in our own security operations center, [reducing our phishing response time from 30 minutes down to about 10 seconds](https://www.paloaltonetworks.com/resources/use-case/how-a-security-company-does-security).

Security teams can save time and automate their COVID-related incident workflows to run at machine speed. Employees submitting suspicious emails to infosec teams will trigger a COVID-specific playbook that will extract all the relevant indicators like URLs, domains and links. Cortex XSOAR will then compare these indicators with internal and external repositories, tag them and add them to external blocklists. Finally, Cortex XSOAR provides additional context by ingesting active threat intel feeds, making it easier and faster to respond. It's like operating a factory assembly line, where various jobs are running, providing immediate action with speed and scale.

![The diagram shows how a Cortex XSOAR automated playbook could automate responses to COVID-19 phishing emails. The flow includes the ingestion of active threat intel feeds and the triggering of the playbook, which then extracts additional context to enrich the indicator information, compares with internal lists to check for matches with either trusted or suspicious domains, and blocks the phishing email if it's determined to be malicious.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/07/datasources.png)

Figure 2: Cortex XSOAR COVID-19 suggested playbook flow

The attackers create their own assembly line by leveraging machine learning and AI. They repurpose old proven phishing tactics and techniques at machine speed. This makes it harder for enterprises to catch up unless they counter them with the same force, combating a machine with a machine.

Watch this video to learn how Cortex XSOAR playbooks can protect your enterprise and automate responses to COVID-related phishing attacks.
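The playbook flow described in this post (extract URL and domain indicators from a reported email, compare them with trusted and suspicious lists, tag them, and queue the malicious ones for a blocklist), shown in plain Python as an added example. It is not Cortex XSOAR playbook code or part of the original post; the lists, the sample email and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample lists; a real deployment would load these from internal
# repositories and threat intel feeds.
TRUSTED = {"cdc.gov", "who.int"}
SUSPICIOUS = {"covid-relief.example"}

# Constructed sample of a user-reported email (not a real message).
RAW_EMAIL = """\
From: "CDC Alerts" <alerts@cdc-gov.example>
To: employee@corp.example
Subject: COVID-19 update for your city
Content-Type: text/plain; charset="utf-8"

New cases confirmed near you. Review the list:
http://cdc.gov.covid-relief.example/cases?id=7
Official guidance: https://www.cdc.gov/coronavirus/
Donate here: http://login.health-aid.test/give
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def in_list(domain, entries):
    """Match the domain or a parent domain on a label boundary, so
    'cdc.gov.covid-relief.example' is not mistaken for 'cdc.gov'."""
    return any(domain == e or domain.endswith("." + e) for e in entries)

def extract_domains(raw):
    """Parse the message and return the set of hostnames found in URLs."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(text))
    return {h.lower().rstrip(".") for h in hosts if h}

def triage(raw):
    """Tag each domain, then derive blocklist candidates and a verdict."""
    tags = {}
    for d in sorted(extract_domains(raw)):
        if in_list(d, SUSPICIOUS):      # suspicious list wins over trusted
            tags[d] = "malicious"
        elif in_list(d, TRUSTED):
            tags[d] = "trusted"
        else:
            tags[d] = "unknown"         # left for enrichment or analyst review
    blocklist = [d for d, t in tags.items() if t == "malicious"]
    return {"tags": tags, "blocklist": blocklist,
            "verdict": "block" if blocklist else "review"}

if __name__ == "__main__":
    print(triage(RAW_EMAIL))
```

The label-boundary match in `in_list` is the part a naive substring comparison gets wrong: a hostname that merely begins with a trusted name is not treated as trusted.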