Liquid anyrun

#niri #wayland #anyrun

⏱️ Lack of alert context costs your SOC time and money.

⚡️ #ANYRUN’s integration for Torq helps replace guesswork with high-confidence verdicts and intelligence to slash your MTTR by 21 mins per case.

Streamline your triage and response 👇
https://any.run/cybersecurity-blog/torq-integration/?utm_source=mastodon&utm_medium=post&utm_campaign=torq_integration&utm_term=250626&utm_content=linktoblog

ANY.RUN & Torq: Scale Triage & Respond with Confidence

Bridge the gap between alerts and confident response in your SOC by integrating ANY.RUN's sandbox and threat intelligence in Torq.

ANY.RUN's Cybersecurity Blog

⚠️ Static detection has limited reach into modern phishing.

#ANYRUN's in-browser data inspection catches every DOM mutation, script execution, redirect, and injected form.

👨‍💻 Discover the new standard for URL analysis: https://any.run/cybersecurity-blog/in-browser-data-inspection/?utm_source=mastodon&utm_medium=post&utm_campaign=browser_data_tab&utm_term=250626&utm_content=linktoblog

#cybersecurity #infosec

🚨 New Redirect Framework Turns Legitimate Websites Into Phishing Infrastructure
We’re tracking a surge in activity linked to Bulletproof Redirect Engine, a previously unknown framework that helps attackers manage #phishing redirects through compromised legitimate websites.

❗️ Since late April, #ANYRUN has recorded 170+ public submissions linked to this activity, with observed targets mainly in the US and Europe across manufacturing, consulting, and technology.

⚠️ Hosted in hidden directories on compromised sites, the framework uses trusted domain names to generate phishing links and redirect users to pages built with known phishkits: #Sneaky2FA, #Tycoon, #EvilTokens, Greatness, and EvilProxy. Based on the observed activity, the tool is likely distributed as a PhaaS.

Reputation-based URL controls are not enough when phishing infrastructure hides behind trusted domains and obfuscated browser logic. This increases the chance of victim interaction and creates a SOC blind spot that may lead to missed compromise.

⚡️ Attack chains like this are now faster and easier to investigate in #ANYRUN Sandbox. In-browser data inspection shows exactly what happens inside the browser, exposing phishing behavior that static URL analysis can miss.

👨‍💻 Using the Browser Data tab, we can quickly review requests sent by the redirect page and locate the same activity in the HTML DOM Changes: https://app.any.run/tasks/e728e277-a694-431b-8040-655c473baa22/?utm_source=mastodon&utm_medium=post&utm_campaign=bulletproof_redirect_engine_phishing&utm_term=240626&utm_content=linktoservice

The code is heavily obfuscated, so the final phishing page is not directly visible in the DOM. But the HTTP Requests tab still exposes the next-stage redirect to an #EvilProxy phishing page impersonating Microsoft sign-in flow. This gives analysts a clear pivot point for detection, investigation, and response ✅

🚀 Expose phishing activity hidden behind trusted infrastructure and obfuscated browser logic, then turn it into faster triage, sharper response, and stronger detection rules. See how #ANYRUN closes phishing blind spots: https://any.run/cybersecurity-blog/in-browser-data-inspection/?utm_source=mastodon&utm_medium=post&utm_campaign=bulletproof_redirect_engine_phishing&utm_term=240626&utm_content=linktoblog

#cybersecurity #infosec

🚨 What EvilTokens Hides in the Browser: See Beyond Static URL Analysis
#EvilTokens remains one of the most active phishkits in our reports, abusing MS Device Code authentication to gain access through OAuth workflows rather than direct credential theft.

❗️ The landing page content is AES-GCM encrypted in the initial HTML response and becomes visible only after client-side decryption writes it into the browser DOM, making static URL analysis and network-only visibility incomplete.
👨‍💻 Review the full phishing flow: https://app.any.run/tasks/55d3ead7-c07a-4fb1-aa42-8c397d1a0f8a/?utm_source=mastodon&utm_medium=post&utm_campaign=what_eviltokens_hide&utm_term=170626&utm_content=linktoservice

🚀 #ANYRUN sets a new standard for URL analysis, leaving no blind spots for phishing to exploit. In-browser data inspection shows exactly what happens inside the browser, exposing every phishing URL’s behavior.

⚡️ How to use the Browser Data tab in #ANYRUN Sandbox for full URL visibility that speeds up triage and response:
HTML DOM Changes: Track DOM states over time with timeshift, compare page states, and review byte-level diffs.
📌 In this case, it reveals when the decrypted phishing page is rendered, exposing the user code and other artifacts hidden in the initial response.

URL Details: Review the final URL, domain, SSL certificate, DNS records, request statistics, and triggered signatures in one place.
📌 For device-code phishing, this helps quickly verify suspicious OAuth-related activity without manually correlating multiple data sources.

HTTP Requests: Inspect browser-level network activity across HTML, JS, Fetch/XHR, scripts, static files, binaries, archives, and other request categories.
📌 Here, requests to /api/device/start retrieve the userCode and sessionId, while /api/device/status/<sessionId> tracks authorization status, providing early confirmation of the phishing flow.

Indicators: Automatically collect page-level IOCs, including domains, URLs, hashes, IPs, and ASN data.
📌 These indicators provide immediate pivot points for threat hunting, helping analysts expand the investigation beyond the original URL.

✅ This turns URL triage from long manual reconstruction into a fast decision path: what loaded, what changed, and whether the case should be contained, escalated, or turned into detection logic.

When phishing relies on dynamic browser behavior, this visibility doesn't just speed up triage — it strengthens every downstream process: faster escalations, sharper response, stronger detection logic.

🚀 See how #ANYRUN closes phishing blind spots: https://any.run/cybersecurity-blog/in-browser-data-inspection/?utm_source=mastodon&utm_medium=post&utm_campaign=what_eviltokens_hide&utm_term=170626&utm_content=linktoblog

#cybersecurity #infosec

⚠️ Every delayed triage decision adds pressure to the SOC.

More manual checks, escalations, and time spent before real threats move into response.

⚡️ See how #ANYRUN helps teams validate threats faster and reduce operational risk 👇
https://any.run/cybersecurity-blog/triage-analyst-guide/?utm_source=mastodon&utm_medium=post&utm_campaign=triage_analyst_guide&utm_term=170626&utm_content=linktoblog

Faster Triage, Clearer Evidence, Lower Risk: Your Complete SOC Guide

Discover how ANY.RUN helps SOCs and MSSPs reduce triage delays, improve escalation quality, and make faster, evidence-backed decisions.


🌍 What a conference season!

Across Infosecurity Europe, CONFidence, and C1b3rWall, one challenge stood out: helping SOCs keep pace with evolving threats without overloading their teams 👨‍💻

See how #ANYRUN helps respond with speed & confidence 👇
https://any.run/cybersecurity-blog/europe-cybersecurity-conferences-2026/?utm_source=mastodon&utm_medium=post&utm_campaign=europe_cybersecurity_conferences_2026&utm_term=110226&utm_content=linktoblog

ANY.RUN at Europe’s Cybersecurity Conferences 2026

Explore ANY.RUN’s highlights from Infosecurity Europe, CONFidence, and C1b3rWall 2026, including the SOC priorities shaping security operations today.


🚨 OAuth Token Abuse Is Growing: Greatness Returns with Device Code Phishing
We've identified renewed activity associated with the Greatness #PhaaS, which combines #AiTM and Device Code #Phishing to target Microsoft 365 Accounts.

⚠️ Device Code Phishing abuses Microsoft's legitimate device authorization flow to obtain access tokens without directly collecting passwords or MFA codes. This shifts risk from credential theft to token abuse, reducing traditional phishing indicators for SOC teams to detect and investigate.

❗️ Greatness promotes token- and cookie-based access to Microsoft 365 accounts through its Telegram channel, advertising passwordless and code-less account compromise scenarios.

Observed capabilities include:
🔹 Device Code Phishing for M365 token theft
🔹 Phishing templates impersonating DocuSign, OneDrive, Outlook, and Voicemail
🔹 Country-targeted login lures
🔹 Cloudflare-hosted phishing links
🔹 Keyword-based targeting engine
🔹 Centralized administration panel

👨‍💻 Review the analysis session, investigate the phishing flow, and validate detection coverage: https://app.any.run/tasks/dd97835c-8a07-4917-ba23-cb8d8493b174/?utm_source=mastodon&utm_medium=post&utm_campaign=greatness_phaas&utm_term=100626&utm_content=linktoservice

🔍 Track Device Code Phishing activity associated with Greatness and uncover related infrastructure in #ANYRUN TI Lookup: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=greatness_phaas&utm_content=linktotilookup&utm_term=100626#%7B%22query%22:%22threatName:%5C%22greatness%5C%22%20and%20threatName:%5C%22oauth-ms-phish%5C%22%22,%22dateRange%22:180%7D

🚀 Strengthen phishing detection and accelerate response across your SOC with #ANYRUN: https://any.run/phishing/?utm_source=mastodon&utm_medium=post&utm_campaign=greatness_phaas&utm_term=100626&utm_content=linktophishinglanding

#cybersecurity #infosec
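An added Python example, not code from ANY.RUN or from either post, that turns the device-code flow described in the EvilTokens post (a /api/device/start call returning a userCode and sessionId, then polling of /api/device/status/<sessionId>) and the Greatness post above into detection logic over browser-level request records of the kind the HTTP Requests tab surfaces. The record shape, the host, the codes and the trailing-slash tolerance in the path patterns are assumptions; only the two endpoint paths come from the post.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape the post describes: (method, url, response body).
# The host, codes and ids are placeholders, not indicators from the post.
H = "https://docs-review.example"
SAMPLE_REQUESTS = [
    ("GET", H + "/verify", ""),
    ("POST", H + "/api/device/start", '{"userCode": "ABCD1234", "sessionId": "s-7f1e"}'),
    ("GET", H + "/api/device/status/s-7f1e", '{"status": "pending"}'),
    ("GET", H + "/api/device/status/s-7f1e", '{"status": "pending"}'),
    ("GET", H + "/api/device/status/s-7f1e", '{"status": "authorized"}'),
    ("GET", "https://cdn.example/static/app.js", ""),
]

START_RE = re.compile(r"/api/device/start/?$")
STATUS_RE = re.compile(r"/api/device/status/(?P<sid>[^/?#]+)/?$")


def _json_object(body):
    """Parse a response body as a JSON object; anything else yields {}."""
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}


def find_device_code_flows(requests, min_polls=2):
    """One finding per (host, sessionId) where /api/device/start returned a sessionId
    that was then polled at least `min_polls` times via /api/device/status/<id>."""
    starts, polls, last_status = {}, defaultdict(int), {}
    for _method, url, body in requests:
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path
        if START_RE.search(path):
            data = _json_object(body)
            if data.get("sessionId"):
                starts[(host, data["sessionId"])] = data.get("userCode")
            continue
        m = STATUS_RE.search(path)
        if m and (host, m.group("sid")) in starts:
            key = (host, m.group("sid"))
            polls[key] += 1
            last_status[key] = _json_object(body).get("status")
    return [{"host": h, "sessionId": s, "userCode": code, "polls": polls[(h, s)],
             "final_status": last_status.get((h, s))}
            for (h, s), code in starts.items() if polls[(h, s)] >= min_polls]
```

A "final_status" of "authorized" on a flagged session is the point at which a token grant has likely completed and the case should move to containment rather than further triage.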

🎯 Threat hunting breaks when teams prioritize hypotheses based on assumptions instead of actual threats targeting their business.

For example, if you're protecting a U.S. financial organization, start with: submissionCountry:"US" AND industry:"finance"
🔍 Run the search in #ANYRUN TI Lookup: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=threat_hunting_practical_usecases&utm_term=100226&utm_content=linktolookup/#%7B%2522query%2522:%2522submissionCountry:%255C%2522US%255C%2522%2520and%2520industry:%255C%2522finance%255C%2522%2522,%2522dateRange%2522:180%7D

You'll see malware families, phishing campaigns, and attack techniques observed targeting organizations in your sector, helping prioritize hunts based on real attacker activity rather than broad industry reports.

👨‍💻 Learn how SOCs & MSSPs build hunts around observed threats to reduce wasted effort and focus on real business risk: https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/?utm_source=mastodon&utm_medium=post&utm_campaign=threat_hunting_practical_usecases&utm_term=100226&utm_content=linktoblog

⚡️ SOAR can move an alert through a workflow but can't determine what a URL does.

#ANYRUN Sandbox adds behavioral analysis, helping validate threats earlier and reduce manual checks that slow triage & response.

How this works across SOC workflows 👇
https://any.run/cybersecurity-blog/integrating-sandbox-into-soar-workflows/?utm_source=mastodon&utm_medium=post&utm_campaign=sandbox_soar&utm_term=100626&utm_content=linktoblog

Integrating a Sandbox into SOAR Workflows: Steps & Benefits

Learn how integrating a sandbox into SOAR workflows improves triage speed and detection accuracy, reducing operational load for modern SOCs.
