📈 Threat intelligence value is defined by its daily use. Integrated into workflows, it improves decision speed, consistency, and SOC visibility.

⚡️ #ANYRUN Threat Intelligence supports this by delivering context where decisions are made. Learn more: https://any.run/cybersecurity-blog/expanded-free-ti-plan/?utm_source=mastodon&utm_medium=post&utm_campaign=expanded_ti_plan&utm_term=070526&utm_content=linktoblog

🚨 #BlobPhish credential-phishing campaign targets Microsoft 365, major U.S. financial institutions, and webmail services.
⚠️ Compromised accounts enable BEC, data exfiltration, and lateral movement, creating direct financial and operational risk.

This campaign generates phishing pages directly inside the browser using blob objects instead of loading them over the network. The payload exists entirely in memory, which breaks network visibility and makes traditional detection unreliable.

⚡️ #ANYRUN Sandbox helps SOC teams observe this behavior, exposing in-memory phishing and enabling faster detection and response. See how the attack unfolds and collect IOCs: https://app.any.run/tasks/191b74fc-fb9f-455a-9492-ca872871d0e1/?utm_source=mastodon&utm_medium=post&utm_campaign=blobphish_case&utm_term=060526&utm_content=linktoservice

📌 Explore full technical breakdown to understand detection gaps, validate your coverage, and strengthen phishing defenses: https://any.run/cybersecurity-blog/evasive-blob-phishing-detection/?utm_source=mastodon&utm_medium=post&utm_campaign=blobphish_case&utm_term=060526&utm_content=linktoblog

Mature SOCs using Microsoft Sentinel are adding #ANYRUN to their stack. It gives analysts time to make decisions. And also:
⚡ Auto-enrichment and prioritization
📉 MTTR down by up to 21 min
🔥 Early detection & faster response

Time to add it to your SOC: https://any.run/cybersecurity-blog/malware-sandbox-ms-sentinel-connector/?utm_source=mastodon&utm_medium=post&utm_campaign=sandbox_sentinel&utm_term=060526&utm_content=linktoblog

The MSSP market is booming. When growth kills margins, intelligence-driven scaling is the fix ✅

#ANYRUN gives MSSPs a unified operational layer, which means less manual work, consistent workflows, and more context across every client.

📈 Learn how to scale past bottlenecks: https://any.run/cybersecurity-blog/mssp-pains-solved-by-ti/?utm_source=mastodon&utm_medium=post&utm_campaign=mssp_pains_solved_by_ti&utm_term=050526&utm_content=linktoblog

🚀 Fuel core SOC workflows with #ANYRUN April updates

20 premium TI Lookup and YARA Search requests now available for your team, AI-assisted search, and 1,770 new detections to support triage, hunting, and response.

🎯 Cut uncertainty and act faster
https://any.run/cybersecurity-blog/release-notes-april-2026/?utm_source=mastodon&utm_medium=post&utm_campaign=release_notes_april_2026&utm_term=300426&utm_content=linktoblog

Release Notes: 20 Premium TI Requests & New Detections

ANY.RUN April updates: expanded Threat Intelligence access, AI-assisted search, new detection coverage, and fresh TI Reports.

ANY.RUN's Cybersecurity Blog

🚨 ALERT: US-Targeted #Phishing Campaign Exploiting Remote Access Blind Spots
A large-scale campaign is targeting U.S. organizations with fake event invitations. Attackers combine credential theft with OTP interception and RMM deployment, enabling direct remote access.

⚠️ Activity is concentrated in the U.S., with high risk across banking, government, tech, and healthcare, indicating broad exposure across business-critical sectors.

❗️ Some phishing pages show signs of AI-assisted generation, while embedded code reveals reuse of common phishing kits, allowing attackers to scale and rapidly create new lures.

The risk goes beyond phishing. Remote access to the corporate environment is established through legitimate tools like ScreenConnect, ITarian, and Datto RMM, while infrastructure and domains are designed to look trustworthy, delaying detection and increasing attacker dwell time.

🔗 The flow starts with a CAPTCHA page, followed by a fake “event invitation” and then splits into two paths: credential harvesting via phishing login pages or RMM installation.
👾 In this case, the download starts automatically, establishing access early in the execution chain, before user awareness. See how the full flow unfolds, from initial redirect to remote access delivery: https://app.any.run/tasks/4c2687da-1426-43c3-8e16-868f90fb9361/?utm_source=mastodon&utm_medium=post&utm_campaign=phishing_RMM_campaign&utm_term=290426&utm_content=linktoservice

⚡️ With #ANYRUN Sandbox and Threat Intelligence, analysts can safely reconstruct the full attack chain and identify related patterns across campaigns. This enables earlier confirmation of phishing activity, reduces MTTD, and helps contain incidents before impact.

❗️ Early-stage signals make this campaign detectable. These appear before credentials are entered and are visible in #ANYRUN Sandbox at the start of the execution chain, enabling faster and more confident response decisions.

Despite infrastructure changes, the campaign relies on repeatable patterns: consistent URL structure across phishing domains, fixed resource paths like /Image/*.png, and sequential requests such as /favicon.ico ➡️ /blocked.html ➡️ phishing content.

📌 Full technical breakdown of this campaign and all attack flow variants coming soon. Stay tuned!

👨‍💻 Explore these patterns, uncover related activity, and pivot from IOCs in TI Lookup: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=phishing_rmm_campaign&utm_content=linktotilookup&utm_term=290426#%7B%2522query%2522:%2522url:%255C%2522/blocked.html%255C%2522%2520AND%2520url:%255C%2522/favicon.ico%255C%2522%2520and%2520url:%255C%2522/Image/*.png%255C%2522%2522,%2522dateRange%2522:180%7D%20

🚀 Equip your SOC with stronger phishing detection and contain incidents faster: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=phishing_RMM_campaign&utm_term=290426&utm_content=linktoblog

#cybersecurity #infosec
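
The request sequence described in the post above (/favicon.ico, then /blocked.html, then further content, with /Image/*.png as a fixed resource path) can be hunted in web proxy logs. The following is an added example, not ANY.RUN's detection logic; the log format, the 60-second correlation window and the `.example` hostnames are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: ISO time, client IP, host, request path.
SAMPLE_LOG = """\
2026-04-29T10:00:01 10.0.0.5 invite-portal.example /favicon.ico
2026-04-29T10:00:02 10.0.0.5 invite-portal.example /blocked.html
2026-04-29T10:00:04 10.0.0.5 invite-portal.example /Image/logo.png
2026-04-29T10:00:05 10.0.0.5 invite-portal.example /login
2026-04-29T10:01:00 10.0.0.7 news.example /favicon.ico
2026-04-29T10:01:03 10.0.0.7 news.example /Image/banner.png
2026-04-29T10:02:00 10.0.0.9 shop.example /blocked.html
2026-04-29T10:02:01 10.0.0.9 shop.example /favicon.ico
2026-04-29T10:20:00 10.0.0.9 shop.example /cart
"""

IMAGE_PATH = re.compile(r"^/Image/[^/]+\.png$")
WINDOW = timedelta(seconds=60)  # assumed correlation window

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, host, path = parts
        yield datetime.fromisoformat(ts), client, host, path.split("?", 1)[0]

def find_sequences(log_text, window=WINDOW):
    sessions = defaultdict(list)
    for ts, client, host, path in sorted(parse(log_text)):
        sessions[(client, host)].append((ts, path))
    hits = []
    for (client, host), reqs in sessions.items():
        for i, (t0, p0) in enumerate(reqs):
            if p0 != "/favicon.ico":
                continue
            tail = [(t, p) for t, p in reqs[i + 1:] if t - t0 <= window]
            paths = [p for _, p in tail]
            if "/blocked.html" not in paths:
                continue
            after = paths[paths.index("/blocked.html") + 1:]
            if after:  # something was served after the gate page
                hits.append({"client": client, "host": host,
                             "image_path": any(IMAGE_PATH.match(p) for p in after)})
                break
    return hits
```

A hit with `image_path` set matches all three patterns from the post on one host and is the stronger signal; order matters, so a host that serves /blocked.html before /favicon.ico is not flagged.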

🏥 Healthcare is a prime ransomware target due to legacy systems and sensitive data. Faster, clearer threat analysis keeps operations running.

⚡️ Dive into the real story of how a healthcare support organization accelerated SOC processes with #ANYRUN: https://any.run/cybersecurity-blog/healthcare-success-story/?utm_source=mastodon&utm_medium=post&utm_campaign=healthcare_success_story&utm_term=290426&utm_content=linktoblog

🚨 #Phishing-to-RMM Attacks: The Remote Access Blind Spot CISOs Can’t Ignore
Attackers are exploiting a security gap in U.S. businesses. Fake Microsoft, Adobe, and OneDrive pages deliver RMM software instead of payloads, giving attackers direct access to the environment.

⚠️ Because these tools are widely used across enterprises, attackers can establish access before activity is flagged as malicious. Combined with trusted or compromised infrastructure, this delays detection and increases attacker dwell time.

⚡️ #ANYRUN allows teams to safely validate suspicious remote access activity faster, trace the access path, and provide leadership with clearer evidence for containment and follow-up decisions.

👨‍💻 See the analysis session showing how attackers gain remote access through a fake Microsoft Store page delivering an RMM installer disguised as Adobe software: https://app.any.run/tasks/e072ae4e-214c-4039-957d-7c0cbe682da8/?utm_source=mastodon&utm_medium=post&utm_campaign=rmm_blind_spot&utm_term=280426&utm_content=linktoservice

📌 Learn how to close the blind spot before access turns into impact: https://any.run/cybersecurity-blog/rmm-blind-spot-for-cisos/?utm_source=mastodon&utm_medium=post&utm_campaign=rmm_blind_spot&utm_term=280426&utm_content=linktoblog

#cybersecurity #infosec

❗️ For MSSPs, every new client adds headcount before margin. So how do you scale?

Teams breaking that cycle aren't hiring faster, they're investigating faster.

⚡️ See how #ANYRUN cuts analysis time, letting you handle more clients without extra hires: https://any.run/mssp/?utm_source=mastodon&utm_medium=post&utm_campaign=grow_your_mssp&utm_term=280426&utm_content=linktomssplanding

#mssp

🇧🇷 Active #phishing campaign targeting finance & banks in Brazil: attackers watch sessions live and break in to commit fraud.

⚠️ That means direct financial loss, not just data exposure.

Research by Moises Cerqueira. Detection & response by #ANYRUN 👇

https://any.run/cybersecurity-blog/brazilian-banking-phishing-campaign/?utm_source=mastodon&utm_medium=post&utm_campaign=brazilian_banking_phishing_campaign&utm_term=240426&utm_content=linktoblog

#cybersecurity #infosec

Brazilian Phishing Campaign Deploys agenteV2 Stealer

Brazilian phishing delivers agenteV2: a Nuitka-compiled banking stealer targeting major banks with live screen streaming via WebSocket.
