⚠️ In 2025, stealer and RAT activity tripled. #Lumma led with 31K+ detections, while #XWorm grew 4.3x YoY.

Phishing kept pace, driven by MFA-bypassing PhaaS kits like #Tycoon2FA and #EvilProxy.

👨‍💻 See which threats SOC teams should be preparing for next: https://any.run/cybersecurity-blog/malware-trends-2025/?utm_source=mastodon&utm_medium=post&utm_campaign=malware_trends_2025_types&utm_term=030226&utm_content=linktoblog

#cybersecurity #infosec

🚨 Attackers hijacked a supplier mailbox and replied inside a real C-suite thread, delivering an #EvilProxy phish behind Turnstile gates

We exposed the full chain + campaign links

See how this impacts business risk, and how your SOC can catch it earlier: https://any.run/cybersecurity-blog/enterprise-email-thread-phishing/?utm_source=mastodon&utm_medium=post&utm_campaign=enterprise_email_thread_phish&utm_term=280126&utm_content=linktoblog

#cybersecurity #infosec

🚨 Attackers Took Over a Real Enterprise Email Thread to Deliver #Phishing

⚠️ The hacker replied directly within an active discussion among C-suite executives about a document pending final approval, sharing a phishing link to a fake Microsoft authentication form.
The attackers likely compromised a sales manager account at an enterprise contractor and hijacked a trusted business conversation.

👾 By detonating samples in the #ANYRUN Sandbox and pivoting indicators in TI Lookup, we uncovered a broader campaign powered by the #EvilProxy phishkit. The activity has been ongoing since early December 2025, primarily targeting companies in the Middle East.

🔗 Execution chain:
SCA phishing email ➡️ 7 forwarded messages ➡️ Phishing link ➡️ Antibot landing page w/ Cloudflare Turnstile ➡️ Phishing page w/ Cloudflare Turnstile ➡️ EvilProxy

❗️ Supply chain phishing campaigns now rely on layered social engineering, real conversation hijacking, and infrastructure that closely resembles #PhaaS platforms in both complexity and scale. These attacks exploit business trust, not technical vulnerabilities.

🎯 How companies can reduce supply chain phishing risk:
🔹 Flag HTML/PDF files with dynamic content, review unusual approval flows, and detonate suspicious files in a sandbox before interaction.
🔹 Split responsibility between initiating and approving document or process changes. Apply the four-eyes principle.
🔹 Use realistic supply chain attack scenarios and “perfect-looking” emails in awareness programs.

⚡️ Further technical insights are coming, stay tuned!

With #ANYRUN Sandbox, the threat's full attack chain becomes visible through real behavior and actionable reports with IOCs in under 60 seconds, significantly cutting MTTD and MTTR. Security teams triage faster, reduce Tier-1 overload and escalations, and contain incidents earlier to limit business impact.

👨‍💻 Equip your SOC with stronger phishing detection: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=b2b_social_engineering_phishing&utm_term=270126&utm_content=linktoenterprise

#ExploreWithANYRUN

📋 IOCs:
URI pattern: POST ^(/bot/|/robot/)$
Domains:
himsanam[.]com
bctcontractors[.]com
studiofitout[.]ro
st-fest[.]org
komarautomatika[.]hu
eks-esch[.]de
avtoritet-car[.]com
karaiskou[.]edu[.]gr
Domain pattern: ^loginmicrosoft*

#cybersecurity #infosec
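One way a SOC can turn the IOC list above into a hunt over its own proxy logs, as an added example that is not ANY.RUN's code. The log lines are constructed and their layout (timestamp, client IP, method, host, path) is an assumption; adapt LOG_RE to your proxy format. The domain pattern `^loginmicrosoft*` is applied as a hostname prefix match, since in strict regex the trailing `*` would only make the final `t` optional, which is clearly not what was meant.

```python
"""Hunt proxy/web logs for the EvilProxy campaign indicators listed above.

Added example, not ANY.RUN's code. Log lines are constructed; their layout
(<timestamp> <client> <METHOD> <host> <path>) is an assumption. The
indicators come from the post: the defanged domain list, the URI pattern
POST ^(/bot/|/robot/)$, and the ^loginmicrosoft* domain pattern, applied
here as a hostname prefix.
"""
import re
from typing import Dict, List

IOC_DOMAINS_DEFANGED = [
    "himsanam[.]com",
    "bctcontractors[.]com",
    "studiofitout[.]ro",
    "st-fest[.]org",
    "komarautomatika[.]hu",
    "eks-esch[.]de",
    "avtoritet-car[.]com",
    "karaiskou[.]edu[.]gr",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# URI pattern from the post: a POST whose path is exactly /bot/ or /robot/.
BOT_GATE_RE = re.compile(r"^(/bot/|/robot/)$")
# Domain pattern from the post, read as a hostname prefix.
LOGIN_MS_PREFIX = "loginmicrosoft"

# Assumed log layout: <timestamp> <client> <METHOD> <host> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


def ioc_domain_hit(host: str) -> bool:
    """Exact match or any subdomain of a listed domain."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def hunt(lines: List[str]) -> List[Dict]:
    """Return one record per matching log line with the reasons it matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these
        host = m["host"].lower()
        path = m["path"].split("?", 1)[0]  # the pattern is anchored on the path only
        reasons = []
        if ioc_domain_hit(host):
            reasons.append("ioc_domain")
        if host.startswith(LOGIN_MS_PREFIX):
            reasons.append("loginmicrosoft_prefix")
        if m["method"] == "POST" and BOT_GATE_RE.match(path):
            reasons.append("bot_gate_post")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "path": path, "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic); hosts not in the IOC list are hypothetical.
SAMPLE_LOGS = [
    "2026-01-20T09:14:02Z 10.1.2.3 GET himsanam.com /",
    "2026-01-20T09:14:05Z 10.1.2.3 POST himsanam.com /bot/",
    "2026-01-20T09:14:09Z 10.1.2.3 POST loginmicrosoft-auth.example /robot/?v=1",
    "2026-01-20T09:15:00Z 10.1.2.4 GET login.microsoftonline.com /common/oauth2/authorize",
    "2026-01-20T09:15:10Z 10.1.2.5 POST www.example.com /robots.txt",
    "2026-01-20T09:16:00Z 10.1.2.6 GET cdn.komarautomatika.hu /x",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit["ts"], hit["client"], hit["host"], hit["path"], ",".join(hit["reasons"]))
```

The `/robots.txt` line shows why the URI pattern is anchored: a loose `/robot` substring match would fire on every crawler-policy fetch. Subdomain matching on the listed domains is deliberate, since the post's chain moves through more than one host on the same registrable domain.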

🚨 #Phishing on Trusted Cloud Infrastructure: Google, Microsoft, Cloudflare.
We’re tracking a growing trend where phishing kit infrastructure is hosted on legitimate cloud and CDN platforms, not newly registered domains. In some cases, these campaigns specifically target enterprise users. This creates serious visibility challenges for security teams.

We’ve observed this pattern across multiple #phishkits:
🔹 #Tycoon hosted on alencure[.]blob[.]core[.]windows[.]net (Microsoft Azure Blob Storage): https://app.any.run/tasks/29b53d89-99b4-4827-b0af-72f315fdf529/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
⚠️ #Sneaky2FA hosted on legitimate cloud platforms, filtering out free email domains via a fake Microsoft 365 login to target corporate accounts:
firebasestorage[.]googleapis[.]com (Cloud Storage for Firebase): https://app.any.run/tasks/8189dd5e-0159-480d-8654-7b438a73f11e?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
cloudfront[.]net (AWS CloudFront): https://app.any.run/tasks/9a2d1537-e952-455e-bba0-b36f720a07e6/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
🔹 #EvilProxy hosted on sites[.]google[.]com (Google Sites): https://app.any.run/tasks/07995c22-6e7d-468b-ad94-29af75525ed3/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice

Victims see a “trusted” provider domain, while the network only sees normal HTML being loaded from cloud infrastructure. What looks clean at first glance is exposed by #ANYRUN Sandbox in under 60 seconds, directly reducing MTTD and MTTR.

🔍 Hunt for related activity and pivot from #IOCs using these search queries in TI Lookup:
🔹 Microsoft Azure Blob Storage abuse: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktotilookup#%7B%22query%22:%22threatName:%5C%22phishing-ml%5C%22%20and%20domainName:%5C%22*.blob.core.windows.net$%5C%22%22,%22dateRange%22:30%7D
🔹 Firebase Cloud Storage abuse: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktotilookup#%7B%2522query%2522:%2522domainName:%255C%2522firebasestorage.googleapis.com$%255C%2522%2520AND%2520(domainName:%255C%2522.icu$%255C%2522%2520OR%2520domainName:%255C%2522.xyz$%255C%2522)%2522,%2522dateRange%2522:60%7D%20%20
🔹 Google Sites abuse: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktotilookup#%7B%2522query%2522:%2522domainName:%255C%2522sites.google.com$%255C%2522%2520AND%2520suricataMessage:%255C%2522*Possible%2520Fake%2520Microsoft%2520Sign-in%2520domain%2520chain*%255C%2522%2522,%2522dateRange%2522:60%7D%20%20

Many security vendors will flag these domains as legitimate. Technically, they are. That’s why security teams need behavioral analysis and network-level signals to reliably uncover phishing before impact.

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=register#register
#ExploreWithANYRUN

#IOCs:
mphdvh[.]icu
kamitore[.]com
aircosspascual[.]com
Lustefea[.]my[.]id

#cybersecurity #infosec
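Because blocking `*.blob.core.windows.net` or `sites.google.com` outright is not an option, the useful indicator is the tenant behind the provider domain. The following added example (not ANY.RUN's code) extracts that tenant for the four providers named in the post. The URL layouts assumed are the providers' public formats: `<account>.blob.core.windows.net/<container>/...`, `<distribution>.cloudfront.net/...`, `firebasestorage.googleapis.com/v0/b/<bucket>/o/...`, and `sites.google.com/view/<site>/...`. The sample URLs are constructed; `alencure` is the host observed in the post, while every path and the other tenant names are hypothetical.

```python
"""Pivot on the tenant behind a phishing page hosted on legitimate cloud
storage or a CDN, instead of on the provider domain that everyone trusts.

Added example, not ANY.RUN's code. Provider suffixes are the ones named in
the post; the URL layouts are assumptions based on the providers' public
formats. Sample URLs are constructed (paths and most tenant names are
hypothetical).
"""
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlsplit

CLOUD_SUFFIXES = {
    "blob.core.windows.net": "azure_blob",
    "cloudfront.net": "aws_cloudfront",
    "firebasestorage.googleapis.com": "firebase_storage",
    "sites.google.com": "google_sites",
}


def classify(url: str, own_tenants: FrozenSet[str] = frozenset()) -> Optional[Dict]:
    """Return provider and tenant for a cloud-hosted URL, or None if it is not one.

    own_tenants is the set of storage accounts/buckets/sites the organisation
    actually owns; anything else on a provider domain is an unknown tenant,
    which is the indicator worth alerting or blocking on.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    for suffix, provider in CLOUD_SUFFIXES.items():
        if host != suffix and not host.endswith("." + suffix):
            continue
        sub = host[: -len(suffix)].rstrip(".")  # labels left of the provider suffix
        tenant: Optional[str] = None
        if provider == "azure_blob":
            tenant = sub or None                 # storage account; container is segs[0]
        elif provider == "aws_cloudfront":
            tenant = sub or None                 # distribution id
        elif provider == "firebase_storage":
            if len(segs) >= 3 and segs[0] == "v0" and segs[1] == "b":
                tenant = segs[2]                 # bucket name
        elif provider == "google_sites":
            if len(segs) >= 2 and segs[0] in ("view", "site"):
                tenant = segs[1]                 # site name
        return {
            "provider": provider,
            "tenant": tenant,
            "indicator": f"{provider}:{tenant}" if tenant else f"{provider}:unknown",
            "own_tenant": tenant is not None and tenant in own_tenants,
        }
    return None


def triage(urls: List[str], own_tenants: FrozenSet[str]) -> List[Dict]:
    """Keep only cloud-hosted URLs whose tenant is not one of ours."""
    out = []
    for u in urls:
        c = classify(u, own_tenants)
        if c and not c["own_tenant"]:
            out.append({"url": u, **c})
    return out


SAMPLE_URLS = [
    "https://alencure.blob.core.windows.net/site/index.html",
    "https://corp-docs.blob.core.windows.net/public/policy.pdf",
    "https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/login.html?alt=media",
    "https://sites.google.com/view/example-site/home",
    "https://d111111abcdef8.cloudfront.net/auth/",
    "https://login.microsoftonline.com/common/oauth2/authorize",
]
OWN_TENANTS = frozenset({"corp-docs"})  # hypothetical: the one storage account we own

if __name__ == "__main__":
    for rec in triage(SAMPLE_URLS, OWN_TENANTS):
        print(rec["indicator"], rec["url"])
```

The `provider:tenant` string is what to write into a blocklist or a TI Lookup pivot; the provider domain itself stays allowed. An unknown-tenant hit on a storage URL that also serves a Microsoft-style sign-in form is the combination the post's sandbox sessions show.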

🪝 #EvilProxy is a #phishing kit that bypasses 2FA via a reverse-proxy architecture.

🌐 Attackers use it to target credentials of corporate Microsoft 365 users across different industries.

Learn about this threat & see analysis: https://any.run/malware-trends/evilproxy/?utm_source=mastodon&utm_medium=post&utm_campaign=evilproxy&utm_content=tracker&utm_term=230625

#cybersecurity #infosec

Global analysis of Adversary-in-the-Middle phishing threats

Explore the 2025 landscape of Adversary-in-the-Middle phishing threats with data, trends, and top detection insights.

Sekoia.io Blog

Phishing-as-a-service is an area that is increasing rapidly according to research by security vendor Barracuda Networks, which says it has detected a “massive spike” in PhaaS attacks in the first two months of this year.

https://www.computing.co.uk/news/2025/security/massive-spike-in-phishing-as-a-service-attacks-in-2025-research

#phishing #phaas #tycoon2fa #evilproxy #infosec #cybersecurity #barracuda #technews

‘Massive spike’ in phishing-as-a-service attacks in 2025, research

Phishing is by far the most common entry point for hackers, with 84% of businesses reporting having been targeted, according to a recent UK government ...

Account Compromise Arms Race: The Rise of Phishing-as-a-Service
#EvilProxy #ONNXStore
https://abnormalsecurity.com/blog/account-compromise-phishing-as-a-service

Discover how phishing-as-a-service (PhaaS) is transforming phishing attacks with cloud-based platforms, multi-factor authentication bypass, and session…

Abnormal

🚨 ALERT: Fake #YouTube links redirect to #phishing pages
Abusing the authority component of the Uniform Resource Identifier (URI), phishers obfuscate links by placing a legitimate-looking resource address, like http://youtube, at the beginning of the URL to deceive users and make the link appear authentic and safe.

📌 The attackers are also abusing other services. We’ll keep monitoring and sharing the details with you, so your company can make effective decisions to address the threat.

Take a look at the example and gather #IOCs:
https://app.any.run/tasks/ace1b2b4-1c1a-4669-a3fc-231d473bc3b9/?utm_source=mastodon&utm_medium=post&utm_campaign=uri_phishing&utm_term=090125&utm_content=linktoservice

👨‍💻 Use this search request to find more sandbox sessions and improve the precision and efficiency of your organization's security response:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=uri_phishing&utm_content=linktoti&utm_term=090125#%7B%2522query%2522:%2522commandLine:%255C%2522youtube.com%2525%255C%2522%2522,%2522dateRange%2522:180%7D

Technically, the URI Scheme replaces the userinfo field (user:pass) with a domain name: foo:// <user:pass> @ domain . zone

📝 Attributes
#Storm1747 domain infrastructure — checkers, redirectors and main pages — has a standard template for #Tycoon 2FA #phishkit installed.
The technique of replacing userinfo is also employed by various other phishing kits, such as #Mamba 2FA and #EvilProxy.

🚀 Analyze and investigate the latest #malware and phishing threats with ANYRUN

Analysis 11.eml (MD5: 22C3F4BDD48227F846774A0198291843) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.
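The userinfo trick described in the post above (a brand name in front of `@`, the real host after it), as an added example that is not ANY.RUN's code. Python's `urllib.parse.urlsplit` follows RFC 3986, so everything between `//` and the last `@` of the authority is userinfo and the host is whatever follows the `@`, which is exactly the split a browser makes. The sample URLs and the brand-token list are constructed for the demo; the hostnames are hypothetical.

```python
"""Split a URL the way a browser does and flag userinfo abuse of the kind
described above (http://youtube@attacker.zone).

Added example, not ANY.RUN's code. Sample URLs and BRAND_TOKENS are
constructed; hostnames are hypothetical.
"""
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Brand strings an attacker is likely to plant in userinfo (constructed list).
BRAND_TOKENS = ("youtube", "microsoft", "office", "sharepoint", "google")
# Something that looks like a hostname: at least two dot-separated labels.
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def analyze(url: str) -> Dict:
    """Return the real destination host and the reasons, if any, to flag the link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    userinfo = ""
    if "@" in parts.netloc:
        # RFC 3986: userinfo is everything before the LAST '@' in the authority.
        userinfo = unquote(parts.netloc.rpartition("@")[0])
    reasons: List[str] = []
    if userinfo:
        # Credentials in http(s) links are obsolete in browsers; in mail they are bait.
        reasons.append("userinfo_present")
        bait = userinfo.split(":", 1)[0].lower().rstrip("/")
        if HOSTLIKE_RE.match(bait):
            reasons.append("userinfo_looks_like_host")
        if any(tok in bait for tok in BRAND_TOKENS):
            reasons.append("userinfo_brand_bait")
    return {
        "url": url,
        "scheme": parts.scheme,
        "host": host,          # what the browser actually connects to
        "userinfo": userinfo,  # what the victim was meant to read
        "reasons": reasons,
        "flagged": bool(reasons),
    }


SAMPLE_URLS = [
    "http://youtube@phish-example.zone/watch?v=abc",
    "http://youtube.com@phish-example.zone/watch?v=abc",
    "https://www.youtube.com/watch?v=abc",
    "https://phish-example.zone/@youtube.com",
    "https://svc:secret@intranet.example/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze(u)
        print("FLAG " if r["flagged"] else "ok   ", r["host"], "<-", r["userinfo"] or "-",
              ",".join(r["reasons"]))
```

The fourth sample shows the boundary that matters: an `@` after the first `/` is part of the path, not the authority, so it does not change the host. The last sample is a genuine `user:pass@host` link and is still flagged, because userinfo in an emailed http(s) link has no legitimate use today; severity rises when the userinfo looks like a hostname or carries a brand name, which is the pattern the post attributes to Tycoon 2FA, Mamba 2FA and EvilProxy.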