🚨 #XWorm is up +174% in Q4 25, while #Storm1747 increased its activity by 51%.

Explore major threats, TTPs, and APTs in our latest threat landscape report powered by data from 15K SOCs.

Use this intelligence now to prevent incidents later 👇
https://any.run/cybersecurity-blog/malware-trends-report-q4-2025/?utm_source=mastodon&utm_medium=post&utm_campaign=malware_trends_report_q4_2025&utm_term=070126&utm_content=linktoblog

#cybersecurity #infosec


🚨 Figma Abuse Leads to Microsoft-Themed #Phishing.
⚠️ Attackers are exploiting trusted platforms to bypass defenses. Among all phishing threats we tracked last month, #phishkits abusing Figma made up a significant share: #Storm1747 (49%), Mamba (25%), Gabagool (2%), and Other (24%).

🔍 This trend underscores the need to monitor abuse of trusted platforms that create blind spots in defenses and raise the risk of large-scale credential theft.

In this case, Figma prototypes were abused as phishing lures: a victim receives an email with a link to a “document” hosted on http://figma.com. Once opened, the prototype displays content that prompts a click on an embedded link. The chain continues through fake CAPTCHAs or even a legitimate Cloudflare Turnstile widget.

🔗 Execution chain:
Phishing email with a link ➡️ Figma document ➡️ Fake CAPTCHA or Cloudflare Turnstile widget ➡️ Phishing Microsoft login page

👨‍💻 See the full execution on a live system and download actionable report: https://app.any.run/tasks/5652b435-2336-4531-a33f-d81a733b3c63/?utm_source=mastodon&utm_medium=post&utm_campaign=figma_phishing&utm_term=240925&utm_content=linktoservice

📌 Why Figma? Public prototypes are easy to create and share, require no authentication, and come from a trusted domain. This combination makes it easier to bypass automated security controls, slip through email filters, and increase user interaction.

🎯 For CISOs, the abuse of widely trusted platforms creates critical monitoring gaps, while Microsoft impersonation elevates the risk of credential theft or account takeover, posing direct risks to business resilience and compliance.

SOC teams need the ability to trace redirect chains, uncover hidden payloads, and enrich detection rules with both static #IOCs and behavioral context.

🔍 Use this TI Lookup search query to expand threat visibility and enrich #IOCs with actionable threat context:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=figma_phishing&utm_content=linktoti&utm_term=240925#%7B%2522query%2522:%2522domainName:%255C%2522figma.com%255C%2522%2520AND%2520threatName:%255C%2522phishing%255C%2522%2522,%2522dateRange%2522:180%7D

IOCs:
9a4c7dcf25e9590654694063bc4958d58bcbe57e5e95d9469189db6873c4bb2c
Dataartnepal[.]com

Strengthen resilience and protect business continuity with #ANYRUN 🚀 #ExploreWithANYRUN

#cybersecurity #infosec

🚨 ALERT: Fake #YouTube links redirect to #phishing pages
Using the Uniform Resource Identifier (URI) authority component, phishers obfuscate links and place a legitimate resource address, like http://youtube, at the beginning of URLs to deceive users and make the link appear authentic and safe.

📌 The attackers are also abusing other services. We’ll keep monitoring and sharing the details with you, so your company can make effective decisions to address the threat.

Take a look at the example and gather #IOCs:
https://app.any.run/tasks/ace1b2b4-1c1a-4669-a3fc-231d473bc3b9/?utm_source=mastodon&utm_medium=post&utm_campaign=uri_phishing&utm_term=090125&utm_content=linktoservice

👨‍💻 Use this search request to find more sandbox sessions and improve the precision and efficiency of your organization's security response:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=uri_phishing&utm_content=linktoti&utm_term=090125#%7B%2522query%2522:%2522commandLine:%255C%2522youtube.com%2525%255C%2522%2522,%2522dateRange%2522:180%7D

Technically, the URI scheme replaces the userinfo field (user:pass) with a domain name: foo://<user:pass>@domain.zone

📝 Attributes
#Storm1747 domain infrastructure — checkers, redirectors and main pages — has a standard template for #Tycoon 2FA #phishkit installed.
The technique of replacing userinfo is also employed by various other phishing kits, such as #Mamba 2FA and #EvilProxy.

🚀 Analyze and investigate the latest #malware and phishing threats with ANYRUN

Linked analysis: 11.eml (MD5: 22C3F4BDD48227F846774A0198291843), verdict: malicious activity (ANY.RUN interactive analysis).
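The userinfo decoy described in the post above can be checked mechanically: split the URL's authority, pull out whatever sits before the "@", and compare it with the host the browser will actually connect to. The following is an added example written for this page, not ANY.RUN's own tooling; the sample links are constructed and use reserved .example domains, and the "decoy" heuristic (a userinfo that contains a dot but no colon) is an assumption about what a convincing fake looks like, not a rule from the post. Percent-encoded "@" (%40) is decoded before parsing so that both forms are flagged; that is a deliberately conservative analyst choice.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links (not from the original post). The first two carry a
# trusted-looking name in the userinfo field, the last two are ordinary links.
SAMPLE_LINKS = [
    "https://youtube.com@attacker-redirect.example/watch?v=login",
    "http://www.youtube.com%40attacker-redirect.example/verify",
    "https://www.youtube.com/watch?v=abc123",
    "https://user:secret@internal.example/repo.git",
]


def userinfo_decoy(url: str) -> dict:
    """Report the real host of a URL and whether its userinfo field looks like
    a hostname a reader could mistake for the destination.

    Returns {"real_host", "userinfo", "decoy"}.
    """
    # Decode once so an encoded '@' (%40) is treated like a literal one.
    # This is conservative on purpose: an analyst wants both spellings flagged.
    parts = urlsplit(unquote(url))
    # .hostname already discards userinfo (everything before the last '@'),
    # strips brackets and lowercases, so this is what a client would resolve.
    real_host = (parts.hostname or "").lower()
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    # A credential looks like "user:pass"; a decoy looks like "youtube.com".
    # A dot with no colon is therefore the shape of the trick in the post.
    looks_like_domain = "." in userinfo and ":" not in userinfo
    return {"real_host": real_host, "userinfo": userinfo, "decoy": looks_like_domain}


def scan_links(urls: list[str]) -> list[tuple[str, str]]:
    """Return (url, real_host) for every link whose userinfo is a decoy."""
    flagged = []
    for url in urls:
        result = userinfo_decoy(url)
        if result["decoy"]:
            flagged.append((url, result["real_host"]))
    return flagged


if __name__ == "__main__":
    for url, real_host in scan_links(SAMPLE_LINKS):
        shown = userinfo_decoy(url)["userinfo"]
        print(f"DECOY  shows '{shown}'  connects to '{real_host}'  <- {url}")
```

Run it over URLs extracted from an email body or a proxy log; anything reported as DECOY deserves the real_host, not the name before the "@", in the IOC list. Credential-style userinfo (user:pass) is left alone so legitimate authenticated links such as Git remotes are not flagged.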