๐จ ๐ช๐ต๐ ๐ฃ๐ต๐ถ๐๐ต๐ถ๐ป๐ด ๐ฆ๐๐ถ๐น๐น ๐๐ฒ๐๐ ๐ง๐ต๐ฟ๐ผ๐๐ด๐ต: ๐๐ฒ๐๐ฒ๐ฐ๐๐ถ๐ผ๐ป ๐๐ฎ๐ฝ๐ ๐ถ๐ป ๐ฅ๐ฒ๐ฑ๐ถ๐ฟ๐ฒ๐ฐ๐ & ๐๐๐ฃ๐ง๐๐๐ ๐๐น๐ผ๐๐
Redirect chains, fake CAPTCHA, and fast-changing delivery paths make traditional detection unreliable. By the time credentials are targeted, the signal is already lost, which creates a critical gap in triage. The key is detecting #phishing earlier, while patterns are still stable, before the flow fully unfolds.
โก๏ธ With #ANYRUN TI Lookup, teams can move from isolated indicators to full context, identify attack patterns, and validate detection logic against real attack data from 15K+ organizations.
๐ Here are two examples showing how early-stage signals help identify phishing activity before it escalates:
1๏ธโฃ ๐ฅ๐ฒ๐ฑ๐ถ๐ฟ๐ฒ๐ฐ๐ ๐ถ๐ป๐ณ๐ฟ๐ฎ๐๐๐ฟ๐๐ฐ๐๐๐ฟ๐ฒ
The chain starts from a Google link leading to a compromised site. A hidden HTML page extracts victim data from the URL fragment and triggers a redirect before any user interaction. Analysis session: https://app.any.run/tasks/05c1017e-397c-4cb9-a666-e715402a943a/?utm_source=mastodon&utm_medium=post&utm_campaign=redirect_and_captcha_phishing&utm_content=linktoservice&utm_term=230426
๐ In TI Lookup, this activity can be traced by searching for URL fragments containing the #...Family= parameter, which is used to pass victim data and drive redirection. This helps uncover similar samples and track reuse across campaigns.
โก๏ธ Use this query to pivot from this signal and uncover related activity: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=redirect_and_captcha_phishing&utm_content=linktotilookup&utm_term=230426#%7B%22query%22%3A%22url%3A%5C%22*%23%3F%3F%3F%3F%3F%3F%3F%3FFamily%3D*%5C%22%22%2C%22dateRange%22%3A180%7D
2๏ธโฃ ๐๐ฎ๐ธ๐ฒ ๐๐๐ฃ๐ง๐๐๐ ๐ฑ๐ฒ๐น๐ถ๐๐ฒ๐ฟ๐
After the initial redirect, the victim is presented with a legit-looking CAPTCHA to build trust before being redirected to a phishing page, a fake Microsoft login page powered by #EvilProxy. Analysis session: https://app.any.run/tasks/3ef22bb3-b331-4211-9526-b95c7b19d4ab/?utm_source=mastodon&utm_medium=post&utm_campaign=redirect_and_captcha_phishing&utm_content=linktoservice&utm_term=230426
๐ Detection here relies on consistent URL parameters (v, session, cid, iat, loc, build) that appear early in the execution chain. Searching for this structure helps surface related signals and build early-stage detection, reducing MTTD, improving coverage and MTTR.
โก๏ธ Use this query to surface related phishing activity and validate detection patterns: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=redirect_and_captcha_phishing&utm_content=linktotilookup&utm_term=230426#%7B%22query%22%3A%22url%3A%5C%22*%2F%5C%5C%3Fv%3D%3F%3F%3F%3F%26session%3D*%26cid%3D*%26iat%3D*%26loc%3D*%26build%3D*%5C%22%22%2C%22dateRange%22%3A60%7D
๐ ๐ฌ๐ผ๐ ๐ฐ๐ฎ๐ป ๐ป๐ผ๐ ๐๐ฒ๐๐ ๐ง๐โ๐ ๐ถ๐บ๐ฝ๐ฎ๐ฐ๐ ๐ผ๐ป ๐๐ฟ๐ถ๐ฎ๐ด๐ฒ, ๐ฟ๐ฒ๐๐ฝ๐ผ๐ป๐๐ฒ, ๐ฎ๐ป๐ฑ ๐๐ต๐ฟ๐ฒ๐ฎ๐ ๐ต๐๐ป๐๐ถ๐ป๐ด ๐ฑ๐ถ๐ฟ๐ฒ๐ฐ๐๐น๐ ๐ถ๐ป ๐๐ผ๐๐ฟ ๐๐ผ๐ฟ๐ธ๐ณ๐น๐ผ๐๐. With 20 premium search requests available, SOC and MSSP teams can validate activity against real-world data, reduce uncertainty, and make faster, evidence-based decisions.
โก๏ธ Learn how to integrate #ANYRUN Threat Intelligence into your SOC to strengthen detection and improve overall performance: https://any.run/cybersecurity-blog/expanded-free-ti-plan/?utm_source=mastodon&utm_medium=post&utm_campaign=redirect_and_captcha_phishing&utm_content=linktoblog&utm_term=230426
