Any.Run, a malware analysis service, disclosed details about a recent phishing attack targeting its employees. The incident came to light on June 18, when all staff members received a phishing email purportedly sent by another Any.Run employee. Although the attacker’s access was swiftly terminated, an investigation revealed that the attacker had been present undetected for several weeks.
The attack originated on May 23, 2024, when an employee in Any.Run’s sales team clicked on a link in an email from a purported client, which led to a compromised Microsoft phishing website. The employee unwittingly entered their login credentials and multi-factor authentication (MFA) code, granting the attacker access to their account.
Subsequently, the attacker added their own mobile device for continued access and installed an application to pilfer data from the victim’s email account. They maintained access until June 18, sending out phishing emails to contacts in the compromised employee’s address book. Fortunately, the malicious link was already known to Any.Run’s threat intelligence database from sandbox analysis sessions conducted by free users of the service.
Upon discovery, Any.Run promptly revoked the attacker’s access, enhanced security measures, and shared indicators of compromise (IoCs) to bolster detection efforts against similar threats. The incident is believed to be part of a broader business email compromise (BEC) campaign, underlining the ongoing vigilance needed to thwart sophisticated phishing attacks.