{"id":10021,"date":"2024-11-26T09:47:14","date_gmt":"2024-11-26T09:47:14","guid":{"rendered":"\/cybersecurity-blog\/?p=10021"},"modified":"2024-12-17T13:41:42","modified_gmt":"2024-12-17T13:41:42","slug":"investigating-phishing-threats","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/","title":{"rendered":"Investigating Phishing Threats with TI Lookup: Use Cases from an Expert"},"content":{"rendered":"\n<p>TI Lookup from <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> is a versatile tool for gathering up-to-date intelligence on the latest cyber threats. The best way to demonstrate its effectiveness is to hear from actual security professionals about how they use the service in their daily work.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This time, we asked <a href=\"https:\/\/x.com\/Jane_0sint\" target=\"_blank\" rel=\"noreferrer noopener\">Jane_0sint<\/a>, an accomplished network traffic analyst and the first ANY.RUN ambassador, for her real-world cases of using TI Lookup. Lucky for us, she agreed to share her insights and sent us a few examples, which include finding intel on phishing kits like Mamba2FA and Tycoon2FA.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About Threat Intelligence Lookup&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a> is a searchable hub for investigating malware and phishing attacks and collecting fresh cyber threat data. 
Powered by a massive public database of millions of samples analyzed in ANY.RUN&#8217;s Interactive Sandbox, it contains various <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-collect-iocs-in-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Indicators of Compromise <\/a>(IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs), from threats&#8217; network activity to system processes and beyond.&nbsp;<\/p>\n\n\n\n<p>The service provides you with extensive search capabilities, allowing you to create custom requests that feature different data points to home in on specific threats. It offers:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Quick Results<\/strong>: Searches for events and indicators from the past six months take just 5 seconds on average<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Unique Data<\/strong>: It contains over <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-search-parameters\/\" target=\"_blank\" rel=\"noreferrer noopener\">40 types of threat data<\/a>, including malicious IPs, URLs, command line contents, mutexes, and YARA rules<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Large Database<\/strong>: TI Lookup is updated daily with thousands of public samples uploaded to ANY.RUN\u2019s sandbox by a global community of over 500,000 security professionals<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n\nGet 20 free requests to test <span class=\"highlight\">TI Lookup<\/span>&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=phish_investigations_with_jane&#038;utm_term=261124&#038;utm_content=linktotiplans\/\" rel=\"noopener\" target=\"_blank\">\nContact us\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- 
Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Investigating the Mamba2FA Phishing Kit&nbsp;<\/h2>\n\n\n\n<p>Mamba2FA is a phishing kit that has seen a significant rise over the past several months. To investigate this threat and gather more context, we can utilize a typical URL pattern commonly found in its campaigns. 
This pattern follows the structure {domain}\/{m,n,o}\/?{Base64 string}.<\/p>\n\n\n\n<p>When translating this into an actual query for TI Lookup, we can use the following search string:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-196\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"196\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522%2520http*%255C%255C\/?%255C%255C\/%255C%255C?c3Y9%255C%2522%25C2%25A0%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522%2520http*%255C%255C\/?%255C%255C\/%255C%255C?c3Y9%255C%2522%25C2%25A0%2522,%2522dateRange%2522:180%7D\" data-link-text=\"commandLine:&quot; 
http*\\\/?\\\/\\?c3Y9&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot; http*\\\/?\\\/\\?c3Y9&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-196'>\ntable#wpdtSimpleTable-196{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-196 td, table.wpdtSimpleTable196 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Let\u2019s break down this query:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Asterisk (*): <\/strong>This wildcard matches any string of characters. Placed right after http, it covers both http and https as well as every domain used in Mamba2FA campaigns, so the search is not tied to a single host<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Question Mark (?):<\/strong> This wildcard matches exactly one character or none at all. There are two question marks in the query. The first is the wildcard standing in for the single-letter path segment, \u201cm\u201d, \u201cn\u201d, or \u201co\u201d, commonly seen in Mamba2FA URLs. The second is a literal part of the address (the start of the query string), so it is escaped with a backslash, \\?, to stop TI Lookup from reading it as a wildcard. The forward slashes are escaped the same way, as \\\/<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>c3Y9:<\/strong> This is the Base64-encoded parameter name found across Mamba2FA attacks. 
When decoded, it reads sv=, the parameter that selects the appearance of the phishing page<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"435\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-1024x435.png\" alt=\"\" class=\"wp-image-10022\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-1024x435.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-300x127.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-768x326.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-1536x652.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-2048x869.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-370x157.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-270x115.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image4-6-740x314.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup provides threat intel on all sandbox sessions with matching command line strings<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Submitting this query to TI Lookup returns plenty of matches, from the command lines containing the URLs to the sandbox sessions in which those command lines were logged.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"199\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image2-1.jpg\" alt=\"\" class=\"wp-image-10023\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image2-1.jpg 800w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image2-1-300x75.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image2-1-768x191.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image2-1-370x92.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image2-1-270x67.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image2-1-740x184.jpg 740w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\"><em>CyberChef recipe used for decoding the URL string<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can then collect the full URLs from the results, decode their Base64-encoded parts (a CyberChef recipe like the one above is enough) to reveal more about the attack, and extract the list of phishing domains from them.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Investigating the Tycoon2FA Phishing Kit&nbsp;<\/h2>\n\n\n\n<p>Tycoon2FA is another phishing kit, known for faking Microsoft authentication pages to steal victims\u2019 credentials. 
With the help of TI Lookup, we can collect plenty of intel on its latest samples and wider infrastructure.&nbsp;&nbsp;<\/p>\n\n\n\n<p>A good practice for constructing queries in TI Lookup is to link each condition of the query to specific features of the phishkit:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the phishkit hides its pages behind Cloudflare Turnstile, we add a condition for this;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If there is content encryption, we add a condition for the encryption library;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the phishing page stores content on a specific CDN (Content Delivery Network), we add a condition for that as well.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>An example of this query construction method for searching Tycoon2FA phishkit attacks can be seen below.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-197\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"197\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522filePath:%255C%2522crypto-js.min.js%255C%2522%2520AND%2520filePath:%255C%2522api.js%255C%2522%2520AND%2520domainName:%255C%2522ok4static.oktacdn.com%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522filePath:%255C%2522crypto-js.min.js%255C%2522%2520AND%2520filePath:%255C%2522api.js%255C%2522%2520AND%2520domainName:%255C%2522ok4static.oktacdn.com%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"filePath:&quot;crypto-js.min.js&quot; AND filePath:&quot;api.js&quot; AND domainName:&quot;ok4static.oktacdn.com&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">filePath:&quot;crypto-js.min.js&quot; AND filePath:&quot;api.js&quot; AND domainName:&quot;ok4static.oktacdn.com&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-197'>\ntable#wpdtSimpleTable-197{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-197 td, table.wpdtSimpleTable197 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>As noted, one of the signature features of this threat is the abuse of Cloudflare\u2019s Turnstile challenges as a barrier for automated security solutions. 
For the challenge to work, Tycoon2FA loads the library api.js.&nbsp;<\/p>\n\n\n\n<p>During the challenge, Tycoon2FA also loads another library, crypto-js.min.js, which it uses at later stages of the attack to encrypt its communication with the command-and-control center (C2).&nbsp;<\/p>\n\n\n\n<p>The phish kit also accesses elements stored on the legitimate domain ok4static[.]oktacdn[.]com and utilizes them to build phishing pages designed to imitate Microsoft\u2019s login pages.&nbsp;<\/p>\n\n\n\n<p>The two libraries and the domain make solid pieces of intel to pivot on using TI Lookup to find instances of Tycoon2FA attacks.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"446\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-1024x446.png\" alt=\"\" class=\"wp-image-10024\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-1024x446.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-300x131.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-768x335.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-1536x669.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-2048x893.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-370x161.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-270x118.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image5-5-740x322.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup pulls relevant threat data from sandbox sessions where both libraries were detected&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In response to the query, the service provides a list of 
matching events found in 20 sandbox sessions with decrypted HTTPS traffic over the past 180 days. File-path conditions such as these only match sessions in which TLS was decrypted in the sandbox, because the script names travel inside the encrypted stream. Queries built on domain names return more results, since domains are visible even in sessions whose traffic was not decrypted, but they need a larger number of conditions to stay specific. We can collect the information and open the sessions to observe the attacks as they unfolded in real time.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tracking APT-C-36 Phishing Campaigns&nbsp;<\/h2>\n\n\n\n<p>Threat Intelligence Lookup can be helpful in your investigations into campaigns that are attributed to advanced persistent threats (APTs).&nbsp;<\/p>\n\n\n\n<p>Consider the example of Blind Eagle, also known as APT-C-36, a group that targets Latin America. You can learn more about their activity in ANY.RUN\u2019s article on the <a href=\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2024\/\" target=\"_blank\" rel=\"noreferrer noopener\">threats discovered in October 2024<\/a>.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Knowing that APT-C-36 uses phishing emails with attachments that contain malware, such as <a href=\"https:\/\/any.run\/malware-trends\/asyncrat\" target=\"_blank\" rel=\"noreferrer noopener\">AsyncRAT<\/a> and <a href=\"https:\/\/any.run\/malware-trends\/remcos\" target=\"_blank\" rel=\"noreferrer noopener\">Remcos<\/a>, and targets LATAM countries like Colombia, we can put together a TI Lookup query to find more samples related to their attacks:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-198\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"198\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    
<tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522OUTLOOK.EXE%255C%2522%2520and%2520submissionCountry:%255C%2522Co%255C%2522%2520and%2520commandLine:%255C%2522WinRAR%255C%2522%2520and%2520threatLevel:%255C%2522malicious%255C%2522%2520AND%2520threatName:%255C%2522rat%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522OUTLOOK.EXE%255C%2522%2520and%2520submissionCountry:%255C%2522Co%255C%2522%2520and%2520commandLine:%255C%2522WinRAR%255C%2522%2520and%2520threatLevel:%255C%2522malicious%255C%2522%2520AND%2520threatName:%255C%2522rat%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"commandLine:&quot;OUTLOOK.EXE&quot; and submissionCountry:&quot;Co&quot; and commandLine:&quot;WinRAR&quot; and threatLevel:&quot;malicious&quot; AND threatName:&quot;rat&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" 
data-link-content=\"wpdt-link-content\">commandLine:&quot;OUTLOOK.EXE&quot; and submissionCountry:&quot;Co&quot; and commandLine:&quot;WinRAR&quot; and threatLevel:&quot;malicious&quot; AND threatName:&quot;rat&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-198'>\ntable#wpdtSimpleTable-198{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-198 td, table.wpdtSimpleTable198 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"582\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-1024x582.png\" alt=\"\" class=\"wp-image-10026\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-1024x582.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-768x436.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-1536x873.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8-740x420.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image3-8.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Results for the query investigating APT-C-36<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The service provides 100 sandbox sessions that match our request along with events from those sessions.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"581\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-1024x581.png\" alt=\"\" class=\"wp-image-10027\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-1024x581.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-768x436.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-1536x872.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5-740x420.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image6-5.png 1855w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>One of the phishing emails containing an AsyncRAT payload discovered via TI Lookup<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Among them, we can find samples of <a href=\"https:\/\/app.any.run\/tasks\/7c22d510-81c6-421f-b5e3-a068f3cc9bf7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">actual phishing emails<\/a> belonging to Blind Eagle\u2019s campaigns which were publicly uploaded to ANY.RUN\u2019s sandbox for analysis by users in Colombia.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Identifying Phishing Attacks Abusing Microsoft\u2019s Infrastructure&nbsp;<\/h2>\n\n\n\n<p>Another useful way to utilize TI Lookup is to proactively research phishing attacks that use legitimate resources to access content as legitimate account login pages do. 
For example, attackers often pull assets served from the Azure Content Delivery Network (CDN), such as background images or login-form elements, so that the fake page looks like the real one.<\/p>\n\n\n\n<p>To find such cases with TI Lookup, you can search for the Azure CDN domain. However, it\u2019s important to filter out benign sessions, since legitimate Microsoft logins contact the same CDN. You can do this by excluding Microsoft\u2019s own domains from the query with the NOT operator and restricting the threat level to &#8220;suspicious.&#8221; You can add further exclusions as needed to remove unrelated submissions from the results.&nbsp;<\/p>\n\n\n\n<p>We can also include parameters with empty values. This tells the service to list every value of that parameter observed in the matching sessions. <\/p>\n\n\n\n<p>Adding domainName:&quot;&quot; and suricataMessage:&quot;&quot; will display all domains and Suricata messages found across sandbox sessions that match our query.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-199\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"199\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522aadcdn.ms*auth.net%255C%2522%2520AND%2520threatLevel:%255C%2522suspicious%255C%2522%2520AND%2520NOT%2520domainName:%255C%2522.microsoftonline.%255C%2522%2520AND%2520suricataMessage:%255C%2522%255C%2522%2520AND%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522aadcdn.ms*auth.net%255C%2522%2520AND%2520threatLevel:%255C%2522suspicious%255C%2522%2520AND%2520NOT%2520domainName:%255C%2522.microsoftonline.%255C%2522%2520AND%2520suricataMessage:%255C%2522%255C%2522%2520AND%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:&quot;aadcdn.ms*auth.net&quot; AND threatLevel:&quot;suspicious&quot; AND NOT domainName:&quot;.microsoftonline.&quot; AND suricataMessage:&quot;&quot; AND domainName:&quot;&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">domainName:&quot;aadcdn.ms*auth.net&quot; AND threatLevel:&quot;suspicious&quot; AND NOT domainName:&quot;.microsoftonline.&quot; AND suricataMessage:&quot;&quot; AND domainName:&quot;&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-199'>\ntable#wpdtSimpleTable-199{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-199 td, table.wpdtSimpleTable199 th { white-space: normal 
!important; }\n<\/style>\n\n\n\n\n<p>In response to our query, TI Lookup provides extensive threat data, including the Suricata rules that were triggered during analysis.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"303\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1024x303.png\" alt=\"\" class=\"wp-image-10028\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1024x303.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-300x89.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-768x227.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-1536x454.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-2048x606.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-370x109.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-270x80.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imaged-740x219.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rules that match our query<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can also observe all the domains in sessions involving phishing attacks. 
We can collect them and examine each of them separately to check if they are used as part of attackers\u2019 infrastructure.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"528\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-1024x528.png\" alt=\"\" class=\"wp-image-10029\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-1024x528.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-300x155.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-768x396.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-1536x791.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-2048x1055.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-370x191.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-270x139.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagee-740x381.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Apart from domains, TI Lookup also presents IP addresses and URLs<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We also get a list of sandbox sessions that feature examples of actual phishing attacks abusing Microsoft\u2019s infrastructure.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"572\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1024x572.png\" alt=\"\" class=\"wp-image-10031\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1024x572.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-300x168.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-768x429.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-1536x859.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef-740x414.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagef.png 1848w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox sessions that match our request<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s explore one of them in greater detail.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-1024x570.png\" alt=\"\" class=\"wp-image-10032\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-1536x855.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2-740x412.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/image10-2.png 1828w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule displayed in the ANY.RUN 
sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In <a href=\"https:\/\/app.any.run\/tasks\/f3c848e8-e1fe-43b6-b20f-3a3862e0a230\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this session<\/a> we can see a Suricata rule that indicates a request to Azure\u2019s content delivery network. &nbsp;<\/p>\n\n\n\n<p>You can build upon this search by adding a commandLine parameter. Specifically, we can tell the service to look for command lines that include URLs with the # anchor, which attackers use to add a victim\u2019s email address.&nbsp;<\/p>\n\n\n\n<p>To find results with URLs containing email addresses, include the @ symbol in your query.
Use the * wildcard to account for any characters between the anchor and the @ symbol.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-200\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"200\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22aadcdn.ms*auth.net%5C%22%20and%20commandLine:%5C%22http*#*@*.*%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22aadcdn.ms*auth.net%5C%22%20and%20commandLine:%5C%22http*#*@*.*%5C%22%22,%22dateRange%22:180}\" data-link-text=\"domainName:&quot;aadcdn.ms*auth.net&quot; and commandLine:&quot;http*#*@*.*&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" 
data-link-content=\"wpdt-link-content\">domainName:&quot;aadcdn.ms*auth.net&quot; and commandLine:&quot;http*#*@*.*&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-200'>\ntable#wpdtSimpleTable-200{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-200 td, table.wpdtSimpleTable200 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-1024x579.png\" alt=\"\" class=\"wp-image-10033\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/11\/imagea-1.png 1839w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Command line data logged during ANY.RUN sandbox sessions&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Apart from relevant sandbox sessions, the service returns a list of command lines extracted from them, allowing us to see the URLs used by attackers that embed victims\u2019 email addresses.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN\u2019s&nbsp;<a
href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mitre_ttps_in_ti_lookup&amp;utm_term=211124&amp;utm_content=linktotilanding\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>&nbsp;services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What\u2019s impressive is how fast these scans are\u2014they significantly speed up the analysis process, allowing for quick detection of threats and malware.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktotiplans\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN\u2019s Threat Intelligence Lookup for free \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TI Lookup from ANY.RUN is a versatile tool for gathering up-to-date intelligence on the latest cyber threats. 
The best way to demonstrate its effectiveness is to hear from actual security professionals about how they use the service in their daily work.&nbsp;&nbsp; This time, we asked Jane_0sint, an accomplished network traffic analyst and the first ANY.RUN [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":10064,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34,40],"class_list":["post-10021","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Investigating Phishing Threats: Use Cases from an Expert<\/title>\n<meta name=\"description\" content=\"Discover real-world cases of using TI Lookup to find and collect intel on phishing kits like Mamba2FA and Tycoon2FA and other cyber threats.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jane\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\"},\"author\":{\"name\":\"Jane\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Investigating Phishing Threats with TI Lookup: Use Cases from an Expert\",\"datePublished\":\"2024-11-26T09:47:14+00:00\",\"dateModified\":\"2024-12-17T13:41:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\"},\"wordCount\":1602,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\",\"name\":\"Investigating Phishing Threats: Use Cases from an Expert\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-11-26T09:47:14+00:00\",\"dateModified\":\"2024-12-17T13:41:42+00:00\",\"description\":\"Discover real-world cases of using TI Lookup to find and collect intel on phishing kits like Mamba2FA and Tycoon2FA and other cyber 
threats.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Investigating Phishing Threats with TI Lookup: Use Cases from an Expert\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jane\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane.jpg\",\"caption\":\"Jane\"},\"description\":\"I'm ANY.RUN ambassador and a real network traffic numismatist. I also love penguins and tortoises. My motto is to do good and throw it into the sea.\",\"sameAs\":[\"https:\/\/any.run\/\"],\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Investigating Phishing Threats: Use Cases from an Expert","description":"Discover real-world cases of using TI Lookup to find and collect intel on phishing kits like Mamba2FA and Tycoon2FA and other cyber threats.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/","twitter_misc":{"Written by":"Jane","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/"},"author":{"name":"Jane","@id":"https:\/\/any.run\/"},"headline":"Investigating Phishing Threats with TI Lookup: Use Cases from an Expert","datePublished":"2024-11-26T09:47:14+00:00","dateModified":"2024-12-17T13:41:42+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/"},"wordCount":1602,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","malware behavior"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/","url":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/","name":"Investigating Phishing Threats: Use Cases from an Expert","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-11-26T09:47:14+00:00","dateModified":"2024-12-17T13:41:42+00:00","description":"Discover real-world cases of using TI Lookup to find and collect intel on phishing kits like Mamba2FA and Tycoon2FA and other cyber 
threats.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"Investigating Phishing Threats with TI Lookup: Use Cases from an Expert"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Jane","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane.jpg","caption":"Jane"},"description":"I'm ANY.RUN ambassador and a real network traffic numismatist. I also love penguins and tortoises. 
My motto is to do good and throw it into the sea.","sameAs":["https:\/\/any.run\/"],"url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10021"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=10021"}],"version-history":[{"count":29,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10021\/revisions"}],"predecessor-version":[{"id":10511,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10021\/revisions\/10511"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/10064"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=10021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=10021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=10021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}