{"id":13944,"date":"2025-05-28T12:31:53","date_gmt":"2025-05-28T12:31:53","guid":{"rendered":"\/cybersecurity-blog\/?p=13944"},"modified":"2025-06-03T05:38:12","modified_gmt":"2025-06-03T05:38:12","slug":"how-to-investigate-phishing-attacks","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/","title":{"rendered":"How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN\u00a0"},"content":{"rendered":"\n<p>Phishing attacks have become a pervasive and escalating threat across various industries, notably in finance, manufacturing, and healthcare. For <a href=\"https:\/\/any.run\/cybersecurity-blog\/expertware-success-story\/\" target=\"_blank\" rel=\"noreferrer noopener\">Managed Security Service Providers<\/a> (MSSPs), the challenge lies in swiftly identifying and mitigating these threats to safeguard client infrastructures and uphold service integrity.&nbsp;<\/p>\n\n\n\n<p>This case study explores how ANY.RUN\u2019s <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> can empower MSSPs to detect, investigate, and respond to phishing attacks more effectively. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About the Case Study<\/h2>\n\n\n\n<p>As an example, we&#8217;ll use a payload from Delivr.to (a platform designed to help organizations assess and enhance their email security by simulating real-world threats). 
We&#8217;ll see how Threat Intelligence Lookup and Interactive Sandbox help with: &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Access to real-world phishing samples<\/strong>: Use our <a href=\"http:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktoti\" target=\"_blank\" rel=\"noreferrer noopener\">extensive threat database<\/a> to study current phishing samples, simulate email filter bypasses, and prepare more resilient defenses.\u00a0<\/li>\n<li><strong>Deep behavior analysis<\/strong>: Examine samples in the sandbox to uncover <a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs, IOBs, IOAs,<\/a> TTPs, and link attacks to specific malware families and threat actors.&nbsp;<\/li>\n<li><strong>Targeted threat discovery<\/strong>: Search phishing samples by country, time period, and known artifacts.<\/li>\n<li><strong>Training and awareness<\/strong>: Use real phishing cases to educate your team and clients, improving detection and response readiness.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s begin.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introducing the payload&nbsp;<\/h2>\n\n\n\n<p>We have chosen the HTML file Electronic_Receipt_ATT0001.htm from the payload sample library of Delivr.to. 
&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"929\" height=\"539\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-23.png\" alt=\"\" class=\"wp-image-13946\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-23.png 929w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-23-300x174.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-23-768x446.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-23-370x215.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-23-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-23-740x429.png 740w\" sizes=\"(max-width: 929px) 100vw, 929px\" \/><figcaption class=\"wp-element-caption\"><em>Payload\u2019s credentials via Delivr.to<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The attachment\u2019s description contains its ID, hash sum, payload chain deployment steps, and the tags describing the attack chain scenario. &nbsp;<\/p>\n\n\n\n<p>Such payloads are meant to be emailed in order to put to test corporate cybersecurity policies. However, a full-fledged understanding of a threat implies not only the detection of email filters bypass, but a full analysis of an activated payload behavior. This is why we shall use ANY.RUN\u2019s TI Lookup to search for this HTML file. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. Detecting the payload in malware campaigns&nbsp;<\/h2>\n\n\n\n<p>Our request to TI Lookup includes the parameter indicating an attached file and the file\u2019s name. 
&nbsp;<br>&nbsp;<br><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktolookup#%257B%2522query%2522:%2522filePath:%255C%2522Electronic_Receipt_ATT0001%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;Electronic_Receipt_ATT0001&#8243;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"734\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-1024x734.png\" alt=\"\" class=\"wp-image-13955\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-1024x734.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-300x215.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-768x550.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-1536x1101.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-2048x1468.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-370x265.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-270x194.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2-2-740x530.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The test attachment is often found in malware samples<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>21 malware samples containing this payload have been discovered in TI Lookup at the moment. 
Besides providing links to the samples and their analyses, TI Lookup highlights the fact that most samples featuring our benign file have been tagged as malicious and attributed to the Tycoon phishing kit, distributed as Phishing-as-a-Service (PhaaS).&nbsp;<\/p>\n\n\n\n<p>This means that the chosen payload is actually employed in real phishing campaigns. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Expanding the malware research&nbsp;<\/h2>\n\n\n\n<p>We can also search for other payloads related to Tycoon\u2019s activity. The search query combines the name of the process \u201coutlook.exe\u201d \u2014 used when opening emails \u2014 and the threat name \u201ctycoon\u201d. As a result, we obtain a broad set of analyses containing various malicious attachment variants associated with Tycoon. This allows us to analyze real-world examples of phishing campaigns and identify recurring delivery patterns.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktolookup#%257B%2522query%2522:%2522commandLine:%255C%2522outlook.exe%255C%2522%2520and%2520threatName:%255C%2522tycoon%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:&#8221;outlook.exe&#8221; and threatName:&#8221;tycoon&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"662\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-1024x662.png\" alt=\"\" class=\"wp-image-13957\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-1024x662.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-300x194.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-768x497.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-1536x994.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-2048x1325.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-370x239.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-270x175.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3-2-740x479.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>Phishing samples with Tycoon payloads in the Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN provides not only attribution to a specific threat but also an overview of the activity landscape \u2014 including the number of related samples analyzed by the professional community, the timeframe of the payload\u2019s usage, and the frequency of its appearance. The most recent sample featuring Electronic_Receipt_ATT0001.htm, as of the time of analysis, is dated May 27, 2025, which helps assess the threat\u2019s current relevance. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Watching the malware in action&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s conduct a more detailed analysis of the payload in the ANY.RUN Sandbox. We\u2019ll view <a href=\"https:\/\/app.any.run\/tasks\/2e57a063-07dd-4518-a888-425ba674ae42\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">one of the malware analyses<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"588\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-1024x588.png\" alt=\"\" class=\"wp-image-13959\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-1024x588.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-768x441.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-1536x883.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-2048x1177.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-370x213.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4-2-740x425.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A sandbox analysis of Tycoon malware sample with phishing email<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>First of all, we can explore malicious email information. The recipient\u2019s address helps identify the likely aim of the attack and the organization it may have been directed against. The email subject is also available, and in some cases, its context\u2014allowing us to assess the social engineering tactics used by the attacker to persuade the recipient to open up the malicious attachment.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"872\" height=\"280\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-3.png\" alt=\"\" class=\"wp-image-13961\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-3.png 872w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-3-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-3-768x247.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-3-370x119.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-3-270x87.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-3-740x238.png 740w\" sizes=\"(max-width: 872px) 100vw, 872px\" \/><figcaption class=\"wp-element-caption\"><em>Email subject and attachment signaling phishing<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Detailed email header information can be retrieved from the Static Discovering tab:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter 
size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"244\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-4.png\" alt=\"\" class=\"wp-image-13962\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-4.png 830w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-4-300x88.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-4-768x226.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-4-370x109.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-4-270x79.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-4-740x218.png 740w\" sizes=\"(max-width: 830px) 100vw, 830px\" \/><figcaption class=\"wp-element-caption\"><em>Traces to Tycoon\u2019s victimology<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The email recipient\u2019s address \u2014 fsp@mycoastlifecu.com \u2014&nbsp;belongs to CoastLife Credit Union, a U.S.-based financial institution, which is confirmed by its presence on the company\u2019s official website.&nbsp;<\/p>\n\n\n\n<p>The use of a legitimate corporate email as the recipient suggests that this attachment was part of an actual phishing campaign targeting employees of financial organizations. 
This, in turn, indicates the attackers\u2019 likely focus \u2014 U.S.-based companies providing banking or financial services.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"492\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4.png\" alt=\"\" class=\"wp-image-13963\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4.png 962w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4-768x393.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-4-740x378.png 740w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><figcaption class=\"wp-element-caption\"><em>The attack\u2019s illustrative target<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>&#8220;Authentication-Results\u201d indicates that the email failed SPF verification. Specifically, it shows that the sender&#8217;s IP address 141.95.114.239 was not authorized to send emails on behalf of the domain greengrowersinc.com. 
This data confirms sender spoofing and identifies the specific IP address involved in the email campaign.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"130\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-4.png\" alt=\"\" class=\"wp-image-13965\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-4.png 886w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-4-300x44.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-4-768x113.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-4-370x54.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-4-270x40.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-4-740x109.png 740w\" sizes=\"(max-width: 886px) 100vw, 886px\" \/><figcaption class=\"wp-element-caption\"><em>Further evidence of malicious behavior: authentication failed<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">5. Performing interactive analysis&nbsp;<\/h2>\n\n\n\n<p>On executing the malicious HTML attachment in the ANY.RUN environment, we can observe the phishing page that loads upon its activation. The execution triggers the download of a webpage hosted on the domain nq.jrerqaoiha.ru, which looks like a typical part of malicious infrastructure. Moreover, a Microsoft authentication page appearing on a .ru domain is highly unusual and suggests a fraudulent scheme.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"493\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-3.png\" alt=\"\" class=\"wp-image-13967\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-3.png 936w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-3-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-3-768x405.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-3-370x195.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-3-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-3-740x390.png 740w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><figcaption class=\"wp-element-caption\"><em>A typical phishing page impersonating Microsoft corporate login<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The page mimics a Microsoft Excel login form with official Microsoft branding. The interface prompts the user to enter their credentials, suggesting an attempt at credential harvesting.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"424\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/imagea-1.png\" alt=\"\" class=\"wp-image-13969\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/imagea-1.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/imagea-1-300x204.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/imagea-1-370x251.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/imagea-1-270x183.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\"><em>Malware\u2019s network activity details with IOCs<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The \u201cNetwork \u2192 Threats\u201d tab shows detected <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\">network threats<\/a>. For each recorded activity, you can view detailed detection results based on Suricata IDS, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Signature description&nbsp;<\/li>\n<li>Protocol used&nbsp;<\/li>\n<li>Relevant IP addresses and ports&nbsp;<\/li>\n<li>MITRE ATT&amp;CK technique mapping. In this case, a connection to the domain nq.jrerqaoiha.ru, classified as part of the Tycoon2FA phishing kit, was linked to the T1566 (Phishing) technique and tagged as Potential Social Engineering. 
&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>These steps, which cover several analytical aspects critical for cybersecurity professionals, demonstrate how ANY.RUN enables in-depth research of phishing attacks, which is highly relevant for most MSSP companies.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Integrate ANY.RUN&#8217;s Solutions in Your MSSP<\/strong><\/h2>\n\n\n\n<p>Integrating ANY.RUN\u2019s Threat Intelligence Lookup and Interactive Sandbox into your MSSP operations equips you with advanced tools to combat phishing and other cyber threats efficiently.<\/p>\n\n\n\n<p>These solutions deliver precise, actionable intelligence to ensure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger Client Protection:<\/strong> Proactively investigate and identify malware and phishing attacks using ANY.RUN&#8217;s services to take faster actions for safeguarding clients&#8217; infrastructure.<\/li>\n\n\n\n<li><strong>Accelerated Research<\/strong>: Uncover extensive context on any threat, slashing threat investigation time and enabling faster analyst response.&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Maximized ROI<\/strong>: Speed up triage and response with TI Lookup and the Interactive Sandbox to prevent incidents faster and avoid financial and reputational losses.&nbsp;&nbsp;&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>In-depth Threat Analysis<\/strong>: Leverage ANY.RUN&#8217;s Interactive Sandbox for real-time detonation and analysis of malicious files and URLs missed by automated systems.&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Streamlined SOC Processes<\/strong>: Take advantage of 2-second searches to reduce triage, investigation, and response times, enhancing team productivity.<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Get a 14-day trial of ANY.RUN&#8217;s solutions<\/a> 
and see how much faster and deeper your threat investigations can be.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN&#8217;s <a href=\"http:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktoti\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_lookup_for_mssps&amp;utm_term=280525&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> offer robust solutions for analyzing and preventing phishing attacks. The services enable MSSPs to conduct in-depth behavioral analyses of suspicious emails and attachments, identify indicators of compromise, and attribute threats to specific malicious actors. By integrating these capabilities into their security operations, MSSPs can enhance their threat detection and response times, providing clients with proactive defense mechanisms against phishing threats.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phishing attacks have become a pervasive and escalating threat across various industries, notably in finance, manufacturing, and healthcare. 
For Managed Security Service Providers (MSSPs), the challenge lies in swiftly identifying and mitigating these threats to safeguard client infrastructures and uphold service integrity.&nbsp; This case study explores how ANY.RUN\u2019s Threat Intelligence Lookup and Interactive Sandbox can [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":13992,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,34,40],"class_list":["post-13944","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How MSSPs Can Analyze and Investigate Phishing Attacks<\/title>\n<meta name=\"description\" content=\"See a case study on how MSSPs can track down active phishing campaigns, identify their targets, and collect IOCs with ANY.RUN.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"4OURUP\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/\"},\"author\":{\"name\":\"4OURUP\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN\u00a0\",\"datePublished\":\"2025-05-28T12:31:53+00:00\",\"dateModified\":\"2025-06-03T05:38:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/\"},\"wordCount\":1336,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/\",\"name\":\"How MSSPs Can Analyze and Investigate Phishing Attacks\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-05-28T12:31:53+00:00\",\"dateModified\":\"2025-06-03T05:38:12+00:00\",\"description\":\"See a case study on how MSSPs can track down active phishing campaigns, identify their targets, and collect IOCs with 
ANY.RUN.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"4OURUP\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg\",\"caption\":\"4OURUP\"},\"description\":\"I research malicious activity, attack tactics, and techniques. I analyze cyber threats, process data, and help stay one step ahead of adversaries.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How MSSPs Can Analyze and Investigate Phishing Attacks","description":"See a case study on how MSSPs can track down active phishing campaigns, identify their targets, and collect IOCs with ANY.RUN.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/","twitter_misc":{"Written by":"4OURUP","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/"},"author":{"name":"4OURUP","@id":"https:\/\/any.run\/"},"headline":"How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN\u00a0","datePublished":"2025-05-28T12:31:53+00:00","dateModified":"2025-06-03T05:38:12+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/"},"wordCount":1336,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/","url":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/","name":"How MSSPs Can Analyze and Investigate Phishing Attacks","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-05-28T12:31:53+00:00","dateModified":"2025-06-03T05:38:12+00:00","description":"See a case study on how MSSPs can track down active phishing campaigns, identify their targets, and collect IOCs with 
ANY.RUN.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-phishing-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"4OURUP","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg","caption":"4OURUP"},"description":"I research malicious activity, attack tactics, and techniques. 
I analyze cyber threats, process data, and help stay one step ahead of adversaries.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13944"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=13944"}],"version-history":[{"count":36,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13944\/revisions"}],"predecessor-version":[{"id":13997,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13944\/revisions\/13997"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/13992"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=13944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=13944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=13944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}