{"id":18224,"date":"2026-02-03T09:41:32","date_gmt":"2026-02-03T09:41:32","guid":{"rendered":"\/cybersecurity-blog\/?p=18224"},"modified":"2026-02-06T09:31:34","modified_gmt":"2026-02-06T09:31:34","slug":"enterprise-phishing-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/","title":{"rendered":"Enterprise\u00a0Phishing:\u00a0How\u00a0Attackers\u00a0Abuse Trusted\u00a0Microsoft\u00a0&amp;\u00a0Google\u00a0Platforms\u00a0"},"content":{"rendered":"\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis%20&amp;utm_term=030226&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;observes&nbsp;a&nbsp;growing trend&nbsp;of&nbsp;phishing kit infrastructure&nbsp;being&nbsp;hosted on legitimate cloud and CDN platforms,&nbsp;rather than on&nbsp;newly registered&nbsp;domains.&nbsp;These campaigns&nbsp;often&nbsp;target enterprise users&nbsp;specifically, creating a global threat to businesses.&nbsp;The shift creates serious visibility&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/solving-soc-challenges-with-ti\/\" target=\"_blank\" rel=\"noreferrer noopener\">challenges for security teams<\/a>, as trusted platforms and valid indicators shield malicious activity from detection.&nbsp;<\/p>\n\n\n\n<p>For a deeper dive, read on and see the breakdown of such cases, along with tips on what works and what&nbsp;doesn\u2019t.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key&nbsp;Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modern phishing campaigns increasingly rely on<strong>&nbsp;trusted cloud infrastructure<\/strong>, not disposable domains.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AiTM&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/phishkit-attacks-101\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing 
kits<\/a>&nbsp;dominate&nbsp;<strong>enterprise-targeted attacks<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloudflare, Microsoft Azure, Google Firebase, and AWS are&nbsp;frequently&nbsp;abused.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Traditional IOCs like IPs, TLS fingerprints, and certificates are becoming&nbsp;<strong>unreliable<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intel-board-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Continuous threat intelligence<\/strong><\/a>&nbsp;and&nbsp;<strong>behavioral&nbsp;analysis<\/strong>&nbsp;are&nbsp;critical for detection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Enterprises Under Fire:&nbsp;AiTM Kits&nbsp;and&nbsp;Cloudflare&nbsp;Abuse&nbsp;<\/h2>\n\n\n\n<p>The most widespread and dangerous phishing campaigns&nbsp;today are powered by&nbsp;AiTM&nbsp;(Adversary-in-the-Middle) kits. 
These&nbsp;toolsets enable&nbsp;phishing attacks in which threat actors&nbsp;act as&nbsp;a&nbsp;proxy between the victim and&nbsp;a&nbsp;legitimate&nbsp;service.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-1024x566.png\" alt=\"\" class=\"wp-image-18231\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/image3-9-2048x1132-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Multi-stage attack unraveled inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>A typical&nbsp;phishkit&nbsp;attack starts with an email&nbsp;containing&nbsp;a 
link&nbsp;(including in the form of a QR code)&nbsp;leading to the attackers\u2019 infrastructure.&nbsp;Most campaigns also involve a CAPTCHA challenge&nbsp;and a string of redirects&nbsp;as a means to avoid detection by AVs and static systems. This advanced evasion leads to a high rate of missed attacks for organizations, which suffer data theft&nbsp;as a result.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-1024x547.png\" alt=\"\" class=\"wp-image-18316\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-1024x547.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-768x410.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-1536x821.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks-740x396.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/new_phishing_attacks.png 1841w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s Interactive Sandbox ensures fast detection of phishing attacks<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis%20&amp;utm_term=030226&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer 
noopener\">ANY.RUN\u2019s&nbsp;Interactive Sandbox<\/a>&nbsp;provides security teams with the capabilities to quickly detect&nbsp;phishkit&nbsp;attacks thanks to interactive analysis. In&nbsp;addition&nbsp;to static detection, the sandbox lets SOC analysts&nbsp;safely&nbsp;follow the entire&nbsp;attack chain in an isolated VM and&nbsp;go past all the evasion layers to reveal the final malicious credential theft page or payload.&nbsp;<\/p>\n\n\n\n<p>The result for businesses that have adopted ANY.RUN\u2019s solutions in their infrastructure is&nbsp;a lower risk of a data breach and a more effective SOC team that can quickly&nbsp;identify&nbsp;phishing attempts with a high degree of certainty.&nbsp;<\/p>\n\n\n\n<p>The top&nbsp;three&nbsp;most active&nbsp;phishing kits&nbsp;remain&nbsp;stable&nbsp;quarter to quarter. The list&nbsp;features:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/tycoon\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon2FA<\/a>:&nbsp;Phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/sneaky2fa\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sneaky2FA<\/a>:\u00a0Adversary-in-the-Middle (AiTM) threat used in Business Email Compromise (BEC) attacks.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/evilproxy\/\" target=\"_blank\" rel=\"noreferrer noopener\">EvilProxy<\/a>: Reverse-proxy phishing kit, often used for&nbsp;account&nbsp;takeover attacks aimed at high-ranking executives.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Mostly these campaigns&nbsp;are hosted&nbsp;behind&nbsp;Cloudflare&nbsp;CDN infrastructure.&nbsp;You can find&nbsp;live&nbsp;examples&nbsp;using&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Lookup<\/a>&nbsp;with queries like these:&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktolookup\/#{%22query%22:%22threatName:%5C%22tycoon%5C%22%20AND%C2%A0destinationIpAsn:%5C%22cloudflarenet%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;tycoon&quot; AND destinationIpAsn:&quot;cloudflarenet&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"505\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-1024x505.png\" alt=\"\" class=\"wp-image-18275\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-1024x505.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-1536x757.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-370x182.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare-740x365.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/cloud_flare.png 1842w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Threat Intelligence Lookup results for Tycoon threats abusing Cloudflare<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Use TI Lookup to strengthen alert triage and proactive threat hunting:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Accelerate detection and response:&nbsp;<\/strong>Correlate alerts with real-time threat intelligence to reduce 
triage time and missed threats.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improve threat visibility:&nbsp;<\/strong>Gain deeper insight into emerging malware and attack trends across industries.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stay ahead of risk:&nbsp;<\/strong>Proactively&nbsp;monitor&nbsp;relevant threats with automated alerts and expert intelligence reports.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why 
Threat Actors Choose Cloudflare&nbsp;<\/h2>\n\n\n\n<p>For threat actors,&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/cloudflare-phishing-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cloudflare<\/a>&nbsp;abuse offers critical advantages:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Complicated detection:&nbsp;<\/strong>Cloudflare&nbsp;operates as&nbsp;both&nbsp;a CDN and a reverse&nbsp;proxy.&nbsp;The&nbsp;real&nbsp;origin&nbsp;server (often a&nbsp;VPS) is hidden behind&nbsp;Cloudflare\u2019s&nbsp;IP addresses.&nbsp;SOC&nbsp;analysts&nbsp;only see a trusted Cloudflare&nbsp;ASN, valid HTTPS, and&nbsp;ordinary&nbsp;CDN traffic.&nbsp;The&nbsp;origin&nbsp;IP&nbsp;can\u2019t&nbsp;be scanned, blocked, or&nbsp;easily&nbsp;linked to other campaigns.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resistance to&nbsp;blocking and takedowns:&nbsp;<\/strong>Cloudflare\u2019s IPs are&nbsp;nearly impossible&nbsp;to block without&nbsp;significant disruption.&nbsp;If&nbsp;a malicious domain&nbsp;is taken down, threat actors can&nbsp;register a new one right away&nbsp;and&nbsp;hide it behind Cloudflare&nbsp;just the same,&nbsp;without changing the basic&nbsp;infrastructure.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Built-in&nbsp;anti-analysis&nbsp;techniques:<\/strong>&nbsp;Even in mass mailing cases, the CDN helps sustain the activity and lowers the risk of the VPS being taken down.&nbsp;It also provides easy-to-use anti-analysis and access control techniques, such as CAPTCHA, Turnstile,&nbsp;geofencing,&nbsp;ASN and User-Agent filtering, and&nbsp;blocking of&nbsp;automated scanners and sandboxes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Because TLS termination&nbsp;happens&nbsp;at Cloudflare, SSL certificates&nbsp;and TLS&nbsp;session&nbsp;fingerprints&nbsp;like JA3S&nbsp;lose value as&nbsp;indicators for SOC analysts.&nbsp;IP- and TLS-based detection becomes&nbsp;inefficient, and&nbsp;the 
only&nbsp;remaining&nbsp;leads for analysts are domains and their reputation.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Implications and Recommendations for&nbsp;Decision-Makers&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attackers increasingly rely on trusted platforms to evade detection, reflecting the growth of cloud-based phishing into a mainstream technique.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In many cases,&nbsp;there\u2019s&nbsp;a clear intent to target large companies specifically.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Traditional detection methods and static IOCs&nbsp;aren\u2019t&nbsp;sufficient for a strong defense strategy.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Effective detection requires non-stop monitoring of phishing campaigns, as well as constantly updated&nbsp;signature databases.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"522\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1-1024x522.jpeg\" alt=\"\" class=\"wp-image-18235\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1-1024x522.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1-300x153.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1-768x392.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1-370x189.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1-270x138.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1-740x378.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/businessimpact1.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Business impact powered by ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Interactive sandboxing&nbsp;combined&nbsp;with&nbsp;threat&nbsp;intelligence solutions enables analysts to uncover evasive phishing threats&nbsp;and helps achieve:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Early warning through global intelligence:&nbsp;<\/strong>Learn from real-world incidents across industries to&nbsp;anticipate&nbsp;threats before they reach your organization.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster, more confident triage:&nbsp;<\/strong>Enrich alerts with proven historical evidence to reduce false positives and unnecessary escalations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Deeper visibility into real threats:&nbsp;<\/strong>Observe&nbsp;malicious behavior as it unfolds to uncover evasive techniques that static analysis often misses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operational efficiency at scale:&nbsp;<\/strong>Eliminate&nbsp;manual correlation across multiple sources and streamline investigations within a single workflow.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger SOC performance:&nbsp;<\/strong>Support analysts at all levels while accelerating the full security operations lifecycle, from detection to response.&nbsp;<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-275\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"5\"\n           data-wpID=\"275\"\n           data-responsive=\"0\"\n     
      data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        The result is measurable:                      <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        +62.7% more threats detected overall                      <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        94% of surveyed users report faster triage                      <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n               
     \"\n                    >\n                                        63% year-over-year user growth, driven by analyst efficiency                      <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        30% fewer alerts require escalation to senior analysts                     <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-275'>\ntable#wpdtSimpleTable-275{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-275 td, table.wpdtSimpleTable275 th { white-space: normal !important; }\n<\/style>\n\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Modern Phishing: No Longer Seen by the Naked Eye&nbsp;<\/h2>\n\n\n\n<p>Until recently, a typical phishing attack looked like this:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/39b6bbdd-b69a-40bd-92e6-cdb368349264\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"726\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1-1024x726.png\" alt=\"\" class=\"wp-image-18237\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1-1024x726.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1-300x213.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1-768x545.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1-370x262.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1-270x191.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1-740x525.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/webflow1.png 1100w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The malicious intent here is obvious if you&nbsp;take a look&nbsp;at the domain&nbsp;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>As&nbsp;shown above, the login form is&nbsp;hosted&nbsp;on a&nbsp;newly registered domain, not a legitimate Microsoft 365 one&nbsp;(e.g.,&nbsp;windows[.]net,&nbsp;microsoftonline[.]com,&nbsp;office[.]net, or&nbsp;live[.]com).&nbsp;This clearly&nbsp;indicates&nbsp;phishing.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"399\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-1024x399.png\" alt=\"\" class=\"wp-image-18239\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-1024x399.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-300x117.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-768x299.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-1536x599.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-2048x798.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-370x144.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-270x105.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/virustotal-740x288.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>VirusTotal provides no information on this domain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>But modern phishing threats are&nbsp;significantly&nbsp;more complex and therefore more dangerous.&nbsp;In many cases, even the domain name stops being a&nbsp;reliable&nbsp;IOC.&nbsp;That\u2019s&nbsp;what&nbsp;can 
be&nbsp;observed&nbsp;in this sample:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/176c4e1e-f230-437e-99fa-137c735d10d4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis%20&amp;utm_term=030226&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"970\" height=\"722\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob.png\" alt=\"\" class=\"wp-image-18238\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob.png 970w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob-300x223.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob-768x572.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob-370x275.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob-270x201.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob-740x551.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/blob-80x60.png 80w\" sizes=\"(max-width: 970px) 100vw, 970px\" \/><figcaption class=\"wp-element-caption\"><em>A malicious Tycoon2FA sample on a legitimate Microsoft Blob Storage domain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In this analysis,&nbsp;the login form is hosted on legitimate Microsoft Azure Blob Storage, which complicates detection.&nbsp;This sample belongs to&nbsp;Tycoon2FA, which&nbsp;we\u2019ve&nbsp;discussed in detail&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/salty2fa-tycoon2fa-hybrid-phishing-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">in this article.<\/a>&nbsp;<\/p>\n\n\n\n<p>In the&nbsp;POST request&nbsp;below,&nbsp;the victim\u2019s encrypted password is&nbsp;transmitted&nbsp;from the Microsoft Azure page&nbsp;to an attacker-controlled server:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"327\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-1024x327.png\" alt=\"\" class=\"wp-image-18240\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-1024x327.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-768x245.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-1536x490.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-370x118.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-270x86.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password-740x236.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/password.png 1686w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>POST request used by attackers to steal the password<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The response&nbsp;from a malicious reverse proxy&nbsp;returns&nbsp;a&nbsp;\u201cwrong password\u201d&nbsp;message, mimicking Microsoft\u2019s legitimate authentication flow.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"278\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword-1024x278.png\" alt=\"\" class=\"wp-image-18241\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword-1024x278.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword-300x81.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword-768x208.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword-370x100.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword-270x73.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword-740x201.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/wrongpassword.png 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>\u201cWrong password\u201d error message appears after password input<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Trends: Rapid Growth of Cloud-Hosted Threats&nbsp;<\/h2>\n\n\n\n<p>At the&nbsp;time&nbsp;of writing,&nbsp;it&#8217;s&nbsp;been a week since the&nbsp;previous&nbsp;<a href=\"https:\/\/x.com\/anyrun_app\/status\/2011756689024815184\" target=\"_blank\" rel=\"noreferrer noopener\">publication of these findings<\/a>. Since then, the number of similar&nbsp;phishing cases&nbsp;has nearly&nbsp;doubled.&nbsp;<\/p>\n\n\n\n<p>You can find&nbsp;examples&nbsp;of this trend&nbsp;on TI Lookup:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktolookup\/#{%22query%22:%22threatName:%5C%22tycoon%5C%22%20AND%C2%A0domainName:%5C%22*.blob.core.windows.net%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;tycoon&quot; AND domainName:&quot;*.blob.core.windows.net&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"261\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-1024x261.png\" alt=\"\" class=\"wp-image-18243\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-1024x261.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-300x76.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-768x196.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-1536x391.png 
1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-2048x521.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-370x94.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-270x69.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/submission-1-740x188.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Tycoon threats abusing the Microsoft storage platform&nbsp;are&nbsp;observed&nbsp;in&nbsp;numerous&nbsp;regions<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>On average, SOC&nbsp;teams from&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/industry-geo-threat-landscape\/\" target=\"_blank\" rel=\"noreferrer noopener\">the US and Europe<\/a>&nbsp;encounter&nbsp;Tycoon-based&nbsp;phishing abusing trusted&nbsp;Microsoft&nbsp;infrastructure&nbsp;multiple&nbsp;times a day,&nbsp;indicating&nbsp;a rise in this activity.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Sneaky2FA&nbsp;Targeting Enterprises&nbsp;<\/h3>\n\n\n\n<p>Similar behavior is&nbsp;observed&nbsp;in Sneaky2FA&nbsp;campaigns, commonly&nbsp;hosted on Google Firebase Storage:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/96dbe668-1be7-4001-be2c-edec54df09f7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"765\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-1024x765.png\" alt=\"\" class=\"wp-image-18244\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-1024x765.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-300x224.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-768x574.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-370x276.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-270x202.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-740x553.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase-80x60.png 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/firebase.png 1028w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sneaky2FA threat sample hosted on Google Storage<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>As well as at AWS CloudFront:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/9a2d1537-e952-455e-bba0-b36f720a07e6\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"637\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain-1024x637.png\" alt=\"\" class=\"wp-image-18245\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain-1024x637.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain-300x187.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain-768x478.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain-370x230.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain-270x168.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain-740x460.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/d1domain.png 1100w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Another Sneaky2FA malicious sample hosted on AWS CloudFront<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>What differentiates&nbsp;Sneaky2FA from Tycoon2FA is&nbsp;its&nbsp;focus on&nbsp;large companies,&nbsp;not mass campaigns. The kit&nbsp;excludes free personal email addresses&nbsp;hosted on gmail.com, yahoo.com, and outlook.com, focusing only on&nbsp;corporate&nbsp;emails.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"591\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-1024x591.png\" alt=\"\" class=\"wp-image-18246\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-1024x591.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-300x173.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-768x443.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-1536x886.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-370x213.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-270x156.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist-740x427.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sneaky2falist.png 1630w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sneaky2FA uses a Base64-encoded domain list to filter for corporate accounts<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 
class=\"wp-block-heading\">EvilProxy: Different Threat, Same Method&nbsp;<\/h3>\n\n\n\n<p>In addition to Tycoon2FA and Sneaky2FA,&nbsp;EvilProxy&nbsp;also&nbsp;demonstrates&nbsp;similar&nbsp;abuse of trusted cloud&nbsp;platforms:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/07995c22-6e7d-468b-ad94-29af75525ed3?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"712\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sitesgoogle.png\" alt=\"\" class=\"wp-image-18247\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sitesgoogle.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sitesgoogle-300x209.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sitesgoogle-768x534.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sitesgoogle-370x257.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sitesgoogle-270x188.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/sitesgoogle-740x515.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>EvilProxy&nbsp;sample hosted on legitimate Google domain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The underlying strategy is similar and involves hiding malicious activity behind&nbsp;legitimate&nbsp;infrastructure.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cephas: Beyond Mainstream&nbsp;<\/h3>\n\n\n\n<p>Another example of Microsoft 365&nbsp;phishing&nbsp;abusing trusted cloud infrastructure&nbsp;was&nbsp;found among&nbsp;less&nbsp;common&nbsp;phishkits,&nbsp;such 
as&nbsp;Cephas.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/browses\/738e60c4-27f0-460c-9e79-160de4bee621\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin-1024x579.png\" alt=\"\" class=\"wp-image-18248\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin-740x419.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/signin.png 1524w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Cephas sample hosted on legitimate Microsoft storage domain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This confirms the trend, which solidifies cloud platform abuse as a standard technique, not a one-off case.&nbsp;<\/p>\n\n\n\n<p>To find more phishing domains based on Microsoft Azure, use the following TI Lookup query:&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktolookup\/#{%22query%22:%22threatName:%5C%22phishing%5C%22%20AND%20domainName:%5C%22*blob.core.windows.net%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;phishing&quot; AND domainName:&quot;*blob.core.windows.net&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"534\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-1024x534.png\" alt=\"\" class=\"wp-image-18249\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-1024x534.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-768x401.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-1536x802.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-2048x1069.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/bloblookup-740x386.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing samples based on&nbsp;Microsoft&nbsp;Blob Storage domain. Search in TI Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Phishing hosted on trusted cloud infrastructure is becoming increasingly widespread. 
The risk for large organizations grows daily, and detecting this type of&nbsp;attack&nbsp;at&nbsp;early stages&nbsp;is made possible through continuous monitoring of phishing&nbsp;campaigns.&nbsp;&nbsp;<\/p>\n\n\n\n<p>ANY.RUN provides this visibility by delivering continuous signature updates and empowering SOC teams in 195 countries to detect sophisticated phishing threats for maximum business protection.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About&nbsp;ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis%20&amp;utm_term=030226&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;develops advanced solutions for malware analysis and threat hunting,&nbsp;trusted by 600,000+ cybersecurity professionals worldwide.&nbsp;<\/p>\n\n\n\n<p>Its interactive&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">malware analysis sandbox<\/a>&nbsp;enables&nbsp;hands-on investigation of threats targeting Windows, Linux, and Android environments. 
ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis&amp;utm_term=030226&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>&nbsp;help security teams quickly&nbsp;identify&nbsp;indicators of compromise, enrich alerts with context, and investigate incidents&nbsp;early.&nbsp;Together, the&nbsp;solutions&nbsp;empower&nbsp;analysts&nbsp;to&nbsp;strengthen overall security posture&nbsp;at enterprises.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=enterprise_phishing_analysis%20&amp;utm_term=030226&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Request ANY.RUN access for your company<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions (FAQ)&nbsp;<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1770109610613\"><strong class=\"schema-faq-question\">What is enterprise phishing?\u00a0<\/strong> <p class=\"schema-faq-answer\">Enterprise phishing refers to targeted phishing attacks aimed at corporate users, often designed to steal credentials, session cookies, or gain access to business systems rather than personal accounts.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1770109615085\"><strong class=\"schema-faq-question\">How do attackers abuse Microsoft and Google platforms for phishing?\u00a0<\/strong> <p class=\"schema-faq-answer\">Attackers host phishing pages on 
legitimate services like Microsoft Azure Blob Storage, Google Firebase, and Cloudflare, allowing malicious activity to blend in with trusted cloud traffic and evade traditional detection.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1770109619646\"><strong class=\"schema-faq-question\">Why is cloud-hosted phishing harder to detect?\u00a0<\/strong> <p class=\"schema-faq-answer\">Because these attacks use trusted domains, valid HTTPS, and well-known cloud infrastructure, common indicators such as IP addresses, TLS fingerprints, and certificates\u00a0lose\u00a0effectiveness.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1770109624191\"><strong class=\"schema-faq-question\">What are\u00a0AiTM\u00a0phishing kits?\u00a0<\/strong> <p class=\"schema-faq-answer\">AiTM\u00a0(Adversary-in-the-Middle) phishing kits act as real-time proxies between victims and legitimate services, enabling attackers to bypass MFA and steal credentials without raising obvious suspicion.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1770109630034\"><strong class=\"schema-faq-question\">Which phishing kits most commonly target enterprises?\u00a0<\/strong> <p class=\"schema-faq-answer\">Tycoon2FA, Sneaky2FA, and\u00a0EvilProxy\u00a0are among the most active kits,\u00a0frequently\u00a0used in enterprise-focused campaigns abusing trusted cloud and CDN platforms\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1770109635868\"><strong class=\"schema-faq-question\">Can traditional email security tools stop modern phishing attacks?\u00a0<\/strong> <p class=\"schema-faq-answer\">Traditional tools alone are often insufficient, as modern phishing relies on trusted infrastructure and advanced evasion techniques that bypass static rules and reputation-based detection.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1770109643164\"><strong class=\"schema-faq-question\">How can organizations 
detect cloud-based phishing attacks early?\u00a0<\/strong> <p class=\"schema-faq-answer\">Early detection requires continuous monitoring of phishing campaigns, up-to-date threat intelligence, and behavioral analysis using interactive sandboxing and real-time investigation solutions like ANY.RUN.\u00a0<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>ANY.RUN&nbsp;observes&nbsp;a&nbsp;growing trend&nbsp;of&nbsp;phishing kit infrastructure&nbsp;being&nbsp;hosted on legitimate cloud and CDN platforms,&nbsp;rather than on&nbsp;newly registered&nbsp;domains.&nbsp;These campaigns&nbsp;often&nbsp;target enterprise users&nbsp;specifically, creating a global threat to businesses.&nbsp;The shift creates serious visibility&nbsp;challenges for security teams, as trusted platforms and valid indicators shield malicious activity from detection.&nbsp; For a deeper dive, read on and see the breakdown of such cases, along with [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":18261,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-18224","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Enterprise Phishing via\u00a0Microsoft\u00a0&amp;\u00a0Google\u00a0Cloud Platforms\u00a0<\/title>\n<meta name=\"description\" content=\"Find out how phishing kits abuse trusted cloud platforms to bypass enterprise defenses and what\u00a0your SOC can\u00a0do\u00a0to stop them.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"GridGuardGhoul\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\"},\"author\":{\"name\":\"GridGuardGhoul\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Enterprise\u00a0Phishing:\u00a0How\u00a0Attackers\u00a0Abuse Trusted\u00a0Microsoft\u00a0&amp;\u00a0Google\u00a0Platforms\u00a0\",\"datePublished\":\"2026-02-03T09:41:32+00:00\",\"dateModified\":\"2026-02-06T09:31:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\"},\"wordCount\":2277,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\",\"name\":\"Enterprise Phishing via\u00a0Microsoft\u00a0&\u00a0Google\u00a0Cloud Platforms\u00a0\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-02-03T09:41:32+00:00\",\"dateModified\":\"2026-02-06T09:31:34+00:00\",\"description\":\"Find out how phishing kits abuse trusted cloud platforms to bypass 
enterprise defenses and what\u00a0your SOC can\u00a0do\u00a0to stop them.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109610613\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109615085\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109619646\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109624191\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109630034\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109635868\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109643164\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Enterprise\u00a0Phishing:\u00a0How\u00a0Attackers\u00a0Abuse Trusted\u00a0Microsoft\u00a0&amp;\u00a0Google\u00a0Platforms\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to 
it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"GridGuardGhoul\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg\",\"caption\":\"GridGuardGhoul\"},\"description\":\"I am a network security researcher and reverse engineer exploring malware, protocols, and exploits.\",\"url\":\"#molongui-disabled-link\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109610613\",\"position\":1,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109610613\",\"name\":\"What is enterprise phishing?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Enterprise phishing refers to 
targeted phishing attacks aimed at corporate users, often designed to steal credentials, session cookies, or gain access to business systems rather than personal accounts.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109615085\",\"position\":2,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109615085\",\"name\":\"How do attackers abuse Microsoft and Google platforms for phishing?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Attackers host phishing pages on legitimate services like Microsoft Azure Blob Storage, Google Firebase, and Cloudflare, allowing malicious activity to blend in with trusted cloud traffic and evade traditional detection.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109619646\",\"position\":3,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109619646\",\"name\":\"Why is cloud-hosted phishing harder to detect?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Because these attacks use trusted domains, valid HTTPS, and well-known cloud infrastructure, common indicators such as IP addresses, TLS fingerprints, and certificates\u00a0lose\u00a0effectiveness.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109624191\",\"position\":4,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109624191\",\"name\":\"What are\u00a0AiTM\u00a0phishing kits?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"AiTM\u00a0(Adversary-in-the-Middle) 
phishing kits act as real-time proxies between victims and legitimate services, enabling attackers to bypass MFA and steal credentials without raising obvious suspicion.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109630034\",\"position\":5,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109630034\",\"name\":\"Which phishing kits most commonly target enterprises?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Tycoon2FA, Sneaky2FA, and\u00a0EvilProxy\u00a0are among the most active kits,\u00a0frequently\u00a0used in enterprise-focused campaigns abusing trusted cloud and CDN platforms\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109635868\",\"position\":6,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109635868\",\"name\":\"Can traditional email security tools stop modern phishing attacks?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Traditional tools alone are often insufficient, as modern phishing relies on trusted infrastructure and advanced evasion techniques that bypass static rules and reputation-based detection.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109643164\",\"position\":7,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109643164\",\"name\":\"How can organizations detect cloud-based phishing attacks early?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Early detection requires continuous monitoring of phishing 
campaigns, up-to-date threat intelligence, and behavioral analysis using interactive sandboxing and real-time investigation solutions like ANY.RUN.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Enterprise Phishing via\u00a0Microsoft\u00a0&\u00a0Google\u00a0Cloud Platforms\u00a0","description":"Find out how phishing kits abuse trusted cloud platforms to bypass enterprise defenses and what\u00a0your SOC can\u00a0do\u00a0to stop them.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/","twitter_misc":{"Written by":"GridGuardGhoul","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/"},"author":{"name":"GridGuardGhoul","@id":"https:\/\/any.run\/"},"headline":"Enterprise\u00a0Phishing:\u00a0How\u00a0Attackers\u00a0Abuse Trusted\u00a0Microsoft\u00a0&amp;\u00a0Google\u00a0Platforms\u00a0","datePublished":"2026-02-03T09:41:32+00:00","dateModified":"2026-02-06T09:31:34+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/"},"wordCount":2277,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware 
Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#respond"]}]},{"@type":["WebPage","FAQPage"],"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/","name":"Enterprise Phishing via\u00a0Microsoft\u00a0&\u00a0Google\u00a0Cloud Platforms\u00a0","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-02-03T09:41:32+00:00","dateModified":"2026-02-06T09:31:34+00:00","description":"Find out how phishing kits abuse trusted cloud platforms to bypass enterprise defenses and what\u00a0your SOC can\u00a0do\u00a0to stop them.\u00a0","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#breadcrumb"},"mainEntity":[{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109610613"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109615085"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109619646"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109624191"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109630034"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109635868"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109643164"}],"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blo
g\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Enterprise\u00a0Phishing:\u00a0How\u00a0Attackers\u00a0Abuse Trusted\u00a0Microsoft\u00a0&amp;\u00a0Google\u00a0Platforms\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"GridGuardGhoul","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg","caption":"GridGuardGhoul"},"description":"I am a network security researcher and reverse engineer exploring malware, protocols, and 
exploits.","url":"#molongui-disabled-link"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109610613","position":1,"url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109610613","name":"What is enterprise phishing?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Enterprise phishing refers to targeted phishing attacks aimed at corporate users, often designed to steal credentials, session cookies, or gain access to business systems rather than personal accounts.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109615085","position":2,"url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109615085","name":"How do attackers abuse Microsoft and Google platforms for phishing?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Attackers host phishing pages on legitimate services like Microsoft Azure Blob Storage, Google Firebase, and Cloudflare, allowing malicious activity to blend in with trusted cloud traffic and evade traditional detection.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109619646","position":3,"url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109619646","name":"Why is cloud-hosted phishing harder to detect?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Because these attacks use trusted domains, valid HTTPS, and well-known cloud infrastructure, common indicators such as IP addresses, TLS fingerprints, and 
certificates\u00a0lose\u00a0effectiveness.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109624191","position":4,"url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109624191","name":"What are\u00a0AiTM\u00a0phishing kits?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"AiTM\u00a0(Adversary-in-the-Middle) phishing kits act as real-time proxies between victims and legitimate services, enabling attackers to bypass MFA and steal credentials without raising obvious suspicion.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109630034","position":5,"url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109630034","name":"Which phishing kits most commonly target enterprises?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Tycoon2FA, Sneaky2FA, and\u00a0EvilProxy\u00a0are among the most active kits,\u00a0frequently\u00a0used in enterprise-focused campaigns abusing trusted cloud and CDN platforms\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109635868","position":6,"url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109635868","name":"Can traditional email security tools stop modern phishing attacks?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Traditional tools alone are often insufficient, as modern phishing relies on trusted infrastructure and advanced evasion techniques that bypass static rules and reputation-based 
detection.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109643164","position":7,"url":"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/#faq-question-1770109643164","name":"How can organizations detect cloud-based phishing attacks early?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Early detection requires continuous monitoring of phishing campaigns, up-to-date threat intelligence, and behavioral analysis using interactive sandboxing and real-time investigation solutions like ANY.RUN.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18224"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=18224"}],"version-history":[{"count":30,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18224\/revisions"}],"predecessor-version":[{"id":18361,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18224\/revisions\/18361"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/18261"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=18224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=18224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=18224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{re
l}","templated":true}]}}