{"id":8068,"date":"2024-06-24T14:44:24","date_gmt":"2024-06-24T14:44:24","guid":{"rendered":"\/cybersecurity-blog\/?p=8068"},"modified":"2024-06-24T14:57:28","modified_gmt":"2024-06-24T14:57:28","slug":"phishing-incident-report","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/","title":{"rendered":"Phishing Incident Report: Facts and Timeline\u00a0"},"content":{"rendered":"\n<p>On June 21, <a href=\"https:\/\/x.com\/anyrun_app\/status\/1804157392935870466\" target=\"_blank\" rel=\"noreferrer noopener\">we announced on our official X page<\/a> that our company had been hit by a phishing attack. &nbsp;<\/p>\n\n\n\n<p>Today, we are providing the first results of our investigation into what happened. We want to share a full account of the events with our community, along with what we will do to strengthen our security. &nbsp;<\/p>\n\n\n\n<p>In this post, we will cover:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An incident overview&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The timeline of the attack&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Our response actions&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s start with a summary of what happened.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How We Discovered the Incident&nbsp;<\/h2>\n\n\n\n<p>On the evening of June 18, 2024, all ANY.RUN staff members received a phishing email from an internal employee.
The email was sent to the entire contact list of the said employee and led to a malicious page with a JS script masquerading as a Microsoft sign-in form.&nbsp;<\/p>\n\n\n\n<p>It soon became clear that an employee&#8217;s account had been compromised and was being used by an unauthorized entity to carry out a post-breach business email compromise (BEC) campaign.&nbsp;<\/p>\n\n\n\n<p>After implementing all necessary response measures, we promptly began our investigation into the incident.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Incident Summary<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"62\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-1024x62.png\" alt=\"\" class=\"wp-image-8069\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-1024x62.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-300x18.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-768x47.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-1536x94.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-370x23.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-270x16.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6-740x45.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-6.png 1559w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>First unauthorized log in<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The earliest signs of unusual account activity were discovered to date back to May 27, 2024, at 07:37:09 (UTC), when an unauthorized entity first logged into the compromised account from IP 45[.]61[.]169[.]4 (Sheridan, Wyoming, US). 
&nbsp;<\/p>\n\n\n\n<p>The investigation revealed that the initial compromise happened through an AiTM phishing and BEC campaign. The employee received an email with a phishing link from a client who had been compromised. Due to insufficient access controls and flaws in our multi-factor authentication (MFA) policies, an unauthorized entity was able to register their own mobile device for the compromised account in the MFA service and retain access.&nbsp;<\/p>\n\n\n\n<p>Over the next 23 days, the unauthorized entity repeatedly accessed the compromised employee&#8217;s mailbox. We also discovered that they used PerfectData Software, an application that enabled them to potentially take a backup of the entire mailbox.&nbsp;<\/p>\n\n\n\n<p>Here is a detailed timeline of the incident.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Incident Timeline&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Initial Compromise&nbsp;<\/h3>\n\n\n\n<p><strong>May 23, 2024<\/strong>&nbsp;<\/p>\n\n\n\n<p>One of our sales team employees received an email via a third-party service from a client with whom they had previous communication. The email contained a link.&nbsp;<\/p>\n\n\n\n<p><strong>May 27, 2024, 07:37<\/strong>&nbsp;<\/p>\n\n\n\n<p>The employee took the precaution of uploading the email to the sandbox to check whether the link it contained posed any threat.&nbsp;<\/p>\n\n\n\n<p>The link in the email led to a trusted but compromised website with a fake login form. However, the employee\u2019s sandbox environment was not set up in MITM proxy mode, which would allow decryption of HTTPS traffic. 
This prevented Suricata IDS from detecting the malicious content and tagging the website as malicious.\u00a0<\/p>\n\n\n\n<p>Acting without proper consideration for consequences, the employee entered their actual login credentials and MFA in the login form on the fake page right inside the sandbox environment.<\/p>\n\n\n\n<p><strong>NOTE: Real credentials should never be used in a malware sandbox or any similar setting.<\/strong>\u00a0 \u00a0<\/p>\n\n\n\n<p>They then replied to the client that they could not access the content sent.<\/p>\n\n\n\n<p>At this point, the threat actor gained access to the employee\u2019s account for the first time.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence&nbsp;<\/h3>\n\n\n\n<p><strong>May 27, 2024, 08:22<\/strong>&nbsp;<\/p>\n\n\n\n<p>The attacker was able to add their own mobile device to the MFA service for the compromised account, allowing them to maintain access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Data Access &amp; Exfiltration<\/h3>\n\n\n\n<p><strong>June 5, 2024<\/strong>\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"89\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-1024x89.png\" alt=\"\" class=\"wp-image-8071\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-1024x89.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-300x26.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-768x67.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-1536x134.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-370x32.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-270x24.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6-740x64.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-6.png 1573w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Registered PerfectData activity<\/figcaption><\/figure><\/div>\n\n\n<p>The attacker installed the PerfectData Software application (Azure App ID: ff8d92dc-3d82-41d6-bcbd-b9174d163620) and used it to steal the contents of the compromised email account.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Phishing Attack<\/h3>\n\n\n\n<p><strong>June 18, 2024, 17:16<\/strong>\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"417\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1-1024x417.jpg\" alt=\"\" class=\"wp-image-8072\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1-1024x417.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1-300x122.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1-768x312.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1-370x151.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1-270x110.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1-740x301.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image-1.jpg 1251w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The phishing email sent by the attacker using our employee\u2019s account<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The attacker sent out emails that were similar to the original one to the entire contact list of the employee.&nbsp;<\/p>\n\n\n\n<p>These links had been already present in our Threat 
Intelligence database for over a week. However, they were identified during sandbox analysis sessions conducted by free users. These users lacked access to the most recent operating system version and the MITM proxy, tools that could have made it possible to recognize these domains as harmful in advance.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Our Response Actions&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Revocation of Access&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identification of Compromised Accounts\/Systems:<\/strong>&nbsp;Suspicious activities were confirmed using Azure audit and sign-in logs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Timeframe:<\/strong>&nbsp;Unauthorized activities were detected on&nbsp;<strong>June 18, 2024, 17:18:00<\/strong>. Access was terminated by&nbsp;<strong>June 18, 2024, 17:21:55<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Method of Revocation:<\/strong>&nbsp;Compromised and affected accounts were disabled.
Additionally, the credentials of compromised and affected accounts were reset and active sessions were revoked.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Impact:<\/strong>&nbsp;Immediate revocation of access halted potential lateral movement, preventing further unauthorized activities and data exfiltration attempts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Containment Strategy&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Short-term Containment:<\/strong>&nbsp;As part of the initial response, additional account activity monitoring was conducted, hindering any lateral movement by the threat actor.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Long-term Containment:<\/strong>&nbsp;The next phase of containment involves a more robust implementation of access controls, more restrictive MFA and conditional access policies and continuous access evaluation, ensuring that only compliant and trusted devices are allowed by access policies.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Effectiveness:<\/strong>&nbsp;The containment strategies were deemed successful in limiting the incident\u2019s impact, but not in detecting or preventing similar incidents from happening again in the future.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Eradication Measures&nbsp;<\/h3>\n\n\n\n<p>Persistence artifact removal:\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identification:<\/strong>\u00a0During the investigation, the following artifacts were observed as confirmed or potential persistence techniques:\u00a0 \n<ul class=\"wp-block-list\">\n<li>Adversary-controlled MFA devices (<strong>T1098.005<\/strong>)\u00a0<\/li>\n\n\n\n<li>PERFECTDATA SOFTWARE application\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Outlook Rules (<strong>T1137.005<\/strong>)&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Removal
Techniques:<\/strong>&nbsp;All identified artifacts were manually removed.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Verification:<\/strong>&nbsp;Post-removal, no unauthorized activity was observed or detected.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recovery Steps&nbsp;<\/h3>\n\n\n\n<p>No data or system integrity was affected, so no recovery processes were initiated.&nbsp;<\/p>\n\n\n\n<p>We also requested a report from the company that was the source of the phishing attack but did not receive a response from them.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">IP addresses&nbsp;<\/h3>\n\n\n\n<p>8 different IP addresses, listed below, were used to access the compromised account over 23 days.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>45.61[.]169[.]4 (Sheridan, Wyoming, US)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>40.83[.]133[.]199 (San Jose, California, US)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>172.210[.]145[.]129 (Boydton, Virginia, US)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>162.244[.]210[.]90 (Dallas, Texas, US) \u2013 the main VPS used in the attack, which was taken down on our request.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>52.162[.]121[.]170 (Chicago, Illinois, US)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>68.154[.]52[.]201 (Boydton, Virginia, US)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>140.228[.]29[.]111 (Ada, Ohio, US)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>52.170[.]144[.]110 (Washington, Virginia, US)&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">URLs&nbsp;<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>https:\/\/www.dropbox[.]com\/scl\/fi\/vimfxi3mq0fch1u232uvp\/Here-is-your-incoming-voice-mail-information_.paper?rlkey=69qgqvpkxn3mdvydkr8cgcd83&amp;dl=0&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https:\/\/batimnmlp[.]click\/m\/?cmFuZDE9Yldwa2IyRmFZa3hDVWc9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVJsQjJXbWRPZFZsTE1BPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9UlRGWGFUSlNkVFJ0ZWc9PQ==N0123N[EMail]&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https:\/\/www.reytorogroup[.]com\/r\/?cmFuZDE9YXpkcVJIbHpZa0kwVVE9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVVIb3libFEyWjA5NFNBPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9VEdscFdFSTNVVzlzZFE9PQ==N0123N%5bEMail%5d&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https:\/\/threemanshop[.]com\/jsnom.js&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">The Investigation Is Ongoing&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ve decided to disclose this incident to the community to show our dedication to stopping such events in the future.&nbsp;<\/p>\n\n\n\n<p>Our next step is to analyze the phishing sample and share our comprehensive findings with you.&nbsp;<\/p>\n\n\n\n<p>This situation will be used as an opportunity to make our security stronger and improve our products for everyone&#8217;s benefit.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On June 21, we announced on our official X page that our company had been hit by a phishing attack. &nbsp; Today, we are providing the first results of our investigation into what happened. 
We want to share a full account of the events with our community and what we will be undertaking to strengthen [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8073,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,10,34],"class_list":["post-8068","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Phishing Incident Report: Facts and Timeline\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"We are providing the first results of our investigation into the recent incident and share a full account of the events with our community. \u00a0\" \/>\n<meta name=\"robots\" content=\"noindex, nofollow\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Phishing Incident Report: Facts and Timeline\u00a0\",\"datePublished\":\"2024-06-24T14:44:24+00:00\",\"dateModified\":\"2024-06-24T14:57:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/\"},\"wordCount\":1184,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/\",\"name\":\"Phishing Incident Report: Facts and Timeline\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-06-24T14:44:24+00:00\",\"dateModified\":\"2024-06-24T14:57:28+00:00\",\"description\":\"We are providing the first results of our investigation into the recent incident and share a full account of the events with our community. 
\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-incident-report\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Phishing Incident Report: Facts and Timeline\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}