SecurityWeek

Malware Sandbox Any.Run Targeted in Phishing Attack

Employees of the Any.Run malware analysis service were recently targeted in a phishing attack that was part of a BEC campaign.

The malware analysis service Any.Run on Monday shared details on a recent phishing attack targeting its employees. 

The incident came to light on June 18, when all the employees of the malware sandbox service received a phishing email from another Any.Run employee. The attacker’s access was terminated within minutes, but an investigation showed that the hacker was present for several weeks.

The attack started on May 23, 2024, when an employee in Any.Run’s sales team received an email from a client they had previously communicated with. 

The email contained a link, and the employee uploaded the message to a sandbox to check whether it posed a threat. However, because the link pointed to a trusted website that had been compromised and the sandbox environment was not properly configured, the threat was not detected.

The employee clicked on the link and was led to a Microsoft phishing website that prompted them to enter their login credentials and multi-factor authentication (MFA) code. The information was entered on the phishing page and the attacker was provided with everything they needed to access the employee’s account. 

The attacker added their own mobile device for MFA in an effort to maintain access. The hacker also installed an application that allowed them to steal the information stored in the victim’s email account. 

The attacker first accessed the Any.Run employee’s email account on May 27 and had access to it until June 18, when they sent out phishing emails to all the individuals in the employee’s contact list. 
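The persistence steps described above (a new MFA device and a newly installed application on the compromised account) are events defenders can correlate in identity audit logs. The following is an added example, not part of the original article or Any.Run's tooling; the event schema, field names, account names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not a vendor log format).
SAMPLE_EVENTS = [
    {"time": "2024-05-20T08:01:00", "user": "sales01@example.test", "action": "signin", "ip": "198.51.100.10"},
    {"time": "2024-05-27T03:12:00", "user": "sales01@example.test", "action": "signin", "ip": "203.0.113.77"},
    {"time": "2024-05-27T03:15:00", "user": "sales01@example.test", "action": "mfa_method_added", "ip": "203.0.113.77"},
    {"time": "2024-05-27T03:40:00", "user": "sales01@example.test", "action": "app_consent", "ip": "203.0.113.77"},
    {"time": "2024-05-27T09:00:00", "user": "sales01@example.test", "action": "signin", "ip": "198.51.100.10"},
    {"time": "2024-05-21T10:00:00", "user": "dev02@example.test", "action": "signin", "ip": "198.51.100.20"},
    {"time": "2024-05-28T10:05:00", "user": "dev02@example.test", "action": "mfa_method_added", "ip": "198.51.100.20"},
]

PERSISTENCE_ACTIONS = {"mfa_method_added", "app_consent"}


def find_persistence_chains(events, window=timedelta(hours=24)):
    """Flag MFA-method or app-consent events made from an IP that first
    appeared for that user no more than `window` earlier."""
    known_ips = defaultdict(set)   # user -> IPs already seen in sign-ins
    first_seen = {}                # (user, ip) -> time of first sign-in from a new IP
    hits = defaultdict(set)        # (user, ip) -> persistence actions observed
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user, ip = ev["user"], ev["ip"]
        if ev["action"] == "signin":
            # The first IP ever observed for a user is the baseline, not "new".
            if known_ips[user] and ip not in known_ips[user]:
                first_seen[(user, ip)] = t
            known_ips[user].add(ip)
        elif ev["action"] in PERSISTENCE_ACTIONS:
            start = first_seen.get((user, ip))
            if start is not None and t - start <= window:
                hits[(user, ip)].add(ev["action"])
    findings = []
    for (user, ip), actions in hits.items():
        # Both persistence steps from the same new IP is the strongest signal.
        severity = "high" if actions == PERSISTENCE_ACTIONS else "medium"
        findings.append({"user": user, "ip": ip,
                         "actions": sorted(actions), "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_persistence_chains(SAMPLE_EVENTS):
        print(finding)
```
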

At this point, the malicious link from the attacker’s email was already present in Any.Run’s threat intelligence database after being identified during sandbox analysis sessions by free users of the service. 

Once the breach was discovered, Any.Run rushed to revoke the attacker’s access and took steps to prevent such incidents in the future. 

The company pointed out that the employee whose email account was compromised did not have access to the production environment or any code base.

Any.Run is still investigating the incident, but believes it’s part of a business email compromise (BEC) campaign. 

Indicators of compromise (IoCs) have been made available to help others detect potential attacks. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
