Phishing

Malware Sandbox Any.Run Targeted in Phishing Attack

Employees of the Any.Run malware analysis service were recently targeted in a phishing attack that was part of a BEC campaign.

Employees of the Any.Run malware analysis service were recently targeted in a phishing attack that was part of a BEC campaign.

The malware analysis service Any.Run on Monday shared details on a recent phishing attack targeting its employees. 

The incident came to light on June 18, when all the employees of the malware sandbox service received a phishing email from another Any.Run employee. The attacker’s access was terminated within minutes, but an investigation showed that the hacker was present for several weeks.

The attack started on May 23, 2024, when an employee in Any.Run’s sales team received an email from a client they had previously communicated with. 

The email contained a link and the employee did upload the message to a sandbox to check whether it posed a threat. However, since the link pointed to a trusted website that had been compromised and the sandbox environment was not properly configured, the threat was not detected.

The employee clicked on the link and was led to a Microsoft phishing website that prompted them to enter their login credentials and multi-factor authentication (MFA) code. The information was entered on the phishing page and the attacker was provided with everything they needed to access the employee’s account. 

The attacker added their own mobile device for MFA in an effort to maintain access. The hacker also installed an application that allowed them to steal the information stored in the victim’s email account. 

Advertisement. Scroll to continue reading.

The attacker first accessed the Any.Run employee’s email account on May 27 and had access to it until June 18, when they sent out phishing emails to all the individuals in the employee’s contact list. 

At this point, the malicious link from the attacker’s email was already present in Any.Run’s threat intelligence database after being identified during sandbox analysis sessions by free users of the service. 

Once the breach was discovered, Any.Run rushed to revoke the attacker’s access and took steps to prevent such incidents in the future. 

The company pointed out that the employee whose email account was compromised did not have access to the production environment or any code base.

Any.Run is still investigating the incident, but believes it’s part of a business email compromise (BEC) campaign. 

Indicators of compromise (IoCs) have been made available to help others detect potential attacks. 

Related: Autodesk Drive Abused in Phishing Attacks 

Related: Phishing Platform LabHost Shut Down by Law Enforcement

Related: Cybercriminals Spoof US Government Organizations in BEC, Phishing Attacks

Related: FCC Employees Targeted in Sophisticated Phishing Attacks

Related Content

Phishing

The attackers call victims to direct them to phishing websites mirroring Microsoft Entra ID login pages.

Phishing

The platform used more than 9,000 phishing sites, stealing nearly 4 million credit cards and causing roughly $1.9 billion in losses.

Phishing

Victims span across the aviation, critical infrastructure, energy, logistics, public administration, and technology sectors.

Phishing

The malicious emails claim to contain a conduct report and lure victims to a Microsoft phishing website that leverages AitM.

Phishing

Still under development, Bluekit provides users with automated domain registration and an AI Assistant.

Phishing

Legitimate-looking emails coming from Robinhood systems lured recipients to phishing websites.

Email Security

New analysis from Abnormal AI reveals how attackers have abandoned technical exploits to weaponize routine workflows and internal trust.

Phishing

Threat actors are reusing Tycoon 2FA tools across other phishing kits following the platform’s disruption.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version