Analyzing phishing attacks has become challenging as these threats continue to evolve in complexity, employing more sophisticated techniques to bypass traditional defenses.
The tools used to analyze such attacks must also adapt, requiring constant improvement to keep up with the attackers’ ingenuity.
Let’s explore a few real-world phishing attacks and demonstrate how to effectively analyze them using advanced tools like the ANY.RUN interactive sandbox.
Finding Fresh Phishing Samples Using MITRE Matrix in TI Lookup
Before diving into the analysis of phishing attacks, it’s important to know where to find them. The ANY.RUN TI Lookup homepage integrates the MITRE ATT&CK Matrix, offering a fast and efficient starting point for identifying threats and collecting TTPs.
The matrix links each tactic and technique to real-world malware analysis sessions. Simply navigate to the Phishing technique and click on it to explore related sub-techniques.
Each sub-technique provides access to corresponding analysis sessions, helping you understand how phishing attacks manifest and operate in different scenarios.
As a result, you will not only locate fresh phishing samples but also gain actionable insights into their behavior.
Examples of Phishing Attacks and Ways to Analyze Them
Now that we know where to find examples of real-world phishing attacks, it’s time to look at different types of attacks and how we can analyze them easily.
Phishing email with an Excel attachment and a link inside
This type of phishing attack leverages an Excel file containing embedded links designed to redirect users to malicious websites or deliver malware.
Attacks like these can be safely analyzed using secure environments like ANY.RUN’s interactive sandbox.
Here is an example of such a phishing email, complete with a detailed analysis session: View Analysis Session
Initial observations
After running the session, the easiest way to identify the nature of the attack is by checking the upper-right corner of the sandbox interface.
Here, you’ll see a malicious activity label, accompanied by tags such as attachments and phishing, confirming that this email contains a malicious file.
Examining the Excel file
Opening the Excel file reveals an attempt to make it appear legitimate, with the attacker embedding a Dropbox logo for credibility. However, clicking the link inside the document redirects you to a website hosting a malicious payload.
Payload delivery
On the website, two options are presented: View the PDF or Download it. Selecting the download option redirects to another site that requests your Microsoft account credentials.
A key red flag here is the suspicious URL—long, overly complex, and filled with random characters. This is a telltale sign of phishing.
Network indicators and threat triggers
By reviewing the Threats section in the Network Connections tab, you’ll notice a Suricata rule triggered for phishing. This provides further evidence of malicious activity, reinforcing the analysis findings.
Phishing email with an archive containing an SVG file
This phishing attack begins with an email containing an archive attachment. The archive includes an SVG file, which serves as a gateway to download an encrypted archive containing the AsyncRAT payload.
AsyncRAT is a Remote Access Trojan used by attackers to gain unauthorized access to a victim’s system. Here’s the full analysis session: View Analysis Session.
Initial email and archive
The phishing email includes an attached ZIP file, which, when extracted, reveals an SVG file. SVG files are often used to mask malicious activities due to their seemingly innocuous nature.
Interacting with the SVG file
Upon opening the SVG file, a button prompts the user to click to continue. Clicking this button redirects to a malicious website, initiating the download of another encrypted ZIP file containing the actual payload.
Dealing with the encrypted file
The downloaded ZIP file requires a password to extract its contents. Cleverly, the attackers embed the password in the initial phishing email, encouraging the victim to retrieve and use it.
Payload extraction and infection
Once the password is entered, the archive reveals the AsyncRAT malware, which installs itself on the victim’s system, enabling attackers to remotely control the machine and steal sensitive information.
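As an added example (not ANY.RUN’s code and not part of the original post), the following Python script performs the first triage step for the two lures above statically: it pulls external hyperlinks out of an .xlsx workbook’s relationship parts and out of an SVG’s anchor and onclick attributes, so an analyst can see where a document would send the user before detonating it. The workbook, the SVG and the example.invalid URLs are constructed for the demo.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

def xlsx_external_links(xlsx_bytes):
    """External hyperlink targets of an .xlsx, read straight from the OOXML zip: cell
    hyperlinks are Relationship elements with TargetMode="External" in xl/worksheets/_rels/."""
    links = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("xl/worksheets/_rels/") and name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(RELS_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        links.append(rel.get("Target"))
    return links

def svg_external_links(svg_bytes):
    """Link targets in an SVG: <a href>/<a xlink:href> plus URLs inside onclick handlers."""
    links = []
    for el in ET.fromstring(svg_bytes).iter():
        if el.tag.rsplit("}", 1)[-1] == "a":
            href = el.get("href") or el.get(XLINK_HREF)
            if href:
                links.append(href)
        links.extend(URL_RE.findall(el.get("onclick", "")))
    return links

def build_sample_xlsx():
    """Constructed minimal workbook containing only the parts the extractor reads."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" TargetMode="External" Target="https://example.invalid/dropbox/view"/>'
            '<Relationship Id="rId2" Target="../drawings/drawing1.xml"/>'  # internal part, must be ignored
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()

# Constructed SVG modelled on the "click to continue" lure described in the post
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://example.invalid/dl/archive.zip"><text y="20">Click to continue</text></a>
  <rect width="10" height="10" onclick="window.open('https://example.invalid/fallback')"/>
</svg>"""
```

Any URL these functions return can be checked against the sandbox’s network indicators without the document ever being opened.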
Phishing attack containing a PDF file
This phishing attack leverages a seemingly harmless PDF file to initiate a multi-step process that ultimately attempts to steal sensitive credentials.
The attack is linked to malware such as Storm1747 and Tycoon, demonstrating the layered sophistication of modern phishing campaigns. Here is the detailed analysis session: View Analysis Session
Initial observation in ANY.RUN’s sandbox
When the PDF file is opened in the sandbox, it presents a button prompting the user to download another PDF. Clicking this button initiates a series of redirects.
Redirect chain and abuse of Cloudflare verification
The redirection leads to a website that employs Cloudflare’s human verification process. If you’ve enabled automated interactivity in ANY.RUN, the sandbox will complete this step for you without manual input, ensuring seamless analysis.
Malicious website and credential harvesting
After completing the verification process, a website that mimics Microsoft’s login page requests the user’s Microsoft account credentials.
A quick glance at the URL reveals that it is unrelated to any official Microsoft domain. The link is overly complex, filled with unnecessary characters—a clear red flag indicating a phishing attempt.
Malware Indicators
The sandbox captures and highlights the malicious behavior, showing evidence of Storm1747 and Tycoon malware activity, further confirming the attack’s intent.
Key Indicators of Phishing Attacks
Based on the analyzed examples, we can identify some common key indicators of phishing attacks:
- Suspicious attachments: Files like Excel documents, archives, or PDFs containing unexpected links or prompts.
- Misleading URLs: Links with overly complex, long, or random characters, often unrelated to legitimate domains.
- Credential requests: Fake login pages designed to mimic trusted platforms, such as Microsoft.
- Redirect chains: Use of multiple redirects or verification steps, often abusing legitimate services such as Cloudflare’s human verification, to obscure malicious intent.
- Brand imitation: Incorporating logos or designs from trusted companies to appear legitimate.
Recognizing these signs and analyzing them with tools like ANY.RUN’s interactive sandbox can help uncover phishing attempts and mitigate their risks effectively.
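The URL indicators listed above can be turned into a repeatable triage check. The following Python function is an added example, not code from ANY.RUN or the original post; it flags long URLs, random-looking path or query tokens, and hosts that do not belong to the brand the landing page imitates. The brand allowlist and the sample URLs (example.invalid) are constructed for the demo.

```python
import math
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve the brand's sign-in page. Constructed for this
# example; a real deployment would maintain its own allowlist.
BRAND_LOGIN_HOSTS = {"microsoft": {"login.microsoftonline.com", "login.live.com"}}

def shannon_entropy(token):
    """Bits per character: natural words sit near 3, random tokens climb toward 5+."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in (token.count(ch) for ch in set(token)))

def url_red_flags(url, claims_brand, max_len=100, entropy_threshold=3.8):
    """Return the indicators from the post that this URL trips, in a fixed order.
    claims_brand is the brand the landing page imitates (e.g. a Microsoft login form).
    These are triage heuristics for an analyst, not a blocking decision."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if len(url) > max_len:
        flags.append("long_url")
    # Split path and query into tokens; long high-entropy tokens look machine-generated
    tokens = re.split(r"[/?&=._\-]", parts.path + parts.query)
    if any(len(t) >= 12 and shannon_entropy(t) > entropy_threshold for t in tokens):
        flags.append("random_looking_token")
    allowed = BRAND_LOGIN_HOSTS.get(claims_brand, set())
    legit = host in allowed or any(host.endswith("." + a) for a in allowed)
    if not legit:
        flags.append("unrelated_domain_for_claimed_brand")
        if claims_brand in host:  # brand name used as bait inside a foreign hostname
            flags.append("brand_name_in_lookalike_host")
    return flags

# Constructed sample URLs (.invalid is a reserved, non-resolving TLD)
PHISH_URL = ("https://auth-secure.example.invalid/common/oauth2/v2.0/authorize"
             "?client=Zx9q4Lm2pR7vKt8sW3nB6yH1aD5fG0jQ&state=login")
LOOKALIKE_URL = "https://microsoft-login.example.invalid/signin"
LEGIT_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

if __name__ == "__main__":
    for u in (PHISH_URL, LOOKALIKE_URL, LEGIT_URL):
        print(u, "->", url_red_flags(u, "microsoft"))
```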
Get Your Black Friday Deals from ANY.RUN
Get ready to elevate your cybersecurity workflow with ANY.RUN’s Black Friday 2024 deals! For a limited time, you can save big while gaining access to powerful tools for analyzing threats efficiently.
Exclusive Black Friday Offer
Take advantage of ANY.RUN’s Black Friday deals, available until December 8:
- For individual users: Get 2 licenses for the price of 1—perfect for solo researchers or analysts.
- For teams: Enjoy up to 3 free licenses and an annual Basic Plan for Threat Intelligence Lookup, providing access to the latest threat intelligence data.
Explore all offers and try the service with a free trial today