Examples of Phishing Attacks and How to Effectively Analyze Them


Analyzing phishing attacks has become more challenging as these threats continue to evolve, employing more sophisticated techniques to bypass traditional defenses. 

The tools used to analyze such attacks must also adapt, requiring constant improvement to keep up with the attackers’ ingenuity. 

Let’s explore a few real-world phishing attacks and demonstrate how to effectively analyze them using advanced tools like the ANY.RUN interactive sandbox.

Finding Fresh Phishing Samples Using MITRE Matrix in TI Lookup

Before diving into the analysis of phishing attacks, it’s important to know where to find them. The ANY.RUN TI Lookup homepage integrates the MITRE ATT&CK Matrix, offering a fast and efficient starting point for identifying threats and collecting TTPs.

The matrix links each tactic and technique to real-world malware analysis sessions. Simply navigate to the Phishing technique and click on it to explore related sub-techniques. 

MITRE ATT&CK Matrix techniques inside TI Lookup

Each sub-technique provides access to corresponding analysis sessions, helping you understand how phishing attacks manifest and operate in different scenarios.

As a result, you not only locate fresh phishing samples but also gain actionable insight into their behavior.

Phishing technique with its sub-techniques and corresponding analysis sample

Examples of Phishing Attacks and Ways to Analyze Them

Now that we know how to find examples of real-world phishing attacks, it's time to look at several types of attacks and how to analyze them efficiently.

Phishing email with an Excel attachment

This type of phishing attack leverages an Excel file containing embedded links that redirect users to malicious websites or deliver malware. 

Attacks like these can be safely analyzed in an isolated environment such as ANY.RUN's interactive sandbox.

Here is an example of such a phishing email, complete with a detailed analysis session: View Analysis Session

Phishing email displayed inside ANY.RUN sandbox

Initial observations

After running the session, the quickest way to identify the nature of the attack is to check the upper-right corner of the sandbox interface. 

There you'll see a malicious activity label, accompanied by tags such as attachments and phishing, confirming that this email carries a malicious file.

Malicious activity detected by ANY.RUN sandbox


Examining the Excel file

Opening the Excel file reveals an attempt to make it appear legitimate, with the attacker embedding a Dropbox logo for credibility. However, clicking the link inside the document redirects you to a website hosting a malicious payload.

Excel file containing malicious link

Payload delivery

On the website, two options are presented: View the PDF or Download it. Selecting the download option redirects to another site that requests your Microsoft account credentials.

Website link analyzed inside ANY.RUN VM

A key red flag here is the URL itself: long, overly complex, and filled with random-looking characters. Length and randomness alone are not proof, since legitimate single sign-on links can look that way too; the decisive check is whether the registrable domain in the address bar belongs to the brand whose credentials the page is asking for.

Suspicious URL inside ANY.RUN sandbox

Network indicators and threat triggers

By reviewing the Threats section in the Network Connections tab, you’ll notice a Suricata rule triggered for phishing. This provides further evidence of malicious activity, reinforcing the analysis findings.

Suricata rule triggered by phishing attack

Phishing email with an archive containing SVG file

This phishing attack begins with an email carrying an archive attachment. The archive contains an SVG file that acts as a gateway: it leads to the download of a password-protected archive containing the AsyncRAT payload. 

Phishing email with archive analyzed inside ANY.RUN sandbox

AsyncRAT is an open-source Remote Access Trojan that gives attackers remote control of a victim's system. Here's the full analysis session: View Analysis Session.

Initial email and archive

The phishing email includes an attached ZIP file which, when extracted, reveals an SVG file. SVG is an XML-based image format that can carry hyperlinks and even script, opens in the default browser on most systems, and is treated as a harmless picture by many users and filters, which makes it a convenient disguise for malicious content.

SVG file found inside ANY.RUN sandbox session

Interacting with the SVG file

Upon opening the SVG file, a button prompts the user to click to continue. Clicking it redirects to a malicious website, which initiates the download of a password-protected ZIP file containing the actual payload.

Malicious payload download inside secure environment
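The SVG lure described above, inspected statically as an added Python example (editorial code, not from ANY.RUN or the analysis session). It parses the SVG as XML and reports the things a disguised "image" should never need: script elements, event-handler attributes, foreignObject, and hyperlinks to external or javascript: targets. The two SVG documents in the block are constructed for illustration and are not the file from the session.

```python
import re
import xml.etree.ElementTree as ET

# xml.etree is used here because the samples are constructed. For attacker-
# controlled files parse with the defusedxml package instead, so entity
# expansion and external entities cannot be used against the analyst.

# Constructed lure: a fake "button" wrapped in a hyperlink, plus a script that
# navigates on its own if the user does not click. Not the SVG from the session.
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <a xlink:href="https://docs-download.example/get/archive.zip" target="_blank">
    <rect x="100" y="70" width="200" height="60" rx="8" fill="#0078d4"/>
    <text x="200" y="108" fill="#fff" text-anchor="middle" font-size="18">Click to continue</text>
  </a>
  <script type="text/ecmascript">setTimeout(function(){window.location="https://docs-download.example/get/archive.zip";},1500);</script>
</svg>"""

# Constructed benign SVG for comparison.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4" fill="red"/></svg>')

ACTIVE_SCRIPT = re.compile(r"location|window\.open|fetch\(|XMLHttpRequest|document\.write")
EXTERNAL_TARGET = re.compile(r"(?i)^(https?:|javascript:|data:)")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1] if isinstance(name, str) else ""


def inspect_svg(svg_text: str) -> dict:
    """Return findings that make an SVG a lure rather than an image."""
    root = ET.fromstring(svg_text)
    findings, links = [], []
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            body = (el.text or "").strip()
            findings.append(f"<script> element ({len(body)} chars)")
            if ACTIVE_SCRIPT.search(body):
                findings.append("script performs navigation or a request")
        if tag == "foreignobject":
            findings.append("<foreignObject> (can embed arbitrary HTML)")
        for attr, val in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{tag}>")
            # href and xlink:href both land here after namespace stripping
            if a == "href" and EXTERNAL_TARGET.match(val.strip()):
                links.append(val.strip())
                label = " ".join(t.strip() for t in el.itertext() if t.strip())
                findings.append(f'<{tag}> labelled "{label}" -> {val.strip()[:80]}')
    return {"findings": findings, "external_links": links,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for name, doc in (("lure", LURE_SVG), ("benign", BENIGN_SVG)):
        r = inspect_svg(doc)
        print(f"{name}: {r['verdict']}")
        for f in r["findings"]:
            print("   -", f)
```

Running the block on the lure reports the hyperlink with its "Click to continue" label and the self-navigating script; the benign circle produces no findings. The link list is what you would feed into the sandbox or a URL scanner next.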

Dealing with the encrypted file

The downloaded ZIP file requires a password to extract its contents. The attackers embed that password in the initial phishing email, encouraging the victim to retrieve and use it. The password protection is not there for the victim's benefit: an archive that the mail gateway cannot open cannot be scanned, so the lure and the password travel together while the payload stays opaque to automated defenses.

Password entered for the download of malicious payload

Payload extraction and infection

Once the password is entered, the archive yields the AsyncRAT executable. Running it installs the RAT on the victim's system, giving attackers remote control of the machine and the ability to steal sensitive information.

AsyncRAT detected by ANY.RUN sandbox
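The password-in-the-email trick and the payload extraction described in the last two sections, automated as an added Python example (editorial code, not from ANY.RUN or the session). It harvests password candidates from the message body, checks the archive's encryption flag, tries each candidate, and lists the members with hashes and a double-extension check. The email text and the archive are constructed for illustration; the standard library can read but not write password-protected ZIPs, so the sample archive is unencrypted and the candidate loop is exercised only when you point the function at a real protected sample.

```python
import hashlib
import io
import re
import zipfile
import zlib

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the ZIP entry header

# Constructed lure text; the decoy sentence shows why every candidate is tried.
SAMPLE_EMAIL = """Hi,
Please find the requested scan attached (Documents_Scan.zip).
The archive is protected. Password: Inv0ice2024
Do not share your password with anyone.
Regards"""

PASSWORD_PATTERNS = [
    r"(?i)\bpassword(?:\s+is)?\s*[:=]?\s*([^\s<>]{4,40})",
    r"(?i)\bpass(?:code|phrase)?\s*[:=]\s*([^\s<>]{4,40})",
]

DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpg|png)\.(exe|scr|js|vbs|lnk|bat)$", re.I)


def password_candidates(email_body: str) -> list:
    """Pull anything that follows 'password' out of the lure, in order of appearance."""
    found = []
    for pat in PASSWORD_PATTERNS:
        for m in re.finditer(pat, email_body):
            pw = m.group(1).strip("\"'.,;:)")
            if pw and pw not in found:
                found.append(pw)
    return found


def is_encrypted(zip_bytes: bytes) -> bool:
    """True if any member has the encryption bit set (the reason a gateway cannot scan it)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())


def open_with_candidates(zip_bytes: bytes, candidates) -> dict:
    """Try each candidate password; on success return member names, sizes and hashes."""
    report = {"encrypted": is_encrypted(zip_bytes), "password": None, "members": [], "note": ""}
    pwds = [c.encode() for c in candidates] if report["encrypted"] else [None]
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in pwds:
            try:
                members = []
                for info in zf.infolist():
                    data = zf.read(info.filename, pwd=pwd)
                    members.append({
                        "name": info.filename,
                        "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "double_ext": bool(DOUBLE_EXT.search(info.filename)),
                    })
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                # RuntimeError: bad password; BadZipFile/zlib.error: the 1-in-256
                # ZipCrypto false accept that then fails on CRC or inflate.
                continue
            except NotImplementedError:
                report["note"] = "AES-encrypted ZIP (method 99): use 7z or pyzipper"
                break
            report["password"] = pwd.decode() if pwd else None
            report["members"] = members
            break
    return report


def build_sample_zip() -> bytes:
    """Constructed unencrypted archive with a double-extension member (not the session's file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Documents_Scan.pdf.exe", b"MZ" + b"\x00" * 62 + b"not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    cands = password_candidates(SAMPLE_EMAIL)
    print("password candidates:", cands)
    print(open_with_candidates(build_sample_zip(), cands))
```

On a real sample, `report["password"]` tells you which candidate opened the archive, and the member hashes are what you pivot on in TI Lookup or the sandbox. The regex deliberately over-collects ("with" from the decoy sentence is also returned); wrong candidates cost nothing, a missed one costs the whole analysis.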

Phishing attack containing PDF file

This phishing attack leverages a seemingly harmless PDF file to initiate a multi-step process that ultimately attempts to steal sensitive credentials. 

The sandbox attributes the attack to Tycoon (the Tycoon 2FA phishing-as-a-service kit) and Storm1747 (the threat actor tracked as operating it), which illustrates the layered sophistication of modern phishing campaigns. Here is the detailed analysis session: View Analysis Session

Initial observation in ANY.RUN’s sandbox

When the PDF file is opened in the sandbox, it presents a button prompting the user to download another PDF. Clicking this button initiates a series of redirects.

PDF file displayed inside ANY.RUN sandbox

Redirect chain and Cloudflare verification gate

The redirection leads to a website that sits behind Cloudflare's human-verification challenge. Attackers place this step in front of the phishing page to keep automated crawlers and URL scanners from ever reaching it. If you've enabled automated interactivity in ANY.RUN, the sandbox completes the challenge for you without manual input, so the analysis proceeds to the real page.

Cloudflare verification challenge during the phishing attack

Malicious website and credential harvesting

After completing the verification process, a website that mimics Microsoft’s login page requests the user’s Microsoft account credentials.

Website mimicking Microsoft login page

A quick glance at the URL reveals that it is unrelated to any official Microsoft domain. The link is also overly complex and filled with unnecessary characters. Of the two observations, the domain is the decisive one: a page asking for Microsoft credentials on a domain Microsoft does not own is a phishing page regardless of how the rest of the URL looks.
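The URL checks applied here and in the Excel example earlier, automated as an added Python example (editorial code, not from ANY.RUN or the analysis sessions). It assumes a short allowlist of Microsoft sign-in hostnames and approximates the registrable domain by the last two labels; the sample links are constructed and are not the URLs from the sessions. The verdict is driven by the domain, with length and randomness reported as supporting signals only.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Assumption: a trimmed allowlist for illustration. A real deployment would also
# carry tenant federation hosts (ADFS and the like) and maintain the list from
# an authoritative source.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
    "account.microsoft.com",
}


def registrable_domain(host: str) -> str:
    """Last two labels (evil.example). Approximation: use a public-suffix-list
    library for ccTLDs such as .co.uk where this is wrong."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shannon_entropy(s: str) -> float:
    """Bits per character. Random tokens score near or above 4; readable path
    segments score well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def triage_url(url: str, brand_hosts=MICROSOFT_LOGIN_HOSTS) -> dict:
    """Red flags for a link that claims to lead to a Microsoft sign-in page.

    A brand name anywhere in the hostname (login.microsoftonline.com.evil.example)
    is worthless if the registrable domain is not the brand's. Length and
    randomness are supporting signals only; legitimate OAuth redirects are long.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registrable_domain(host)
    brand_reg = {registrable_domain(h) for h in brand_hosts}
    tail = p.path + ("?" + p.query if p.query else "")

    domain_mismatch = host not in brand_hosts and reg not in brand_reg
    flags = []
    if domain_mismatch:
        flags.append(f"registrable domain {reg!r} is not a Microsoft sign-in domain")
        if any(k in host for k in ("microsoft", "office", "outlook")):
            flags.append("brand keyword in hostname but on a foreign domain (lookalike)")
    if p.scheme != "https":
        flags.append(f"scheme is {p.scheme!r}, not https")
    if len(url) > 150:
        flags.append(f"URL length {len(url)} is unusually long")
    ent = shannon_entropy(tail)
    if len(tail) > 40 and ent > 4.0:
        flags.append(f"path/query looks random (entropy {ent:.2f} bits/char)")

    if domain_mismatch:
        verdict = "likely phishing"
    elif flags:
        verdict = "review"  # cosmetic signals only; legitimate SSO links trip these
    else:
        verdict = "no red flags"
    return {"host": host, "registrable_domain": reg, "domain_mismatch": domain_mismatch,
            "path_entropy": round(ent, 2), "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links, not taken from the analysis sessions.
    for u in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.evil.example/common/oauth2/authorize",
        "http://secure-docs-view.example/ms/auth/?id=Zx9q3LkT8vB2nR7yWp4dQmH6cJ5sF1aGeNtU0bYx",
    ):
        r = triage_url(u)
        print(f"{r['verdict']:16} {u}")
        for f in r["flags"]:
            print("    -", f)
```

The second sample is the case the eye misses most often: the hostname starts with the genuine login host, but the registrable domain is evil.example. The third sample trips the length and randomness checks as well, but it is the domain mismatch that produces the verdict; the same random-looking tail on a real Microsoft host would only rate "review".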

Malware Indicators

The sandbox captures and highlights the malicious behavior, tagging the session with Storm1747 and Tycoon, which further confirms the attack's intent.

Phishing attack detected by ANY.RUN sandbox

Key Indicators of Phishing Attacks

Based on the analyzed examples, we can identify some common key indicators of phishing attacks:

  • Suspicious attachments: Files like Excel documents, archives, or PDFs containing unexpected links or prompts, including password-protected archives whose password is supplied in the message itself.
  • Misleading URLs: Links whose registrable domain is unrelated to the brand they imitate, often long and filled with random-looking characters.
  • Credential requests: Fake login pages designed to mimic trusted platforms, such as Microsoft.
  • Redirect chains: Multiple redirects or verification steps, often placing an abused service like Cloudflare's challenge in front of the page, to hide the final destination from scanners.
  • Brand imitation: Incorporating logos or designs from trusted companies to appear legitimate.

Recognizing these signs and analyzing them with tools like ANY.RUN’s interactive sandbox can help uncover phishing attempts and mitigate their risks effectively.

Get Your Black Friday Deals from ANY.RUN

Get ready to elevate your cybersecurity workflow with ANY.RUN’s Black Friday 2024 deals! For a limited time, you can save big while gaining access to powerful tools for analyzing threats efficiently.

Exclusive Black Friday Offer

Take advantage of ANY.RUN’s Black Friday deals, available until December 8:

  • For individual users: Get 2 licenses for the price of 1—perfect for solo researchers or analysts.
  • For teams: Enjoy up to 3 free licenses and an annual Basic Plan for Threat Intelligence Lookup, providing access to the latest threat intelligence data.

Explore all offers and try the service with a free trial today.
