
Cyber Incident Victim: ANY.RUN

Date:

May 2024

Location:

United States of America

Summary

A cybersecurity firm experienced a phishing incident when an employee's account was compromised after the employee interacted with a malicious link sent from a trusted but breached client. The attacker gained initial access when the employee entered valid credentials and MFA codes into a phishing page while analysing the link in a sandbox environment, then maintained persistence by registering a rogue MFA device. Over 23 days, unauthorized mailbox access occurred, culminating in data exfiltration via PerfectData Software and a subsequent phishing campaign targeting the employee's contacts. The organization swiftly revoked the compromised access, reset credentials, and contained lateral movement; no loss of data integrity occurred. The incident highlighted gaps in MFA policies and detection capabilities, prompting plans for enhanced access controls and continuous monitoring.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Threat Actor Type: Available to members
Threat Actor Location: Available to members

Description

The phishing incident targeting ANY.RUN began on May 23, 2024, when a sales team employee received an email from a compromised client account via a third-party service. The email contained a malicious link, which the employee uploaded to ANY.RUN's sandbox environment for analysis on May 27 at 07:37 UTC. Because the sandbox session was run without MITM proxy mode, HTTPS traffic was not decrypted and the Suricata IDS could not inspect it; the employee then entered legitimate credentials and MFA codes into a fake Microsoft login form hosted on a compromised trusted website. This granted the attacker initial access from IP 45.61.169.4 in Sheridan, Wyoming. By 08:22 UTC that same day, the threat actor registered their own mobile device in the MFA service, establishing persistent access to the compromised account. Over the next 23 days, the attacker repeatedly accessed the employee's mailbox from eight distinct IP addresses across the United States, including a primary VPS in Dallas, Texas (162.244.210.90). On June 5, they escalated by installing PerfectData Software (Azure App ID: ff8d92dc-3d82-41d6-bcbd-b9174d163620), an application capable of creating full mailbox backups, indicating an intent to exfiltrate data.

The attack culminated on June 18 at 17:16 UTC, when the threat actor used the compromised account to send phishing emails mimicking the original lure to the employee's entire contact list. ANY.RUN detected the unauthorized activity at 17:18 UTC and within four minutes disabled the account, reset credentials, and revoked active sessions, preventing lateral movement. Investigation revealed that the malicious links used in the campaign had been present in ANY.RUN's Threat Intelligence database for over a week, but they went undetected because free-tier sandbox users lack MITM proxy access and the updated OS versions required to identify them. Containment involved short-term monitoring of account activity and long-term plans for stricter MFA policies, conditional access controls, and device compliance requirements. Eradication measures removed the adversary-controlled MFA devices, the PerfectData application, and malicious Outlook rules (T1137.005). No data loss or system integrity issues occurred, so no recovery process was needed. The company confirmed the initial compromise vector as an AiTM phishing and BEC campaign originating from a compromised client, though the source entity did not respond to investigation requests. ANY.RUN disclosed four malicious URLs and eight attacker IPs as IoCs, including domains such as batimnmlp.click and threemanshop.com that hosted phishing infrastructure. The incident highlighted gaps in sandbox security configuration, MFA enforcement, and the operationalization of threat intelligence within the organization.

Sources

2 sources (available to members)