Social engineering: how scammers manipulate their victims | Kaspersky official blog

Unfortunately, it’s not just the gullible who fall for scams and phishing attacks anymore — literally anyone can become a victim today. Cybercriminals spend years honing their tactics to guarantee results, relying on sophisticated psychological manipulation that’s often hard to spot. In the cybersecurity world, these type of mind games even have their own name: social engineering.

In this article, we break down the psychological tricks scammers use to deceive their targets, the red flags you need to watch out for, and exactly what to do if you realize you’re being played.

The emotions scammers weaponize

Social engineering works precisely because it triggers our deepest emotions. When a victim is anxious, terrified, or caught up in the heat of the moment, they tend to make split-second decisions without thinking about the consequences. And that’s exactly what hackers are banking on.

That’s why, in such tense moment when you’re talking or texting with someone and they’re making demands, you need to pause for a second and ask yourself: “What exactly am I feeling right now? What was I feeling just a moment ago? Is this person trying to exploit my emotional state?”

Most of the time, scammers try to prey on these emotions:

  • Fear and anxiety
  • Excitement
  • Shame and guilt
  • Surprise and shock

First, verify who you’re actually dealing with

Before you even start looking for red flags, you need to check one basic thing: who are you actually talking to? If you’re chatting with, say, someone who claims to be a “bank representative”, your best bet is to look up the bank’s official phone number and email address online. Call them back or write to an address you know is 100% legitimate — it’s always better to be safe than sorry.

You should be especially on guard if someone reaches out to you on a messaging app or social media. As a rule, major companies simply don’t operate that way.

Dead giveaways you’re dealing with a scammer

They’re putting you on an emotional rollercoaster

Say you get an email from the “support team” of a streaming service you use. The message claims someone just tried to sign in to your account from another country — cue immediate panic. But then, they instantly soothe you: “Don’t worry, we blocked the suspicious sign-in attempt just in time. Your account is secure.”

The scammers don’t stop there, though. The very next paragraph plunges you right back into panic mode: “Unfortunately, during our security check, we discovered that your payment information may have been compromised.” Finally, they throw you a lifeline: “We are ready to help you fix this right now; just click this link to verify your identity.”

By the end of it, you’ve been yanked back and forth the entire minute you spent reading this “urgent update”. The goal of this emotional rollercoaster is to knock you off balance so that you stop thinking critically and just start reacting. And the moment the scammer swoops in with a supposed solution to the problem, your judgment goes completely out the window.

They know a little too much about you

Scammers will often deliberately bombard you with your own personal information just to make it seem like they really know what they’re talking about and have legitimate access to your sensitive data.

Just because the person on the other end happens to know details about your identity, finances, or contracts, doesn’t mean they aren’t a con artist. Thanks to endless data breaches, there’s a pretty massive digital dossier out there on almost all of us. It’s incredibly easy for a hacker to find out exactly how much you spent on grocery deliveries last year, who your cellphone carrier is, or what email address is associated with your bank account.

They try to scare you — sometimes with threats and extortion

Arguably, the easiest way to throw someone off balance is to strike fear into them or ramp up their anxiety. When offers that are too good to be true stop working, cybercriminals bust out the scare tactics: “Your account has been compromised”, “You will be charged with tax evasion unless you hand over your crypto wallet seed phrase”, “You will lose access to our services unless you call us right now”, or “You have been placed on a sex offender registry. Contact us to resolve this, or else we will press charges and leak your info to the media.” The list goes on.

Sometimes, these messages can seem totally emotionless, and perfectly mimic a real email from support. But if the tone is overly dramatic and you feel like you’re being cornered, the odds that you’re dealing with a scammer are close to 99.9%. And if they’re demanding you take action — like wire money to a random account, or hand over sensitive data — under the threat of physical harm, public shaming, or criminal charges — you can round that up to 100%.

To learn more about how extortionists operate, check out our post Email extortion: how scammers use blackmail.

An “extremely important person” is messaging you

To crank up the anxiety, scammers often sign their messages with the names of high-ranking officials. When this happens, take a breath and ask yourself: are you really sure the head of the IRS or the local police chief would personally call or text you? High-level officials and investigators usually have much bigger fish to fry. And if you’re being accused of some outrageous crime in a message signed by, say, the city’s chief prosecutor, that’s your cue to call their bluff.

You’re getting a too-good-to-be-true offer

Don’t fall for random acts of generosity or gifts that appear out of thin air. Here’s just a short list of what could happen to you:

  • You get an unexpected package with a QR code printed on the box. They tell you to scan it — supposedly to find out who sent it, claim a free coupon from the seller, or confirm delivery so you don’t get stuck with a shipping fee. It’s not hard to guess that the QR code actually leads to a phishing site. From there, the scammers have a field day: they can trick you into handing over your card info, convince you to download an app that turns out to be malware, or get you to cough up a verification code for your banking app.
  • “Hi! I’m calling from the delivery hub. You’ve got a package (or a bouquet of flowers) on the way. Could you please give me the verification code from the text message we just sent so you can claim your gift?” Look, everyone loves getting surprise gifts. But in the heat of the moment, it’s easy to let your guard down and accidentally hand the scammers a gift of your own — like the access code to your government services account.
  • Talk about luck! All kinds of celebrities are announcing a free NFT giveaway that promises to make you a fortune. To claim your new crypto asset, you launch a mini-app, type in your details, and… boom, your Telegram account is gone. And looking back, those celebrity profiles pushing the giveaway did seem a little off…

They’re rushing you and trying to cut you off from the outside world

“Don’t hang up! This is your last chance to recover access to your account.” “If you do not reply to this email within eight hours, we will press criminal charges against you.” “You need to go to the bank immediately to save your remaining cash and deposit it into a secure account.” If similar phrases are used to spring you into immediate action, hit the brakes — the scammers are just trying to scare you and create a false sense of urgency.

This is a textbook tactic. Imagine getting a call from a scammer posing as a bank representative or even an official from the Department of Commerce, claiming your bank accounts have been hacked. They then ask you to sign a non-disclosure agreement — supposedly to help recover your money — and threaten legal action if you tell a soul, even your closest family members. They’ll insist the matter is “serious”, requires immediate action, and that cooperating with government agencies “must remain strictly confidential”.

Remember: legitimate company reps or government officials would never ask you to keep secrets unless you deal with classified government data or you’ve signed an actual corporate NDA. Scammers deliberately cut victims off from any support system, voice of reason, or outside opinion. And they don’t just isolate you from people; they cut you off from information entirely. They might intentionally keep you on the line or bombard you with emotionally charged texts, so you don’t even have a second to breathe, let alone look something up online.

When you’re in a state of high anxiety, it’s incredibly easy to fall for these manipulations and make reckless choices — even when you think you’re just trying to fix the problem. Never be afraid to reach out for help; getting a second opinion on what’s going on is always a smart move.

They try to shame you

Imagine getting a notification that your account has been compromised, and it ends with a prompt to contact support. But as the “support rep” looks into the issue, they simultaneously try to guilt-trip you: “When was the last time you changed your password? A while ago? Didn’t you see our urgent warnings to update your credentials?” or “Look, the text message literally says right there: do not share this code with anyone! Why on earth did you give it out?” This is a deliberate tactic to hook you with a sense of guilt, making you feel like you’ve lost control and need the scammer’s expertise and help.

Even if you actually did make a mistake, don’t beat yourself up. Falling for a scammer’s trap is much easier than you think — all it takes is one stressful day at work and a call coming in at the absolute worst moment.

You suddenly get a warning that you’ve been… talking to scammers

Scammers love using confusing, multi-stage schemes. For example, they might first try to trick you into giving up your banking app access code under the guise of updating your account information. But then, the call suddenly drops, or you get an immediate text warning you that you were just talking to a scammer, your account has been breached, and you need to contact support immediately for your own safety. Sometimes, self-proclaimed “federal agents” or “law enforcement officers” will even barge into the conversation.

The catch is that this “security team” is part of the same group of scammers keeping the con alive. They’ll start insisting that all your money is about to fall into criminal hands unless you move it to a “secure account”, or claim that someone has already taken out payday loans in your name.

Do not contact unfamiliar numbers or email addresses sent to you in messages — even if they promise to help. Find the company or agency’s legitimate website, look up their official contact channels, and use only those. Remember: no government agency — and certainly no private company — is wiretapping your phone to check if you’re talking to fraudsters.

What to do if you’ve fallen for a scam

First and foremost — don’t blame yourself. Anyone can be caught off guard and end up being tricked when they’re feeling vulnerable. Try not to panic, and think back to exactly what kind of information you handed over. Your next steps depend entirely on that:

  • You gave out a text verification code or an account password → Immediately change your password for that service, as well as for any other accounts where you reused it. Turn on two-factor authentication if you haven’t already.
  • You handed over your card details → Call your bank immediately and ask them to freeze your card. If money has already been withdrawn or wired from your account, ask how you can dispute the transaction.
  • You clicked a suspicious link or downloaded a file from an unknown sender → Scan your device with a reliable antivirus. Trying to figure out on your own whether you’ve picked up malware is practically impossible, as it often hides on your device without showing any obvious signs.

Don’t listen to the scammers

Here’s how you can protect your accounts, data, and money:

  • Take your time. If someone is rushing you to act immediately — enter your details, give up a code, or send money — you’re most likely talking to a cybercriminal. Hit pause, call the company back at the official number on their website, and check if they actually need anything from you.
  • Outsource your fears to Kaspersky Premium. Unlike a human, our security suite is completely unbiased and spots phishing emails and malicious files right where a person might get flustered. It’ll block you from opening suspicious websites, stop attempts to infect your device, neutralize any discovered malware, and keep your data and money safe.
  • Turn on two-factor authentication for your important accounts. With Kaspersky Password Manager, you can generate one-time login codes that change every 30 seconds — making them much harder for scammers to intercept than codes sent via email or text.
  • Stick to the golden rule: never reuse a password. If you use the same password across different services, a hacker only needs to crack one account to automatically gain access to all the others. Variations like “Password123” and “Password1234!” won’t cut it either — minor tweaks like that are incredibly easy to guess. Of course, memorizing dozens or even hundreds of different passwords manually is a superhuman feat. That’s where a password manager comes in handy, safely storing your data in an encrypted vault and generating truly complex, unique passwords for you.

Check out our other posts for even more security tips:

Kaspersky official blog – ​Read More

Release Notes: In-Browser Data Inspection, Torq Integration, and 1,100+ Threat Coverage Updates

Phishing pages don’t sit still anymore. They redirect, load scripts, harvest credentials through dynamic forms, and rebuild their DOM after the initial load — and most URL analysis workflows still only see the finish line, not the race. This June, ANY.RUN closed that gap directly inside the Interactive Sandbox and extended its automation reach with a new integration built for scale. 

Here’s what your team can put to work this month: full browser-level visibility for every URL analysis, a no-code path to embed ANY.RUN in Torq playbooks, and over 1,100 new detections across behavior signatures, Suricata rules, and YARA rules. 

Product Updates 

June’s releases focus on closing the visibility gap in phishing investigations and giving SOC and MSSP teams a faster route from alert to automated response. The headline update is in-browser data inspection, a new investigation layer in the Interactive Sandbox, alongside a new integration with the Torq AI SOC Platform. 

Closing the Phishing Blind Spot with In-Browser Data Inspection

Modern phishing campaigns rarely stop at a malicious URL. They rely on dynamic content, JavaScript, multi-stage redirects, credential harvesting forms, and browser-based tricks that often remain invisible to traditional analysis methods. 

This month, ANY.RUN introduced In-Browser Data Inspection, a new capability that captures browser-rendered content during URL analysis, revealing exactly what users would experience when interacting with a suspicious website. 

Instead of relying solely on page source or network data, analysts can now inspect: 

  • Fully rendered web pages and dynamic content; 
  • Phishing forms and credential collection attempts; 
  • Client-side JavaScript execution; 
  • Redirect chains and browser behavior; 
  • Hidden elements designed to evade detection.
See all URL details, DOM changes, network requests, and IOCs in one place 

For SOC analysts, this means fewer blind spots during phishing investigations and faster validation of suspicious URLs. 

For security managers and CISOs, it means higher confidence in phishing detection, quicker incident triage, and better protection against increasingly sophisticated browser-based attacks. 

Scaling Triage and Response with the ANY.RUN & Torq Integration

Alert volume keeps growing faster than SOC headcount, and every alert that lands without context costs an analyst time they don’t have. ANY.RUN’s new integration with the Torq AI SOC Platform puts conclusive malware and phishing verdicts directly into the automated workflows teams already build in Torq: no custom code, no months-long rollout. 

The integration ships with five ready-to-use Torq HyperAgents™ covering two workflow types: case-based templates that pull observables straight from an open Torq case for enrichment, and standalone sandbox workflows that accept a URL or file as input and return a full verdict, IOC list, and report link anywhere in a custom automation chain. Results — reputation data, threat names, tags, and structured JSON — land directly in Torq Case Management, ready to branch on. 

Teams integrating ANY.RUN into Torq gain: 

  • Faster incident resolution, with an average MTTR reduction of 21 minutes per case. 
  • Operational scaling without added headcount, as HyperAgents absorb routine Tier 1 enrichment work. 
  • Zero development overhead, with a no-code setup that’s live in minutes rather than months. 
  • Standardized investigation logic, so every alert is checked against the same high-fidelity criteria regardless of analyst experience. 
  • Higher ROI on existing tools, as ANY.RUN enriches the SIEM, EDR, and XDR data already flowing into Torq. 
ANY.RUN’s Sandbox provides fast case enrichment in Torq

The integration is available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, giving SOC and MSSP teams a direct path to scale triage and response without scaling the team itself. 

Experience the latest ANY.RUN capabilities.
Gain deeper browser visibility and accelerate investigations
with Torq-powered automation.



Integrate in your SOC


Threat Coverage Updates

Keeping pace with evolving malware remains a core priority for our detection team. During June, we significantly expanded threat coverage with:

  • 1,055 new Suricata rules,
  • 65 new behavior signatures,
  • 14 new YARA rules.

These additions improve detection across network traffic, behavioral activity, and malware samples, helping analysts identify emerging threats faster while increasing investigation accuracy. The continuous expansion of detection logic also strengthens the quality of intelligence powering ANY.RUN’s Interactive Sandbox and Threat Intelligence solutions.

New Behavior Signatures

The 65 new behavior signatures added this month target malware-specific activity helping analysts confirm what a sample actually does inside the sandbox, rather than inferring it from static traits alone. Coverage this month spans commodity stealers and loaders, RATs, and ransomware families active across recent phishing and malvertising campaigns.

Highlighted detections include: 

Cut response delays before threats become costly incidents.
Give your SOC faster, evidence-backed decisions



Integrate in your SOC


New Suricata Rules

A total of 1,055 new Suricata rules were implemented in June to improve visibility into malicious network activity, including:

  • Phishing Redirect Engine related URL (sid: 89003883) – Identifies various PhaaS operators’ infrastructure used as routing layer, delivering victim to specific phishkit landing pages.
  • Adobe-themed RMM phishing (sid: 84003399) – Tracks attempts to lure user into installing remote management tool, disguised as shared secure documents.
  • SilentNet CnC HTTP activity (sid: 84003444) – Detects SilentNet attempts to communicate with its C2-server.

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding andclearer evidence for response.

Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as Threat Intelligence solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.

ANY.RUN is SOC 2 Type II attested, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigationuncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.

Integrate ANY.RUN into your SOC workflow → 

The post Release Notes: In-Browser Data Inspection, Torq Integration, and 1,100+ Threat Coverage Updates appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

This month in security with Tony Anscombe – June 2026 edition

Three-day patching deadlines, exposed fuel-tank systems, scams costing billions of dollars, and social media bans for children all gave Tony plenty to unpack in June 2026

WeLiveSecurity – ​Read More

Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed

For a US automotive manufacturer working with more than 200 active vendors, supplier file intake had become a growing security and cost challenge. Suspicious submissions often reached the SOC without enough context, forcing Tier 1 analysts to escalate most cases and slowing detection and response across the business. 

By introducing a scalable triage and analysis process with behavioral sandboxing and threat intelligence, the company made alert processing and threat analysis 2x faster, improved MTTD and MTTR, increased its detection rate, reduced escalation pressure, and analyzed hundreds of files every week without adding headcount.

A US Automotive Manufacturer Built Around a Large Supplier Ecosystem 

The company is a US-based automotive manufacturer operating within a highly interconnected supply chain. Its daily operations depend on continuous collaboration with more than 200 active vendors and third-party contractors. 

These external partners regularly exchange files with the organization to support ongoing manufacturing, technical, and business processes. This makes supplier communication essential to keeping operations moving, but it also creates a large and constantly changing entry point for risk. 

The SOC is responsible for protecting the company’s environment while ensuring legitimate supplier activity is not delayed. As the volume of incoming files grew, the team needed a way to analyzesubmissions consistently, improve detection and response speed, and reduce third-party exposure without increasing staffing costs. 

The Challenge: Supplier Files Were Entering Without a Consistent Analysis Process 

Before ANY.RUN, the company had no systematic process for analyzing files received from vendors and third-party contractors. 

US Manufacturer’s security challenges
US Manufacturer’s security challenges 

Existing security controls could flag a submission as suspicious, but they did not always show what the file would actually do after execution. Without behavioral evidence, analysts were left with incomplete indicators and uncertain verdicts.

“The volume itself was not the only challenge. The bigger issue was that analysts did not have enough context to quickly decide which supplier files were safe and which required further action.” 

Head of SOC, US automotive manufacturer 

This created several problems for the SOC:

A Security Gap in Supplier File Intake 

Files could enter the environment without passing through a dedicated behavioral analysis layer.

This limited the company’s ability to identify threats that appeared harmless during static inspection but revealed malicious activity only after execution.

For a manufacturer with a large supplier ecosystem, this created meaningful third-party risk. A compromised vendor could become an indirect route into the organization, even when the manufacturer’s own internal defenses remained strong.

High Escalation Rates 

Tier 1 analysts often lacked enough context to confidently close suspicious submissions. 

As a result, the majority of these files were escalated to more experienced analysts. Senior team members had to spend time reviewing cases that could have been resolved earlier with clearer evidence. 

Rising Investigation Costs 

The supplier network continued to generate a high volume of files. Handling that growth through manual investigation would have required more analyst hours and, eventually, additional headcount. 

Without a more scalable process, the company risked paying more just to maintain the same level of protection.

Longer Exposure to Potential Threats 

Every delay in validating a suspicious file extended the period during which the organization could not confidently allow, block, or contain it. 

In a manufacturing environment, a missed threat can affect more than an individual endpoint. It can disrupt operations, expose sensitive data, and weaken trust across the supplier network. 

Building a Scalable Supplier File Triage and Analysis Process with ANY.RUN 

The manufacturer introduced a consistent process for analyzing files received from vendors and third-party contractors. 

By combining behavioral analysis with threat intelligence, the SOC gained both the evidence needed to understand what a file does and the context required to assess the wider threat behind it. 

“We have over 200 active vendors sending files into the environment. ANY.RUN gave us a scalable way to analyze that volume and make triage much faster without adding headcount”

Head of SOC, automotive manufacturer

Instead of relying on isolated alerts or incomplete indicators, analysts could detect malicious submissions more accurately, reach verdicts faster, resolve more cases at Tier 1, and reduce the amount of senior analyst time spent on routine reviews. 

This improved detection quality while contributing to lower MTTD and MTTR across supplier-related investigations. 

Reaching Faster Verdicts with Behavioral Evidence 

The SOC reduced triage time by giving analysts direct visibility into what suspicious supplier files did after execution. 

Files were safely analyzed in ANY.RUN’s cloud-based Interactive Sandbox, where the team could review process activity, network connections, system changes, commands, and other behavior without exposing the production environment. 

Full chain of a complicated EvilTokens attack on US companies analyzed in just 1 minute

This replaced incomplete indicators with clear evidence of whether a submission was malicious and how it could affect the business. 

“We no longer have to spend time piecing together what a supplier file might do. The behavior is visible in one place, which makes decisions faster and easier to defend.” 

Head of SOC, US automotive manufacturer 

Structured and visual results also helped Tier 1 analysts move from alert to verdict with fewer manual checks. Instead of reconstructing file behavior across disconnected tools, they could validatesuspicious submissions faster and make more confident decisions. 

The faster path from alert to confirmed verdict contributed to improved MTTD, while clearer evidence and fewer repeated checks helped reduce MTTR. 

Cut investigation time with clear behavioral evidence
Help analysts reach faster decisions.



Accelerate triage now  


Connecting Supplier Files to Wider Threat Activity 

Behavioral analysis showed the team what each suspicious file did. Threat intelligence helped reveal whether the submission was connected to a larger risk.

Indicators uncovered during analysis could be linked to malicious infrastructure, related samples, known campaigns, and attacker activity. This gave analysts a clearer view of whether they were dealing with an isolated file or broader activity involving the company’s supplier ecosystem. 

ANY.RUN’s Threat Intelligence used to explore broader threat context

The SOC also used this context to uncover additional indicators and behavioral patterns, strengthening internal detection controls beyond the original submission.

As a result, each investigation contributed to wider threat visibility. The team could resolve the immediate case while also identifying related activity that might otherwise remain hidden across the supply chain. 

Resolving More Supplier Files at Tier 1 

Before ANY.RUN, suspicious supplier files often moved up the escalation chain because Tier 1 analysts lacked enough evidence to confidently determine whether they were safe or malicious. 

With behavioral analysis, threat intelligence, and structured Tier 1 Reports available in the same workflow, first-line analysts received clearer summaries of each case, along with practical recommendations for the next step. 

AI Summary generated inside ANY.RUN’s sandbox for deeper analysis and faster handoff

This reduced the need to interpret every technical detail manually and helped analysts reach decisions faster. The company recorded a significant reduction in Tier 1 escalations, while Tier 2 received fewer low-context cases. 

“Cases that can be resolved at the first level no longer consume Tier 2 time. When escalation is necessary, senior analysts receive the relevant evidence instead of having to restart the investigation.” 

Head of SOC, US automotive manufacturer 

The change reduced duplicated work and made better use of specialist expertise. Senior analysts spent less time repeating initial validation and more time investigating complex or high-impact threats. 

More supplier files were resolved at the right level the first time, helping investigation queues move faster and lowering the cost of each case. 

Analyzing Hundreds of Files Without Adding Headcount 

The company now analyzes hundreds of supplier files every week without hiring additional analysts.

For the business, this is one of the clearest returns from the new process. The manufacturer increased its triage and analysis capacity while keeping staffing costs stable. 

Instead of treating headcount growth as the only solution to rising file volumes, the company gave its existing team a faster and more consistent way to detect malicious activity and reach verdicts. 

The SOC now absorbs more supplier activity without creating the same increase in labor costs or investigation backlogs. 

This also gives the company a more sustainable foundation for growth. As the vendor network expands or file volume rises, the security team has a triage process that can scale with it. 

Reduce third-party exposure before it affects operations.
Increase security capacity without increasing headcount.



Reduce risk now  


Improving MTTD and MTTR with 2x Faster Triage 

The manufacturer achieved a 2x improvement in alert processing and threat analysis speed, contributing to lower mean time to detect and mean time to respond. 

Suspicious supplier files moved through triage twice as fast. Analysts identified malicious behavior sooner, reached confirmed verdicts with less delay, and passed high-risk cases into response with clearer evidence already collected.

Legitimate submissions were also cleared faster, reducing the time business teams spent waiting for a security decision. 

“We cut the time it takes to move from a suspicious supplier file to a clear decision in half. That gave the business faster answers and reduced the time potential threats remained unresolved.” 

Head of SOC, US automotive manufacturer 

This faster process also reduced the company’s exposure window. Analysts reached evidence-backed verdicts sooner without sacrificing investigation depth, helping the SOC protect operations while keeping supplier workflows moving. 

Before ANY.RUN  Result with ANY.RUN  Business Impact 
No systematic process for analyzing vendor files  Hundreds of supplier files analyzed weekly  Greater triage capacity without additional hiring 
No behavioral analysis layer in supplier file intake  Malicious behaviordetected through direct execution evidence  Higher detection rate and lower third-party exposure 
Most suspicious submissions escalated by Tier 1  Significant reduction in Tier 1 escalations  More senior analyst capacity for critical incidents 
Slow, context-limited investigations  2x faster alert processing and threat analysis  Improved MTTD and MTTR with a shorter exposure window 

A Practical Model for Manufacturing Leaders Managing Third-Party Risk 

For manufacturing leaders, supplier security is not only a SOC issue. It affects operational continuity, staffing costs, executive accountability, and the company’s ability to grow without increasing exposure. 

A scalable approach should combine consistent file validation, broader threat context, and measurable outcomes. 

Turn Supplier File Intake into a Defined Risk Control 

A consistent triage helps the SOC apply the same standard to files received from vendors and contractors. 

With behavioral evidence from the Interactive Sandbox and additional context from Threat Intelligence, teams can replace inconsistent manual checks with a repeatable validation workflow.

For leadership, this creates clearer oversight of one of the company’s most exposed third-party risk channels. 

Increase Capacity Without Matching Growth with Headcount 

Faster verdicts and fewer unnecessary escalations allow the existing team to handle more supplier submissions. 

ANY.RUN reduces duplicated work, protects senior analyst capacity, and helps the SOC process higher file volumes without expanding at the same rate. 

The result is lower investigation cost and greater value from existing security resources. 

Protect Operations Without Slowing Supplier Activity 

Suspicious files can be analyzed in a controlled environment before they reach internal systems, while legitimate submissions move through review faster. 

This helps reduce the risk of supplier-borne threats without creating unnecessary delays for manufacturing, procurement, engineering, or other teams that depend on third-party collaboration. 

Connect Individual Submissions to Wider Exposure 

A suspicious file may be only one part of a larger campaign. 

ANY.RUN’s Threat Intelligence solutions help teams connect indicators to known infrastructure, related samples, active campaigns, and broader attacker activity. 

This gives leadership a clearer view of whether the company is dealing with an isolated submission or wider exposure involving suppliers and other external partners. 

Demonstrate Measurable Business Value 

The strongest supplier security programs are measured by outcomes, not by the number of files processed. 

With ANY.RUN, organizations can track improvements such as lower MTTD and MTTR, higher detection rates, fewer Tier 1 escalations, greater analysis capacity, and shorter exposure windows. 

These results make it easier to show how supplier security investments reduce risk, avoid additional staffing costs, and support business growth. 

Improve MTTD and shorten the business exposure window.

Reduce supplier-driven risk before it affects operations.



Strengthen supplier security  


Conclusion 

For this US automotive manufacturer, supplier file intake had become both a security risk and a growing cost center. More than 200 vendors were sending files into the environment, while analysts lacked a consistent way to validate behavior, add threat context, and reach fast decisions.

With ANY.RUN, the company built a scalable triage process that now supports hundreds of supplier files every week without additional headcount. Threat analysis became 2x faster, MTTD and MTTR improved, detection increased, and fewer cases required Tier 2 escalation. 

The result is a stronger security model for a complex supplier ecosystem: lower third-party exposure, better use of analyst time, and faster decisions that keep business operations moving. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate cyber threats faster and make evidence-based security decisions. 

Its cloud-based Interactive Sandbox enables teams to safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior as it unfolds, and collect clear evidence for triage and response.

ANY.RUN’s Threat Intelligence solutions provide additional context around indicators, malicious infrastructure, emerging campaigns, and attacker activity. Together, these capabilities help organizations improve threat detection, reduce investigation time, and manage growing security demands without adding unnecessary operational costs. 

The post Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Inside the inbox: Why cybercriminals want to break into your email account

Your inbox is an identity system all of its own: whoever owns it may own a lot more

WeLiveSecurity – ​Read More

SMB cyber readiness: the road to resilience starts here

Your business may be small, but its attack surface is anything but. Readiness is the first step to resilience.

WeLiveSecurity – ​Read More

250,000 misconfigurations in GitHub Actions | Kaspersky official blog

Stories about supply chain attacks appear in the news with alarming regularity. In most cases they begin when attackers compromise publicly available packages. This may give the impression that the main danger of public repositories lies in the fact that someone could steal a developer’s credentials and inject malicious code into the software they create. However, in reality, this isn’t the only thing to be wary of when working with repositories hosting open-source projects. Misconfigurations of key components can also be a source of problems.

In particular, GitHub Actions — automation scripts that enable the creation of continuous integration and continuous delivery (CI/CD) pipelines — can pose a risk. Errors and misconfigurations in these scripts are periodically exploited by attackers in real-world attacks. A prime example is the recent Mini Shai-Hulud malware campaign. While it also began with the compromise of a popular project’s maintainer, the malware distributed during this campaign stole secrets specifically by exploiting a flaw in GitHub Actions.

Using a new set of rules for Kaspersky Container Security, our experts from the Global Research and Analysis Team (GReAT) conducted a security analysis of GitHub Actions across ~30,000 popular GitHub repositories. In short, automation pipelines in only 10% of these repositories raised no concerns.

Detailed research results

In total, the rules implemented as part of the latest KCS release were used to scan ~130,000 pipelines. They identified more than 250,000 potential deviations from recommendations for secure CI/CD configuration. Of course, these deviations cannot be considered vulnerabilities in and of themselves, but they do indicate areas where the configuration may require additional review and more careful tuning.

Of these 250,000+ deviations, 59.8% can be classified as low risk, and 39.8% — medium risk. However, in 0.4% of cases, more serious misconfigurations were found, which our technologies classified as high risk. Furthermore, critical flaws found in eight repositories could potentially lead to supply chain compromise. The affected repositories covered a wide range of use cases — including AI integration in enterprise environments, services for developers and automation, and as well as security testing tools. Of course, our experts reported these critical issues to the maintainers of the relevant repositories.

Here are the most common flaws found in the GitHub Actions we reviewed:

  • implicitly defined or overly broad access permissions,
  • lack of version pinning for used dependances,
  • configuration settings applied at the workflow level.

In addition, more dangerous patterns were found: (i) exposure of secrets at the top level, (ii) potentially insecure run conditions, and (iii) insecure handling of external data. Fortunately, however, these were much less common.

How can you stay safe?

Misconfigurations in GitHub Actions can potentially turn development pipelines into tools for attackers, allowing them to compromise the development environment or attack a company’s infrastructure. Issues identified in a timely manner will enable developers to build more secure processes and minimize the risk of supply chain compromise.

Searching for misconfigurations in GitHub Actions.

Searching for misconfigurations in GitHub Actions.

The set of rules mentioned above, which was used in this study, is now available to Kaspersky Container Security users following the latest update. With this set of rules, our solution can detect misconfigurations in GitHub Actions both by scanning repositories and by being integrated directly into CI/CD pipelines. You can learn more about the KSC solution on its page.

Kaspersky official blog – ​Read More

Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances

ESET Research analyzes Gamaredon’s new toolset and the group’s growing reliance on legitimate online services to hide its C&C infrastructure and exfiltrate stolen data

WeLiveSecurity – ​Read More

ANY.RUN & Torq Integration: Scale Triage & Respond with Confidence

Lack of alert context makes it difficult for Security Operations Centers (SOC) to distinguish actual threats from false positives. ANY.RUN’s integration with Torq, a no-code/AI SOC automation platform, bridges this gap by delivering conclusive malware & phishing verdicts and actionable intelligence.  

The result for your team is faster incident resolution, reduced alert fatigue, and proactive threat detection. 

ANY.RUN & Torq Integration 

Unlike legacy SOAR approaches that often require custom code and months of implementation, Torq allows SOC and MSSP teams to build response logic visually. The ANY.RUN integration adds a critical layer of malware analysis, phishing detection, and IOC enrichment to these workflows. 

At launch, users have access to 5 ready-to-use templates designed to accelerate time-to-verdict and standardize the investigation process. 

Teams can edit the current templates to fit their specific processes, adding actions, changing conditions, or using ANY.RUN as one specific step in a complex, multi-tool automation. 

Available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, the integration helps analysts streamline their workflows, gaining full alert or threat context quickly with an average reduction in MTTR of 21 minutes.  

Speed up triage & response inside Torq with ANY.RUN
Scale your SOC capability without adding headcount



Contact us 


Interactive Sandbox Templates in Torq 

The Interactive Sandbox workflows allow analysts to detonate suspicious objects in real-time environments (WindowsLinuxmacOS or Android) to uncover evasive behaviors. There are two types of templates available for sandbox analysis: 

1. Case-Based Workflows 

ANY.RUN’s Sandbox provides fast case enrichment in Torq

These are triggered directly from a Torq Case, where observables and attachments are automatically ingested from sources like EDR, SIEM, XDR, or email security tools. 

  • Process: The analyst opens a case and launches the workflow. The system automatically retrieves observables or attachments, filtering for supported objects such as URLs or files. Analysts can then select specific objects for detonation. 
  • Result: Analysis data is added to the case notes in real-time. This includes a brief context, reputation, threat names or tags, and a structured JSON response. Additionally, a direct link is provided, allowing the analyst to jump into the ANY.RUN session to continue a manual, interactive analysis. 

The list of case-based templates: 

2. Sandbox Analysis Workflows 

These templates are designed to be embedded as a specific step within a larger, custom incident response flow

  • Process: Unlike case-based templates, these function independently of a specific case. They accept a URL or File as an input parameter and initiate the ANY.RUN Sandbox analysis. 
  • Result: The workflow waits for the analysis to complete and returns a structured JSON object containing the final verdict, analysis metadata, a list of IOCs, and a link to the full report. This data can then be passed further down the custom automation chain. 

The list of sandbox analysis templates: 

Threat Intelligence Lookup Templates in Torq 

TI Lookup adds context to isolated indicators, giving SOC teams the clarity for correct decisions

The Threat Intelligence (TI) Lookup integration focuses on rapid enrichment of “raw” observables found in alerts, such as IPs, domains, hashes, and URLs. 

  • Automation at Scale: When a case contains suspicious indicators, the TI Lookup workflow queries ANY.RUN’s vast database of threat data—continuously updated from millions of sandbox sessions. 
  • Instant Context: The workflow returns high-fidelity data including the reputation of the indicator, threat names, and specific tags. This allows analysts to immediately understand the nature of a threat and decide whether to block the indicator or escalate the incident. 
  • Enrichment Integration: Much like the sandbox workflows, TI Lookup results are delivered directly into the Torq interface as JSON data or case notes, ensuring that the analyst never has to leave their primary workspace to gather intelligence. 

Explore the TI Lookup template

How to Integrate ANY.RUN in Torq 

Setting up the integration is straightforward and requires no custom coding: 

  1. Navigate to Integrations within Torq and locate ANY.RUN
  1. Click Add, create a new instance, and enter your API key
  1. Go to the Templates tab and search for ANY.RUN templates. 
  1. Select your previously configured ANY.RUN integration to begin using the workflows. 

By default, these playbooks are configured to be launched manually. This is a deliberate design choice to ensure that only appropriate objects are sent for analysis.  

However, for high-volume environments, these templates can be easily integrated into broader, fully automated playbooks

Key SOC & MSSP Benefits of Integrating ANY.RUN in Torq 

ANY.RUN’s deep behavioral visibility with Torq’s hyper-automated orchestration levels up the efficiency of modern security operations, moving beyond simple automation toward maximizing security ROI. 

  • Faster incident resolution (MTTR): Automating sandbox analysis and threat intelligence correlation allows you to cut incident resolution time by tens of percent. Analysts get clear verdicts in seconds, enabling them to block threats before they spread. 
  • Operational scaling: You can handle a growing volume of alerts with your current staff. By automating routine Tier 1 tasks, your team can focus on complex threats without a proportional increase in headcount. 
  • Zero development overhead: Unlike custom integrations that require months of engineering, this no-code setup is ready in minutes. You get a functional automation foundation without the cost of writing or maintaining scripts. 
  • Standardized investigation logic: Every alert is checked using the same high-fidelity criteria. This ensures consistent results and reduces the risk of human error, regardless of an analyst’s experience level. 
  • Higher ROI on existing tools: ANY.RUN works as an enrichment layer inside Torq, making your SIEM, EDR, and other security investments more effective by providing them with immediate, actionable context. 
  • Reduced analyst burnout: By eliminating manual data entry and constant switching between tools, you allow your team to focus on meaningful security work, which improves overall SOC productivity. 

Integrate ANY.RUN’s solutions in Torq
Close security gaps and reduce MTTR with confidence



Contact us 


About ANY.RUN 

Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations worldwide, ANY.RUN helps security teams investigate threats faster and with greater accuracy. 

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, while our Threat Intelligence solutions (TI Lookup and TI Feedsprovide the necessary context to anticipate and stop today’s most advanced attacks. 

The integration of ANY.RUN with Torq adds a specialized layer of malware analysis, phishing detection, and IOC enrichment to your security operations. By utilizing these automated workflows, SOC teams can seamlessly embed ANY.RUN’s deep visibility into their existing triage and incident response flows. 

The post ANY.RUN & Torq Integration: Scale Triage & Respond with Confidence appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ESET takes part in Operation Endgame to disrupt Amadey and Stealc

ESET researchers assisted in the global disruption of the Amadey botnet and Stealc infostealer, providing technical analysis, infrastructure tracking, and affiliate-level insights

WeLiveSecurity – ​Read More