Threat hunting is widely recognized as one of the most important capabilities of a mature SOC. It uncovers stealthy attackers early, reduces dwell time, and prevents security incidents from impacting the business. Yet, in practice, many organizations find that their threat hunting efforts don’t consistently deliver these outcomes. 

Let’s take a look at how high-performing security teams make threat hunting more repeatable, measurable, and effective. 

Why Threat Hunting Programs Often Fail Before They Start 

Most threat hunting teams are doing many things right. They understand attacker techniques, follow threat intelligence reports, and rely on established frameworks. Even so, translating this knowledge into reliable detections can be harder than expected. 

The challenge is rarely about analyst skill or methodology. More often, it comes down to the lack of rich, current, behavior-driven intelligence that makes hunts actionable at scale. 

Most teams operate with fragmented and incomplete inputs:  

1. Teams know attacker techniques but don’t see them in action: Without real execution data such as processes, files, registry and network behavior, TTP hunts stay theoretical and detections remain generic, leaving real business exposure undiscovered. 

2. Indicators come without context: IOCs alone don’t explain how attacks unfold, what happens next, or which assets are at risk, leading to late detection and higher incident impact for the business. 

3. Third-part threat reports cost more effort than they deliver value: Being outdated, fragmented, and too high-level, they slow down hunting and detection engineering, increasing the likelihood of incidents and response costs. 

The result is predictable. Threat hunting consumes significant analyst time while delivering low ROI. Hunts take weeks, detections are rolled out with low confidence, and leadership struggles to see a clear business outcome. 

What Ineffective Threat Hunting Means for the Business 

When threat hunting fails, the security risks and expenses for companies start to grow, leading to: 

• Later detection of active threats: Attacks are identified after user interaction, credential abuse, or persistence, expanding impact and recovery effort. 

• Higher and less predictable incident costs: Delayed visibility forces broader containment, longer investigations, and extended recovery timelines. 

• Unclear risk posture at the executive level: Leadership lacks evidence that proactive security efforts are reducing exposure, limiting informed decision-making. 

• Inefficient use of security resources: Analyst time is spent on activities that do not measurably reduce incident likelihood or impact. 

How to Make Threat Hunting Work in Your SOC or MSSP

Effective and scalable threat hunting starts with real attacker behavior, not theory. Teams build hunting ideas around how attacks actually happen today and continuously adjust them based on what they observe in real investigations. 

This keeps threat hunting practical, repeatable, and aligned with what is actually happening in the threat landscape, rather than relying on abstract models or outdated intelligence. 

This is where ANY.RUN’s Threat Intelligence Lookup proves to be essential for hundreds of SOC teams in companies across finance and transportation to technology and MSSPs in healthcare.  

How TI Lookup Transforms Your Hunts for Maximum Business Impact 

TI Lookup supports instant search across a vast database of threats and indicators. It is built on real-time attack investigations from ANY.RUN’s Interactive Sandbox, where 15,000+ SOC teams and 600,000+ analysts manually analyze live malware and phishing every day. Each investigation immediately feeds fresh data into TI Lookup. 

While most threat intelligence on the market is recycled from other sources, TI Lookup delivers original intelligence derived from live attack activity.  

As a result, TI Lookup acts as a powerful starting point for hunters, giving them access to: 

• Massive attack volume for broader threat coverage: Millions of real executions across industries, regions, and campaigns, expanding your SOC’s visibility and reducing blind spots.

• Near real-time freshness for faster business risk awareness: Intelligence appears hours after attacks are observed, not days or weeks later, enabling earlier risk assessment and response.

• 40+ types of indicators for higher detection rate: Rich telemetry, spanning IOCs, IOBs, and IOAs (from IPs and domains to registry keys and TTPs) is searchable and available to hunters in 2 seconds, reducing the chance of missed threats.

• Behavior-first context for quick prioritization: Every indicator is tied to an actual malware or phishing attack, helping teams quickly separate business-critical risk from low-impact noise.

• Integration with SOC tools for scalability: Thanks to ready-made connectors and API/SDK support, TI Lookup works seamlessly with SIEM/SOAR/TIP and other types of solutions. 

By giving hunters direct access to real attacker behavior, TI Lookup turns threat hunting into a process that delivers measurable outcomes. 

By giving hunters direct access to real attack behavior from millions of sandbox sessions, TI Lookup turns threat hunting into a process that delivers measurable value for SOC performance and business risk reduction. 

• SOC effort shifts from research to risk reduction: TI Lookup helps teams concentrate on threats that are actively used in real attacks, instead of spending time on low-impact hypotheses. 

• Hunting turns into visible results: Instead of producing observations, threat hunting leads to clear decisions: what to investigate, block, monitor, or escalate. 

• Threat hunting becomes a repeatable SOC process: With consistent context and validation, hunting no longer depends on individual expertise and produces predictable outcomes across teams and shifts. 

• Business relevance is built into every hunt: Hunts are aligned with real attack targets and objectives, making their value clear for both SOC management and leadership. 

• Threat hunting delivers measurable security impact: Earlier discovery of hidden threats reduces incident probability and justifies threat hunting as a cost-effective risk control. 

TI Lookup enables SOC teams to validate and refine hunting patterns, understand which malware families and campaigns they truly correlate with, and prioritize threats based on real activity levels, affected industries, and geographic spread.

As a result, threat hunting becomes faster, more precise, and firmly grounded in observed attacker behavior rather than assumptions or isolated IOCs. 

Earlier detection and better prioritization reduce incident likelihood, minimize response costs, protect critical assets, and allow security teams to focus resources on threats that pose real, measurable risk to the organization. 

5 Use Cases for Intelligence-Driven Threat Hunting in Your SOC 

Use Case 1: Turn MITRE Techniques into Detectable Attacks 

Hunting problem 

Teams know which MITRE techniques matter, but lack concrete data to build high-quality hunts. 

How hunters usually struggle 

They write generic detections based on technique descriptions, leading to noisy alerts and weak coverage. 

How TI Lookup helps 

Hunters can search directly by MITRE technique, for example T1036.003, one of the top techniques in 2025 according to ANY.RUN’s research. TI Lookup returns dozens of real attack executions, including processes, file artifacts, registry changes, and network activity. 

MITRE:”T1036.003″ 

Click any of the links to view an analysis session, observe a malware’s detonation, and watch the technique you explore in action.

Instead of guessing how a technique might look, hunters see how it actually behaves in live attacks. 

SOC / Business impact: 

• More precise hunts based on observed adversary behavior; 

• Fewer false positives due to less generic detection logic; 

• Faster time-to-detection for new implementations of known techniques. 

Use Case 2: Catch Relevant Threats while They’re Still Active 

Hunting problem 

Most security incidents escalate because detections lag behind fast-moving attack campaigns. By the time indicators are deployed, the campaign has already evolved and the business is exposed. 

How hunters usually struggle  

Teams rely on vendor reports and shared IOCs that arrive too late. By the time blocking rules are deployed, attackers have already rotated domains or delivery methods. 
 
How TI Lookup helps 

Hunters can validate campaign patterns against real, recent sandbox data.  

For example, when tracking enterprise email phishing using fake Microsoft login pages, hunters can search for domain patterns to identify the latest malicious domains. Sandbox sessions reveal full attack chains and associated artifacts. 

domainName:”^loginmicrosoft” 

Correlation with malware families such as EvilProxy provides additional context. Collected data is immediately usable for detection updates. 

SOC / Business impact: 

• Earlier disruption of active campaigns; 

• Higher confidence in detection updates with less post-deployment noise; 

• Reduced risk of compromise thanks to timely blocking. 

Use Case 3: Test YARA Rules Before They Flood Your SOC With False Positives 

Hunting problem 

YARA rules are powerful, but deploying them without proper validation often creates noise, blind spots, or both, directly impacting business security. 

How hunters usually struggle 

Rules are tested on limited sample sets, increasing the risk of false positives. 

How TI Lookup helps 

Test your YARA rule against millions of real malware samples before deployment and immediately see which samples it matches. 

Examine the matched files to understand precisely what your rule detects. You can identify false positives early, refine your rule to be more specific, or broaden it to catch additional variants. This validation happens in minutes rather than weeks, and in a controlled environment rather than production. 

See how it works on an example of an AgentTesla rule available in TI Lookup.

The rule targets the strings that Agent Tesla typically uses when building and sending stolen data reports (via email/SMTP, HTTP, Telegram bots, etc.). These strings come from the formatted logs or HTML-like reports the malware creates. 

SOC / Business impact: 

• Higher true positive rates for file-based detections; 

• Reduced false positives that would otherwise waste analyst time; 

• Confidence in detection coverage before production deployment. 

Use Case 4: Hunt What Actually Threatens Your Business 

Hunting problem 

Your team has a backlog of potential hunting hypotheses, but limited time and resources. You need to prioritize based on what’s actually threatening your organization right now. 

How hunters usually struggle 

They rely on intuition or outdated threat reports, wasting time on low-impact scenarios. 

How TI Lookup helps 

TI Lookup allows teams to focus hunts using real, recent attack data, filtered by industry, geography, and timeframe. 

Hunters can immediately see which malware families, campaigns, and techniques are actively targeting organizations like theirs right now. 

Let’s try to search for attack data relevant to financial organizations based in the United States. 

submissionCountry:”US” and industry:”finance” 

Contextual filtering reveals which malware families, attack techniques, and delivery methods are currently active against organizations like yours.  

• EvilProxy is linked to multiple campaigns in 2023-2025 specifically targeted senior executives in US banking and financial services (FinCEN). 

• As of early 2025, Tycoon is the most widespread phishing kit threatening the financial sector (Invenio IT).  

You can prioritize hunting efforts based on actual observed threats rather than general industry chatter. 

SOC / Business impact 

• Focus on real business risk rather than theoretical threats; 

• Less wasted hunting time on irrelevant attack patterns; 

• Better alignment between security operations and business priorities.  

Use Case 5: Turn TI Reports into Actionable Hunts 

Hunting problem 

By the time threat intelligence reports are published, many of the described attack patterns are already outdated or no longer active. 

How hunters usually struggle 

SOC teams invest effort into reports that no longer reflect active threats, resulting in delayed detections and wasted hunting time. 

How TI Lookup helps 

ANY.RUN’s Threat Intelligence Reports are created by analysts based on the freshest sandbox investigation data and come with ready-to-use TI Lookup queries. 

Instead of manually extracting indicators, teams can immediately test report findings against current, real attack data, verify whether the described patterns are still active, and collect fresh indicators for detections. 

Intelligence moves directly from the report to a hunt, enabling SOC teams to quickly gather additional details for enriching the company’s proactive defense. 

commandLine:”powershell*=Get-Date” 

By tying indicators from the reports to sandbox sessions, threat hunting teams get to observe the entire attack execution and use the evidence to build effective detection rules.  

SOC / Business impact 

• Faster hunt cycles from intelligence to detection; 

• Better ROI from threat intelligence research and subscriptions; 

• Continuous learning loop between intelligence and operations. 

What SOCs Gain, and Why the Business Cares 

For SOC teams:  

• Faster hunt planning: Reduce the research phase of threat hunting from hours to minutes. Access real attack examples immediately rather than piecing together information from multiple sources. 

• Better detection quality: Build detection rules based on actual attack behavior, not assumptions. Test and validate detections against real malware before production deployment, reducing both false positives and false negatives. 

• Less manual research: Eliminate the tedious work of correlating IOCs, searching through OSINT repositories, and extracting technical details from reports. Focus analyst time on analysis and decision-making rather than data collection. 

For businesses:  

• Earlier risk exposure: Identify threats proactively before they impact operations. Detect active campaigns targeting your industry while they’re still developing, not after damage occurs. 

• Fewer missed attacks: Close detection gaps by building comprehensive coverage of current attack techniques. Reduce the window between attack and detection through intelligence-driven hunting. 

• Higher ROI from existing security stack: Maximize the value of your current tools by feeding them better detection logic. Improve the signal-to-noise ratio across your security infrastructure, making every tool more effective. 

Your Move: From Reactive Defense to Proactive Discovery 

Threat hunting is only as effective as the intelligence that drives it. Without access to current, contextual attack data, even skilled analysts struggle to build detections that protect the business. 

TI Lookup and YARA Search change this equation by providing direct access to millions of real attack sessions. This intelligence-first approach, starting with observable attack behavior rather than isolated indicators, enables SOC teams to hunt more effectively and demonstrate clear business value. 

About ANY.RUN 

ANY.RUN develops advanced solutions for malware analysis and threat hunting, trusted by 600,000+ cybersecurity professionals worldwide.  

Its interactive malware analysis sandbox enables hands-on investigation of threats targeting Windows, Linux, and Android environments. ANY.RUN’s Threat Intelligence Lookup and Threat Intelligence Feeds help security teams quickly identify indicators of compromise, enrich alerts with context, and investigate incidents early. Together, the solutions empowers analysts to strengthen overall security posture at enterprises.   

Request ANY.RUN access for your company   

The post How to Build Threat Hunting that Defends Your Organization Against Real Attacks appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Technologies for creating fake video and voice messages are accessible to anyone these days, and scammers are busy mastering the art of deepfakes. No one is immune to the threat — modern neural networks can clone a person’s voice from just three to five seconds of audio, and create highly convincing videos from a couple of photos. We’ve previously discussed how to distinguish a real photo or video from a fake and trace its origin to when it was taken or generated. Now let’s take a look at how attackers create and use deepfakes in real time, how to spot a fake without forensic tools, and how to protect yourself and loved ones from “clone attacks”.

How deepfakes are made

Scammers gather source material for deepfakes from open sources: webinars, public videos on social networks and channels, and online speeches. Sometimes they simply call identity theft targets and keep them on the line for as long as possible to collect data for maximum-quality voice cloning. And hacking the messaging account of someone who loves voice and video messages is the ultimate jackpot for scammers. With access to video recordings and voice messages, they can generate realistic fakes that 95% of folks are unable to tell apart from real messages from friends or colleagues.

The tools for creating deepfakes vary widely, from simple Telegram bots to professional generators like HeyGen and ElevenLabs. Scammers use deepfakes together with social engineering: for example, they might first simulate a messenger app call that appears to drop out constantly, then send a pre-generated video message of fairly low quality, blaming it on the supposedly poor connection.

In most cases, the message is about some kind of emergency in which the deepfake victim requires immediate help. Naturally the “friend in need” is desperate for money, but, as luck would have it, they’ve no access to an ATM, or have lost their wallet, and the bad connection rules out an online transfer. The solution is, of course, to send the money not directly to the “friend”, but to a fake account, phone number, or cryptowallet.

Such scams often involve pre-generated videos, but of late real-time deepfake streaming services have come into play. Among other things, these allow users to substitute their own face in a chat-roulette or video call.

How to recognize a deepfake

If you see a familiar face on the screen together with a recognizable voice but are asked unusual questions, chances are it’s a deepfake scam. Fortunately, there are certain visual, auditory, and behavioral signs that can help even non-techies to spot a fake.

Visual signs of a deepfake

Lighting and shadow issues. Deepfakes often ignore the physics of light: the direction of shadows on the face and in the background may not match, and glares on the skin may look unnatural or not be there at all. Or the person in the video may be half-turned toward the window, but their face is lit by studio lighting. This example will be familiar to participants in video conferences, where substituted background images can appear extremely unnatural.

Blurred or floating facial features. Pay attention to the hairline: deepfakes often show blurring, flickering, or unnatural color transitions along this area. These artifacts are caused by flaws in the algorithm for superimposing the cloned face onto the original.

Unnaturally blinking or “dead” eyes. A person blinks on average 10 to 20 times per minute. Some deepfakes blink too rarely, others too often. Eyelid movements can be too abrupt, and sometimes blinking is out of sync, with one eye not matching the other. “Glassy” or “dead-eye” stares are also characteristic of deepfakes. And sometimes a pupil (usually just the one) may twitch randomly due to a neural network hallucination.

When analyzing a static image such as a photograph, it’s also a good idea to zoom in on the eyes and compare the reflections on the irises — in real photos they’ll be identical; in deepfakes — often not.

Lip-syncing issues. Even top-quality deepfakes trip up when it comes to synchronizing speech with lip movements. A delay of just a hundred milliseconds is noticeable to the naked eye. It’s often possible to observe an irregular lip shape when pronouncing the sounds m, f, or t. All of these are telltale signs of an AI-modeled face.

Static or blurred background. In generated videos, the background often looks unrealistic: it might be too blurry; its elements may not interact with the on-screen face; or sometimes the image behind the person remains motionless even when the camera moves.

Odd facial expressions. Deepfakes do a poor job of imitating emotion: facial expressions may not change in line with the conversation; smiles look frozen, and the fine wrinkles and folds that appear in real faces when expressing emotion are absent — the fake looks botoxed.

Auditory signs of a deepfake

Early AI generators modeled speech from small, monotonous phonemes, and when the intonation changed, there was an audible shift in pitch, making it easy to recognize a synthesized voice. Although today’s technology has advanced far beyond this, there are other signs that still give away generated voices.

Wooden or electronic tone. If the voice sounds unusually flat, without natural intonation variations, or there’s a vaguely electronic quality to it, there’s a high probability you’re talking to a deepfake. Real speech contains many variations in tone and natural imperfections.

No breathing sounds. Humans take micropauses and breathe in between phrases — especially in long sentences, not to mention small coughs and sniffs. Synthetic voices often lack these nuances, or place them unnaturally.

Robotic speech or sudden breaks. The voice may abruptly cut off, words may sound “glued” together, and the stress and intonation may not be what you’re used to hearing from your friend or colleague.

Lack of… shibboleths in speech. Pay attention to speech patterns (such as accent or phrases) that are typical of the person in real life but are poorly imitated (if at all) by the deepfake.

To mask visual and auditory artifacts, scammers often simulate poor connectivity by sending a noisy video or audio message. A low-quality video stream or media file is the first red flag indicating that checks are needed of the person at the other end.

Behavioral signs of a deepfake

Analyzing the movements and behavioral nuances of the caller is perhaps still the most reliable way to spot a deepfake in real time.

Can’t turn their head. During the video call, ask the person to turn their head so they’re looking completely to the side. Most deepfakes are created using portrait photos and videos, so a sideways turn will cause the image to float, distort, or even break up. AI startup Metaphysic.ai — creators of viral Tom Cruise deepfakes — confirm that head rotation is the most reliable deepfake test at present.

Unnatural gestures. Ask the on-screen person to perform a spontaneous action: wave their hand in front of their face; scratch their nose; take a sip from a cup; cover their eyes with their hands; or point to something in the room. Deepfakes have trouble handling impromptu gestures — hands may pass ghostlike through objects or the face, or fingers may appear distorted, or move unnaturally.

Screen sharing. If the conversation is work-related, ask your chat partner to share their screen and show an on-topic file or document. Without access to your real-life colleague’s device, this will be virtually impossible to fake.

Can’t answer tricky questions. Ask something that only the genuine article could know, for example: “What meeting do we have at work tomorrow?”, “Where did I get this scar?”, “Where did we go on vacation two years ago?” A scammer won’t be able to answer questions if the answers aren’t present in the hacked chats or publicly available sources.

Don’t know the codeword. Agree with friends and family on a secret word or phrase for emergency use to confirm identity. If a panicked relative asks you to urgently transfer money, ask them for the family codeword. A flesh-and-blood relation will reel it off; a deepfake-armed fraudster won’t.

What to do if you encounter a deepfake

If you’ve even the slightest suspicion that what you’re talking to isn’t a real human but a deepfake, follow our tips below.

• End the chat and call back. The surest check is to end the video call and connect with the person through another channel: call or text their regular phone, or message them in another app. If your opposite number is unhappy about this, pretend the connection dropped out.

• Don’t be pressured into sending money. A favorite trick is to create a false sense of urgency. “Mom, I need money right now, I’ve had an accident”; “I don’t have time to explain”; “If you don’t send it in ten minutes, I’m done for!” A real person usually won’t mind waiting a few extra minutes while you double-check the information.
• Tell your friend or colleague they’ve been hacked. If a call or message from someone in your contacts comes from a new number or an unfamiliar account, it’s not unusual — attackers often create fake profiles or use temporary numbers, and this is yet another red flag. But if you get a deepfake call from a contact in a messenger app or your address book, inform them immediately that their account has been hacked — and do it via another communication channel. This will help them take steps to regain access to their account (see our detailed instructions for Telegram and WhatsApp), and to minimize potential damage to other contacts, for example, by posting about the hack.

How to stop your own face getting deepfaked

• Restrict public access to your photos and videos. Hide your social media profiles from strangers, limit your friends list to real people, and delete videos with your voice and face from public access.
• Don’t give suspicious apps access to your smartphone camera or microphone. Scammers can collect biometric data through fake apps disguised as games or utilities. To stop such programs from getting on your devices, use a proven all-in-one security solution.
• Use passkeys, unique passwords, and two-factor authentication (2FA) where possible. Even if scammers do create a deepfake with your face, 2FA will make it much harder to access your accounts and use them to send deepfakes. A cross-platform password manager with support for passkeys and 2FA codes can help out here.
• Teach friends and family how to spot deepfakes. Elderly relatives, young children, and anyone new to technology are the most vulnerable targets. Educate them about scams, show them examples of deepfakes, and practice using a family codeword.
• Use content analyzers. While there’s no silver bullet against deepfakes, there are services that can identify AI-generated content with high accuracy. For graphics, these include Undetectable AI and Illuminarty; for video — Deepware; and for all types of deepfakes — Sensity AI and Hive Moderation.
• Keep a cool head. Scammers apply psychological pressure to hurry victims into acting rashly. Remember the golden rule: if a call, video, or voice message from anyone you know rouses even the slightest suspicion, end the conversation and make contact through another channel.

To protect yourself and loved ones from being scammed, learn more about how scammers deploy deepfakes:

• How phishers and scammers use AI
• How fraudsters bypass customer identity verification using deepfakes
• Watch the (verified) birdie, or new ways to recognize fakes
• Is it the boss — or is it a fraudster? Scams disguised as urgent orders from top brass
• Don’t believe your ears: voice deepfakes

Kaspersky official blog – ​Read More

Over the past two months researchers have reported three vulnerabilities that can be exploited to bypass authentication in Fortinet products using the FortiCloud SSO mechanism. The first two – CVE-2025-59718 and CVE-2025-59719 – were found by the company’s experts during a code audit (although CVE-2025-59718 has already made it into CISA’s Known Exploited Vulnerabilities Catalog), while the third – CVE-2026-24858 – was identified directly during an investigation of unauthorized activity on devices. These vulnerabilities allow attackers with a FortiCloud account to log into various companies’ FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb accounts if the SSO feature is enabled on the given device.

To protect companies that use both our Kaspersky Unified Monitoring and Analysis Platform and Fortinet devices, we’ve created a set of correlation rules that help detect this malicious activity. The rules are already available for customers to download from Kaspersky SIEM repository; the package name is: [OOTB] FortiCloud SSO abuse package – ENG.

Contents of the FortiCloud SSO abuse package

The package includes three groups of rules. They’re used to monitor the following:

• Indicators of compromise: source IP addresses, usernames, creation of a new account with specific names;
• critical administrator actions, such as logging in from a new IP address, creating a new account, logging in via SSO, logging in from a public IP address, exporting device configuration;
• suspicious activity: configuration export or account creation immediately after a suspicious login.

Rules marked “(info)” may potentially generate false positives, as events critical for monitoring authentication bypass attempts may be entirely legitimate. To reduce false positives, add IP addresses or accounts associated with legitimate administrative activity to the exceptions.

As new attack reports emerge, we plan to supplement the rules marked with “IOC” with new information.

Additional recommendations

We also recommend using rules from the FortiCloud SSO abuse package for retrospective analysis or threat hunting. Recommended analysis period: starting from December 2025.

For the detection rules to work correctly, you need to ensure that events from Fortinet devices are received in full and normalized correctly. We also recommend configuring data in the “Extra” field when normalizing events, as this field contains additional information that may need investigating.

Learn more about our Kaspersky Unified Monitoring and Analysis Platform at on the official solution page.

Kaspersky official blog – ​Read More