Lack of context makes it hard for Security Operations Centers (SOC) to tell actual threats from false positives. ANY.RUN’s connectors for Microsoft Defender bridge this gap by automating interactive sandbox analysis and providing real-time threat intelligence for correlation.  

As a result, security teams achieve faster incident resolution, reduced alert fatigue, and proactive threat detection all without disrupting existing workflows. Here’s how. 

ANY.RUN & Microsoft Defender Connectors 

SOCs using Microsoft Defender can seamlessly connect ANY.RUN’s solutions into their existing workflows, boosting their ability to combat advanced threats seamlessly and without disrupting existing processes.  

The ANY.RUN connectors include: 

• Interactive Sandbox connector: Automates the analysis of suspicious files and URLs, delivering detailed behavioral insights and IOCs directly within Microsoft Defender. 

• Threat Intelligence Feeds connector: Provides real-time, actionable indicators of compromise (IOCs) to enable proactive threat detection. 

These connectors empower SOC teams to triage alerts efficiently, detect elusive malware, and respond to incidents faster, all while reducing operational overhead. 

• Enhanced threat detection: Real-time IOCs and behavioral analysis uncover evasive and targeted attacks that signature-based systems may miss. 

• Reduced Mean Time to Respond (MTTR): Automation of sandbox analysis and threat intelligence correlation cuts incident resolution time by tens of percent, enabling faster response to critical threats. 

• Decreased analyst workload: By automating routine tasks like file analysis and alert enrichment, analysts can focus on high-priority incidents, reducing burnout and improving productivity. 

• Improved MSSP competitiveness: Automated workflows help MSSPs meet SLAs, deliver higher-value services, and stand out in a competitive market. 

• Cost efficiency: Seamless interoperability with Microsoft Defender eliminates the need for costly infrastructure changes, maximizing ROI on existing tools. 

Interactive Sandbox in Microsoft Defender 

ANY.RUN’s Interactive Sandbox is a cloud-based solution offering SOC teams immediate, real-time access to Windows, Linux, and Android virtual environments for analyzing suspicious files and URLs. 

Read documentation → 

With the ANY.RUN Sandbox connector in Microsoft Defender, users can: 

• Submit files and URLs for analysis across Windows, Ubuntu, or Android operating systems. 

• Retrieve detailed report details and IOCs in JSON or HTML formats. 

• Download file submission samples and analysis network traffic dumps for deeper incident response insights. 

The process is fully automated by default. The built-in playbook detects files or URLs in alerts/incidents and launches the analysis. Obtained IOCs are stored in the internal Threat Intelligence portal within Microsoft Defender. 

How Interactive Sandbox Boosts Microsoft Defender Workflows 

• Higher detection rate: Automated Interactivity ensures even evasive attacks are fully detonated and identified. 

• Faster incident resolution: Quick sandbox analysis insights accelerate response to critical threats. 

• Reduced alert fatigue: Focus only on severe incidents, while the sandbox provides verdicts for effective prioritization. 

Threat Intelligence Feeds in Microsoft Defender 

ANY.RUN’s Threat Intelligence Feeds empower SOCs and MSSPs to strengthen security with high-fidelity, actionable IOCs from real-time sandbox analysis. Indicators are continuously updated from sandbox investigations across 15,000+ organizations, delivering a curated stream of malicious IPs, domains, and URLs to detect ongoing attacks. 

Read documentation → 

With the ANY.RUN Threat Intelligence Feeds connector in Microsoft Defender, users can: 

• Correlate feed data with incoming alerts to identify high-risk threats. 

• Use indicators to create new detection rules for proactive threat mitigation. 

• Automate threat hunting and response workflows using Microsoft Defender playbooks. 

Data such as IP addresses, URLs, and domains are automatically pulled into the system for analysis, playbook creation, and correlation.  

The connector generates alerts if indicators from the feeds are detected in the client’s infrastructure, matching the feed entry’s status (medium, high). 

How Threat Intelligence Feeds Boost Microsoft Defender Workflows 

• Expanded threat coverage: Real-time IOCs from 15,000+ organizations boost SOC’s ability to detect current threats, reducing the number of possible security gaps. 

• Enhanced threat prioritization: Correlating alerts with IOCs helps SOC teams identify critical risks. 

• Proactive attack prevention: Fresh intelligence enables early threat detection to avoid any damage to the business. 

About ANY.RUN 

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.     

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.     

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.     

Ready to see the difference?    

Start your 14-day trial of ANY.RUN today → 

The post ANY.RUN & MS Defender: Enrich Alerts Faster, Stop Attacks Early  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Phishing links are no longer a rare sight. They’re increasingly common in messaging apps, and often come seemingly from people you know well, who, of course, are completely unaware. Scammers hijack accounts and cleverly impersonate friends and family — abusing trust to get closer to your wallet or your secrets.

To help you fight off this growing wave of threats, we’ve added some new features to Kaspersky for Android. In this post, we explain the new layer of defense against phishing and malicious links brought to you in the latest Kaspersky for Android update.

Phishing links and where to find them

By default, we consider any link designed to deceive to be a phishing link. These links often lead to fraudulent websites that mimic legitimate ones using typosquatting and other tricks. For example, this link — https://www.kaspersky.com/blog/, seemingly to our blog, will redirect you to our Telegram channel instead. This is a safe example, but scammers aren’t so harmless.

You can encounter phishing links just about anywhere: in emails, text messages, but especially in messaging apps. A common scam we’ve covered involves attackers using hacked accounts of friends and family to send fake gift subscriptions for apps like Telegram. But instead of a free Premium subscription, victims end up with their personal account hijacked.

Phishing scams can also lurk in job offers, Google Forms surveys, or crypto giveaways. Sometimes you don’t even have to do anything on a phishing site to get infected. This is called a zero-click attack. The victim doesn’t need to fill out any forms, click on buttons, or submit anything. All that’s required is to follow a link to the malicious page that exploits a vulnerability. Once you reach that page, your device is compromised.

Phishers have a plethora of ways to reach their victims. It’s often difficult to spot a fake URL with the naked eye — one mistake can get you trapped. That’s where an automated solution comes in handy, recognizing and neutralizing the suspicious link.

How anti-phishing security works in Kaspersky for Android

The updated Kaspersky for Android protects your devices from phishing with three distinct layers:

• Notification Protection detects and blocks malicious links in notifications from any apps, whether they be well-known like WhatsApp or Telegram, new apps, or even ones that don’t exist yet.
• Safe Messaging blocks dangerous links in text messages and the WhatsApp, Viber, and Telegram messaging apps.
• Safe Browsing checks links before opening them and blocks malicious and phishing websites in Google Chrome, Yandex Browser, Firefox, and some other pre-installed browsers like Samsung Internet and Huawei Browser.

Why do we call these features “layers”? Think of it as a medieval fortress with multiple defenses: the castle’s tall walls, archers atop the walls, and a moat. You might wonder, why bother building tall walls and employing archers if there’s a moat? Attackers wouldn’t be able to get across the moat anyway. The thing is, attacking archers could still fire on those inside if there were no tall fortress walls, and catapults could lob stones (or something more deadly) over both the moat and walls. So, a good fortress needs all three defenses.

Similarly, a smartphone needs security on every level. The Kaspersky for Android app has long blocked phishing links in browsers with Safe Browsing and in SMS messages, WhatsApp, Viber and Telegram with Safe Messaging.

The update adds a new layer. Now Kaspersky for Android locates and blocks malicious links in all notifications, from any apps. The new features are available to all Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscribers.

Here’s how it works. If any app — say, a messaging app — tries to show you a phishing link in a pop-up notification, our security solution hides the malicious notification and replaces it with its own. This new notification will have the title Dangerous link detected and the text of the original message, but with the malicious link removed.

Important: no Kaspersky employee can read your private messages. This security mechanism is fully automated and only scans for standard links within notification text. For this reason, it won’t be able to check links that are concealed with special formatting like hidden text in a messaging app or those disguised as a hyperlink with anchor text like “click here”.

How to enable maximum anti-phishing security

To give Kaspersky for Android the permissions it needs to find and repel threats, you need to enable certain settings in the Android OS. The first step is to turn on access to Accessibility features, which is required for all layers of security. If you don’t grant this permission, the app will warn you and provide instructions. You can also enable it manually: Settings → Accessibility → Kaspersky → Use Service → OK.

Next, you need to enable the first layer of security: Notification Protection. This allows the app to detect phishing links directly in your notifications.

• Open Kaspersky for Android.
• Go to All features → Safe Messaging → Check notifications.
• Grant notification access: Settings → Apps & notifications → Special app access → Notification access → Kaspersky → Allow.

The exact steps may vary slightly depending on your smartphone model. For this reason, all Kaspersky for Android users can access a quick link from the app itself to the correct settings section. Simply tap Check Notifications in the app, and in the window that opens, tap Show instructions → Continue.

The first layer of security is on. Now, Kaspersky for Android will alert you when it detects malicious links in notifications.

Now for the second layer, Safe Messaging, which blocks dangerous links in SMS messages and WhatsApp, Viber, and Telegram.

• Open Kaspersky for Android.
• Go to All features → Safe Messaging → Check SMS messages → Allow.
• Go to All features → Safe Messaging → Block dangerous links in messaging apps.

Now, the second layer of security, Safe Messaging, is also enabled.

Next, we turn on the third layer of anti-phishing security: Safe Browsing. This feature blocks you from visiting malicious websites in browsers.

• Open Kaspersky for Android.
• Go to All features → Safe Browsing.
• Activate the toggles next to Block dangerous websites and Check links you open from other apps.

Don’t forget to check the settings in the messaging apps you use, and make sure you allow new message notifications. We recommend paying attention not only to the general app settings, but also to individual chat settings. Remember that phishing links can even come from hacked accounts of people you know.

Here’s another important detail for Telegram users. This messaging app opens all links by default in its built-in browser, and scammers take advantage of this. Our Safe Browsing feature doesn’t work in Telegram’s built-in browser. For increased device security, you should change the default Telegram settings to open links in a third-party browser instead. To do this, in Telegram go to Settings → Chat Settings and turn off the switch for In-App Browser.

Install the best anti-phishing security on your devices, treat every unexpected link received in a messaging app or via SMS with due suspicion, and follow our Telegram channel to stay up to date on the latest cybersecurity trends.

Protect yourself from scams in messaging apps and SMS:

• WhatsApp and Telegram account hijacking: How to protect yourself against scams
• Setting up both security and privacy in WhatsApp
• What to do if your Telegram account is hacked
• Messengers 101: safety and privacy advice
• How to protect yourself from SMS blaster scams

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

“Back to the Future” is 40 years old this year, and at the risk of giving away sensitive information to an audience of hackers… so am I. 

I don’t really know what 40 is supposed to feel like. Honestly, I don’t feel all that different from my 20s, with two key exceptions: One, I care a whole lot less about what people think of me. And two, my trainer recently stopped mid-set to ask, “Was that your knee making that sound?” 

I’ve always loved “Back to the Future” (mommy issues aside). For my 30th birthday, I threw a BTTF-themed party. Guests had to dress for either 1955, 1985 or 1885. (2015 was also allowed, but only if you wore two ties.) 

But watching the documentary “Still” recently gave me a whole new appreciation for what Michael J. Fox went through to make it happen. 

Because he was still under contract with “Family Ties,” and because the original Marty had been fired five weeks into filming, Fox had to shoot both projects at the same time. He’d wrap “Back to the Future “at 2:00 a.m., sleep in the back of a car, then be on set for the sitcom a few hours later. 

In “Still,” he talks about mixing up lines between scripts, barely functioning from exhaustion and constantly fearing a call from his agent saying he wasn’t doing a good job. The pressure. The pace. The fear he was messing it up. Fox himself admits the experience nearly broke him. But he kept showing up, because people were counting on him. 

Sound familiar? 

That “I can’t stop, people are relying on me” mindset is something I see a lot in this industry. We care about the mission. We care about our teams. We don’t want to give the adversary any opportunity.  

So we say yes. We log back in. We fix the thing no one else will notice, but we know it matters. 

Fox’s schedule and resultant exhaustion weren’t the only issues behind the scenes of “Back to the Future.” The “What Went Wrong” podcast (a favourite of mine) recently covered the mishaps and difficulties, from the DeLorean doors constantly jamming shut, to having to change the entire ending. The film was originally supposed to climax at a nuclear test site, with Marty manufacturing a time machine out of a fridge.  

That ending was axed as the producers were concerned children would copy the idea and get trapped in fridges. Thankfully, Steven Spielberg (a producer on the film) would use the concept 20 years later in “Indiana Jones and the Kingdom of the Crystal Skull” to huge success. Ahem.  

So much about the making of “Back to the Future” was fraught and uncertain. But what we, the audience, saw was pure delight. And that’s the thing — what looks effortless on the surface is often the result of long hours, unfair compromises, and the kind of behind-the-scenes effort that nobody ever sees. 

I want to echo the thoughts of my colleague Joe from last week’s newsletter: Burnout is brutal, and it takes no prisoners. Trying to be there for everyone and everything all the time is unsustainable. And (trust me on this one), the longer we put off taking care of ourselves, the harder and longer the recovery.  

Creating boundaries is one of the best things we can do for ourselves. So, this week, whether you’re coordinating an incident, researching something cool, supporting your team or just trying to be a functioning human, give yourself a moment. Identify your boundaries. Move them closer if you need to.  

In fact, write down just one thing that will help decompress you this week, and do that thing. Whether that’s less screen time, a short walk after dinner or playing a game.  

Just… give yourself permission, okay? As Doc Brown says: 

“The future is whatever you make it. So make it a good one.”

The one big thing 

Cisco Talos uncovered a new PlugX malware variant targeting telecom and manufacturing sectors in Central and South Asia since 2022, using the same sneaky tactics as the RainyDay and Turian backdoors. These threats abuse legitimate software and share unique technical fingerprints, suggesting they’re the work of the same or closely linked attackers. The campaign shows a high level of sophistication and ongoing risk for targeted industries. 

Why do I care? 

If your organization is in telecom or manufacturing, especially in Central or South Asia, you’re squarely in the crosshairs of advanced attackers using updated, evasive malware that can compromise your systems, steal data and lurk undetected for years. 

Even if you’re in a different industry, attackers are getting smarter at hiding in plain sight and any organization could be at risk if these tactics spread. 

So now what? 

Double down on security controls. Make sure your endpoint, email and network protection solutions are up to date, review your defenses against DLL hijacking and stay alert for new updates.

Top security headlines of the week 

Microsoft fixed Entra ID vulnerability allowing Global Admin impersonation 
Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. (HackRead) 

U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area 
The U.S. Secret Service dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials. (U.S. Secret Service) 

European airport disruptions caused by ransomware attack  
ENISA said the type of ransomware involved in the attack has been identified and law enforcement is conducting an investigation. The cyberattack hit services provided by US-based Collins Aerospace, which is owned by RTX (formerly Raytheon). (SecurityWeek) 

ChatGPT targeted in server-side data theft attack 
The attack, dubbed ShadowLeak, targeted ChatGPT’s Deep Research capability, which is designed to conduct multi-step research for complex tasks. OpenAI neutralized ShadowLeak after notification. (SecurityWeek) 

Attackers abuse AI tools to generate fake CAPTCHAs in phishing attacks 
The fake CAPTCHA pages redirect victims to malicious websites hosted by the attackers. The apparent routine security check makes the malicious link appear more legitimate to the victim and helps bypass security tools. (Infosecurity Magazine) 

SystemBC malware turns infected VPS systems into proxy highway 
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. (Bleeping Computer)

Can’t get enough Talos? 

The TTP: Threat Hunter’s Cookbook 
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply. 

Engaging Cisco Talos Incident Response 
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements. 

Tampered Chef: When malvertising serves up infostealers  
Imagine downloading a PDF Editor tool from the internet that works great… until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in malvertising and challenges in defense.

Upcoming events where you can find Talos 

• VB2025 (Sept. 24 – 26) Berlin, Germany 
• Wild West Hackin’ Fest (Oct. 8 – 10) Deadwood, SD 
• DEEP Conference (Oct. 22 – 23) Petrčane, Croatia

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: 0a0dc0e95070a2b05b04c2f0a049dad8_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536  
MD5: 79b075dc4fce7321f3be049719f3ce27  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536 
Example Filename: RemCom.exe  
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

SHA256: 1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1  
MD5: 45f586861cc745a6b29a957fdbc03645  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1 
Example Filename: cleanup.bat  
Detection Name: W32.1E9EFD7B2B-90.SBX.TG 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201

Cisco Talos Blog – ​Read More

SOC teams may waste hours daily manually enriching alerts and switching between tools, delaying response. ANY.RUN’s Microsoft Sentinel Connector fixes this by introducing fast, accurate, and interactive sandbox analysis into Sentinel’s workflow, so alerts get auto-processed, enriched with IOCs, and prioritized in seconds.  

Here’s how you can speed up response times, filter out false positives, and focus on real threats without leaving your existing workspace. 

Maximize Your SOC’s Efficiency 

ANY.RUN’s Interactive Sandbox is a cloud-based solution offering security teams immediate, real-time access to Windows, Linux, and Android virtual environments for investigating suspicious files and URLs. 

With the Microsoft Sentinel connector, SOCs and MSSPs can automate triage and enrich alerts with actionable verdicts and IOCs to: 

• Cut MTTR by up to 21 minutes per incident by eliminating manual steps and speeding up analysis. 

• Boost threat detection by up to 36% thanks to ANY.RUN’s powerful capabilities to catch threats missed by standard security tools. 

• Increase team productivity by up to 3x through automation to free up analysts for high-value tasks. 

• Reduce alert overload, filtering false positives and prioritizing high-risk incidents. 

• Detect and respond to attacks early with clear, actionable threat insights. 

• Save resources and optimize costs by using your existing MS Sentinel setup without extra infrastructure expenses. 

Set up the connector → 

To expand threat coverage further, security teams can also utilize ANY.RUN’s Threat Intelligence Feeds connector for Microsoft Sentinel.  

It supplies a continuous stream of fresh, actionable IOCs extracted from attack data across 15K SOCs around the world straight to your Microsoft Sentinel environment, helping you proactively detect the latest malware active right now. 

How ANY.RUN’s Sandbox Improves Microsoft Sentinel Workflows

With the connector, SOC teams can analyze files and links right from Sentinel alerts: either with one click or automatically. You’ll instantly get the verdict, risk score, IOCs, and a link to the full analysis, while Sentinel’s threat database updates automatically.  

All analyses via the connector are launched in the Automated Interactivity mode. This means the sandbox will automatically perform the investigation, including by clicking links, opening files, and launching payloads on its own to ensure full attack detonation. 

As a result, security teams can: 

• Automate alert enrichment by getting verdicts and IOCs to assess incidents quickly. 

• Speed up and simplify triage with one-click analyses of files/attachments/links without the need for manual uploads or switching tools. 

• Prioritize threats automatically by checking incidents’ severity for faster decision-making. 

• Extract IOCs effortlessly, pulling IPs, domains, and hashes into Sentinel’s Threat Intelligence. 

• Respond to incidents faster thanks to ready-made analysis results and reports enabling quicker containment and remediation. 

How to Set Up Malware Sandbox Connector for Microsoft Sentinel 

Follow the official instruction to connect ANY.RUN’s Interactive Sandbox with your Microsoft Sentinel workspace.  

Please note that you need an API Key for it to work. To receive your key, please reach out to your account manager or request a demo access as part of the 14-day trial. 

About ANY.RUN   

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.   

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.   

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.   

Ready to see the difference?  

Start your 14-day trial of ANY.RUN today →     

The post ANY.RUN Sandbox & Microsoft Sentinel: Less Noise, More Speed for Your SOC appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Telecommunications companies are the digital arteries of modern civilization. Compromise a major telecom operator, and you don’t just steal data — you gain the power to intercept communications, manipulate network traffic, and bring entire regions offline. 
 
Every day, ANY.RUN’s solutions process thousands of threat samples, and hidden within them are patterns of activity targeting telecom operators. Some are opportunistic, others are advanced and carefully orchestrated.   

In this report, we’ll walk through real-world attacks where threat actors weaponized telecom brand trust to launch attacks. We’ll also show how analysts can detect these threats, extract indicators of compromise (IOCs), and strengthen defenses. 

Key Takeaways 

• Telecommunications under siege: The telecom sector faced sustained growth in malicious activity from May-July 2025, with 56% of observed APT campaigns targeting telecom and media companies.  

• Brand impersonation is weaponized trust: Attackers systematically abuse telecom brand recognition, using familiar logos, official-looking domains, and corporate communication styles to bypass human skepticism and technical filters. 

• Pattern recognition defeats mass campaigns: Simple YARA rules can expose large-scale operations.  

• Tycoon2FA phishing kit remains active: The phishing framework designed to steal Microsoft credentials and bypass two-factor authentication is a critical concern for enterprise telecom environments. 

• Interactive Sandbox reveals multi-stage attack progression: ANY.RUN’s Interactive Sandbox captured the complete attack flow from the initial PDF attachment to the final phishing page. This real-time analysis exposed the redirection chain from legitimate-looking emails to DGA-generated domains (xjrsel.ywnhwmard[.]es), enabling early detection before credentials could be harvested. 

• Proactive hunting scales defense: Combining YARA Search with Threat Intelligence Lookup transforms reactive incident response into proactive threat hunting, enabling security teams to build comprehensive defense before attacks succeed. 

Recent Telecom Attack Dynamics 

Attacks on communication operators can disrupt critical services, lead to leaks of confidential information, and be used as a springboard for large-scale cyber espionage operations. 

According to Cyfirma, telecommunications and media industry were targeted in 9 out of 16 observed APT campaigns in May–July 2025, accounting for 56% of all cases. The peak activity occurred in May, followed by a slight decline in June and a renewed increase in July. 

We at ANY.RUN have observed a steady increase in telecom-targeting attacks in May–July 2025. The Sandbox data shows a smoother continuous growth, reaching a maximum in July. This reflects the constant pressure of mass attacks. 

In our Threat Intelligence Reports highlighting the activity of top APT groups, we also see an increased targeting of media and telecom campaigns in the recent attacks.  

Analysis of Threats Targeting a Major Telecom Holding 

Let’s take the perspective of an information security specialist at a huge British telecommunications holding company operating in approximately 180 countries and providing fixed-line, broadband internet, mobile communications, and pay-TV services. 

Our goal is to determine how attackers spread malware, which families they use, which indicators can be collected, and the frequency, dynamics, and technical details of the attacks.   

We will start with Threat Intelligence Lookup, which allows SOC teams to navigate a database of live attack data from 15,0000 organizations. Using TI Lookup’s YARA Search, we can create a simple rule to find all emails uploaded into the sandbox where the recipient field contains the holding’s domain. This allows us to identify malicious attachments and links aimed at its employees. 

As a result of executing the YARA rule, dozens of files were discovered containing addresses with the corporation’s domain in the recipient field. Each of these files was linked to one or more analyses in ANY.RUN’s Sandbox, which also featured this domain, confirming the presence of potentially significant malicious activity directed at company employees.

ANY.RUN’s Interactive Sandbox allows security analysts to safely execute suspicious files and observe their behavior in real-time, capturing network communications, file modifications, and malicious redirections before they can impact production systems. This controlled environment reveals attack chains from initial email delivery through credential harvesting attempts.

Let us analyze one of the found emails.  

View sandbox analysis of the malicious email 

A Phishing Message Through a SOC Analyst Lens 

On July 9, 2025, an email addressed to giova[xx.xx]stantini@[thedomain dot]com was uploaded to ANY.RUN. The sender was listed as Bt_Bt_xu86@ksi.com.pk with the display name “DocSgn.” The domain ksi[.]com[.]pk belongs to Khatib Sons International, a Pakistani metal company, and has no relation to the email content. Coupled with the “DocSgn” branding, this impersonated a well-known electronic document signature service to trick the recipient. 

View sandbox analysis of the email 

The subject line — “Re: Re: Completed: For Sales contract (h4nc)” — mimicked an ongoing conversation, a common social engineering tactic to reduce suspicion. 

The email contained a PDF attachment and a form with a “Review and Sign” button in the body, luring the recipient to view and sign a supposed document. 

Additionally, at least five similar emails were detected targeting other employees, with generic content not tailored to specific recipients — indicating a mass campaign. 

Clicking the “Review and Sign” button redirected the user to a fake Microsoft login page hosted on xjrsel.ywnhwmard[.]es, a domain resembling a DGA-generated address, a common indicator of phishing or malicious resources. 

This threat was identified as the Tycoon2FA phishing kit, known for spoofing Microsoft login pages and harvesting credentials. 

Network-Level Detection 

Suricata rules triggered on network activity associated with the Tycoon2FA kit. The alerts provided details such as MITRE ATT&CK technique T1566 (Phishing), the suspicious DGA-like domain, and connection metadata. 

That’s exactly how ANY.RUN’s solutions help detect threats early, exposing phishing attempts before they do damage.  

Searching for Similar Threats Targeting UK Companies 

Using ANY.RUN’s Threat Intelligence Lookup, we’ve searched for samples uploaded from the UK containing the same PDF attachment. The query returned about 40 sandbox analyses, mostly from July 2025, including emails targeting a number of UK companies. 

sha256:”689cdb319d8cae155516d9f8ddfbd0c99de048252e84f529e0ccc538523a5eba” and submissionCountry:”GB” 

We’ve also identified repeating sender address patterns across multiple phishing emails, indicating automated mass distribution. 

Sorting Out Emails with Specific Sender Pattern 

Many malicious emails sent to telecom companies have fixed patterns for forming sender addresses in the From field. The structure looks as follows: 

“._*” <*_*_*@*.com> 

The display name usually began with “._” followed by a word in capital letters. The email address repeated a word twice, separated by underscores, followed by random characters before the @, and ending in .com. 

This structure strongly suggests automated mass phishing. 

Such a pattern is highly likely created automatically for mass mailings, so it can be used as a basis for a filtering rule that blocks similar emails. 

A YARA rule was created to detect such emails in ANY.RUN’s database of malware samples. The rule revealed 16 files with the sender pattern, linked to multiple sandbox analyses. From these, we can extract senders’ addresses, email and attachment hashes, URLs, phishing domains, IPs, subjects, and other indicators. 

This data allows analysts to assess the relevance of the threat, determine its timeframe and target organizations and countries. Based on this, you can prioritize this threat for your company and add indicators to the detection and response systems. 

Tracking Telecom Impersonation Attacks 

Let’s build a threat landscape where attackers use domains containing the element “telecom” in their names. We are interested in cases where such activity is classified as phishing to assess the scale, frequency, and targets of these attacks.

The search returned 86 analysis sessions, 70 related domains, and enriched context data such as headers, attachments, network artifacts, timelines, and submission geographies. 

domainName:”telecom” AND threatName:”phishing” and threatLevel:”malicious” 

These insights allow security teams to enrich TI sources, prioritize threats, identify campaign clusters, track temporal dynamics, update detection rules, and map related infrastructure. 

How ANY.RUN Helps Telecom Companies Withstand the Growing Pressure of Phishing Attacks 

Telecom companies are under constant fire from phishing campaigns that combine brand impersonation, malicious attachments, and fake domains. While attackers automate and scale their operations, security teams often struggle to keep up. ANY.RUN’s ecosystem of services provides telecom defenders with the tools to detect, investigate, and respond to these threats more effectively: 

Interactive Sandbox 

Quickly detonate suspicious emails, attachments, or links in a safe, interactive environment. Observe behavior in real time, identify phishing kits like Tycoon2FA, and capture artifacts such as malicious redirects, domains, or dropped files. 

Threat Intelligence Feeds 

Get continuously updated, actionable indicators of compromise (IOCs) drawn from global malware submissions. Telecom SOCs can integrate Threat Intelligence Feeds directly into SIEM or EDR systems to block known phishing infrastructure before it reaches employees or customers. 

Threat Intelligence Lookup 

Go beyond single-sample analysis by exploring related campaigns. With Threat Intelligence Lookup, analysts can pivot on domains, file hashes, or sender patterns to uncover broader phishing clusters targeting telecom brands. This makes it easier to map attacker infrastructure, understand campaign scope, and strengthen detection rules. 

By combining these services, telecom companies gain both the depth to analyze individual phishing attempts and the breadth to track large-scale campaigns. This layered approach enables faster detection, better prioritization, and ultimately stronger resilience against persistent phishing pressure. 

Conclusion 

The analysis confirms that phishing attacks against telecom companies’ employees remain highly relevant, often used to steal credentials and bypass 2FA. 

ANY.RUN’s TI Lookup and YARA Search allow analysts to research the attacks and the employed malware, find samples linked to a targeted company’s email addresses, and expose domains utilized for phishing. Security teams are able to gather valuable indicators (hashes, domains, IPs, headers) to enrich internal threat intelligence sources. 

Pattern-based detection methods tailored to telecom-sector targeting can help identify new campaigns faster and reduce organizational risk. 

About ANY.RUN

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.   

• Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.   

• Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.  

Start 14-day trial of ANY.RUN’s solutions in your SOC today 

The post Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More