The malware analysis service Any.Run shared details about a recent phishing attack targeting its employees. The incident was discovered on June 18, when all employees of the malware sandbox service received a phishing email from another Any.Run employee. Although the attacker’s access was terminated within minutes, an investigation revealed that the attacker had had access for several weeks.
The attack began on May 23, 2024, when a sales team employee at Any.Run received an email from a previously known client. The email contained a link, which the employee uploaded to a sandbox for threat assessment. However, since the link pointed to a trusted but compromised website and the sandbox environment was not properly configured, the threat was not detected.
The employee clicked on the link, which led to a phishing website impersonating Microsoft that requested their login credentials and multi-factor authentication (MFA) code. The employee entered the information, providing the attacker with everything needed to access their account. The attacker then added their own mobile device for MFA to maintain access and installed an application to steal information from the victim’s email account.
The attacker first accessed the Any.Run employee’s email account on May 27 and maintained access until June 18, when they sent phishing emails to all the employee’s contacts. By this time, the malicious link from the attacker’s email was already in Any.Run’s threat intelligence database, identified during sandbox analysis sessions by free users of the service.
Once the breach was discovered, Any.Run quickly revoked the attacker’s access and implemented measures to prevent future incidents. The company noted that the compromised employee did not have access to the production environment or any code base.
Any.Run is still investigating the incident but believes it is part of a business email compromise (BEC) campaign. Indicators of compromise (IoCs) have been made available to help others detect potential attacks.