How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN 

Phishing attacks targeting industries like finance are increasingly sophisticated, posing significant challenges for Managed Security Service Providers (MSSPs). ANY.RUN’s Threat Intelligence Lookup and Interactive Sandbox provide MSSPs with effective tools for detecting, analyzing, and responding to phishing threats such as the Tycoon phishing kit. #Tycoon #Phishing #ANYRUN

Key points

  • Phishing attacks are a growing threat especially targeting financial institutions, manufacturing, and healthcare sectors.
  • ANY.RUN’s Threat Intelligence Lookup enables identification and contextual analysis of phishing payloads like ElectronicReceiptATT0001.htm linked to Tycoon phishing campaigns.
  • The Tycoon phishing kit has been observed in multiple real-world malware samples, typically delivered as email attachments opened through outlook.exe.
  • Detailed sandbox analysis reveals social engineering tactics, authentication failures indicating sender spoofing, and fraudulent credential harvesting sites mimicking Microsoft login pages.
  • Indicators of compromise include malicious IP addresses such as 141.95.114.239 and suspicious domains like nq.jrerqaoiha.ru used to host phishing infrastructure.
  • ANY.RUN’s solutions help MSSPs improve client protection by enabling faster investigations, real-time malware detonation, and reduced response times through streamlined workflows.
  • MSSPs can leverage the platform to train teams and clients with realistic phishing case studies, enhancing detection and prevention capabilities.

MITRE Techniques

  • [T1566] Phishing – The Tycoon phishing kit used malicious email attachments to social engineer victims. (“connection to the domain nq.jrerqaoiha.ru classified as part of the Tycoon2FA phishing kit was linked to T1566”)

Indicators of Compromise

  • [IP Address] sender spoofing and phishing infrastructure – 141.95.114.239, involved in unauthorized email sending
  • [Domain] phishing pages hosting – nq.jrerqaoiha.ru used to host fraudulent Microsoft login pages
  • [File Name] phishing payload – ElectronicReceiptATT0001.htm associated with Tycoon phishing campaigns
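The two defender-side checks the summary describes, authentication failures that point to sender spoofing and matching the listed indicators against telemetry, can be scripted for first-pass triage. The following is an added example and not ANY.RUN's code; the message headers and log lines are constructed samples, and the only real values are the three indicators listed above.

```python
"""Added example (not ANY.RUN's code): phishing triage helpers built around the
indicators listed on this page. Headers and log lines below are constructed."""
import re
from email import message_from_string

# Indicators taken from the summary above
IOC_IPS = {"141.95.114.239"}
IOC_DOMAINS = {"nq.jrerqaoiha.ru"}
IOC_FILENAMES = {"ElectronicReceiptATT0001.htm"}

# Constructed sample message headers (not a real capture). The
# Authentication-Results header is what the spoofing check reads.
SAMPLE_HEADERS = """\
From: "Accounts Payable" <ap@example-bank.invalid>
To: finance@client.invalid
Subject: Electronic Receipt
Authentication-Results: mx.client.invalid;
 spf=fail (sender IP is 141.95.114.239) smtp.mailfrom=example-bank.invalid;
 dkim=none (message not signed);
 dmarc=fail action=quarantine header.from=example-bank.invalid

"""

# Constructed sample telemetry: one proxy hit on the phishing domain, one
# benign Microsoft login, one mail-gateway record of the attachment.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z proxy client=10.0.0.5 dst=nq.jrerqaoiha.ru path=/login status=200",
    "2024-01-01T10:00:03Z proxy client=10.0.0.5 dst=login.microsoftonline.com path=/ status=200",
    "2024-01-01T09:59:50Z mail attach=ElectronicReceiptATT0001.htm from_ip=141.95.114.239",
]

FAILING_RESULTS = {"fail", "softfail", "none", "missing"}


def auth_results(raw_headers: str) -> dict:
    """Parse spf/dkim/dmarc results out of the Authentication-Results header.
    A method that is absent from the header is reported as 'missing'."""
    msg = message_from_string(raw_headers)
    header = msg.get("Authentication-Results", "")
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        results[method] = m.group(1).lower() if m else "missing"
    return results


def spoofing_indicators(raw_headers: str) -> list:
    """List the authentication outcomes that indicate the sender was spoofed,
    e.g. ['spf=fail', 'dkim=none', 'dmarc=fail']."""
    return [f"{k}={v}" for k, v in auth_results(raw_headers).items()
            if v in FAILING_RESULTS]


def _bounded(value: str) -> re.Pattern:
    # Match the indicator as a whole token so 141.95.114.239 does not match
    # 141.95.114.2390 and a filename does not match a longer name.
    return re.compile(rf"(?<![\w.-]){re.escape(value)}(?![\w-])")


def match_iocs(lines: list) -> list:
    """Return [(log_line, [matched indicators...]), ...] for lines that
    reference any of the IoCs; lines with no hit are omitted."""
    patterns = {v: _bounded(v) for v in IOC_IPS | IOC_DOMAINS | IOC_FILENAMES}
    hits = []
    for line in lines:
        matched = sorted(v for v, p in patterns.items() if p.search(line))
        if matched:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    print("spoofing indicators:", spoofing_indicators(SAMPLE_HEADERS))
    for line, matched in match_iocs(SAMPLE_LOGS):
        print("IoC hit", matched, "in:", line)
```

In practice the header parser would run over the gateway's quarantined messages and the IoC matcher over proxy, DNS and mail-gateway exports; the token-bounded regex avoids the substring false positives that a plain `in` check would produce on IP addresses and filenames.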


Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/how-to-investigate-phishing-attacks/