Threat intelligence for phishing prevention

Phishing remains a pervasive cybersecurity threat responsible for over 80% of security incidents, costing businesses billions annually and eroding trust.

Threat intelligence, meaning real-time, actionable data on cyber threats, actors, and tactics, empowers organizations to stay ahead of these risks.

Tools like ANY.RUN’s Threat Intelligence Lookup provide critical insights by analyzing malicious artifacts, campaigns, and attacker behaviors, enabling proactive defense. 

Here are five examples of how solutions like ANY.RUN’s Threat Intelligence Lookup can help investigate, anticipate and defend against phishing threats. 

1. Analyze Indicators from Suspicious Emails 

As email remains the primary delivery channel for 91% of phishing attacks, threat intelligence is essential to safeguard businesses. 

Phishing emails often contain indicators of compromise (IOCs) such as malicious URLs, attachments, and domains, including sender addresses. Threat Intelligence Lookup allows users to search for these IOCs and provides contextual information, aiding swift identification and response.


A security analyst can determine if the indicators are associated with known phishing campaigns or malware variants and block malicious emails before they reach inboxes.  

domainName:"iaccindia.com"

A suspicious domain search results with linked analyses and IOCs

A number of fresh malware samples have been found by searching for the domain. We can see what campaigns they are associated with and view each analysis session to gather more IOCs for setting up monitoring and alerts. 

Try for yourself: you have 50 test queries from ANY.RUN to check suspicious artifacts 

2. Follow updates on fresh email phishing threats in your country 

Phishing campaigns often target specific regions, exploiting local events or cultural nuances. Threat intelligence provides real-time updates on emerging email phishing threats tailored to a country. 

What suspicious emails have ANY.RUN's users from, say, Colombia recently analyzed? What trends do they illustrate? Threat Intelligence Lookup can show that in response to a simple search query:

commandLine:"OUTLOOK.EXE" and submissionCountry:"Co"

Recent phishing campaigns targeting Colombian users

We can see that one of the urgent threats to the Colombian audience is emails sent via Amazon's Simple Email Service (Amazon SES) containing a message allegedly from Federal Express asking customers to confirm their address.

Such emails can be flagged as malicious or suspicious because Amazon SES is often abused for phishing, so the findings call for further research.

Each analysis session can be viewed to observe processes, detections, YARA rules triggers, HTTP and DNS requests and connections to understand whether an emerging threat is actually present. 

Contents of a suspicious email can be safely researched in the virtual environment

Moreover, users can subscribe to real-time updates on the results of their queries. If a new phishing campaign is unfolding, more related malware samples will be submitted by users and surfaced by Threat Intelligence Lookup.

Click on the bell icon in the top right corner above the search results to subscribe to their updates.  

Search results subscription helps track emerging threats

When properly informed, SOC teams can adjust email filters and help train employees to recognize region-specific lures, reducing the 96% likelihood of encountering at least one phishing attack annually. 

3. Collect intel on the latest APT attacks 

Advanced persistent threats (APTs) top the charts of the most formidable cybersecurity challenges due to their strategic nature, the resources behind them, and their capability to adapt and evolve over time.

Threat intelligence fuels a number of APT-resisting tactics and helps identify the patterns and techniques used by these groups. The journey usually starts with basic research: use the APT's name as a search query in TI Lookup:

threatName:"storm1747"

Storm1747 APT group’s recent campaigns

As we can see, Storm1747, in line with its prevalent strategy, runs ransomware campaigns leveraging the Tycoon 2FA phishing kit. Further TTP analysis and IOC collection will support proactive protection against the threat.

4. Investigate artifacts in logs to discover undetected threats 

Phishing attacks often evade initial detection, but leave traces in system logs, such as unusual login attempts or network traffic to suspicious IPs. Threat intelligence enables forensic analysis of these artifacts to uncover undetected threats. 

Threat Intelligence Lookup supports over 40 search query parameters so threat hunters can combine them to architect complicated queries and cross-reference artifacts with contextual data.  

A single dubious string spotted in the logs, when thoroughly explored, can reveal an unnoticed threat. Suppose we see an unfamiliar command run via PowerShell.

Checking this command, we uncover a number of cases of malicious network activity, including those tagged “stegocampaign”.  

commandLine:"Codigo" and imagePath:"powershell"

PowerShell command found in malware samples

This malware campaign uses steganography: the practice of hiding malicious code inside images or other benign objects to avoid detection.

5. Detect Phishing Campaigns Abusing Microsoft Services 

Cybercriminals frequently exploit business-trusted platforms like Microsoft 365, OneDrive, or Teams to host phishing pages or deliver malicious payloads, leveraging their legitimacy to bypass filters.

Threat intelligence identifies phishing campaigns abusing these services, which are critical to corporate operations. 

Threat Intelligence Lookup allows users to explore the latest attacks mimicking Microsoft and using legitimate brand assets, such as site backgrounds or styles, to lure users to phishing pages.

For example, attackers often use backgrounds or login forms of the Azure Content Delivery Network (CDN).

To find these examples with TI Lookup, we specify the Azure domain and filter out non-malicious instances by excluding Microsoft's own domains from the query with the NOT operator and setting the threat level to "suspicious."

Parameters with empty values request all possible results for those parameters. Adding domainName:"" and suricataMessage:"" will display all domains and Suricata messages found across the sandbox sessions that match the query.

domainName:"aadcdn.ms*auth.net" AND threatLevel:"suspicious" AND NOT domainName:".microsoftonline." AND suricataMessage:"" AND domainName:""

Malware analyses in ANY.RUN’s Interactive Sandbox that include Microsoft services

We get a list of sandbox sessions that feature examples of actual phishing attacks abusing Microsoft’s infrastructure and can analyze and blacklist indicators linked to these attacks.  

The interface of a fake Microsoft login page

Along with the relevant sandbox sessions, we can retrieve the command lines extracted from them, which reveal the URLs used by attackers, including ones that embed victims' email addresses.
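As an added illustration (not ANY.RUN's code), the following Python evaluator applies the query semantics described in sections 4 and 5 to a few constructed sandbox-session records: field:"value" clauses joined with AND, NOT to exclude, "*" as a wildcard, and an empty value meaning "show every value of that field". Substring matching on field values is an assumption drawn from the article's examples, as is the record layout.

```python
import re
from fnmatch import fnmatchcase

# One clause of a TI Lookup-style query: optional NOT, field name, quoted value.
CLAUSE = re.compile(r'(NOT\s+)?(\w+):"([^"]*)"', re.IGNORECASE)

def parse_query(query):
    """Split an AND-joined query into (negated, field, pattern) clauses."""
    return [(bool(neg), field, pat) for neg, field, pat in CLAUSE.findall(query)]

def clause_matches(record, field, pattern):
    """Substring match with '*' wildcard; an empty pattern only needs the field present."""
    values = record.get(field, [])
    values = [values] if isinstance(values, str) else values
    if pattern == "":
        return bool(values)
    return any(fnmatchcase(v, f"*{pattern}*") for v in values)

def run_query(query, records):
    """Return matching records' ids plus the values of every field queried with ""."""
    clauses = parse_query(query)
    display = [f for neg, f, pat in clauses if pat == "" and not neg]
    hits = []
    for rec in records:
        # A NOT clause must fail to match; every other clause must match.
        if all(clause_matches(rec, f, pat) != neg for neg, f, pat in clauses):
            hits.append({"id": rec["id"], **{f: rec.get(f, []) for f in display}})
    return hits

# Constructed sample sandbox-session records (not real ANY.RUN data).
SESSIONS = [
    {"id": "s1", "threatLevel": "suspicious", "suricataMessage": ["Possible phishing page"],
     "domainName": ["aadcdn.msauth.net", "login.microsoftonline.com"]},
    {"id": "s2", "threatLevel": "suspicious", "suricataMessage": ["Phishing landing page"],
     "domainName": ["aadcdn.msftauth.net", "secure-docs.example"]},
    {"id": "s3", "threatLevel": "malicious", "domainName": ["aadcdn.msauth.net"],
     "imagePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "commandLine": "powershell.exe Codigo"},
]

# The article's Microsoft-abuse query: s1 is dropped by the NOT clause, s3 by threatLevel.
MICROSOFT_QUERY = ('domainName:"aadcdn.ms*auth.net" AND threatLevel:"suspicious" '
                   'AND NOT domainName:".microsoftonline." AND suricataMessage:"" AND domainName:""')

if __name__ == "__main__":
    for hit in run_query(MICROSOFT_QUERY, SESSIONS):
        print(hit)
```

The same evaluator handles the section 4 query commandLine:"Codigo" and imagePath:"powershell", which matches only the constructed record s3.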

Conclusion 

Phishing’s evolving sophistication demands proactive defenses. Beyond financial damage, successful attacks cause data breaches, reputational harm, and operational disruptions. Threat intelligence is a cornerstone of effective protection.  

By checking email indicators, tracking regional threats, analyzing APT tactics, investigating logs, and detecting abuse of trusted services like Microsoft’s, organizations can significantly reduce their vulnerability.

ANY.RUN’s Threat Intelligence Lookup helps with all these tasks and empowers businesses with actionable insights, turning the tide against phishing’s staggering financial and operational toll. 

Arm your business against phishing with top threat intelligence, test TI Lookup with 50 trial requests 

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.