Phishing campaigns are getting tougher to identify, typically hiding in information you’d by no means suspect. ANY.RUN’s cybersecurity analysts just lately uncovered one such case: a malicious SVG disguised as a PDF, hosted on a professional area and filled with hidden redirects. By mid-September, it scaled right into a full spam wave with Microsoft-themed lures.
Let’s have a look at the way it labored, and the way analysts can collect the complete chain of intel in a protected sandbox setting.
Contained in the Current SVG Assault
Right here’s a sandbox session that exhibits the complete habits. Test the true case to look at the redirects and payload extraction stay:
View the sandbox session (SVG assault)
ANY.RUN’s sandbox session revealing malicious SVGs in phishing assault
Supply & disguise: The file arrives wanting like a PDF attachment however is an SVG (XML) file. As a result of SVG helps scripts, attackers embed lively content material as a substitute of static pixels.
Malicious SVG file despatched utilizing Sharesync
Uncover hidden threats, lower investigation time from hours to minutes, and keep forward of evolving assault strategies.Strive ANY.RUN now
Pretend immediate proven: Opening the file in a browser shows a “protected doc” message to social-engineer the consumer into clicking or ready.
Social engineering employed by attackers
Script execution (XOR decoder): The embedded JavaScript runs an XOR decode routine that reconstructs the true redirect code after which executes it (by way of eval).
You’ll be able to see this straight in ANY.RUN’s static/HEX view: the decoder variables, the hex/escaped bytes (for instance ‘x65′,’x76’,…) and the reconstructed script are all uncovered within the session. That view lets analysts dump the decoded payload and assessment the precise instructions the SVG runs.
ANY.RUN’s static view exhibiting script execution
Layered redirects: The decoded code pushes the browser by means of a number of middleman domains, obfuscating the path. Examples noticed on this chain embrace:
loginmicrosft365[.]powerappsportals[.]com
loginmicr0sft0nlineofy[.]52632651246148569845521065[.]cc
Closing phishing web page: The consumer lands on a Microsoft-branded credential web page that even makes use of a Cloudflare Turnstile widget to look professional and bypass cursory checks. With ANY.RUN’s automated interactivity, these verifications are dealt with routinely, so analysts don’t waste time clicking by means of manually.
Cloudflare Turnstile widget utilized by attackers, uncovered inside ANY.RUN sandbox
Credential assortment & persistence: Entered credentials are captured and forwarded to attacker-controlled infrastructure constructed for scale (PhaaS-like), enabling mass harvesting.
Pretend Microsoft web page for credentials assortment
What the sandbox reveals: The interactive session exhibits each redirect and HTTP transaction, exposes the decoded JavaScript in HEX/Textual content, and captures runtime artifacts.
Exportable IOCs and stories will be straight built-in with SIEM, EDR, and threat-intel platforms, so analysts get the info contained in the instruments they already use, saving time and chopping further steps.
Properly-structured report generated by ANY.RUN sandbox
The Sandbox Benefit: Quick Detection of New Assaults
As you possibly can see, interactive sandboxes are particularly beneficial for recognizing new and evasive assaults. As a substitute of ready on static signatures or delayed alerts, they run the file in a stay setting and floor malicious behaviors in actual time.
With ANY.RUN, analysts can:
Get malicious verdicts in beneath 60 seconds: 88% of threats are detected this shortly.
Reveal the complete assault chain immediately: each redirect, script, and payload mapped out with out guesswork.
Speed up triage and response: groups report as much as 94% quicker triage and three× increased SOC efficiency.
Flip findings into motion: export IOCs and TTPs straight into SIEM, EDR, or TI platforms to replace detections and launch hunts instantly.
By reworking hours of handbook work into minutes of automated visibility, sandboxes give analysts the pace, readability, and context wanted to remain forward of recent assault strategies.
Request your 14-day trial and see how briskly you possibly can catch new assaults with ANY.RUN’s sandbox.
