Phishing Incident Report: Facts and Timeline

Published 25/06/2024 07:41 · Modified 25/06/2024 07:52

Essential information

Tags: 2024-06-25, data exfiltration, email compromise, incident response, mfa bypass, phishing
Related entities: 9 observables, 1 others

Description

On June 18, 2024, an employee's account at ANY.RUN was compromised and used to carry out an attack against the company's entire contact list. The initial compromise occurred on May 27 through an adversary-in-the-middle (AiTM) campaign targeting the employee. Over the following weeks, the attacker maintained access by registering their own device for multi-factor authentication and used tools like PerfectData Software to potentially exfiltrate data from the mailbox. The emails sent on June 18 contained links already flagged as malicious but not properly detected due to a lack of up-to-date security controls. ANY.RUN has taken steps to revoke access, contain the incident, remove persistence mechanisms, and prevent future occurrences.

External references