ANY.RUN

🚨 𝗡𝗲𝘄 𝗥𝗲𝗱𝗶𝗿𝗲𝗰𝘁 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 𝗧𝘂𝗿𝗻𝘀 𝗟𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝗪𝗲𝗯𝘀𝗶𝘁𝗲𝘀 𝗜𝗻𝘁𝗼 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 We’re tracking a surge in activity linked to Bulletproof Redirect Engine, a previously unknown framework that helps attackers manage #phishing redirects through compromised legitimate websites. ❗️ Since late April, #ANYRUN has recorded 170+ public submissions linked to this activity, with observed targets mainly in the US and Europe across manufacturing, consulting, and technology. ⚠️ Hosted in hidden directories on compromised sites, the framework uses trusted domain names to generate phishing links and redirect users to pages built with known phishkits: #Sneaky2FA, #Tycoon, #EvilTokens, Greatness, and EvilProxy. Based on the observed activity, the tool is likely distributed as a PhaaS. Reputation-based URL controls are not enough when phishing infrastructure hides behind trusted domains and obfuscated browser logic. This increases the chance of victim interaction and creates a SOC blind spot that may lead to missed compromise. ⚡️ Attack chains like this are now faster and easier to investigate in #ANYRUN Sandbox. In-browser data inspection shows exactly what happens inside the browser, exposing phishing behavior that static URL analysis can miss. 👨‍💻 Using the Browser Data tab, we can quickly review requests sent by the redirect page and locate the same activity in the HTML DOM Changes: https://t.co/pobLzcgv55 The code is heavily obfuscated, so the final phishing page is not directly visible in the DOM. But the HTTP Requests tab still exposes the next-stage redirect to an #EvilProxy phishing page impersonating Microsoft sign-in flow. This gives analysts a clear pivot point for detection, investigation, and response ✅ 🚀 Expose phishing activity hidden behind trusted infrastructure and obfuscated browser logic, then turn it into faster triage, sharper response, and stronger detection rules. See how #ANYRUN closes phishing blind spots: https://t.co/nANS7uDw4I #ExploreWithANYRUN

⚠️ 𝗜𝗳 𝘁𝗵𝗲 𝗴𝗮𝘁𝗲𝘄𝗮𝘆 𝗳𝗹𝗮𝗴𝗴𝗲𝗱 𝗻𝗼 𝗽𝗵𝗶𝘀𝗵𝗶𝗻𝗴, 𝗵𝗼𝘄 𝗱𝗶𝗱 𝘁𝗵𝗲 𝘂𝘀𝗲𝗿 𝗿𝗲𝗮𝗰𝗵 𝘁𝗵𝗲 𝗽𝗮𝘆𝗹𝗼𝗮𝗱 𝗽𝗮𝗴𝗲? Modern phishing attacks are engineered to pass static checks. The first link looks clean. The final page — credential form, redirect chain, injected scripts — never gets inspected. 🚀 #ANYRUN’s in-browser data inspection closes the visibility gap by showing what happened inside the browser, helping analysts reach a verdict faster with evidence they can use to contain, escalate, or build detection logic. ⚡️ #ANYRUN Sandbox is the verification layer for cases that sit in the gray zone. See how SOC teams investigate phishing inside the browser: https://t.co/dq2BcXuSxm

❓ How often do your SOC reports drive action? We believe that a report should guide the next decision ⚡️      Our SOC-ready Tier 1 reports, generated automatically after every sandbox analysis, are structured for triage, escalation, and leadership reporting. Curious how it works in your team. Share your perspective in the comments 💬 👨‍💻 See how SOC teams provide a decision-support layer with standardized Tier 1 reports: https://t.co/oNrboF5GDW