
It takes only one email to compromise an entire system. A well-written message can bypass filters, fool employees, and give the attacker the access they need. If it goes undetected, the result can be credential theft, unauthorized access, and even a full-scale breach. As phishing techniques become more evasive, automated solutions alone can no longer catch them reliably.
Let’s take a closer look at how SOC teams can achieve fast and accurate detection of even the most evasive phishing attacks, using Tycoon2FA, the number one phishing threat in today’s corporate environment, as the example.
Step 1: Upload the suspicious file or URL to the sandbox
Consider a typical situation: the detection system flags a suspicious email, but it is unclear whether it is actually malicious.
The fastest way to check is a quick analysis inside a malware sandbox.
A sandbox is an isolated virtual machine that lets you safely open files, click on links, and observe their behavior without putting your own systems at risk. It gives SOC analysts a way to investigate malware, phishing attempts, and suspicious activity without triggering anything locally.
Getting started is easy. Upload the file or paste the URL, select your OS (Windows, Linux, or Android), fine-tune the settings as needed, and within seconds you are in a fully interactive virtual machine, ready to investigate.
Any.run Analysis Setup in Sandbox
To show how easy it is to detect phishing, let’s look at a real-world example.
Check out our phishing sample here
Phishing emails analyzed within a cloud-based any.run sandbox
The suspicious email contains a large green “play audio” button. This is a lure designed to get the victim to click.
Step 2: Detonate the complete attack chain
With a sandbox like any.run, you can detonate every stage of the attack, from the first click to the final payload. Even junior SOC members can do it easily: the interface is intuitive, interactive, and built to make complex analysis simpler.
In our phishing example, we have already seen how the attack begins: a suspicious email with a large green “play audio” button embedded in the thread. But what happens after the click?
Within the sandbox session, we see it clearly:
As soon as the button is pressed, a series of redirects (another evasion tactic) eventually leads to a CAPTCHA challenge page. This is where automated tools usually fail: they cannot click a button, solve a CAPTCHA, or mimic user behavior, so they often miss real threats.
With any.run’s interactive sandbox, this is not a problem. You can either solve the CAPTCHA manually or enable Auto Mode and let the sandbox handle it. In both cases, the analysis continues smoothly, reaching the final phishing page and letting you observe the complete attack chain.
CAPTCHA challenge solved inside the interactive sandbox
Once the CAPTCHA is solved, you are redirected to a fake Microsoft login page. At first glance it is convincing, but closer inspection reveals the truth.
The URL is clearly unrelated to Microsoft and is full of random characters, and the favicon (browser tab icon) is missing. Small red flags, but ones that give the page away.
Any.run phishing signs detected in the sandbox
Without an interactive sandbox, these details remain hidden. Here, every step is visible and every move is traceable, so the phishing infrastructure can be identified before it tricks someone in your organization.
If it goes undetected, the victim may unknowingly enter their credentials into the fake login page and hand sensitive access directly to the attacker.
By making sandbox analysis part of the security routine, teams can verify suspicious links or files in seconds. In most cases, any.run delivers a first verdict in under 40 seconds.
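The red flags described above (a Microsoft-branded page served from an unrelated domain, a URL made of random-looking characters, and a missing favicon) can be written down as a small triage check that an analyst runs against what they observe in the sandbox session. The following is an added example, not ANY.RUN’s code; the allowlist of sign-in hosts, the entropy threshold, and the sample URLs (which use reserved placeholder domains) are assumptions for illustration.

```python
"""Triage heuristics for a suspected fake login page.

Added example (not ANY.RUN's code): applies the red flags named in the
article to observations an analyst records from a sandbox session.
The sample URLs are constructed placeholders.
"""
import math
from urllib.parse import urlsplit

# Hostnames Microsoft actually uses for sign-in; assumed allowlist, extend it
# with your tenant's own SSO hosts.
LEGITIMATE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random tokens score near log2(alphabet)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(token: str) -> bool:
    """A long label mixing letters and digits with high entropy, as in the
    generated hostnames and paths that phishing kits rotate through.
    Length and threshold are assumed tuning values."""
    has_alpha = any(c.isalpha() for c in token)
    has_digit = any(c.isdigit() for c in token)
    return (len(token) >= 16 and has_alpha and has_digit
            and shannon_entropy(token) >= 3.5)


def triage_login_page(url: str, page_title: str, has_favicon: bool) -> list:
    """Return the red flags raised for a login page seen in the sandbox."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Red flag 1: the page is branded as Microsoft but served from elsewhere.
    if "microsoft" in page_title.lower() and host not in LEGITIMATE_LOGIN_HOSTS:
        flags.append(f"brand-mismatch: Microsoft-branded page served from {host}")

    # Red flag 2: random-looking characters in hostname labels or path segments.
    tokens = host.split(".") + [seg for seg in parts.path.split("/") if seg]
    if any(looks_random(t) for t in tokens):
        flags.append("random-looking-url")

    # Red flag 3: no favicon shown in the browser tab.
    if not has_favicon:
        flags.append("missing-favicon")
    return flags


if __name__ == "__main__":
    # Constructed fake page, modelled on the article's description.
    fake = triage_login_page(
        "https://k8f2x9q1m4z7c3v5.phish-placeholder.example/a7b3c9d1e5f2g8h4j6k0/",
        page_title="Sign in to your Microsoft account",
        has_favicon=False,
    )
    # The genuine sign-in endpoint raises nothing.
    real = triage_login_page(
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        page_title="Sign in to your account | Microsoft",
        has_favicon=True,
    )
    print("fake:", fake)
    print("real:", real)
```

The flags are a triage aid, not a verdict: the brand mismatch is the strongest signal, while the entropy check and the favicon check only support it, which is why the function returns the individual flags rather than a single boolean.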
Step 3: Analyze and collect IOCs
Once the phishing chain has been fully detonated, the next step is the most important one for your security team: collecting indicators of compromise (IOCs) that can be used for detection, response, and future prevention.
Solutions like any.run speed up and centralize this process. Here are some of the key findings from the phishing sample:
The process tree, shown in the top right corner, lets you track suspicious behavior. One process stands out: it is labeled “phishing” and shows exactly where the malicious activity occurred.
Malicious process identified by the sandbox
Below the VM window, the Network Connections tab lets you inspect all HTTP/HTTPS requests. This reveals the external infrastructure used in the attack: domains, IPs, and so on.
The Threats section shows Suricata alerts, including “Phishing [ANY.RUN] Suspected Tycoon2FA phishing kit domain”. This confirms which phishing kit is in use and adds useful context for threat classification.
Suricata rules triggered by Tycoon2FA
In the top panel, a tag instantly identifies the session as a Tycoon2FA-related threat, so analysts know what they are dealing with at a glance.
Tycoon2FA tag detected by the any.run sandbox
Need to see all the IOCs in one place? Simply click the IOC button and you get a complete list of domains, hashes, URLs, and more. There is no need to jump between tools or collect data manually.
These IOCs can be used to:
- Block malicious domains across the infrastructure
- Update email filters and detection rules
- Support threat intelligence databases
- Enrich incident response and SOC workflows
IOCs gathered inside any.run sandbox
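To make the IOC list actionable in the ways listed above (domain blocklist, detection rules, threat-intelligence feed), the export usually needs normalizing first: duplicates, mixed case, and malformed hashes are common. The following added example (not ANY.RUN’s code) does that and emits one Suricata DNS alert rule per domain using the dns.query sticky buffer (Suricata 5 and later); the IOC values, SID range and rule message are constructed placeholders, not indicators from the analysis above.

```python
"""Turn a sandbox IOC export into blocklist entries and Suricata DNS rules.

Added example, not ANY.RUN's code. The IOC values below are constructed
placeholders standing in for the list the IOC button produces.
"""
import re
from urllib.parse import urlsplit

# Constructed sample export: duplicates, mixed case, a trailing dot and a
# malformed hash are deliberate, since raw exports often contain them.
SAMPLE_IOCS = {
    "urls": [
        "https://Phish-Placeholder.example/login/abc",
        "https://phish-placeholder.example/login/abc",
        "http://redirector-placeholder.example/go?id=1",
    ],
    "domains": ["phish-placeholder.example", "cdn-placeholder.example."],
    "sha256": ["0" * 64, "not-a-hash"],  # placeholder values, not real samples
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def extract_domains(iocs: dict) -> set:
    """Normalized, de-duplicated set of domains from the domain and URL lists."""
    found = set()
    for d in iocs.get("domains", []):
        found.add(d.strip().lower().rstrip("."))
    for u in iocs.get("urls", []):
        host = urlsplit(u).hostname
        if host:
            found.add(host.lower().rstrip("."))
    return found


def valid_hashes(iocs: dict) -> list:
    """Keep only well-formed SHA-256 values so a typo never poisons a blocklist."""
    return [h.lower() for h in iocs.get("sha256", []) if SHA256_RE.match(h.lower())]


def defang(indicator: str) -> str:
    """Defang for reports and tickets so nobody clicks the indicator by accident."""
    if indicator.startswith("http"):
        indicator = "hxxp" + indicator[4:]
    return indicator.replace(".", "[.]")


def suricata_dns_rules(domains, sid_start: int = 9000001) -> list:
    """One alert rule per domain, matching DNS queries for it.
    The SID range is an assumed local range; pick one your ruleset does not use."""
    rules = []
    for offset, domain in enumerate(sorted(domains)):
        rules.append(
            "alert dns any any -> any any ("
            f'msg:"Sandbox IOC domain lookup: {domain}"; '
            f'dns.query; content:"{domain}"; nocase; '
            f"classtype:bad-unknown; sid:{sid_start + offset}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    domains = extract_domains(SAMPLE_IOCS)
    print("# blocklist (defanged for the report)")
    for d in sorted(domains):
        print(defang(d))
    print("# suricata rules")
    for rule in suricata_dns_rules(domains):
        print(rule)
    print("# hashes accepted:", valid_hashes(SAMPLE_IOCS))
```

The rules alert on any query containing the domain, which also catches subdomains the kit rotates through; the blocklist is printed defanged because the same list typically goes into the shareable report described below.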
Finally, any.run generates a well-structured, shareable report that includes all the important details, from operational logs and network traffic to screenshots and IOCs.
This report is ideal for documentation, team handoffs, or sharing with external stakeholders, saving valuable time during response.
A well-structured report generated by an interactive sandbox
Why sandboxing should be part of your security workflow
Interactive sandboxing helps teams cut through the noise, expose real threats quickly, and make incident response more efficient.
Solutions like any.run are accessible both to experienced teams and to teams that are just beginning to build their threat detection capabilities.
- Faster alert triage and incident response: no need to wait for a verdict. Watch the threat behave live and make decisions faster.
- Higher detection rate: trace multi-stage attacks in detail from origin to execution.
- Better training: analysts work with live threats and gain hands-on experience.
- Better team coordination: real-time data sharing and process monitoring across team members.
- Less infrastructure maintenance: cloud-based sandboxes require no setup. Analyze anytime, anywhere.
Special offer: from May 19th to May 31st, 2025, any.run is celebrating its 9th birthday with an exclusive offer.
Equip your team with additional sandbox licenses and take advantage of limited-time offers across the sandbox, TI lookups, and security training labs.
Details of any.run’s special birthday offer →
To sum up
Phishing attacks are getting smarter, but detecting them doesn’t have to be difficult. Interactive sandboxes let you find threats early, track the complete attack chain, and gather all the evidence your team needs to respond quickly and confidently.