Threat Actors Leverage Real Enterprise Email Threads to Deliver Phishing Links - CyberSecurityNews
Threat Actors Leverage Real Enterprise Email Threads to Deliver Phishing Links
By Guru Baran
January 28, 2026
In a sophisticated supply chain phishing attack, threat actors hijacked an ongoing email thread among C-suite executives discussing a document awaiting final approval.
The intruder, posing as a legitimate participant, replied directly with a phishing link mimicking a Microsoft authentication form. Researchers attribute this to a compromised sales manager account at an enterprise contractor, allowing seamless insertion into a trusted business conversation.
Attack Chain (Source: ANY.RUN)
This incident underscores a rising tactic: adversaries exploiting real enterprise communications rather than crafting cold phishing lures. By early January 2026, analysis revealed ties to a broader campaign active since December 2025, primarily targeting Middle Eastern firms.
Samples detonated in the ANY.RUN Sandbox exposed the EvilProxy phishkit, a proxy-aware phishing tool that evades traditional session-based detection, while Threat Intelligence (TI) lookups confirmed overlapping infrastructure.
Attack Mechanics and Execution Chain
The attack unfolds through layered social engineering. It begins with a supply chain attack (SCA) phishing email sent to the contractor. This triggers seven forwarded messages, building plausibility as the payload ripples through internal channels.
Email Thread (Source: ANY.RUN)
The final reply embeds a phishing link leading to:
An antibot landing page protected by Cloudflare Turnstile CAPTCHA.
A phishing page with another Turnstile layer for human verification.
EvilProxy deployment, capturing credentials via man-in-the-middle proxying.
Fake Cloudflare Verification (Source: ANY.RUN)
This chain mimics legitimate Microsoft 365 flows, using dynamic HTML/PDF attachments with embedded scripts. No zero-days or exploits were needed; success hinged on business trust and conversation hijacking. Infrastructure rivals phishing-as-a-service (PhaaS) platforms in scale, with rented domains and bot mitigation to filter analysts.
ANY.RUN Sandbox detonation visualized the full chain: network callbacks to C2 servers, credential exfiltration, and session token theft—all in under 60 seconds.
Detected in Sandbox (Source: ANY.RUN)
Indicators pivoted to dozens of victims, with a Middle East focus likely tied to regional finance and energy sectors. EvilProxy's resurgence since its 2023 debut highlights PhaaS evolution: modular kits now integrate Turnstile and geo-fencing, complicating takedowns.
Unlike technical vulnerabilities, these attacks weaponize human workflows. Mail sent from a compromised contractor account looks "perfect": it originates from a real mailbox on the contractor's own mail infrastructure, so it passes DMARC and content filters. Enterprises face elevated risk as remote work normalizes asynchronous approvals.
Threat Lookup (Source: ANY.RUN)
Mitigation Strategies and IOCs
Defend with process hardening:
Flag HTML/PDFs with dynamic content; sandbox suspicious files pre-interaction.
Enforce four-eyes principle: separate initiation from approval.
Train via realistic SCA simulations mimicking hijacked threads.
ANY.RUN equips SOCs with behavioral reports, slashing MTTD/MTTR.
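The first mitigation above, flagging HTML/PDF attachments with dynamic content before anyone opens them, can be automated at the mail gateway. The following is an added example (not code from the article or from ANY.RUN) that walks the attachments of an RFC 822 message, flags HTML parts containing script tags, inline event handlers, javascript: URIs or meta-refresh redirects, and flags PDF parts containing /JavaScript, /JS, /OpenAction, /Launch or /AA name objects. The pattern names, the helper names and the sample message are all constructed for this demo; a hit means "send to sandbox", not "malicious".

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Markers of "dynamic content" in an HTML attachment. The names are mine;
# the regexes are deliberately loose so that odd casing still triggers.
HTML_PATTERNS = [
    ("script-tag",     re.compile(rb"<script\b", re.I)),
    ("event-handler",  re.compile(rb"\bon[a-z]+\s*=", re.I)),   # onload=, onclick=, ...
    ("javascript-uri", re.compile(rb"javascript:", re.I)),
    ("meta-refresh",   re.compile(rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
]
# PDF name objects that make a document act on open or execute script.
PDF_PATTERNS = [
    ("pdf-javascript", re.compile(rb"/JavaScript\b")),
    ("pdf-js",         re.compile(rb"/JS\b")),
    ("pdf-openaction", re.compile(rb"/OpenAction\b")),
    ("pdf-launch",     re.compile(rb"/Launch\b")),
    ("pdf-aa",         re.compile(rb"/AA\b")),          # additional-actions dictionary
]


def classify_part(filename, content_type, payload):
    """Return the list of dynamic-content markers found in one attachment.

    An empty list means nothing suspicious was seen. Both the declared
    content type and the file extension are checked, because senders lie
    about one or the other.
    """
    name = (filename or "").lower()
    reasons = []
    if content_type == "text/html" or name.endswith((".html", ".htm")):
        reasons += [tag for tag, pat in HTML_PATTERNS if pat.search(payload)]
    if content_type == "application/pdf" or name.endswith(".pdf"):
        reasons += [tag for tag, pat in PDF_PATTERNS if pat.search(payload)]
    return reasons


def triage_message(raw_bytes):
    """Map attachment filename -> markers, for every attachment that has any."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_part(part.get_filename(), part.get_content_type(), payload)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def needs_sandbox(raw_bytes):
    """Gateway decision: hold the message for detonation if anything was flagged."""
    return bool(triage_message(raw_bytes))


def build_sample():
    """Constructed message imitating a reply in an approval thread (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sales.manager@contractor.example"
    msg["To"] = "cfo@enterprise.example"
    msg["Subject"] = "RE: RE: Contract approval"
    msg.set_content("Please see the attached document awaiting your approval.")
    html = (b"<html><body onload=\"location.href='https://example.invalid/'\">"
            b"Open the document</body></html>")
    msg.add_attachment(html, maintype="text", subtype="html", filename="Approval.html")
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript "
           b"/JS (app.launchURL('https://example.invalid/')) >> >> endobj\n%%EOF")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Invoice.pdf")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Plain-text and clean PDF attachments pass untouched; the HTML and PDF parts in the constructed sample are flagged for the onload handler and the OpenAction/JavaScript chain respectively. The byte-level regexes are a triage heuristic, not a parser: a PDF that stores its action dictionary in a compressed object stream will not match, which is exactly why the flagged-or-not decision should feed a sandbox rather than replace one.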
Key IOCs:

Category        Indicators
URI Pattern     POST ^(/bot/
Domains         himsanam[.]com
                bctcontractors[.]com
                studiofitout[.]ro
                st-fest[.]org
                komarautikat[.]hu
                eks-esch[.]de
                avtoritet-car[.]com
                karaiskou[.]edu[.]gr
Domain Pattern  ^loginmicrosoft*
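To turn the IOC table above into a retro-hunt, the indicators need to be refanged and applied to proxy or firewall logs. The following is an added example (not code from the article or from ANY.RUN) that does that over a few constructed proxy log lines. It assumes two readings that the published patterns leave open: that "POST ^(/bot/" means a POST whose URL path begins with /bot/, and that "^loginmicrosoft*" is a prefix match on the hostname rather than a literal regular expression. The log format, user names and hostnames not in the table are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# The domain IOCs from the article, kept in the defanged form as published.
IOC_DOMAINS_DEFANGED = [
    "himsanam[.]com", "bctcontractors[.]com", "studiofitout[.]ro", "st-fest[.]org",
    "komarautikat[.]hu", "eks-esch[.]de", "avtoritet-car[.]com", "karaiskou[.]edu[.]gr",
]


def refang(domain):
    """Turn the published defanged form (x[.]y) back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
# Assumption: "POST ^(/bot/" in the table means a POST to a path starting with /bot/.
URI_PATTERN = re.compile(r"^/bot/")
# Assumption: "^loginmicrosoft*" is a hostname prefix, not a literal regex.
DOMAIN_PATTERN = re.compile(r"^loginmicrosoft")


def match_line(line):
    """Parse one constructed proxy line '<ts> <user> <method> <url> <status>'.

    Returns (user, host, hits) when any indicator matches, else None.
    """
    fields = line.split()
    if len(fields) < 5:
        return None
    _ts, user, method, url, _status = fields[:5]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    hits = []
    # Exact domain or any subdomain of a listed domain.
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        hits.append("ioc-domain")
    if DOMAIN_PATTERN.match(host):
        hits.append("domain-pattern")
    if method.upper() == "POST" and URI_PATTERN.match(path):
        hits.append("uri-pattern")
    return (user, host, hits) if hits else None


def priority(hits):
    """A listed domain, or two independent indicators, is high; a lone URI shape is low."""
    return "high" if "ioc-domain" in hits or len(hits) > 1 else "low"


def scan_log(lines):
    """Return (line_no, user, host, hits, priority) for every matching line."""
    results = []
    for n, line in enumerate(lines, 1):
        m = match_line(line)
        if m:
            user, host, hits = m
            results.append((n, user, host, hits, priority(hits)))
    return results


# Constructed proxy log: only the IOC-table domains are real indicators.
SAMPLE_LOG = [
    "2026-01-12T09:58:11Z alice GET https://www.microsoft.com/ 200",
    "2026-01-12T09:59:40Z alice GET https://himsanam.com/verify 200",
    "2026-01-12T10:00:02Z alice POST https://himsanam.com/bot/check 200",
    "2026-01-12T10:00:30Z alice POST https://loginmicrosoft-secure.example/bot/ 302",
    "2026-01-12T10:01:00Z bob GET https://cdn.st-fest.org/a.js 200",
    "2026-01-12T10:02:00Z bob POST https://intranet.example/bot/status 200",
]

if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        print(row)
```

The URI pattern on its own fires on the internal "/bot/status" request as well, which is why the priority helper treats a lone URI-shape hit as low confidence and only escalates when it coincides with a listed domain or the loginmicrosoft hostname prefix. Sequences such as lines 2 to 4 (a GET to the landing page followed by a POST under /bot/) are the antibot-then-phishing flow the article describes and are worth reviewing as one session rather than as isolated hits.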
About the author: Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.