Modern detection systems can filter most malicious attempts. Yet, there are still too many instances of companies falling victim to business email compromise (BEC) simply due to relying too much on automation. The way to solve this is to introduce a protocol for analyzing suspicious correspondence using tools like a sandbox.

What is a malware sandbox?

A malware sandbox is a virtual environment designed to open and analyze suspicious files and URLs without putting your own machine at risk. It provides a safe space to study how malware behaves, what actions it performs, and what resources it tries to access. Emails are just one of the many file formats that can be submitted to a sandbox for analysis.

While many automated sandboxes prevent manual engagement with the analyzed email, services like ANY.RUN offer a fully interactive experience similar to working on a standard computer.

This interactivity is particularly useful when analyzing suspicious emails, as they often contain elements that require user interactions, such as password-protected archive attachments or redirects with CAPTCHA challenges.

Examples of Suspicious Emails Analyzed in a Sandbox

Let’s consider a couple of examples to see how a malware sandbox can help you expose a phishing attack.

Credentials Stealing Attempt

Check out this analysis session of a phishing email.

The email contains a message asking the target user to view the attached documents. It also creates a sense of urgency by requesting that this be done “at the earliest convenience”.

The phishing email opened in ANY.RUN

Attached to the email are two files: an image and a PDF. The latter format is commonly used by attackers to hide malicious links.

Thanks to our interactive sandbox, we can safely open the PDF in the virtual environment.

The PDF attached to the phishing email

Inside, we find text reading “secure online document” and a call to action (CTA) inviting the user to click on a link. To see where it leads, let’s follow along.
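The step just described, opening the attachment to find the link it carries, can also be done statically as a first pass before anything is clicked. The script below is an added example, not ANY.RUN code: it parses an .eml, pulls out the attachments, and lists every /URI action found in any PDF attachment. The email, the image and the one-page PDF are constructed inline, and the link target is a placeholder domain, so it runs offline.

```python
"""Triage helper: extract attachments from an .eml and list the links hidden
inside PDF attachments.  Added example, not ANY.RUN code; the email and the
PDF are constructed below so the script runs offline."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed minimal PDF: one page whose only content is a link annotation
# with a /URI action.  The target is a placeholder, not a real site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://captcha-gate.example/secure-document) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by a PDF literal string; escaped parentheses inside are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def build_sample_eml() -> bytes:
    """Constructed phishing-style email: short lure text, an image and a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "target@example.com"
    msg["Subject"] = "Documents for your review"
    msg.set_content("Please view the attached documents at the earliest convenience.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(SAMPLE_PDF,
                       maintype="application", subtype="pdf",
                       filename="Secure_Document.pdf")
    return msg.as_bytes()


def list_attachments(raw_eml: bytes) -> list[tuple[str, str, bytes]]:
    """Return (filename, content-type, decoded bytes) for every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    return [(part.get_filename() or "", part.get_content_type(),
             part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target in the raw PDF bytes.

    First-pass check only: links inside compressed object streams are not
    decoded here, so a clean result is not proof that the PDF has no links."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # undo the common PDF literal-string escapes
        text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(text.decode("latin-1"))
    return uris


def triage(raw_eml: bytes) -> dict[str, list[str]]:
    """Map each PDF attachment (by declared type or %PDF- magic) to its links."""
    report = {}
    for name, ctype, data in list_attachments(raw_eml):
        if ctype == "application/pdf" or data[:5] == b"%PDF-":
            report[name] = pdf_uris(data)
    return report


if __name__ == "__main__":
    for name, links in triage(build_sample_eml()).items():
        print(name, "->", links or "(no links found)")
```

The extracted link is what you would then hand to the sandbox, or look up in reputation sources, rather than something to visit from an analyst workstation; the PNG attachment is skipped because neither its declared type nor its magic bytes mark it as a PDF.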

Attackers use CAPTCHA to hide malicious websites

Clicking the link inside the PDF sends us to a Cloudflare CAPTCHA page. This is a common method for attackers to protect the final phishing link in their chain of redirects from automated security solutions, which fail to get past this simple check.

We can easily solve the challenge to move to the final page.

The final fake SharePoint page

Eventually, we are forwarded to the main phishing page of the entire attack. It mimics the design and layout of the legitimate Microsoft SharePoint login page.

The victim is asked to enter their credentials into a malicious form that sends the stolen login and password data straight to the attackers’ server.

Information Stealing Malware

Phishing email attacks may also lead to the installation of malicious software on your machine.

Let’s check out a sandbox analysis session of one such email.

Phishing email containing an archive

In this email, we find a message asking the potential victim to check a fake payment invoice inside the attached archive. To make it appear more believable, the attackers included the sum of money supposedly owed to the victim.

Executable file extracted from the archive

Thanks to the sandbox, we can download this archive to see what is inside. After extracting its contents, we are presented with an .exe file with a name that is more fitting for a document.

After running this file, the sandbox instantly detects malicious activity and attributes it to AgentTesla, a widespread malware family that steals victims’ sensitive information.
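The mismatch described above, an executable carrying a name that belongs on an invoice, can be flagged from the archive listing before anything is run. The following is an added example rather than ANY.RUN code: it opens a ZIP in memory, reads only the first kilobyte of each entry to sniff its real type from magic bytes, and flags executable content, executable or double extensions, and document-like names on executables. The archive and its entries (a PE header stub under an invoice-style name, a benign text file) are constructed inline.

```python
"""Triage helper: list an archive attachment's contents without executing
anything and flag entries whose real type disagrees with their name.
Added example, not ANY.RUN code; the archive is built in memory."""
import io
import zipfile
from pathlib import PurePosixPath

# Leading bytes of common container/executable formats.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc/.xls
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
# Words that make a filename read like a business document.
DOCUMENT_WORDS = ("invoice", "payment", "receipt", "document", "statement", "order")


def sniff(data: bytes) -> str:
    """Classify content by magic bytes; 'unknown' for anything not in MAGIC."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_entry(name: str, head: bytes) -> dict:
    """Build a findings record for one archive entry from its name and first bytes."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(head)
    flags = []
    if kind == "pe-executable":
        flags.append("executable content")
    if ext in EXECUTABLE_EXTS:
        flags.append("executable extension")
    if len(suffixes) > 1:
        flags.append("double extension")
    lowered = PurePosixPath(name).name.lower()
    if any(w in lowered for w in DOCUMENT_WORDS) and (
            kind == "pe-executable" or ext in EXECUTABLE_EXTS):
        flags.append("document-like name on an executable")
    return {"name": name, "extension": ext, "sniffed": kind, "flags": flags}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Inspect every file in a ZIP; only the first KB of each entry is read."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(1024)  # enough for magic bytes, nothing is executed
            entry = inspect_entry(info.filename, head)
            entry["size"] = info.file_size
            results.append(entry)
    return results


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Names of entries that raised at least one flag, in archive order."""
    return [e["name"] for e in inspect_archive(zip_bytes) if e["flags"]]


def build_sample_archive() -> bytes:
    """Constructed archive: two PE header stubs with invoice names, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment_Invoice_4820.exe", b"MZ" + b"\x90" * 62 + b"\x00" * 64)
        zf.writestr("Invoice_4820.pdf.exe", b"MZ" + b"\x00" * 126)
        zf.writestr("notes.txt", b"Please find the invoice attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for e in inspect_archive(build_sample_archive()):
        print(f"{e['name']:<28} {e['sniffed']:<14} {', '.join(e['flags']) or 'clean'}")
```

The listing is a screening aid, not a verdict: a flagged entry is what you detonate in the sandbox, and an unflagged one (a genuine PDF, say) still deserves the link check shown earlier, because the sniffer only knows the handful of formats in MAGIC.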

Malicious activities related to AgentTesla

We can see what actions the malware takes by viewing the process tree related to its execution.

As you can see in the picture above, the malware immediately begins pulling data from browsers and exfiltrating it to the attackers.

Conclusion

Having a reliable sandbox can help you quickly study suspicious emails to determine if they pose a risk to your organization. ANY.RUN sandbox helps you do this with ease, as it provides:

Comprehensive threat reports

In-depth analysis of network traffic, registry and file system activity, processes, and more.