SOCs Turn to Sandboxes and Threat Intel to Stop Phishing

SOCs use interactive sandboxes and threat intelligence to analyze phishing links, map attack chains in under 40 seconds, and feed detections into security tools.

Security operations centers are increasingly using interactive sandboxes and threat intelligence to examine suspicious phishing links and determine whether a click exposes credentials, one-time passwords or remote management tools.

Interactive sandboxes let analysts open attachments, follow URLs and observe redirects and multi-step flows in a controlled environment. In an investigation by researchers at ANY.RUN, a fake invitation that included a CAPTCHA and an event-themed page, once opened inside the sandbox, produced credential prompts, fields to capture one-time passwords and signs of remote management tool delivery. The full attack chain appeared in about 40 seconds.

Phishing campaigns are focusing more on identity. Stolen credentials can grant access to email, SaaS applications, cloud platforms and internal systems. Some campaigns include steps to capture one-time passwords, which can reduce the protection provided by multi-factor authentication. Early signals such as CAPTCHA checks, login pages or calendar invites can resemble routine activity, complicating initial triage.

After sandbox runs reveal malicious behavior, analysts use threat intelligence to link that activity to other domains and infrastructure. In the fake-invitation case, repeated request patterns for paths such as /favicon.ico, /blocked.html and image resources under /Image/*.png helped connect multiple pages and domains to the same campaign. Linking those indicators across infrastructure supports assessment of how widely the campaign may extend.

Behavior-based indicators and campaign context are exported to security tools for detection and hunting. Sandbox outputs can be converted into indicators of compromise and pushed into SIEMs, SOAR platforms, threat intelligence platforms, network detection and response tools and firewalls. Those feeds enable blocking of malicious domains, enrichment of alerts and searches for related exposed accounts or endpoints.
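The infrastructure-linking step described above (shared request paths such as /favicon.ico, /blocked.html and /Image/*.png tying pages to one campaign) and the export of the result as indicators can be illustrated with a small script. This is an added example, not ANY.RUN's code; the log format, the `example.test` hostnames and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sandbox HTTP request log (not from the article): "<host> <method> <path>".
SAMPLE_LOG = """\
invite-a.example.test GET /favicon.ico
invite-a.example.test GET /blocked.html
invite-a.example.test GET /Image/bg.png
invite-a.example.test GET /Image/logo.png
cal-b.example.test GET /favicon.ico
cal-b.example.test GET /Image/bg.png
cal-b.example.test GET /blocked.html
news.example.test GET /favicon.ico
news.example.test GET /index.html
"""

# Request-path patterns the article reports recurring across the fake-invitation campaign.
CAMPAIGN_PATTERNS = {
    "favicon": re.compile(r"^/favicon\.ico$"),
    "blocked": re.compile(r"^/blocked\.html$"),
    "image_png": re.compile(r"^/Image/[^/]+\.png$"),
}


def fingerprint_hosts(log_text):
    """Map each host to the set of campaign path patterns it was seen serving."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the whole run
        host, _method, path = parts
        for name, rx in CAMPAIGN_PATTERNS.items():
            if rx.match(path):
                seen[host].add(name)
    return {h: frozenset(s) for h, s in seen.items()}


def link_campaign_hosts(log_text, min_patterns=len(CAMPAIGN_PATTERNS)):
    """Hosts matching the full combination of patterns are linked to the campaign.
    Requiring the combination matters: /favicon.ico alone is requested by almost every site."""
    fps = fingerprint_hosts(log_text)
    return sorted(h for h, fp in fps.items() if len(fp) >= min_patterns)


def to_indicators(hosts):
    """Minimal STIX-style domain indicators ready to push to a TIP, SIEM or firewall."""
    return [{"type": "indicator", "pattern": f"[domain-name:value = '{h}']"} for h in hosts]
```

Run over real sandbox or proxy logs, the output list is what would be fed into the SIEM, SOAR or firewall for blocking and alert enrichment.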

ANY.RUN reported that its dataset includes analyses across about 15,000 organizations and roughly 600,000 security professionals. The company reported users experienced a reduction in mean time to recovery of about 21 minutes per case, triage times 94% faster, a roughly 30% drop in Tier 1 to Tier 2 escalations, up to 20% lower Tier 1 workload and up to threefold efficiency gains in validation, enrichment and response workflows.

The vendor offered anniversary pricing and bonus seats for teams adopting its sandbox and threat intelligence products, with the promotions available through May 31.

Security teams are using sandbox analysis to confirm what a suspicious link does, apply threat context to connect related infrastructure and distribute detections across existing security stacks.
