Ongoing Phishing Attack in LATAM Region
A sophisticated phishing campaign is currently targeting users in the Latin America (LATAM) region. Cybercriminals are employing a multi-layered approach to bypass security measures and deceive victims into compromising sensitive information.
How the Attack Works
The attack starts with an email that contains a password and a link to a supposed “security check.”
Clicking the link takes the victim to a page hosted on a trusted Google domain. This makes the site look legitimate.
The page offers a download link for a password-protected file. These files are harder for automated security systems to scan.
Because the file is hosted on a trusted domain and password-protected, it bypasses many security filters, making it easier for the attackers to deliver their malicious payload.
For a detailed look at this phishing attack, visit this ANY.RUN sandbox session and see the entire process unfold.
Why This Attack is Dangerous
This phishing attack is tricky because it uses trusted services like Google to make the victim believe everything is safe. The password-protected file also helps it slip past security tools, making it more likely that users will fall for it.
Once the file is opened, it can run harmful programs on the victim’s computer, stealing data or installing more malware.
Investigating the Attack with ANY.RUN TI Lookup
ANY.RUN’s TI Lookup is a powerful tool for tracking and analyzing phishing campaigns like the one currently targeting LATAM. By using the right search query, you can find sandbox sessions that reveal detailed attack behaviors, making it easier to understand and stop these threats.
For phishing attacks similar to the one outlined above, the following query is useful:
submissionCountry:"Co" AND commandLine:"OUTLOOK.EXE" AND commandLine:"WinRAR" AND threatLevel:"malicious"
By running this search, you can quickly identify more examples of attacks and see how threat actors operate — whether they use the same techniques, file types, or delivery methods.
Thanks to TI Lookup’s integration with ANY.RUN’s sandbox, you can easily explore each sample in detail, see how it interacts with the system, and even rerun its analysis.
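The same pairing of command lines can be looked for in your own endpoint telemetry. The following is an added example, not part of the original article or of ANY.RUN's tooling: it correlates process-creation events per host and flags WinRAR starting shortly after Outlook. The event field names, the 15-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed process-creation events; the field names are assumptions for this example.
EVENTS = [
    {"host": "ws-01", "time": "2024-01-10T09:00:05",
     "cmd": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
    {"host": "ws-01", "time": "2024-01-10T09:04:40",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\a\Downloads\check.rar"'},
    # WinRAR with no Outlook activity on the host: not flagged.
    {"host": "ws-02", "time": "2024-01-10T10:00:00",
     "cmd": r'"C:\Program Files\WinRAR\winrar.exe" "D:\backup\logs.rar"'},
    # WinRAR hours after Outlook started: outside the default window.
    {"host": "ws-03", "time": "2024-01-10T08:00:00",
     "cmd": r'"C:\Program Files\Microsoft Office\root\Office16\outlook.exe"'},
    {"host": "ws-03", "time": "2024-01-10T13:30:00",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\b\Documents\old.rar"'},
]

def correlate(events, window=timedelta(minutes=15)):
    """Return (host, outlook_time, winrar_cmd) for each WinRAR start that
    occurs within `window` after an Outlook start on the same host."""
    last_outlook = {}  # host -> most recent Outlook start time
    hits = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        cmd = ev["cmd"].lower()  # match case-insensitively, like the query terms
        if "outlook.exe" in cmd:
            last_outlook[ev["host"]] = ts
        elif "winrar" in cmd:
            seen = last_outlook.get(ev["host"])
            if seen is not None and ts - seen <= window:
                hits.append((ev["host"], seen.isoformat(), ev["cmd"]))
    return hits

if __name__ == "__main__":
    for host, seen, cmd in correlate(EVENTS):
        print(f"{host}: WinRAR after Outlook ({seen}): {cmd}")
```

A hit is a lead for triage, not a verdict: users legitimately open archives received by mail, so review the archive's origin and what ran after extraction.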
Try ANY.RUN TI Lookup for free with a 14-day trial — don’t miss the opportunity to explore the tool’s capabilities and improve your defenses against phishing attacks.
Stay Protected
Phishing attacks are evolving, with threat actors continually finding new ways to exploit trusted domains and bypass security measures. This phishing campaign targeting LATAM users underscores the importance of using advanced tools like ANY.RUN’s interactive sandbox to uncover and understand threats as they unfold. By analyzing live attacks, you gain insights into malicious techniques and can better protect yourself and your organization from falling prey to similar schemes.