DUBAI, DUBAI, UNITED ARAB EMIRATES, April 13, 2026 /EINPresswire.com/ — ANY.RUN, the interactive malware analysis platform trusted by over 600,000 cybersecurity professionals worldwide, documented active phishing campaigns targeting German organizations across five critical industry sectors between January and March 2026.
Real-world attacks on finance, healthcare, IT, telecom, and manufacturing organizations illustrate the growing threat to Germany’s economy and underscore the limits of MFA as a standalone defense. The findings are based on threat investigations conducted using ANY.RUN’s Interactive Sandbox and Threat Intelligence solutions.
The research highlights how attackers are increasingly focusing on identity compromise, phishing, and session hijacking techniques to gain access to corporate environments and disrupt business operations.
Key Findings
• MFA was bypassed in all five attacks. EvilProxy, EvilGinx2, and FlowerStorm (commercially available phishing-as-a-service platforms) intercepted authenticated session cookies in real time, granting attackers full account access without requiring passwords or one-time codes.
• All five campaigns show signs of deliberate sector targeting. In several cases, phishing infrastructure was registered using the target company’s name, indicating advance reconnaissance.
• Social engineering lures were adapted to professional context. Attackers used salary-themed documents for finance employees, missed Microsoft Teams voice messages for manufacturing executives, and “Review document” prompts for IT professionals, tailoring each lure to the victim’s working environment.
• Legitimate platforms masked every attack. Mailchimp, Cloudflare Workers, Amazon SES, Format.com, and Microsoft’s own OAuth infrastructure were all used as routing layers, making attacks nearly invisible to conventional email and web filters.
• ANY.RUN’s Threat Intelligence Lookup identified more than 220 tasks linked to EvilProxy and FlowerStorm campaigns targeting German organizations in the 60 days prior to publication — confirming systematic, ongoing pressure rather than isolated incidents.
Attacks Analyzed
• Finance: FlowerStorm spearphishing campaign targeting a German private equity and hedge fund firm, delivering Microsoft 365 credential theft via QR-code PDF, browser fingerprinting, and a fake OAuth login flow.
• Healthcare: Microsoft OAuth 2.0 abuse targeting Germany’s largest medical research center, rerouting victims through a compromised WordPress site and decentralized storage to a fake Outlook login page with POST-based exfiltration.
• Technology: Combined EvilProxy and EvilGinx2 reverse-proxy attack on a German IT company, chaining Mailchimp tracking links, a compromised WordPress site, and Cloudflare Workers to deliver a real-time MFA-bypassing Microsoft login proxy.
• Telecommunications: EvilProxy phishing-as-a-service campaign targeting a German telecom provider, routing victims through a legitimate portfolio platform to a fake secure document portal before proxying Microsoft 365 authentication.
• Manufacturing: Highly targeted EvilProxy campaign against a global German chemical conglomerate, delivered via Amazon SES with a Microsoft Teams voice message lure, custom company-branded phishing pages, and Okta credential harvesting.
The full article is available on the ANY.RUN Cybersecurity Blog.
About the Solutions Used in This Research
ANY.RUN Interactive Sandbox allows security analysts to safely execute suspicious files and URLs in an isolated cloud environment, capturing every network connection, process, redirect, and script call in real time.
ANY.RUN Threat Intelligence Lookup is a searchable database of threat indicators, threat families, and behavioral patterns drawn from millions of sandbox analyses. Security teams use it to identify active attack infrastructure, search for indicators of compromise relevant to their industry and geography, and enrich security alerts with actionable context.
ANY.RUN TI Feeds deliver verified, structured indicators of compromise directly into SIEM platforms, firewalls, DNS filters, and SOAR systems — automatically, in real time.
About ANY.RUN
ANY.RUN is a cybersecurity platform that provides interactive malware analysis and threat intelligence solutions to over 15,000 security teams worldwide. Since 2016, the company has supported over 600,000 users, including enterprises and Fortune 100 organizations, in detecting, analyzing, and responding to cyber threats.
ANYRUN FZCO
+1 657-366-5050


