Latest Multi-Stage Attack Scenarios with Real-World Examples


Multi-stage cyber attacks, characterized by their complex execution chains, are designed to avoid detection and trick victims into a false sense of security. Knowing how they operate is the first step to building a solid defense strategy against them. Let’s examine real-world examples of some of the most common multi-stage attack scenarios that are active right now.

URLs and Other Embedded Content in Documents#

Attackers frequently hide malicious links within seemingly legitimate documents, such as PDFs or Word files. Upon opening the document and clicking the embedded link, users are directed to a malicious website. These sites often employ deceptive tactics to get the victim to download malware onto their computer or share their passwords.

Another popular type of embedded content is QR codes. Attackers conceal malicious URLs within QR codes and insert them into documents. This strategy forces users to turn to their mobile devices to scan the code, which then directs them to phishing sites. These sites typically request login credentials, which are immediately stolen by the attackers upon entry.

Example: PDF File with a QR Code#

To demonstrate how a typical attack unfolds, let’s use the ANY.RUN Sandbox, which offers a safe virtual environment for studying malicious files and URLs. Thanks to its interactivity, this cloud-based service allows us to engage with the system just like on a standard computer.


To simplify our analysis, we’ll enable the Automated Interactivity feature that can perform all the user actions needed to trigger attack or sample execution automatically.

Phishing PDF with malicious QR code opened in the ANY.RUN sandbox

Consider this sandbox session, which features a malicious .pdf file that contains a QR code. With automation switched on, the service extracts the URL inside the code and opens it in the browser by itself.

The final phishing page where victims are offered to share their credentials

After a few redirects, the attack takes us to the final phishing page designed to mimic a Microsoft site. It is controlled by threat actors and configured to steal users’ login and password data, as soon as it is entered.

Suricata IDS rule identified a phishing domain chain during analysis

The sandbox makes it possible to observe all the network activity occurring during the attack and to see which Suricata IDS rules were triggered.

After completing the analysis, the ANY.RUN sandbox provides a conclusive “malicious activity” verdict and generates a report on the threat that also includes a list of IOCs.

Multi-stage Redirects#

Multi-stage redirects involve a sequence of URLs that move users through multiple sites, ultimately leading to a malicious destination. Attackers often utilize trusted domains, such as Google’s or popular social media platforms like TikTok, to make the redirects appear legitimate. This method complicates the detection of the final malicious URL by security tools.

Some redirect stages may include CAPTCHA challenges to prevent automated solutions and filters from accessing malicious content. Attackers might also incorporate scripts that check for the user’s IP address. If a hosting-based address, commonly used by security solutions, is detected, the attack chain gets interrupted and the user is redirected to a legitimate website, preventing access to the phishing page.
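The trusted-domain redirect pattern described above can be checked statically from a logged chain of URLs, without fetching anything. The example below is added here and is not ANY.RUN's code; the redirector hosts, the query-parameter format of the TikTok hop and all sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Legitimate domains the page says attackers abuse as intermediate hops
# (assumption: treat these as "trusted redirectors", not as an allowlist)
TRUSTED_REDIRECTORS = {"google.com", "tiktok.com"}

def registered_domain(url: str) -> str:
    """Last two labels of the hostname; good enough for this demonstration."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def embedded_urls(url: str) -> list[str]:
    """Return http(s) URLs carried inside query parameters (e.g. google.com/url?q=...)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        found.extend(v for v in values if v.startswith(("http://", "https://")))
    return found

def unwrap(url: str) -> list[str]:
    """Statically peel nested redirector parameters to predict the chain."""
    chain = [url]
    while (inner := embedded_urls(chain[-1])):
        chain.append(inner[0])
    return chain

def analyse_chain(chain: list[str]) -> dict:
    """Summarise an ordered list of URLs observed during a redirect chain."""
    hops = [registered_domain(u) for u in chain]
    trusted_hops = [h for h in hops[:-1] if h in TRUSTED_REDIRECTORS]
    final = hops[-1]
    # The page's pattern: trusted hops in the middle, untrusted final destination
    suspicious = bool(trusted_hops) and final not in TRUSTED_REDIRECTORS
    return {
        "hops": hops,
        "trusted_hops": trusted_hops,
        "final_domain": final,
        "embedded": [e for u in chain for e in embedded_urls(u)],
        "suspicious": suspicious,
    }

# Constructed sample chain (not the page's session): TikTok -> Google -> hop -> phishing page
SAMPLE_CHAIN = [
    "https://www.tiktok.com/link/v2?target=https://www.google.com/url?q=https://redir.example-hop.test/go",
    "https://www.google.com/url?q=https://redir.example-hop.test/go",
    "https://redir.example-hop.test/go",
    "https://login-microsoft-verify.example-phish.test/captcha",
]

if __name__ == "__main__":
    print(analyse_chain(SAMPLE_CHAIN))
```

The static `unwrap` only sees hops encoded in query parameters; hops implemented server-side (HTTP 3xx, JavaScript, CAPTCHA gates) still need a sandbox to observe.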

Here is a sandbox session showing the entire chain of attack starting from a seemingly legitimate TikTok link.

TikTok URL containing a redirect to a Google domain

Yet, a closer look reveals that the full URL incorporates a redirect to a legitimate Google domain.

ANY.RUN automatically solves the CAPTCHA moving on to the next stage of the attack

From there, the attack moves on to another site with a redirect and then to the final phishing page, which is, however, protected with a CAPTCHA challenge.

Fake Outlook page intended for stealing user data

Thanks to advanced content analysis, the sandbox automatically solves this CAPTCHA, allowing us to observe the fake page designed to steal victims’ credentials.

Email Attachments#

Email attachments continue to be a prevalent vector for multi-stage attacks. In the past, attackers frequently sent emails with Office documents containing malicious macros.

Currently, the focus has shifted to archives that include payloads and scripts. Archives provide a straightforward and effective method for threat actors to conceal malicious executables from security mechanisms and increase the trustworthiness of the files.
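A first triage of an archive attachment can be done on the member names alone, before anything is extracted or run. The example below is added here and is not ANY.RUN's code; the extension lists and the in-memory sample archive are constructed assumptions for the demonstration.

```python
import io
import zipfile

# Extensions that rarely belong in a legitimate attachment archive (assumption for this triage)
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".wsf", ".bat", ".cmd", ".ps1", ".lnk", ".hta"}
NESTED_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def triage_entry(name: str) -> list[str]:
    """Return the findings for one archive member name."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        findings.append(f"executable or script payload: {name}")
    if ext in NESTED_EXTS:
        findings.append(f"nested archive (extra stage): {name}")
    # "invoice.pdf.exe": document-looking name with an executable real extension
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS and ext in EXEC_EXTS:
        findings.append(f"double extension disguise: {name}")
    # Runs of spaces push the real extension out of view in file pickers
    if "   " in base:
        findings.append(f"padded filename hides extension: {name}")
    return findings

def triage_archive(data: bytes) -> list[str]:
    """Triage a zip held in memory; returns all findings (empty list = nothing flagged)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(triage_entry(info.filename))
    return findings

def build_sample() -> bytes:
    """Constructed sample archive (not the page's real attachment) with typical tricks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.pdf.exe", b"MZ")      # fake PE stub
        zf.writestr("readme.txt", b"please see attached")
        zf.writestr("payload.zip", b"PK")                # nested stage
        zf.writestr("order            .js", b"//")       # padded name
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding)
```

Name-based triage is only a first filter; the payload still has to be detonated in a sandbox to see what it actually does.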

Example: Email Attachment with Formbook Malware#

In this sandbox session, we can see a phishing email that contains a .zip attachment. The service automatically opens the archive, which has several files inside.

Phishing email with an archive

With Smart Content Analysis, the service identifies the main payload and launches it, which initiates the execution chain and allows us to see how the malware behaves on a live system.

Suricata IDS rule used for detecting FormBook’s connection to its C2

The sandbox detects FormBook and logs all of its network and system activities, as well as providing a detailed threat report.

Get Your Black Friday Deal from ANY.RUN#

Analyze suspicious emails, files, and URLs in the ANY.RUN sandbox to quickly identify cyber attacks. With Automated Interactivity, the service can perform all the necessary analysis steps on its own, saving you time and presenting you only with the most important insights into the threat at hand.

ANY.RUN is currently offering Black Friday deals. Get yours before December 8:

  1. For individual users: 2 licences for the price of 1.
  2. For teams: Up to 3 licences + annual basic plan for Threat Intelligence Lookup, ANY.RUN’s searchable database of the latest threat data.

See all offers and test the service with a free trial today →

Conclusion#

Multi-stage attacks are a significant threat to organizations and individuals alike. Some of the most common attack scenarios include URLs and embeds in documents, QR codes, multi-stage redirects, email attachments, and archived payloads. By analyzing these with tools like ANY.RUN’s Interactive sandbox, we can better defend our infrastructure.
