    How to Scale Phishing Detection in Your SOC: 3 Steps for CISOs


    Phishing has quietly turned into one of the hardest enterprise threats to expose early. Instead of crude lures and obvious payloads, modern campaigns rely on trusted infrastructure, legitimate-looking authentication flows, and encrypted traffic that conceals malicious behavior from traditional detection layers. For CISOs, the priority is now clear: scale phishing detection in a way that helps the SOC uncover real risk before it becomes credential theft, business interruption, and board-level fallout.

    Why Scaling Phishing Detection Has Become a Priority for Modern SOCs

    For many security teams, phishing is no longer a single alert to investigate — it is a continuous stream of suspicious links, login attempts, and user-reported messages that must be validated quickly. The problem is that most SOC workflows were never designed to handle this volume. Each investigation still requires time, context gathering, and manual validation, while attackers operate at machine speed.

    When phishing detection cannot scale, the consequences quickly reach the CISO’s desk:

    • Stolen corporate identities: Attackers capture employee credentials and gain access to email, SaaS platforms, VPNs, and internal systems.
    • Account takeover inside trusted environments: Once authenticated, attackers operate as legitimate users, bypassing many security controls.
    • Lateral movement through SaaS and cloud platforms: Compromised identities enable access to sensitive data, internal tools, and shared infrastructure.
    • Delayed incident detection: By the time the SOC confirms malicious activity, the attacker may already be active inside the environment.
    • Operational disruption and financial impact: Phishing-driven breaches can lead to fraud, data exposure, and business downtime.
    • Regulatory and compliance consequences: Identity compromise and data access incidents often trigger reporting obligations and investigations.

    For CISOs, the message is clear: phishing detection must operate at the same speed and scale as the attacks themselves, or the organization will always be reacting after the damage has begun.

    What a Scaled Phishing Defense Looks Like

    A SOC that can handle phishing at scale behaves very differently from one that cannot. Suspicious activity is validated quickly, investigation queues do not grow uncontrollably, and analysts spend less time researching indicators and more time acting on confirmed threats. Escalations are based on clear behavioral evidence rather than assumptions. Identity-driven attacks are detected before they spread across SaaS platforms and internal systems.

    • Earlier detection of credential theft and account takeover attempts
    • Faster containment before phishing turns into a broader compromise
    • Less analyst overload and fewer investigation bottlenecks
    • Higher-quality escalations backed by real behavioral evidence
    • Lower risk of disruption across email, SaaS, VPN, and cloud environments
    • Reduced financial, operational, and regulatory exposure
    • Stronger confidence in the SOC’s ability to stop attacks before business impact begins

    The Investigation Model Built for Modern Phishing: Three Changes CISOs Should Introduce

    Modern phishing attacks are built to exploit delay, limited visibility, and fragmented investigation workflows. To keep pace, SOC teams need a model that helps them validate suspicious activity faster, expose real phishing behavior safely, and uncover what traditional detection layers miss.

    The three steps below are becoming essential for CISOs who want phishing detection to scale with the threat.

    Step #1: Safe Interaction. Stepping into the Phishing Trap Without Risk

    Many modern phishing attacks do not reveal their real purpose immediately. A suspicious link may load what looks like a harmless page, while the real attack begins only after a user clicks through several redirects or enters credentials. By the time the malicious behavior becomes visible, attackers may already have captured login details or active sessions.

    This is why traditional investigation methods often struggle with modern phishing. Static analysis can surface useful indicators such as domain reputation or file metadata, but it rarely shows how the attack actually unfolds. Analysts must infer risk from fragmented signals, which slows decisions and leaves room for dangerous assumptions.

    Interactive sandbox analysis changes this dynamic. Instead of guessing what a suspicious link or attachment might do, SOC teams can execute it in a controlled environment and interact with it exactly as a user would. Analysts can click through pages, follow redirect chains, submit test credentials, and observe how the phishing infrastructure behaves in real time, all without exposing the organization to risk.

    The difference between static and interactive investigation is significant:

    • How it works. Static analysis: checks metadata, reputation, and surface signals. Interactive analysis: runs the link or file in a safe environment.
    • What the SOC sees. Static analysis: hashes, domains, basic page content. Interactive analysis: redirects, phishing pages, network activity, dropped files.
    • What it often misses. Static analysis: behavior that appears after clicks or credential input. Interactive analysis: the full phishing flow as it unfolds.
    • Decision quality. Static analysis: based on signals and assumptions. Interactive analysis: based on visible behavior.
    • Investigation speed. Static analysis: slower, with more manual checks. Interactive analysis: faster, with quicker verdicts.
    • Risk to the business. Static analysis: higher chance of delay and missed phishing. Interactive analysis: earlier detection before users are exposed.
    • CISO outcome. Static analysis: more backlog, more uncertainty, more exposure. Interactive analysis: faster response, clearer escalations, lower risk.

    In the interactive analysis session below, an analyst uses ANY.RUN sandbox to reveal the full behavior of a Tycoon2FA phishing attack in just 55 seconds. The login form is hosted on Microsoft Azure Blob Storage, a legitimate service that makes the page harder to catch with static checks alone. By safely interacting with the sample, the analyst uncovers the full attack chain and extracts actionable IOCs and TTPs for further detection.


    A malicious Tycoon2FA sample on a legitimate Microsoft Blob Storage domain, analyzed in 55 seconds inside ANY.RUN sandbox

    For CISOs, this means:

    • Earlier detection of phishing campaigns before user exposure
    • Faster decisions based on real behavioral evidence
    • Actionable IOCs and TTPs for stronger downstream detection
    • Lower risk of credential theft and account compromise


    Step #2: Automation. Scaling Phishing Investigations Without Scaling the Team

    Even with interactive analysis in place, most SOCs still face the same problem: volume. Suspicious links, attachments, QR codes, and user-reported messages arrive constantly, and manual review does not scale.

    Automation helps solve this by executing suspicious artifacts in a controlled sandbox, collecting indicators, and returning an initial verdict in seconds. But modern phishing often includes CAPTCHAs, QR codes, multi-step redirects, and other interaction gates that break traditional automation. In those cases, analysts are forced to spend time clicking through pages, solving challenges, and trying to reach the real malicious content themselves. This slows investigations and drains valuable analyst time.

    The stronger approach is automation combined with safe interactivity. In a sandbox like ANY.RUN, automated analysis can imitate real analyst behavior, interact with pages, solve challenges, and move through phishing flows automatically. Instead of stopping halfway through the attack chain or producing an inconclusive result, the sandbox continues execution until the full behavior becomes visible. 

    Phishing with a QR code analyzed inside ANY.RUN sandbox

    In 90% of cases, the verdict is available in under 60 seconds, giving SOC teams the speed they need to keep pace with phishing at scale.

    55 seconds needed to reveal full attack chain, targeting enterprises

    For CISOs, this hybrid model delivers clear operational benefits:

    • Higher investigation throughput without expanding SOC headcount
    • Less manual work for analysts, reducing fatigue and burnout
    • More accurate verdicts, even for phishing attacks designed to evade automation

    Step #3: SSL Decryption. Breaking the Illusion of Legitimate Traffic

    Modern phishing campaigns increasingly operate entirely inside encrypted HTTPS sessions. Login pages, redirect chains, credential harvesting forms, and token theft mechanisms are delivered through legitimate infrastructure and protected by valid SSL certificates. To most monitoring systems, this traffic looks completely normal.

    This creates a dangerous illusion of trust. A connection to port 443, a secure login page, and a valid certificate often appear indistinguishable from legitimate business activity, even while credentials are being stolen inside the session.

    Traditional inspection methods struggle with this challenge. Many tools can see the encrypted connection, but cannot reveal what actually happens inside it. As a result, confirming phishing often requires additional investigation steps, which slows response and increases the risk of credential compromise.

    An ordinary-looking page acts as the starting point for the phishing attack

    Automatic SSL decryption inside the sandbox removes this barrier. By extracting encryption keys directly from process memory during execution, ANY.RUN decrypts HTTPS traffic internally and exposes the full phishing behavior during analysis. Redirect chains, credential capture mechanisms, and attacker infrastructure become immediately visible.

    As phishing increasingly hides behind encryption, the ability to analyze HTTPS traffic without delay becomes important for maintaining reliable detection at scale.


    Example: Detecting a Salty2FA Phishing Campaign Targeting Enterprises

    In this sandbox analysis session, a Salty2FA phishing attack that looks like routine HTTPS traffic is exposed inside ANY.RUN during the first run. With automatic SSL decryption, the sandbox reveals the malicious flow, triggers a Suricata rule, and produces a response-ready verdict in 40 seconds.

    See the full session here: Salty2FA Phishing Attack Analysis

    ANY.RUN sandbox provides connection details, showing HTTPS traffic

    For CISOs, this capability delivers critical security outcomes:

    • Encrypted phishing is exposed before it turns into account takeover across core business platforms
    • Stronger protection against MFA bypass, session hijacking, and identity-driven compromise hidden inside HTTPS traffic
    • Faster, evidence-based confirmation during the first investigation, reducing escalation delays and analyst time spent on unclear cases
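    The three steps above produce three kinds of evidence: the redirect chain an analyst (or the automation) clicked through, the interaction gates that had to be passed, and the HTTP requests that are only visible once the HTTPS session is decrypted. The following added example, which is not ANY.RUN's code and not code from this article, shows how a SOC could turn such a report into a verdict and a list of IOCs. The report format, the hostnames (all on the reserved .invalid TLD or a constructed storage-account name), the hosting-suffix and brand lists, and the scoring weights are all hypothetical constructions for illustration.

```python
"""Behavioural triage of a constructed phishing sandbox report (added example)."""
from urllib.parse import urlparse, parse_qs

# Legitimate cloud-storage suffixes that phishing kits abuse (example list;
# a real deployment would curate it from its own telemetry).
ABUSED_HOSTING_SUFFIXES = (".blob.core.windows.net", ".web.core.windows.net")
# Brands whose sign-in pages are commonly imitated (example list).
IMITATED_BRANDS = ("microsoft", "office365", "okta")
# Form field names that indicate a credential submission.
CREDENTIAL_FIELDS = ("password", "passwd", "pwd")


def host_of(url):
    """Lower-cased hostname of a URL; empty string if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def posts_credentials(request):
    """True if a decrypted HTTP request is a POST whose body carries a password field."""
    if request["method"].upper() != "POST":
        return False
    fields = parse_qs(request.get("body", ""))
    return any(name in fields for name in CREDENTIAL_FIELDS)


def triage(report):
    """Score a sandbox report; return {"verdict", "score", "findings", "iocs"}."""
    score, findings, iocs = 0, [], set()
    chain = report["redirect_chain"]
    final_host = host_of(chain[-1])

    # Step 1 evidence: a multi-hop chain means static checks on the submitted
    # URL never saw the page the user actually lands on.
    if len(chain) >= 3:
        score += 2
        findings.append(f"{len(chain)}-hop redirect chain ending at {final_host}")
    # Landing page on shared cloud storage: domain reputation says nothing here.
    if final_host.endswith(ABUSED_HOSTING_SUFFIXES):
        score += 2
        findings.append(f"login page hosted on shared cloud storage: {final_host}")
    # Brand impersonation: the page claims a brand its host does not belong to.
    title = report.get("page_title", "").lower()
    brand = next((b for b in IMITATED_BRANDS if b in title), None)
    if brand and brand not in final_host:
        score += 3
        findings.append(f"page imitates {brand} sign-in on unrelated host {final_host}")
    # Step 2 evidence: interaction gates (CAPTCHA, QR hop) the automation had to pass.
    gates = report.get("interaction_gates", [])
    if gates:
        score += 1
        findings.append("interaction gates before the form: " + ", ".join(gates))
    # Step 3 evidence: a credential POST is only observable after TLS decryption;
    # its destination is the strongest IOC in the report.
    for request in report.get("http_requests", []):
        if posts_credentials(request):
            dest = host_of(request["url"])
            score += 4
            findings.append(f"credentials POSTed to {dest}")
            iocs.add(dest)

    verdict = "malicious" if score >= 7 else "suspicious" if score >= 3 else "benign"
    if verdict == "malicious":
        # Every host in the chain is worth blocking once the verdict is malicious.
        iocs.update(host_of(u) for u in chain)
    return {"verdict": verdict, "score": score, "findings": findings, "iocs": sorted(iocs)}


# Constructed sample: shortener -> document-share lure -> sign-in page on cloud
# storage, with a CAPTCHA gate and a credential POST to a collector host.
SAMPLE_MALICIOUS = {
    "redirect_chain": ["https://short.invalid/r/abc123",
                       "https://docshare.invalid/view?id=42",
                       "https://examplestorage.blob.core.windows.net/login/index.html"],
    "page_title": "Microsoft - Sign in to your account",
    "interaction_gates": ["captcha"],
    "http_requests": [
        {"method": "GET", "url": "https://examplestorage.blob.core.windows.net/login/index.html", "body": ""},
        {"method": "POST", "url": "https://collector.invalid/api/auth",
         "body": "login=user%40corp.invalid&password=Test123"},
    ],
}
# Constructed sample: a single-hop internal page with no form submission.
SAMPLE_BENIGN = {
    "redirect_chain": ["https://intranet.corp.invalid/news"],
    "page_title": "Intranet news",
    "interaction_gates": [],
    "http_requests": [{"method": "GET", "url": "https://intranet.corp.invalid/news", "body": ""}],
}

if __name__ == "__main__":
    for name, report in (("malicious sample", SAMPLE_MALICIOUS), ("benign sample", SAMPLE_BENIGN)):
        result = triage(report)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for line in result["findings"]:
            print("  -", line)
        print("  IOCs:", result["iocs"])
```

    The point of the weights is that the single strongest signal, a password POST to a host unrelated to the imitated brand, is exactly the one that is invisible without decryption, while the chain length and hosting signals alone only reach "suspicious". A SOC feeding this into a SIEM would block the returned IOCs and attach the findings list to the escalation as the behavioral evidence.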

    Build a Phishing Investigation Model That Scales

    Modern phishing campaigns move quickly, hide behind trusted infrastructure, and increasingly rely on encrypted channels that make malicious activity appear legitimate. To keep pace, SOC teams need more than isolated tools; they need an investigation model designed to expose real phishing behavior early, handle growing volumes without overwhelming analysts, and reveal threats that hide inside encrypted traffic.

    By combining safe interaction, automation, and SSL decryption, organizations can investigate suspicious activity faster, uncover hidden attack chains, and confirm malicious behavior with clear evidence during the first investigation.

    ANY.RUN’s solution improving SOC processes

    Many organizations have already adopted this approach, and CISOs report measurable operational improvements such as:

    • 3× stronger SOC efficiency, giving CISOs more detection power without proportional team growth
    • Up to 20% lower Tier 1 workload, easing analyst pressure and reducing operational strain
    • 30% fewer escalations to Tier 2, preserving senior expertise for the incidents that matter most
    • 21 minutes cut from MTTR per case, helping contain phishing threats before impact spreads
    • Earlier detection and clearer response, reducing breach exposure and business risk
    • Cloud-based analysis with no hardware burden, lowering infrastructure costs and complexity
    • Faster verdicts with less alert fatigue, improving speed and consistency across triage
    • Quicker development of junior talent, helping teams build capability faster

    Strengthen your SOC with a phishing investigation model built for speed, visibility, and scale, reducing analyst overload, improving detection coverage, and lowering the business risk of delayed response.


    03/12/2026
    Stryker tells SEC that timeline for recovery from cyberattack unknown


    Medical device company Stryker provided a fuller assessment of its recent cyber incident in a notice to the Securities and Exchange Commission (SEC) on Wednesday evening.

    The attack came to light on Wednesday morning after employees took to social media to complain of phones, laptops and computers that had been wiped clean of all information. The company’s 5,500 employees were locked out of company systems across Ireland, the US, Australia and India.

    In an 8-K filing with the SEC, Stryker confirmed that the cyberattack caused a global disruption to the company’s Microsoft environment and said external cybersecurity experts were brought in to “assess and to contain the threat.”

    “The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions,” company officials said. 

    “While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known. The Company has business continuity measures in place to continue to support its customers and partners.”

    Stryker said it is still unclear whether the cyberattack will have financial impacts on the company. It is one of the largest medical device makers in the U.S., reporting more than $25 billion in revenue last year. 

    The SEC filing reiterates that the incident did not involve ransomware or malware. Several cybersecurity experts said it is likely that the hackers behind the attack used the native features and tooling in Microsoft Intune to cause damage. 

    Microsoft Intune is a cloud-based unified endpoint management system that allows teams to secure and manage access to organizational resources across Windows, macOS, Linux, iOS and Android devices.

    Employees of Stryker reported that all of their devices with Microsoft Intune had been wiped clean. 

    “What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure — potentially weaponizing Microsoft Intune — to carry out destructive activity at scale,” said Kathryn Raines, cyber threat intelligence lead at cybersecurity firm Flashpoint.

    Microsoft declined to comment on the situation when contacted by Recorded Future News.

    Handala vs. APT34

    The incident appeared to be the first evidence of  potential cyber fallout from the war between the U.S. and Iran. Since the beginning of the conflict, experts warned that cyberattacks by both Iranian state-backed groups and hacktivists would likely come as part of the response to airstrikes launched by U.S. and Israeli forces. 

    Several alleged Iranian groups have defaced websites, conducted relatively minor espionage incursions and launched distributed denial-of-service (DDoS) attacks in recent days, but no major incidents were reported until the Handala group took credit for the attack against Stryker. 

    Handala has existed since 2023 and is known to deploy the Hatef wiper malware as well as the Rhadamanthys stealer malware during its attacks, according to cybersecurity firm Optiv.

    The group previously focused its efforts on attacking significant targets in Israel, generally opting to steal information before launching wiper malware. Optiv said Handala typically gains initial access through phishing emails or by impersonating legitimate organizations.

    Handala has made several unverified claims of attacks on organizations since the onset of the conflict with the U.S., including the targeting of government organizations in Jordan and Israel. 

    Optiv and several other cyber research firms claimed there is significant overlap between Handala and a state-backed group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) known as APT34.

    Flashpoint’s Raines said they have been tracking Handala for the last year and found that the group presents itself as a grassroots resistance movement. But its tactics and targeting are “far more consistent with activity linked to Iranian state actors than with independent hacktivism.” 

    APT34 was previously accused of increasing its attacks on government agencies in Saudi Arabia, Iraq, the Kurdistan Regional Government, the United Arab Emirates (UAE) and the broader Gulf region between 2023 and 2025.


    03/12/2026
    WAR ON IRAN – Consortium News


    Trump has a choice: him or the world; wants way out of war; Security Council blames Iran; Iranian ‘sleeper cells;’ the Pope’s deep sorrow; U.S. bases damaged as reckoning begins; and ‘Nothing Will Remain of Tehran.’

    Smoke rises above Tehran in the war against the U.S. and Israel. (Avash/Wikimedia Commons)

    WEDNESDAY

    By Joe Lauria
    Special to Consortium News

    Trump’s Choice

    Ari Ben-Menashe, a former Israeli military intelligence officer, told CN Live! that he believes Benjamin Netanyahu hinted to Donald Trump that certain Epstein files nailing Trump as a pedophile could wind up on the front page of The New York Times if he didn’t launch and continue the war against Iran. But now, after seeing how badly the war is going, Trump wants out — even possibly at his own potential expense, since he realizes what a disaster he has unleashed. The moral choice is up to Trump: imperil the world or go down personally.

    The ex-officer thinks Iran and the U.S. could make a deal at Israel’s expense, though he didn’t put it past Netanyahu to use a nuclear weapon against Iran rather than lose the war and wind up in jail. Ben-Menashe says nuclear-armed Pakistan could be brought into play, warning Israel not to nuke Iran. Nuclear-armed India, whose prime minister visited Netanyahu two days before the war on Iran began, could have been enlisted to counter-threaten Pakistan to lay off Israel. [WATCH: CN Live! — ‘The Toll on Israel’]

    Looking for a Way Out – Trump Says Nothing Left to Bomb

    Trump is clearly looking for a way out of the historic messes he has created. He told Axios “in a brief phone interview Wednesday that the war with Iran will end ‘soon’ because there is ‘practically nothing left to target,’” Axios reported. “‘Little this and that… Any time I want it to end, it will end,’ Trump said during the five-minute call.”

    Meanwhile, the masters of the war say the war must go on. “Israeli Defense Minister Israel Katz said Wednesday the war will continue ‘without any time limit, for as long as necessary, until we achieve all the objectives and decisively win the campaign,’” Axios said.

    This conforms with what Ben-Menashe said, namely, that Netanyahu needs the war to go on. With Israeli and American frustration growing that their war aim of regime change is not happening, the aggressors have unleashed their fury on civilians in Tehran and other Iranian cities.

    As early as Monday, The Wall Street Journal reported that Trump advisors were looking for a way out. The paper said that “some of his advisers privately urged him to look for an exit plan amid spiking oil prices and concerns that a lengthy conflict could spark political backlash.” But “some Trump administration officials said as long as Tehran continued to attack regional countries and Israel still wanted to strike Iranian targets, it was unlikely the U.S. could easily withdraw from the war.”

    Israel decides.

    Unless Trump is willing to have his Epstein-related crimes revealed.

    Meanwhile, Iran Threatens to Hit Western Banks in Gulf

    Citi Bank and HSBC bank have temporarily shut their offices in the Gulf after Iran threatened to strike Israeli and Western banks in the region after an Israeli or U.S. missile struck a Tehran building housing offices of Bank Sepah, Iran’s first modern bank founded in 1922. Wall Street and the City of London probably weren’t banking on this. 

    UN Security Council

    Russia and China did not veto a scurrilous resolution in the U.N. Security Council that blames Iran as the “unprovoked” aggressor in the war. The most startling word in the resolution is “unprovoked,” which any clear-eyed observer would see as an out-and-out lie. It was sheer audacity to include that word when the whole world can see that the United States and Israel carried out an unprovoked attack and that Iran is defending itself according to the U.N. Charter. This resolution brings further shame on the Security Council after its endorsement last November of the genocidal Trump/Kushner takeover of Gaza.

    [See CN’s full report: WATCH: UN Security Council Blames Iran]

    Trump Says ‘Full Steam Ahead’ and Tankers Get Bombed

    Trump on Wednesday urged nervous captains to go “full steam ahead” through the Strait of Hormuz. “I think they should use the strait. We took out just about all of their mine ships in one night. Just about all of their navy is at the bottom of the sea,” said Trump despite an Iranian threat to blow them out of the water. So a Thai ship tried to pass later Wednesday and they were blown out of the water. 

    Trump Speaks About Iranian ‘Sleeper Cells’

    Trump talked to reporters about “Iranian sleeper cells” inside the U.S., saying authorities are “watching every single one of them.” He said: “We’ve been very much on top of it. We’ve got very, very good intelligence into that.” Trump even claimed: “We know where Iranian sleeper cells are… We have eyes on all of them, I think.” He thinks? 

    Meanwhile, “The FBI warned police departments in California in recent days that Iran could retaliate for American attacks by launching drones at the West Coast, according to an alert reviewed by ABC News.”

    How would the U.S. react if there were to be such an attack on U.S. soil?

    NYT Show Damage to US Bases

    The so-called Paper of Record was late to put it on the record. But on Wednesday the Times analyzed satellite photos that showed the extent of the damage done to U.S. bases in the Gulf by Iran’s retaliation for being attacked without provocation. “At Least 17 U.S. Sites Damaged in War With Iran, Analysis Shows,” was the headline. Except the Times was two days later than independent journalist Richard Medhurst, who brilliantly exposes the U.S. losses in the region.

    Israelis no longer receiving proper warnings of Iranian strikes.

    Iran has wiped out the entire US THAAD and Patriot radar system in the Gulf using $50k drones. It will cost billions and take a decade to replace.

    I pieced together all the satellite photos of the strikes & bases. pic.twitter.com/uOBES78JdJ

    — Richard Medhurst (@richimedhurst) March 10, 2026

    TUESDAY

    US Admission of Mistakes Begins

    The NYT headline begins the reckoning of this war: “How Trump and His Advisers Miscalculated Iran’s Response to War.” 

    The Times says the U.S. dismissing the possibility of a long oil shock is

    “emblematic of how much Mr. Trump and his advisers misjudged how Iran would respond to a conflict that the government in Tehran sees as an existential threat. Iran has responded far more aggressively than it did during last June’s 12-day war, firing barrages of missiles and drones at U.S. military bases, cities in Arab nations across the Middle East, and on Israeli population centers. […]

    Inside the administration, some officials are growing pessimistic about the lack of a clear strategy to finish the war. But they have been careful not to express that directly to the president, who has repeatedly declared that the military operation is a complete success.  [..] [Defense Secretary Pete] Hegseth acknowledged on Tuesday that Iran’s ferocious response against its neighbors caught the Pentagon somewhat off guard. […]

    Some military advisers did warn before the war that Iran could launch an aggressive campaign in response, and would view the U.S.-Israeli attack as a threat to its existence. But other advisers remained confident that killing Iran’s senior leadership would lead to more pragmatic leaders taking over who might bring an end to the war.”

    Pentagon Admits 140 Wounded

    After Reuters reported 150 U.S. military personnel had been wounded so far, the Pentagon owned up and said 140 were injured, with eight seriously wounded. The Defense Department had previously only admitted to the eight. It is still sticking to only seven killed, though independent analysts say that number must be much higher given the damage done to U.S. military installations in the Gulf region.

    ‘Nothing Will Remain of Tehran’

    The New York Times has a report remarkably from the point of view of any ordinary Iranian living under the hell being rained down on Tehran by the Israelis and Americans. The Times reported:

    “’It seems they are striking everywhere: homes, schools, mosques, hospitals,’ said Javad, who like most people who spoke from inside Iran, asked that his full name be withheld for fear of retaliation. From 10 p.m. to past midnight, people in Tehran, the Iranian capital, could hear the sound of bombing ‘north, south, east and west,’ he said.

    ‘The air is not breathable,’ said Javad. ‘Last night they hit the high-voltage electricity lines. They will also strike gas and water. Acid rain fell and the air is polluted. They will hit all the infrastructure, and they have no hesitation about killing.’

    ‘If they keep hitting Tehran like this for another 10 days,’ he added, ‘nothing will remain of Tehran.’”

    In the frustration of not being able to overthrow the government or end the ballistic missile and drone barrages it appears the U.S. and Israel are turning to a scorched earth policy, to turn Iranian cities into Gaza. 

    Iranian FM Blasts Israeli Censorship

    Iranian Foreign Minister Abbas Araghchi blasted Israel for censoring the results of Iran’s attacks on the Zionist state. “Netanyahu doesn’t want you to see how Iran’s powerful Armed Forces are punishing Israel for its aggression,” he said on X. “Here’s what our men & women on the ground report: utter destruction caused by our missiles, panicked leader and their air defenses in disarray,” he wrote, adding “we’re just getting started.”

    NATO Poking Its Nose Into the Fight

    NATO ambassadors are to meet Gulf representatives next week to talk about the war, according to a Reuters report citing three European diplomats.

    Pope Feels ‘Profound Sorrow’ For Victims in Middle East

    The American Pope has expressed “profound sorrow for all the victims of the bombings” in the region, according to Vatican News. Pope Leo spoke of “many innocents, including many children”, and “those who were helping them, such as Father Pierre El-Rahi”, a Maronite priest killed by Israel in Qlayaa, Lebanon. El-Rahi had told the town to defy the Israeli order to evacuate. When an Israeli bomb struck the home of an elderly resident, the priest rushed to assist and was killed by the second Israeli airstrike. The pope “prays that every hostility may cease as soon as possible.”

    Iraqi Militia Say 31 Attacks Have Killed ‘Several’ US Troops

    The Islamic Resistance of Iraq claims 31 attacks against the U.S. military in Iraq in the past day. The Shia militia allied to Iran says it has killed and injured several U.S. troops in 291 attacks over 12 days. The Pentagon is admitting to only seven G.I.s killed so far.


    03/12/2026