Expanding Phishing Detection at Scale with Automatic SSL Decryption
2026-3-3 10:48:38 Author: any.run

90% of modern cyberattacks start with phishing and it’s getting worse. The volume of compromise attempts keeps surging, leaving companies more exposed to credential theft and heavy financial hits. 

As phishing evolves, we focus on countering the core tactics that make it effective. That’s why ANY.RUN is upgrading the threat detection capabilities of the Interactive Sandbox across all subscription tiers with the new SSL decryption technology.

By extracting encryption keys directly from process memory, it increases the detection rate of phishing inside the sandbox, helping every user and SOC team in our community to see critical threats early. 

Phishing Pressure Is Rising. Detection Needs to Catch Up 

Phishing remains the #1 cyber risk for companies, and its scale is intensifying. Gartner predicts that AI agents will cut the time required to exploit exposed accounts by 50 percent by 2027. This means that the window for early detection is shrinking. 

A top challenge in identifying modern phishing is encrypted HTTPS sessions. Credential harvesting, redirect chains, and token theft often look like normal web traffic. 

Traffic encryption prevents SOC teams from detecting phishing

For SOC teams, this means more uncertainty. Alerts require deeper validation. Escalations increase. Investigations take longer. The risk of missing credential compromise rises. 

Encrypted traffic is typically inspected using man-in-the-middle (MITM) interception. While effective in specific scenarios, MITM is resource-intensive and can disrupt realistic analysis. As encryption becomes the default channel for phishing, this approach is no longer enough. 

Detection must work at scale, without slowing confirmation or disrupting execution. 

Scaling Phishing Detection Across Every Investigation with Automatic SSL Decryption 

To remove one of the biggest obstacles in phishing detection for every ANY.RUN user, the Interactive Sandbox now automatically decrypts HTTPS traffic by default, boosting visibility into the most evasive attacks. 

Automatic SSL decryption provides a major phishing detection boost in the sandbox

Here’s how it works:  

  • The sandbox detonates the sample. 
  • Session keys are pulled straight from process memory, instead of relying on external interception or certificate substitution. 
  • Traffic is decrypted internally with the full plaintext available for analysis.  
  • Malicious traffic gets detected instantly, and a conclusive verdict is delivered along with an actionable report in seconds. 

By allowing Suricata rules and other detection mechanisms to analyze decrypted content immediately, phishing gets confirmed without extra steps, saving tens of minutes of analysts’ time. 
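As an added illustration of the key-correlation step behind the procedure above (example code written for this summary, not ANY.RUN's own implementation): once session secrets have been recovered from a process, they still have to be matched to the right captured TLS session before the plaintext can be handed to Suricata. The example assumes the recovered keys are available in the NSS key-log format that Wireshark consumes, and constructs its own sample key log and minimal ClientHello records.

```python
"""Match recovered TLS session secrets (NSS key-log format) to captured
ClientHello records by client_random, so an analyst can see which HTTPS
sessions in a sandbox capture are decryptable before running IDS rules."""
import struct

# Constructed sample key log (TLS 1.2 style line). Hex values are made up.
SAMPLE_KEYLOG = """\
# comment lines are ignored
CLIENT_RANDOM {r} {s}
""".format(r="11" * 32, s="aa" * 48)


def parse_keylog(text):
    """Return {client_random_hex: secret_hex} from NSS key-log text."""
    keys = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            keys[parts[1].lower()] = parts[2].lower()
    return keys


def build_client_hello(client_random):
    """Construct a minimal ClientHello record for testing (constructed input;
    a real ClientHello also carries cipher suites and extensions)."""
    body = b"\x03\x03" + client_random + b"\x00"      # version, random, empty session id
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record type 0x16


def client_random_from_record(rec):
    """Extract the 32-byte client_random from a ClientHello record, else None."""
    if len(rec) < 5 + 4 + 2 + 32:
        return None
    if rec[0] != 0x16 or rec[5] != 0x01:  # not a handshake record / not ClientHello
        return None
    return rec[11:43]  # 5-byte record header + 4-byte handshake header + 2-byte version


def decryptable_sessions(records, keylog_text):
    """Map each ClientHello's client_random (hex) to whether a secret is known.
    Sessions mapped to False are the ones that would stay opaque to the IDS."""
    keys = parse_keylog(keylog_text)
    result = {}
    for rec in records:
        rnd = client_random_from_record(rec)
        if rnd is not None:
            result[rnd.hex()] = rnd.hex() in keys
    return result
```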

Since traffic decryption applies to 100% of sandbox sessions, the phishing detection coverage is now systematically wider and stronger across every investigation. 

The technology made a significant impact on ANY.RUN’s capabilities

Our stats show a 5x increase in SSL-decrypted phishing after implementing the new technology in the sandbox. This also provided an extra 60K confirmed malicious URLs to Threat Intelligence Lookup monthly. 

For your SOC, this means: 

  • Higher detection rate: Analysts now can see phishing that is missed by most detection systems, bringing down the risk of incidents. 
  • Faster MTTD & MTTR: SOC confirms malicious behavior earlier and blocks phishing before it harms your infrastructure. 
  • Reduced Tier 1-to-Tier 2 escalation volume: Tier-1 closes more cases independently, escalating only truly complex incidents. 

By raising the sandbox’s capability to catch evasive attacks, ANY.RUN transforms your entire triage & response pipeline to be quicker and more effective.  

Wider Phishing Coverage for the Entire ANY.RUN Ecosystem 

As the SSL decryption helps us detect more phishing at scale, each validated case further boosts the capabilities of all ANY.RUN’s solutions, driving even wider coverage of new attacks for your SOC.  

Interactive Sandbox: More Rules for Identifying Emerging Threats 

Automatic SSL decryption increases the number of phishing cases that are fully confirmed during analysis. This gives our research team a larger set of real-world attack patterns for building powerful detection rules. 

As detection is refined using confirmed behavior, new phishing techniques and campaigns are identified earlier and more consistently. This means higher detection rate over time and fewer attacks slipping through unnoticed. 

TI Lookup: Deeper Context on Active Phishing Campaigns 

More confirmed phishing sessions mean more reliable indicators of compromise (IOCs), behavior (IOBs), and action (IOAs) entering Threat Intelligence Lookup. For malicious URLs alone, TI Lookup now adds an average of 60,000 more per month.

With clearer relationships between domains and assets, analysts spend less time validating indicators and more time acting on confirmed threats.

This increases investigative speed while improving the attribution, helping SOC and MSSP teams respond to phishing campaigns with clearer context and stronger confidence. 

TI Feeds: Fresh, Unique Intel on the Latest Attacks 

Since more phishing activity is validated during analysis, Threat Intelligence Feeds also receive more fully validated network IOCs (IPs, domains, URLs) belonging to the threats currently facing over 15K organizations worldwide. 

Those signals reflect confirmed attack behavior, not just suspicious metadata. 

As a result, active phishing infrastructure is identified in your SIEM and EDR, allowing your team to prevent attacks before they escalate. 

Real-World Example: Detecting Salty2FA Phishing Campaign

Salty2FA, a Phishing-as-a-Service kit, is designed to steal Microsoft 365 credentials and bypass MFA through session hijacking. It relies entirely on encrypted HTTPS communication for fake login pages, redirect flows, and credential exfiltration, which is exactly why it often looks harmless at first glance. 

An ordinary-looking page acts as the starting point for the phishing attack

In real SOC conditions, this type of attack often looks like routine HTTPS activity. A seemingly harmless CAPTCHA page becomes the entry point, while credential capture and session reuse happen inside encrypted flows. 

Without automatic decryption, confirming malicious intent would require additional validation steps or escalation. That delay increases the likelihood of successful credential compromise. 

But thanks to the new technology, ANY.RUN’s Interactive Sandbox decrypts the HTTPS session during the first run and marks it as malicious.

Check out the attack analysis

The sandbox provides connection details, showing HTTPS traffic

We can see that the threat tries to establish an HTTPS connection using port 443. At the network level, this traffic appears legitimate, but with the sandbox, the threat becomes visible instantly. 

A triggered Suricata IDS rule exposes the link as malicious

Thanks to traffic decryption, a relevant Suricata IDS rule is applied without any problem, allowing the sandbox to identify the threat. 

The response-ready report gives your SOC a confident verdict and details for containment

Within 40 seconds, the sandbox produces a response-ready report containing confirmed indicators, decrypted traffic evidence, and validated malicious behavior.

For the business, this means an early detection of an attack that might have gone unnoticed and caused data theft. 

Conclusion 

Phishing is now encrypted by default. HTTPS is no longer a signal of trust; it is simply the delivery channel. 

Detection effectiveness increasingly depends on the ability to analyze encrypted traffic without delay or instability. Automatic SSL Decryption strengthens confirmation at the sandbox layer by exposing phishing behavior during the first analysis run. 

By embedding decryption directly into the sandbox architecture and making it broadly accessible, ANY.RUN reinforces phishing detection coverage at a structural level. 

This is not an isolated feature release. It is a deliberate expansion of encrypted-layer coverage designed to improve detection resilience against modern phishing campaigns. 

As phishing evolves, detection must evolve with it. Expanding coverage at the encrypted layer ensures SOC teams can confirm, correlate, and respond to phishing threats before they escalate into business-impacting incidents. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, integrates seamlessly into modern SOC operations and supports investigations from the first alert through containment and detection improvement. 

Security teams use ANY.RUN’s Sandbox to safely execute suspicious files and URLs, observe real behavior in controlled environments, extract actionable indicators, and enrich findings instantly through TI Lookup and Threat Intelligence Feeds. This unified approach reduces uncertainty, improves validation accuracy, and strengthens response consistency across the organization. 

Today, more than 600,000 security professionals across 15,000+ organizations rely on ANY.RUN to accelerate investigations, enhance detection resilience, and stay ahead of evolving phishing and malware campaigns. 


Source: https://any.run/cybersecurity-blog/automatic-ssl-decryption/