Multi-stage cyber attacks, characterized by complex execution chains, are designed to avoid detection and give victims a false sense of security. Knowing how they work is the first step to building a solid defense strategy against them. Let’s look at real-world examples of some of the most common multi-stage attack scenarios in action right now.
URLs and other embedded content in documents
Attackers often hide malicious links in seemingly legitimate documents, such as PDF or Word files. When the user opens the document and clicks the embedded link, they are taken to a malicious website. These sites typically rely on social engineering to get the victim to download malware or enter their credentials.
Another popular type of embedded content is the QR code. Attackers encode a malicious URL in a QR code and place it in the document. This pushes the user to scan the code with a mobile device, which often sits outside the organization's email and web filtering, and the code then leads to a phishing site. Such sites usually ask for login credentials, which the attackers harvest as soon as they are submitted.
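The first thing a practitioner wants from a lure document is the list of places it can send the victim. The following is an added example (not code from the original post or from ANY.RUN) that triages a PDF's raw object syntax for URI link annotations, OpenAction/JavaScript/Launch actions, and square image XObjects that are worth decoding as QR codes. It also inflates FlateDecode streams, because actions hidden in compressed object streams are invisible to a plain grep. The sample PDF, its hostnames and the size heuristic for QR candidates are constructed for this example; decoding the QR image itself would need an image decoder such as pyzbar or OpenCV and is not done here.

```python
"""Triage a PDF for the embedded-content lures described above: URI link
annotations, OpenAction / JavaScript / Launch actions, and image XObjects
shaped like a QR code. Added example; the sample PDF is constructed."""
import re
import zlib

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                       # /A << /S /URI /URI (http...) >>
JS_URL_RE = re.compile(rb"launchURL\s*\(\s*['\"]([^'\"]+)")      # app.launchURL('http...')
ACTION_RE = re.compile(rb"/S\s*/(JavaScript|Launch|URI|SubmitForm|GoToR)\b")
OPEN_RE = re.compile(rb"/OpenAction\b")                          # fires when the document opens
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
WIDTH_RE = re.compile(rb"/Width\s+(\d+)")
HEIGHT_RE = re.compile(rb"/Height\s+(\d+)")


def inflate_streams(data):
    """Yield the inflated body of every stream that is valid zlib data.
    Attackers routinely hide actions in FlateDecode object streams, where a
    plain grep over the file never sees them."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # image data or a filter this example does not handle


def triage_pdf(data):
    """Return URLs, action types, OpenAction presence and QR-shaped images
    found in the raw object syntax and in any inflatable streams."""
    findings = {"uris": set(), "actions": [], "open_action": False,
                "images": [], "qr_candidates": 0}
    for chunk in [data, *inflate_streams(data)]:
        findings["uris"].update(u.decode("latin-1") for u in URI_RE.findall(chunk))
        findings["uris"].update(u.decode("latin-1") for u in JS_URL_RE.findall(chunk))
        findings["actions"] += [a.decode() for a in ACTION_RE.findall(chunk)]
        findings["open_action"] |= bool(OPEN_RE.search(chunk))
    for body in OBJ_RE.findall(data):
        if not re.search(rb"/Subtype\s*/Image\b", body):
            continue
        w, h = WIDTH_RE.search(body), HEIGHT_RE.search(body)
        if w and h:
            w, h = int(w.group(1)), int(h.group(1))
            findings["images"].append((w, h))
            # Heuristic (constructed): a square image at print size is worth
            # decoding as a QR code with pyzbar/OpenCV in a real pipeline.
            if w == h and 100 <= w <= 1200:
                findings["qr_candidates"] += 1
    findings["uris"] = sorted(findings["uris"])
    return findings


def build_sample_pdf():
    """Constructed lure, not a renderable PDF: a link annotation with a plain
    /URI, a square image standing in for a QR code, and a JavaScript
    OpenAction hidden inside a FlateDecode object stream."""
    hidden = (b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
              b"/JS (app.launchURL('https://lure.example/js', true)) >> >>")
    objstm = zlib.compress(hidden)
    return b"".join([
        b"%PDF-1.7\n",
        b"3 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 300 80] "
        b"/A << /S /URI /URI (https://lure.example/login) >> >> endobj\n",
        b"4 0 obj << /Type /XObject /Subtype /Image /Width 400 /Height 400 "
        b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 4 >> stream\n",
        b"\x00\xff\x00\xff", b"\nendstream endobj\n",
        b"5 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length %d >> stream\n"
        % len(objstm),
        objstm, b"\nendstream endobj\n",
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

On the constructed sample, the plain-text scan finds only the visible link; the JavaScript OpenAction and its launchURL target surface only after the object stream is inflated, which is the case that matters when triaging real lures.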
Example: PDF file with QR code
To demonstrate how a typical attack unfolds, let's use the ANY.RUN sandbox, which offers a secure virtual environment for examining malicious files and URLs. Thanks to its interactivity, this cloud service lets us work with the system the same way as on a regular computer.
To simplify our analysis, we will enable the Automated Interactivity feature, which performs the user actions required to launch the attack or detonate the sample on its own.
A phishing PDF with a malicious QR code opened in the ANY.RUN sandbox
Let's consider this sandbox session, which contains a malicious .pdf file with an embedded QR code. When automation is enabled, the service extracts the URL encoded in the QR code and opens it in the browser on its own.
The final phishing page, where victims are asked to enter their credentials
After several redirects, the attack takes us to the final phishing page, designed to mimic the Microsoft sign-in page. It is controlled by the threat actors and configured to steal the username and password as soon as they are entered.
Suricata IDS rules detected a chain of phishing domains during the analysis
The sandbox lets you observe all the network activity generated during the attack and see which Suricata IDS rules fired.
Once the analysis is complete, the ANY.RUN sandbox provides a final verdict of “malicious activity” and generates a threat report that also includes a list of IOCs.
Multi-level redirects
Multi-level redirects involve a sequence of URLs that send the user through several sites before arriving at the malicious destination. Attackers often route the chain through trusted domains such as Google, or popular social media platforms such as TikTok, so that the first link looks legitimate. This makes it harder for security tools to reach and classify the final malicious URL.
Some redirection steps include CAPTCHA challenges to stop crawlers and URL filters from reaching the malicious content. Attackers also add scripts that check the visitor's IP address: when it falls in a hosting or cloud range commonly used by security vendors, the chain is broken and the visitor is sent to a legitimate website instead of the phishing page. A detonation environment therefore has to both solve the CAPTCHA and avoid presenting a known scanner address, or it will only ever see the decoy.
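To make the two evasions concrete, here is an added example (not code from the original post or from ANY.RUN) that does what a sandbox has to do with such a chain: unwrap the redirect target nested in the trusted site's URL parameters, then follow HTTP 3xx, meta-refresh and JavaScript location hops while recording each one. The "web" it walks is an in-memory stand-in with a gate that cloaks datacenter visitors and a CAPTCHA page that stops the walk unless a solver callback is supplied. Every hostname, the TikTok-style link, the datacenter prefixes and the CAPTCHA markers are constructed for the example.

```python
"""Walk a multi-level redirect chain and surface the two evasions described
above: CAPTCHA gates and IP-based cloaking. Added example; the "web" it
walks is an in-memory stand-in and every hostname is hypothetical."""
import re
from urllib.parse import parse_qs, urlparse

REDIRECT_PARAMS = ("target", "url", "q", "u", "redirect", "redirect_uri", "next")
CAPTCHA_MARKERS = ("g-recaptcha", "cf-turnstile", "h-captcha")
META_REFRESH = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action=["\']([^"\']+)["\']', re.I)


def unwrap_redirects(url, max_depth=10):
    """Peel URL-encoded redirect targets out of query parameters, outermost
    first (trusted-site link -> open redirect -> attacker host). This gives
    the final destination without sending a single request."""
    chain = [url]
    for _ in range(max_depth):
        params = parse_qs(urlparse(chain[-1]).query)
        nested = next((v for name in REDIRECT_PARAMS for v in params.get(name, [])
                       if v.startswith(("http://", "https://"))), None)
        if nested is None:
            break
        chain.append(nested)
    return chain


def follow_chain(url, fetch, client_ip, solve_captcha=None, max_hops=15):
    """Follow HTTP 3xx, meta-refresh and JavaScript location hops, recording
    each one. A CAPTCHA page ends the walk unless a solver supplies the next
    URL, which is exactly where non-interactive crawlers stop."""
    hops, seen = [], set()
    while url and len(hops) < max_hops:
        if url in seen:
            hops.append({"url": url, "note": "redirect loop"})
            break
        seen.add(url)
        status, headers, body = fetch(url, client_ip)
        hop = {"url": url, "status": status,
               "captcha": any(m in body.lower() for m in CAPTCHA_MARKERS)}
        hops.append(hop)
        if hop["captcha"]:
            if solve_captcha is None:
                hop["note"] = "stopped at CAPTCHA gate"
                break
            url = solve_captcha(url, body)
            continue
        if 300 <= status < 400:
            url = headers.get("Location")
        else:
            m = META_REFRESH.search(body) or JS_LOCATION.search(body)
            url = m.group(1) if m else None
    return hops


# ---- constructed stand-in for the network (all hostnames hypothetical) -----
TIKTOK_URL = ("https://tiktok.example/link?target="
              "https%3A%2F%2Fgoogle.example%2Furl%3Fq%3Dhttps%3A%2F%2Fhop1.example%2F")
GATE_URL = "https://gate.example/check"
DECOY_URL = "https://www.microsoft.example/"          # legitimate-looking bail-out
LANDING_URL = "https://login-m1crosoft.example/"      # credential-harvesting page
DATACENTER_PREFIXES = ("34.", "35.", "52.")           # what the cloaking script treats as scanner space

STATIC = {
    "https://google.example/url?q=https://hop1.example/":
        (302, {"Location": "https://hop1.example/"}, ""),
    "https://hop1.example/":
        (200, {}, '<meta http-equiv="refresh" content="0;url=%s">' % GATE_URL),
    DECOY_URL: (200, {}, "<h1>Welcome</h1>"),
    LANDING_URL: (200, {}, '<form method="post"><input name="password"></form>'),
}


def fake_fetch(url, client_ip):
    """Return (status, headers, body) the way an HTTP client would."""
    if url == TIKTOK_URL:
        return 302, {"Location": unwrap_redirects(url)[1]}, ""
    if url == GATE_URL:
        if client_ip.startswith(DATACENTER_PREFIXES):   # cloaking: send scanners elsewhere
            return 302, {"Location": DECOY_URL}, ""
        return 200, {}, ('<form action="%s" method="post">'
                         '<div class="g-recaptcha" data-sitekey="x"></div></form>' % LANDING_URL)
    return STATIC.get(url, (404, {}, ""))


def click_through_captcha(url, body):
    """Stand-in for an interactive solve: submit the gate form to its action."""
    m = FORM_ACTION.search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ip in ("52.1.2.3", "198.51.100.7"):
        for hop in follow_chain(TIKTOK_URL, fake_fetch, ip, click_through_captcha):
            print(ip, hop)
```

Run from a datacenter address the walk ends on the decoy and looks clean; from any other address without a solver it stalls at the CAPTCHA; only the combination of a non-scanner address and an interactive solve reaches the credential page. The `unwrap_redirects` step is worth running on its own, since it yields the attacker's host from the very first link before any request is made.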
Example: A chain of links leading to a phishing page
Here is a sandbox session showing the entire attack chain, starting with a seemingly legitimate TikTok link.
A TikTok URL that redirects to a Google domain
A closer look at the full URL, however, shows that it carries a redirect to a legitimate Google domain.
ANY.RUN automatically solves the CAPTCHA and moves to the next stage of the attack
From there, the attack moves through another redirect site to the final phishing page, which is protected by a CAPTCHA challenge.
A fake Outlook page designed to steal user data
With automated content analysis, the sandbox solves this CAPTCHA on its own, allowing us to observe the fake page designed to steal the victim's credentials.
Email attachments
Email attachments continue to be a common method of multi-stage attacks. In the past, attackers often sent emails with Office documents containing malicious macros.
Today the focus has shifted to archives containing payloads and scripts. Archives give threat actors a simple and effective way to hide malicious executables from security controls and make the attachment look more trustworthy to the recipient.
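What the sandbox does with such an attachment can be reproduced in a few dozen lines. The following is an added example (not code from the original post or from ANY.RUN) that pulls the attachment out of a phishing email, lists every archive member including those in nested archives, flags executable and script payloads and double extensions such as `Invoice.pdf.exe`, and records which members are encrypted and therefore cannot be inspected without the password. The message, the archive and the extension lists are constructed for the example; only zip is handled, since 7z and rar need third-party libraries.

```python
"""Pull the attachment out of a phishing email and triage the archive the
way a sandbox's content analysis does: list members, flag executable and
script payloads (double extensions included), recurse into nested archives,
and note encrypted entries that cannot be inspected. Added example; the
message and the archive are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

PAYLOAD_EXT = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".wsf", ".bat",
               ".cmd", ".ps1", ".hta", ".lnk", ".iso", ".img"}
ARCHIVE_EXT = {".zip"}   # only zip is handled here; 7z/rar need extra libraries


def build_sample_email():
    """Constructed lure: an invoice pretext with a .zip that carries a
    double-extension executable, a decoy document and a nested archive."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.js", "// stand-in for a dropper script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Invoice_4471.pdf.exe", b"MZ" + b"\0" * 2048)   # fake PE header
        z.writestr("Invoice_4471.pdf", b"%PDF-1.4 decoy")
        z.writestr("attachments.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = "Overdue invoice 4471"
    msg.set_content("Please review the attached invoice and remit payment.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_4471.zip")
    return msg.as_bytes()


def extract_attachments(raw):
    """Return [(filename, bytes)] for every attachment part in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def triage_archive(data, depth=0, max_depth=3):
    """One record per member, with nested archives expanded in place."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            last = exts[-1] if exts else ""
            rec = {
                "name": info.filename,
                "depth": depth,
                "payload": last in PAYLOAD_EXT,
                "double_extension": len(exts) >= 2 and last in PAYLOAD_EXT,
                "encrypted": bool(info.flag_bits & 0x1),          # password-protected member
                "ratio": info.file_size / info.compress_size if info.compress_size else 0.0,
            }
            records.append(rec)
            if last in ARCHIVE_EXT and depth < max_depth and not rec["encrypted"]:
                records += triage_archive(z.read(info), depth + 1, max_depth)
    return records


def main_payloads(records):
    """What a sandbox would pick to detonate first."""
    return [r["name"] for r in records if r["payload"]]


if __name__ == "__main__":
    for name, blob in extract_attachments(build_sample_email()):
        print(name)
        for rec in triage_archive(blob):
            print("  " * (rec["depth"] + 1), rec)
```

The `ratio` field is there because a tiny compressed size with a huge uncompressed size is the signature of a decompression bomb; a real pipeline should cap total inflated bytes before reading members, and an encrypted member should be reported rather than silently skipped, since a password in the email body is itself a strong phishing indicator.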
Example: Email attachment delivering FormBook malware
In this sandbox session, we see a phishing email with a .zip attachment. The service automatically opens the archive, which contains several files.
Phishing email with an archive attached
With Smart Content Analysis, the service identifies the main payload and executes it, which kicks off the execution chain and lets us see how the malware behaves on a live system.
Suricata IDS rule used to detect FormBook's connection to its C2
The sandbox detects FormBook, logs all of its network and system activity, and provides a detailed threat report.
Conclusion
Multi-stage attacks pose a significant threat to organizations and individuals alike. The most common scenarios include URLs and QR codes embedded in documents, multi-level redirects, and email attachments carrying archived payloads. Analyzing them with tools such as ANY.RUN's interactive sandbox helps us better protect our infrastructure.