- AI-generated code used in a phishing campaign was detected and blocked by Microsoft Defender
- The attackers used an SVG file disguised as a PDF, with business-themed code inside that concealed the payload
- Security Copilot flagged AI-style traits such as verbose identifiers and generic comments
AI-generated code is now used across industries for a wide range of tasks, and in cybersecurity both security teams and attackers are increasingly turning to large language models to support their work.
Defenders apply AI to detect and respond to threats at scale, while attackers experiment with it to craft phishing lures, generate obfuscated code and conceal malicious payloads.
Microsoft Threat Intelligence recently detected and blocked a phishing campaign which, according to the company, used AI-generated code to hide its payload in an SVG file.
Polished but not practical
The campaign used a compromised small business email account to send self-addressed messages with the real targets hidden in the BCC field, and the attachment was named to look like a PDF while actually carrying scriptable SVG content.
The SVG file included hidden elements designed to look like a business dashboard, while a script inside transformed business-related words into code that revealed a hidden payload.
When opened, the file redirected users to a CAPTCHA gate, a common social engineering tactic that can lead to a fake sign-in page intended to harvest credentials.
The obfuscation relied on business vocabulary and formulaic patterns rather than on encryption or other cryptographic techniques.
Security Copilot analyzed the file and flagged markers consistent with LLM output, such as long descriptive identifiers, repetitive modular structures, generic comments and an unusual combination of an XML declaration with CDATA sections.
These features made the code polished on the surface but not practical, which led analysts to conclude that it was probably AI-generated.
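The two things a mail-filtering team would most want to check from the description above are (a) that the attachment's claimed type (a ".pdf" name) matches its real content, and (b) whether an SVG carries a script, invisible decoy elements and a redirect, plus the LLM-style markers the article lists. The following is an added example written for this page, not Microsoft's or Security Copilot's detection logic; the sample attachment is constructed, and the verbose-identifier threshold (`LONG_IDENT`) and the regular expressions are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample attachment: a file named like a PDF that is really an SVG
# carrying invisible "dashboard" decoy elements and a script that redirects the
# viewer. Illustrative only; this is not the file Microsoft analysed.
SAMPLE_FILENAME = "Quarterly_Report.pdf"
SAMPLE_CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <g opacity="0">
    <text x="10" y="20">Revenue Dashboard</text>
    <rect x="10" y="40" width="200" height="30" fill="#4caf50"/>
  </g>
  <script type="text/javascript"><![CDATA[
    // Initialize the business performance terms
    var businessPerformanceTermList = ["revenue", "operations", "growth"];
    // Assemble the verification endpoint for the user
    var verificationEndpointAddress = ["https:", "//", "example.invalid", "/verify"].join("");
    // Redirect the user to the verification endpoint
    window.location = verificationEndpointAddress;
  ]]></script>
</svg>
"""

REDIRECT_RE = re.compile(r"window\.location|location\.href|location\.replace\(")
IDENT_RE = re.compile(r"\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)")
LONG_IDENT = 20  # assumed threshold: identifiers this long count as "verbose"


def _is_hidden(elem) -> bool:
    """Decoy content rendered invisible: opacity 0 or hidden via inline style."""
    if elem.get("opacity", "").strip() == "0":
        return True
    style = elem.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def analyse_attachment(filename: str, content: str) -> dict:
    """Heuristic check for an SVG-with-script attachment posing as a PDF."""
    body = content.lstrip()
    result = {
        "claims_pdf": filename.lower().endswith(".pdf"),
        "is_pdf": body.startswith("%PDF-"),          # real PDFs start with this magic
        "has_xml_declaration": body.startswith("<?xml"),
        "has_cdata": "<![CDATA[" in content,
        "is_svg": False,
        "script_count": 0,
        "hidden_elements": 0,
        "redirects": False,
        "long_identifiers": [],
        "comment_lines": 0,
    }
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        # Not XML at all: only the name/content mismatch can be judged.
        result["suspicious"] = result["claims_pdf"] and not result["is_pdf"]
        return result

    result["is_svg"] = root.tag == f"{{{SVG_NS}}}svg"
    script_text = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]        # strip the namespace prefix
        if local == "script":
            result["script_count"] += 1
            script_text.append(elem.text or "")    # ElementTree folds CDATA into .text
        if _is_hidden(elem):
            result["hidden_elements"] += 1

    joined = "\n".join(script_text)
    result["redirects"] = bool(REDIRECT_RE.search(joined))
    result["long_identifiers"] = [i for i in IDENT_RE.findall(joined) if len(i) >= LONG_IDENT]
    result["comment_lines"] = sum(1 for ln in joined.splitlines() if ln.strip().startswith("//"))
    # Verdict: claims to be a PDF, is actually an SVG, and carries script.
    result["suspicious"] = (
        result["claims_pdf"] and not result["is_pdf"]
        and result["is_svg"] and result["script_count"] > 0
    )
    return result


if __name__ == "__main__":
    for key, value in analyse_attachment(SAMPLE_FILENAME, SAMPLE_CONTENT).items():
        print(f"{key}: {value}")
```

The verdict deliberately rests on the type mismatch plus embedded script, which is cheap and hard for the sender to avoid; the identifier-length and comment counts are only reported as supporting evidence, since they are stylistic hints rather than proof of LLM authorship.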
Researchers used AI-powered tools in Microsoft Defender for Office 365 to reconstruct clues that were harder for the attackers to hide.
The system flagged the unusual self-addressed messaging pattern, the SVG file disguised as a PDF, the redirection to a known phishing site, the hidden code inside the file and the tracking methods used on the phishing page.
The incident was limited in scope, easily blocked and mainly targeted US organizations, but Microsoft notes that it illustrates how attackers are increasingly experimenting with AI to develop convincing lures and complex payloads.
Via Infosecurity Magazine