- Hackers use AI tools to hide phishing code in SVG files disguised as business charts
- The SVGs encode the payload as business terms, which a hidden script decodes to steal data
- Microsoft attributes the complex obfuscation to AI-generated code rather than typical human-written malware
We have all heard that generative AI is used to make the bodies of phishing emails more convincing, but Microsoft researchers have now discovered a campaign in which the threat actors took the use of AI in phishing a step further to better hide malicious code in plain sight.
In a report shared with TechRadar Pro, Microsoft said it observed a new phishing campaign originating from a compromised email account belonging to a small business. The technique was nothing extraordinary: the attackers sent the message to the compromised account itself and addressed the victims through the BCC field, a standard tactic to avoid detection.
The email itself delivered a malicious file designed to harvest people's login credentials: an SVG file disguised as a PDF. Nothing unusual here either. SVG files are scalable vector graphics used for web images. Because they support embedded scripts, they can be abused for phishing: attackers can hide malicious JavaScript inside them, slip past filters and trick users into clicking harmful links.
But then things get interesting.
A unique obfuscation method
After analyzing the SVG code, Microsoft found that its obfuscation method and behavior were quite unique.
“Instead of using cryptographic obfuscation, which is commonly used to obfuscate phishing content, the SVG code in this campaign used business-related language to disguise its malicious activity,” the report says.
It turns out the attackers hid the malware inside SVG files by making them look like ordinary business charts.
The charts were invisible, so anyone who opened the file would see only a blank image.
They also encoded the malicious code as a chain of business words such as “income” and “shares”, and a hidden script would read those words, decode them and turn them into actions such as redirecting the browser to a phishing site, tracking the user and collecting information from the browser.
In essence, the file looked harmless but secretly ran a program that stole data and tracked activity.
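As an added illustration of how a defender might triage SVG attachments for the traits described above (an embedded script, blank artwork, and a long chain of repeated business words), here is a Python heuristic written for this article; it is not Microsoft's code. The two SVG samples are constructed, and the suspicious one carries no decoder or payload, only the structure.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
DRAWN = {"rect", "path", "circle", "ellipse", "polygon", "text", "g"}

def svg_indicators(svg_text, min_tokens=40, max_vocab_ratio=0.2):
    """Heuristic triage of one SVG document; each flag True means suspicious.
    has_script    : embedded <script> element or an on* event-handler attribute
    invisible_art : a drawable element rendered fully transparent or not displayed
    word_payload  : a long run of text built from a tiny, repeated vocabulary
    """
    root = ET.fromstring(svg_text)
    has_script = invisible = False
    tokens = []
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")  # drop the default namespace prefix
        if tag == "script" or any(a.lower().startswith("on") for a in el.attrib):
            has_script = True
        if tag in DRAWN and (el.get("opacity") == "0" or el.get("fill-opacity") == "0"
                             or el.get("display") == "none"):
            invisible = True
        tokens += [t.lower() for t in re.findall(r"[A-Za-z]+", el.text or "")]
    ratio = len(set(tokens)) / len(tokens) if tokens else 1.0
    return {
        "has_script": has_script,
        "invisible_art": invisible,
        "word_payload": len(tokens) >= min_tokens and ratio <= max_vocab_ratio,
    }

def is_suspicious(svg_text):
    """Scripted SVG plus either hidden artwork or a word-chain payload."""
    flags = svg_indicators(svg_text)
    return flags["has_script"] and (flags["invisible_art"] or flags["word_payload"])

# Constructed samples. The second mimics only the structure described in the
# report: blank chart, a chain of business words, an embedded script. It carries
# no decoder and no working payload.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="300" height="200">
  <text x="10" y="20">Revenue by quarter</text>
  <rect x="20" y="60" width="40" height="120" fill="#336"/>
  <rect x="80" y="90" width="40" height="90" fill="#336"/>
  <text x="20" y="195">Q1</text><text x="80" y="195">Q2</text>
</svg>"""
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="300" height="200">
  <rect x="20" y="60" width="40" height="120" fill="#336" opacity="0"/>
  <text x="0" y="0" opacity="0">{words}</text>
  <script>/* decoder omitted */</script>
</svg>""".format(words=" ".join(["revenue", "shares", "income", "profit"] * 15))
```

The thresholds are starting points for a mail gateway or sandbox rule, not fixed values; the word-vocabulary test will also fire on legitimate charts with many repeated labels, so treat it as one signal to combine with the script check rather than a verdict on its own.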
This must have been the work of an AI, Microsoft added: Microsoft Security Copilot evaluated that the code “was not something that a human would normally write from scratch due to its complexity, verbosity and lack of practical utility.”