- AI-generated code used in the phishing campaign was blocked by Microsoft Defender
- The attackers used an SVG file disguised as a PDF, with hidden business-themed code inside
- Stylistic features such as verbose identifiers and generic comments were flagged as supporting evidence
AI-generated code is now used across industries for a variety of tasks, and in cybersecurity both security teams and attackers are increasingly turning to large language models to support their work.
Defenders apply AI to detect and respond to threats at scale, while attackers experiment with it to craft phishing lures, generate obfuscated code and disguise malicious payloads.
Microsoft Threat Intelligence recently detected and blocked a phishing campaign that it believes used AI-generated code to hide its payload within an SVG file.
Polished but not practical
The campaign used a compromised small-business email account to send self-addressed messages with the real targets hidden in the BCC field, and the attached file was named to resemble a PDF while carrying scriptable SVG content.
The SVG file included hidden elements made to resemble a business dashboard, while a script within it converted business-related words into code that revealed a hidden payload.
When opened, the file redirected users to a CAPTCHA gate, a common social engineering tactic that can lead to a fake page designed to harvest credentials.
The obfuscation relied on concatenated business words and formulaic code patterns rather than cryptographic techniques.
Security Copilot analyzed the file and flagged markers consistent with LLM output, such as long descriptive identifiers, repetitive modular structures, generic comments and an unusual combination of XML and CDATA declarations.
These features made the code appear polished on the surface but impractical, leading analysts to conclude that it was probably AI-generated.
The researchers used tools powered by Microsoft Defender for Office 365 to collect clues that were harder for the attackers to hide.
The system flagged the unusual self-addressed email pattern, the SVG file disguised as a PDF, the redirection to a known phishing site, the hidden code within the file and the tracking methods used on the phishing page.
The incident was limited, easily blocked and aimed mainly at US organizations, but Microsoft notes that it illustrates how attackers are increasingly experimenting with AI to create convincing lures and complex payloads.
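The indicators described above (a PDF-looking name on SVG content, embedded script, the XML-plus-CDATA combination, hidden elements and very long identifiers) can be turned into a simple mail-gateway triage check. The following is an added example, not code from Microsoft or the article; the SVG sample, its file name and the scoring thresholds are constructed for illustration.

```python
import re
from xml.etree import ElementTree as ET

# Identifiers of 25+ characters, a crude proxy for "long descriptive identifiers"
LONG_IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]{24,}\b")

# Constructed sample: an SVG named like a PDF, with hidden "dashboard" elements
# and a CDATA-wrapped script that concatenates business words (not real malware).
SAMPLE_NAME = "Quarterly_Report.pdf.svg"
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="300">
  <rect x="10" y="10" width="380" height="280" fill="#eee" opacity="0"/>
  <text x="20" y="40" opacity="0">revenue growth forecast synergy</text>
  <script><![CDATA[
    // constructed: business words concatenated to build a string
    var businessDashboardRevenueTermList = ["revenue", "growth", "forecast"];
    var quarterlyPerformanceSummaryString = businessDashboardRevenueTermList.join("");
  ]]></script>
</svg>"""

def inspect_svg_attachment(filename: str, data: bytes) -> dict:
    """Collect the article's indicators for one attachment (heuristic, not a verdict)."""
    text = data.decode("utf-8", errors="replace")
    f = {
        "pdf_name_not_pdf": "pdf" in filename.lower() and not data.startswith(b"%PDF"),
        "xml_declaration": text.lstrip().startswith("<?xml"),
        "cdata": "<![CDATA[" in text,
        "script": False,
        "hidden_elements": 0,
        "long_identifiers": 0,
    }
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        f["parse_error"] = True  # malformed XML is itself worth a look
        return f
    script_text = ""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "script":
            f["script"] = True
            script_text += el.text or ""  # ElementTree returns CDATA content as text
        style = el.get("style", "").replace(" ", "")
        if el.get("opacity") == "0" or "display:none" in style or el.get("visibility") == "hidden":
            f["hidden_elements"] += 1
    f["long_identifiers"] = len(set(LONG_IDENT.findall(script_text)))
    return f

def risk_score(f: dict) -> int:
    """Count independent indicators; three or more warrants manual review."""
    return sum([f["pdf_name_not_pdf"], f["script"], f["xml_declaration"] and f["cdata"],
                f["hidden_elements"] > 0, f["long_identifiers"] > 0])
```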
Via Infosecurity Magazine