Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses.
“Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent,” the Microsoft Threat Intelligence team said in an analysis published last week.
The activity, detected on August 28, 2025, shows how threat actors are increasingly adopting artificial intelligence (AI) tools into their workflows, often with the goal of crafting more convincing phishing lures, automating malware obfuscation, and generating code that mimics legitimate content.
In the attack chain documented by the Windows maker, bad actors have been observed leveraging an already compromised business email account to send phishing messages to steal victims’ credentials. The messages feature lure masquerading as a file-sharing notification to entice them into opening what ostensibly appears to be a PDF document, but, in reality, is a Scalable Vector Graphics (SVG) file.
What’s notable about the messages is that the attackers make use of a self-addressed email tactic, where the sender and recipient addresses match, and the actual targets were hidden in the BCC field so as to bypass basic detection heuristics.
“SVG files (Scalable Vector Graphics) are attractive to attackers because they are text-based and scriptable, allowing them to embed JavaScript and other dynamic content directly within the file,” Microsoft said. “This makes it possible to deliver interactive phishing payloads that appear benign to both users and many security tools.”
On top of that, the fact that SVG file format supports features such as invisible elements, encoded attributes, and delayed script execution makes it ideal for adversaries looking to sidestep static analysis and sandboxing, it added.
The SVG file, once launched, redirects the user to a page that serves a CAPTCHA for security verification, completing which, they are likely taken to a fake login page to harvest their credentials. Microsoft said the exact next stage is unclear due to its systems flagging and neutralizing the threat.
But where the attack stands apart is when it comes to its unusual obfuscation approach that uses business-related language to disguise the phishing content in the SVG file — a sign that it may have been generated using an LLM.
“First, the beginning of the SVG code was structured to look like a legitimate business analytics dashboard,” Microsoft said. “This tactic is designed to mislead anyone casually inspecting the file, making it appear as if the SVG’s sole purpose is to visualize business data. In reality, though, it’s a decoy.”
The second aspect is that the payload’s core functionality – which is to redirect users to the initial phishing landing…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
