Microsoft Warns of AI-Driven Phishing Using Obfuscated SVG Files

Microsoft uncovers AI-powered phishing campaign using obfuscated SVG files to steal U.S. business credentials

  • Microsoft identified an AI-assisted phishing campaign targeting U.S. organizations using obfuscated SVG files.
  • The scam uses compromised business emails to send messages disguised as file-sharing notifications with malicious SVG attachments.
  • The SVG files contain hidden code employing business-related language and structure, likely generated by large language models (LLMs), to evade detection.
  • The phishing leads victims to complete CAPTCHAs before reaching fake login pages to steal credentials.
  • Other recent phishing campaigns use .XLAM attachments and information stealers, showing evolving attack methods.

Microsoft has reported a new phishing campaign, detected on August 28, 2025, that uses artificial intelligence to create obfuscated payloads. The campaign mainly targets organizations in the United States by sending phishing emails designed to bypass security defenses through code likely generated by large language models (LLMs). The emails aim to steal credentials by embedding malicious content in SVG files disguised as PDF documents.

According to the Microsoft Threat Intelligence team, these phishing messages come from compromised business email accounts and use a technique where the sender and receiver addresses match, while actual targets are hidden in the BCC field to avoid detection. The SVG files sent are text-based and support embedded scripting, which enables attackers to hide malicious code inside seemingly legitimate visuals.

The file structure resembles a business analytics dashboard, making it look harmless on casual inspection. The malicious payload is further disguised through a sequence of business-related terms such as “revenue,” “operations,” and “growth,” a tactic suggesting it was created using an AI language model. “The program was not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility,” according to Microsoft’s analysis using Security Copilot. The file redirects users to a CAPTCHA page before leading to fake login pages designed to capture user credentials.

Microsoft highlighted that SVG files are attractive to attackers because they allow JavaScript and dynamic content to be embedded directly, making it difficult for security tools to detect threats. Features like invisible SVG elements and encoded attributes further help attackers evade static analysis and sandboxing.
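As an added illustration (not Microsoft's detection logic and not code from the article), the following Python sketch triages an SVG attachment for the traits described above: embedded script, event-handler attributes, invisible elements, and data attributes carried on hidden elements. The sample SVG, the finding names, and the filename heuristic are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the campaign): a "dashboard" SVG showing the listed traits.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
  <title>Business Performance Dashboard</title>
  <rect width="400" height="200" fill="#f4f4f4"/>
  <g opacity="0"><text data-analytics="revenue operations growth">Q3</text></g>
  <script type="text/javascript"><![CDATA[/* script body omitted */]]></script>
</svg>"""

HIDDEN_STYLE = re.compile(r"opacity\s*:\s*0(\.0+)?\s*(;|$)|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def local(name):
    """Strip the XML namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()

def is_invisible(el):
    a = {local(k): v.strip().lower() for k, v in el.attrib.items()}
    return (a.get("opacity") in ("0", "0.0") or a.get("display") == "none"
            or a.get("visibility") == "hidden" or bool(HIDDEN_STYLE.search(a.get("style", ""))))

def walk(el, hidden, findings):
    """Record findings for el and its children; hidden is inherited from ancestors."""
    tag = local(el.tag)
    if is_invisible(el):
        hidden = True
        findings.add("invisible-element")
    if tag in ("script", "foreignobject"):
        findings.add(tag + "-element")
    for name, value in el.attrib.items():
        attr = local(name)
        if attr.startswith("on"):
            findings.add("event-handler-attribute")
        if attr == "href" and value.strip().lower().startswith(("javascript:", "data:")):
            findings.add("script-or-data-uri-href")
        if hidden and attr.startswith("data-"):
            findings.add("data-attribute-on-invisible-element")
    for child in el:
        walk(child, hidden, findings)

def triage_svg(text, filename=""):
    """Return sorted static findings for one SVG attachment."""
    findings = set()
    # Assumption: the PDF disguise shows up as "pdf" in the name of an .svg file.
    if filename.lower().endswith(".svg") and "pdf" in filename.lower():
        findings.add("filename-poses-as-pdf")
    if "<!ENTITY" in text:  # do not expand entity declarations; flag for manual review
        return sorted(findings | {"entity-declaration"})
    try:
        walk(ET.fromstring(text), False, findings)
    except ET.ParseError:
        findings.add("malformed-xml")
    return sorted(findings)
```

Findings such as these are triage signals for a mail gateway or analyst queue, not verdicts: legitimate SVGs also use scripts and hidden layers, so combine them with sender and delivery context such as the self-addressed, BCC-only pattern described earlier.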

Separately, Forcepoint disclosed another multi-stage phishing campaign involving .XLAM email attachments that execute shellcode to deliver the XWorm Remote Access Trojan (RAT). This attack uses obfuscated secondary payloads and reflective DLL injections to maintain persistence and exfiltrate data.

Recent weeks have also seen phishing campaigns using lures related to the U.S. Social Security Administration and copyright infringement. These often distribute information stealers like Lone None Stealer and PureLogs Stealer. Cofense reported that one such campaign spoofs legal firms and uses a Telegram bot profile to hide its payloads, showing rising sophistication in phishing tactics.
