AI-Powered Phishing: Microsoft Uncovers First-of-its-Kind Attack Using Generative Code Obfuscation
Experts at Microsoft Threat Intelligence have documented an attack in which adversaries, for the first time, employed artificial intelligence to disguise phishing code, with the aim of stealing corporate credentials from U.S.-based companies.
The malicious file, delivered in SVG format, concealed its true functionality beneath a veneer of pseudo-business terminology and the imitation of an analytics dashboard—an approach designed to bypass basic security checks. Analysis revealed that the code’s structure was atypical of manual programming and was most likely generated by a large language model.
The phishing emails were distributed from a compromised corporate account, with the recipient field matching the sender, while the real addresses were hidden in BCC. The attachment mimicked a PDF but was, in reality, an SVG file containing embedded JavaScript. Once opened, it redirected victims to a CAPTCHA page, which, according to Microsoft, was intended to lead to a fraudulent login form designed to harvest passwords.
The defining feature of the attack lay in its unusual obfuscation techniques. Within the SVG code were hidden elements labeled with names such as “Business Performance Dashboard”, rendered invisible by setting their opacity to zero. Furthermore, the malicious logic was disguised using a lexicon of business terms—“revenue,” “operations,” “dashboard,” “kpi,” and others—transformed into symbols and commands through a multi-layered algorithm. The script redirected browsers to a malicious resource, captured environmental fingerprints, and tracked sessions.
Microsoft’s analysis concluded with high confidence that the code had been generated by AI. Indicators included excessively descriptive function names with hexadecimal suffixes, redundant modularity, repetitive logic blocks, bloated comments styled after business documentation, and the formalized use of XML constructs—all hallmarks of generative models.
Despite the sophistication of the camouflage, the campaign was thwarted by Microsoft Defender’s cloud-based protections. Detection heuristics were triggered by multiple factors: suspicious use of BCC, self-addressed distribution, SVG attachments masquerading as PDFs, redirection to a known phishing domain (kmnl[.]cpfcenters[.]de), the presence of concealed logic, and evidence of session tracking.
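As an added illustration (not Microsoft's detection logic or the attacker's code), the following Python triage check looks for the attachment-level indicators the article lists: SVG content under a PDF-looking name, embedded script, zero-opacity elements, business vocabulary concentrated in script string literals, redirection, and fingerprinting. The sample SVG, the lexicon and the verdict threshold are constructed for this example.

```python
import re

# Business vocabulary the article reports being used as an encoding alphabet
# (terms from the article plus a few constructed additions).
BUSINESS_LEXICON = {
    "revenue", "operations", "dashboard", "kpi", "growth",
    "performance", "metrics", "quarterly", "analytics", "report",
}

# Constructed sample mimicking the described attachment: an invisible "dashboard"
# group, a lexicon array, environment fingerprinting and a redirect.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
<g id="Business Performance Dashboard" style="opacity:0;">
  <text x="10" y="20">Revenue Dashboard</text>
</g>
<script type="text/javascript"><![CDATA[
  var revenueDashboardMetrics_7f3a = ["revenue","operations","dashboard","kpi",
    "growth","performance","metrics","quarterly","revenue","kpi","operations","dashboard"];
  var sessionKpiTracker_9c1e = navigator.userAgent + "|" + screen.width;
  window.location.href = "https://redirect-target.invalid/verify";  // placeholder, not a real IoC
]]></script>
</svg>"""


def analyze_svg_attachment(filename: str, data: bytes) -> dict:
    """Return the indicators found in an e-mail attachment (constructed heuristics)."""
    text = data.decode("utf-8", errors="ignore")
    scripts = " ".join(re.findall(r"<script\b[^>]*>(.*?)</script>", text, re.I | re.S))
    literals = re.findall(r"[\"']([A-Za-z_]+)[\"']", scripts)
    lexicon_hits = sum(1 for s in literals if s.lower() in BUSINESS_LEXICON)
    findings = {
        # Name suggests a PDF, but the bytes are SVG markup rather than %PDF.
        "pdf_masquerade": bool("pdf" in filename.lower()
                               and not data.startswith(b"%PDF")
                               and b"<svg" in data.lower()),
        "embedded_script": bool(scripts.strip()),
        # Elements hidden with opacity 0, as with the fake dashboard.
        "hidden_elements": len(re.findall(
            r"opacity\s*[:=]\s*[\"']?0(?:\.0+)?(?![.\d])", text, re.I)),
        # Business vocabulary packed into script string literals (encoding alphabet).
        "lexicon_literals": lexicon_hits,
        "redirect": bool(re.search(r"\blocation(?:\.href|\.replace|\.assign)?\s*[=(]", scripts)),
        "fingerprinting": bool(re.search(r"navigator\.\w+|screen\.(?:width|height)", scripts)),
    }
    triggered = [k for k, v in findings.items() if v]
    findings["triggered"] = triggered
    findings["verdict"] = "suspicious" if len(triggered) >= 3 else "benign"  # constructed threshold
    return findings
```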
Microsoft emphasized that the adoption of AI does not negate the possibility of detection. On the contrary, synthetic code often leaves behind distinctive artifacts that defenders can exploit. The company recommends administrators enable Safe Links for URL scanning, activate Zero-hour Auto Purge to isolate already delivered emails, deploy browsers with SmartScreen protection, and enforce phishing-resistant multi-factor authentication via Microsoft Entra.
This incident underscores that threat actors are already experimenting with neural networks to enhance stealth, yet it also demonstrates that AI-driven defense systems are equally capable of countering such campaigns effectively.