
Microsoft is calling attention to a new phishing campaign targeting US-based organizations that likely used code generated with large language models (LLMs) to obfuscate payloads and evade security defenses.
“Likely supported by a large language model (LLM), the activity obfuscates its behavior within SVG files and leverages business terminology and a synthetic structure to hide its malicious intent,” the Microsoft Threat Intelligence team said in an analysis published last week.
The activity, detected on August 28, 2025, shows how threat actors are employing artificial intelligence (AI) tools in their workflows, often with the goal of creating more persuasive phishing lures, automating malware obfuscation, and generating code that mimics legitimate content.
In the attack chain documented by the Windows maker, the bad actors were observed leveraging an already compromised business email account to send phishing messages aimed at stealing victims' credentials. The messages are lures dressed up as file-sharing notifications that direct the recipient to open what is ostensibly a PDF document but is actually a scalable vector graphics (SVG) file.
A notable feature of the messages is that the attackers use a self-addressed email tactic: the sender and recipient match, and the actual targets are hidden in the BCC field to bypass basic detection heuristics.
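As an added example (not code from Microsoft's analysis or this article), the self-addressed pattern can be turned into a gateway-side check: the From and To headers name the same mailbox, while every recipient in the SMTP envelope (where BCC recipients end up) is absent from To/Cc. It assumes the gateway exposes the envelope recipient list; all addresses and the message are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed message for this example (not the campaign's mail). The header
# recipient is the compromised sender itself; the real targets arrive only in
# the SMTP envelope (RCPT TO), which is where BCC recipients are delivered.
SAMPLE_MAIL = """From: Finance Team <finance@example-compromised.test>
To: Finance Team <finance@example-compromised.test>
Subject: Document shared with you
Content-Type: text/plain

A file has been shared with you. Open the attached document to review it.
"""
SAMPLE_ENVELOPE_RCPTS = ["cfo@target-one.test", "ap@target-two.test"]


def self_addressed_with_hidden_targets(raw_message, envelope_rcpts):
    """Flag mail whose From and To headers are the same single mailbox while
    every envelope recipient is missing from To/Cc, i.e. delivered purely via BCC."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers) if addr}
    hidden = [r for r in envelope_rcpts if r.lower() not in visible]
    return (sender in visible and len(visible) == 1
            and bool(hidden) and len(hidden) == len(envelope_rcpts))
```

A gateway would normally combine this with the sender's reputation and the attachment type rather than block on the header pattern alone.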

“SVG (Scalable Vector Graphics) files are text-based and scriptable, making them attractive to attackers, as they allow JavaScript and other dynamic content to be embedded directly within the file,” Microsoft said. “This allows for the delivery of interactive phishing payloads that appear benign to both users and many security tools.”
Microsoft added that the SVG format's support for features such as invisible elements, encoded attributes, and delayed script execution makes it ideal for adversaries seeking to evade static analysis and sandboxing.
When opened, the SVG file may redirect the user to a page that serves a CAPTCHA for security verification, after which they are taken to a fake login page that harvests their credentials. Microsoft said the exact next steps are unknown, as its systems flagged and neutralized the threat.
What stands out about the attacks, however, is the unusual obfuscation approach, likely generated using an LLM, that uses business-related language to disguise the phishing content of the SVG files.
“First, the start of the SVG code is structured like a legitimate business analytics dashboard,” Microsoft says. “This tactic is designed to mislead anyone who casually inspects the file into thinking that the SVG’s sole purpose is to visualize business data. In reality, it is a decoy.”
The second aspect is the payload's core functionality: redirecting the user to the initial phishing landing page, triggering browser fingerprinting, and starting session tracking. This is obfuscated using long sequences of business-related terms such as revenue, operations, risk, quarterly, growth, or equities.
Microsoft said it ran the code through Security Copilot, which found that the program “is not something a human would typically write from scratch due to its complexity, redundancy and lack of practical utility.” Some of the indicators used to reach that conclusion include overly descriptive and redundant naming for functions and variables; a highly modular and over-engineered code structure; generic and redundant comments; a formulaic approach to obfuscation using business terms; and the use of CDATA sections and XML declarations in the SVG file in an attempt to mimic documentation examples.
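The SVG features described above (embedded script, event handlers, invisible elements, CDATA and XML declarations) and the business-vocabulary padding lend themselves to a static triage rule. The following is an added example, not code from Microsoft or this article: it scans an SVG attachment for active content and hidden elements and measures how much of any embedded script is business vocabulary. The sample SVG and the term list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for this example (not the campaign's file): a "dashboard"
# decoy with an XML declaration, a CDATA-wrapped script and an invisible group.
SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="300">
  <title>Quarterly Revenue Dashboard</title>
  <rect x="10" y="10" width="380" height="280" fill="#eef"/>
  <g opacity="0"><text x="0" y="0">hidden</text></g>
  <script><![CDATA[
    // Generic comment: initialise quarterly revenue operations risk growth equities
    var quarterlyRevenueOperationsRiskSequence = ["revenue","operations","risk","quarterly","growth","equities"];
  ]]></script>
</svg>
"""

# Vocabulary the article says the script was padded with; extend per environment.
BUSINESS_TERMS = {"revenue", "operations", "risk", "quarterly", "growth", "equities"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)


def scan_svg(svg_text):
    """Collect the static indicators the article describes for a scriptable SVG."""
    f = {"xml_declaration": svg_text.lstrip().startswith("<?xml"),
         "cdata": "<![CDATA[" in svg_text, "script_elements": 0,
         "event_handlers": 0, "js_links": 0, "invisible_elements": 0,
         "business_term_ratio": 0.0}
    script_text = []
    for el in ET.fromstring(svg_text).iter():
        # Strip namespace prefixes such as {http://www.w3.org/2000/svg}
        attrs = {k.rsplit("}", 1)[-1]: v for k, v in el.attrib.items()}
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            f["script_elements"] += 1
            script_text.append(el.text or "")
        f["event_handlers"] += sum(1 for k in attrs if EVENT_ATTR.match(k))
        if attrs.get("href", "").strip().lower().startswith("javascript:"):
            f["js_links"] += 1
        style = attrs.get("style", "").replace(" ", "").lower()
        if (attrs.get("opacity") == "0" or attrs.get("visibility") == "hidden"
                or "display:none" in style):
            f["invisible_elements"] += 1
    # Split camelCase identifiers and comments into words; how much is business vocabulary?
    words = [w.lower() for w in re.findall(r"[A-Z]?[a-z]+", " ".join(script_text))]
    if words:
        f["business_term_ratio"] = sum(w in BUSINESS_TERMS for w in words) / len(words)
    return f


def is_suspicious(findings):
    """Any active content inside an image attachment is worth quarantining for review."""
    return bool(findings["script_elements"] or findings["event_handlers"] or findings["js_links"])
```

The ratio is a triage signal, not proof of LLM authorship; a high value on top of any active content is what should route the file to an analyst.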
“The campaign was limited in scope and was effectively blocked, but similar techniques are increasingly being utilized by a variety of threat actors,” Microsoft said.
The disclosure comes as Forcepoint detailed a multi-stage attack sequence that uses a phishing email with a .xlam attachment to run shellcode, which ultimately deploys the XWorm RAT via a secondary payload while displaying a blank or corrupted Office file as a decoy. The secondary payload acts as a conduit for loading .dll files into memory.

“The second-stage .dll file loaded from memory uses heavy obfuscation, packing and encryption techniques,” Forcepoint said. “This second-stage .DLL file used reflective DLL injection to load another .DLL file into memory, which caused the final malware to run.”
“The final step is to perform process injection into its own main executable, maintaining persistence and exfiltrating data to its command-and-control server. We found that the C2s to which the data is exfiltrated are related to the XWorm family.”

Over the past few weeks, phishing attacks have also adopted U.S. Social Security Administration and copyright-related lures to distribute ScreenConnect ConnectWise and information stealers such as Lone None Stealer (Connectine) and PureLogs Stealer, respectively.
“The campaign impersonates various law firms, typically claiming that copyright-infringing content on the victim’s website or social media pages needs to be taken down,” the email security company says of the second set of attacks. “This campaign is notable for using a novel Telegram bot profile page and for its evolving complexity, seen across initial payloads, obfuscated Python script payloads, and multiple iterations of campaign samples.”