Microsoft says cybercriminals are now using artificial intelligence to hide their phishing scams, and US businesses are already being targeted.
The company’s security team spotted and blocked an email campaign that tried to steal login details.
The team says the attackers likely used an AI model to generate the code, adding complexity that made it harder for legacy defenses to catch.
It starts with fake emails that look like file-sharing notices. Each message had an attachment that seemed to be a six-page PDF. But the file was actually an SVG, a graphics file that can hold hidden code. When opened, it redirected the victim to a fake security page meant to trick them into typing their username and password.
“When opened, the SVG file redirected the user to a webpage that prompted them to complete a CAPTCHA for security verification, a common social engineering tactic used to build trust and delay suspicion. Although our visibility for this incident was limited to the initial landing page due to the activity being detected and blocked, the campaign would have very likely presented a fake sign-in page after the CAPTCHA to harvest credentials.”
The code had giveaway signs of being machine-written. Variables had long, clunky names, and comments were filled with generic business phrases like “Advanced business intelligence data processor.” To anyone peeking inside, it looked like boring business software, not a phishing attack.
The attackers even hid instructions inside common business words such as “revenue” and “operations.” The script later turned those words back into malicious commands that sent users to the fake site and tracked their browsers.
Microsoft says the operation was small, but it mainly targeted US companies. The emails were disguised so that the sender and recipient addresses matched, with real targets tucked into the blind copy field. The trick is often used to dodge basic filters.
A typical phishing campaign is designed to steal usernames and passwords that can be resold on underground markets, used to break into corporate accounts, or even combined with other stolen data for fraud. In many cases, a single compromised login can open the door to sensitive emails, financial systems, or private customer records, which criminals can exploit for direct theft or blackmail.
Disclaimer: Opinions expressed at CapitalAI Daily are not investment advice. Investors should do their own due diligence before making any decisions involving securities, cryptocurrencies, or digital assets. Your transfers and trades are at your own risk, and any losses you may incur are your responsibility. CapitalAI Daily does not recommend the buying or selling of any assets, nor is CapitalAI Daily an investment advisor. See our Editorial Standards and Terms of Use.