Particle.news

Microsoft Blocks AI-Aided Phishing That Hid Malicious Code in SVG File

Microsoft says verbose, business-themed obfuscation in the SVG showed LLM hallmarks, creating artifacts that defenders can now use to spot similar attacks.

Overview

  • The campaign targeted U.S. organizations using a compromised small-business mailbox to send self-addressed emails with real recipients hidden in Bcc and an attachment named like a PDF but actually an SVG.
  • The file (“23mb – PDF- 6 pages.svg”) redirected users to a CAPTCHA page and was likely intended to lead to a fake sign-in form to harvest credentials, though later stages were blocked.
  • The SVG was structured as a faux business analytics dashboard, with business terms such as revenue and operations encoded as hidden attributes that JavaScript decoded into malicious actions like redirects, fingerprinting, and session tracking.
  • Microsoft’s Security Copilot assessed the code as almost certainly LLM-assisted based on overly descriptive naming, over-engineered modularity, verbose generic comments, formulaic obfuscation, and unusual CDATA/XML usage.
  • Defender for Office 365 stopped the attack by flagging message-context anomalies and a known phishing domain. Microsoft urged customers to enable Safe Links, zero-hour auto purge (ZAP), phishing-resistant authentication, and cloud-delivered protection; other vendors noted concurrent multi-stage campaigns involving .XLAM files and the XWorm RAT.
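The traits listed above (a PDF-sounding name on an SVG, a CDATA-wrapped script, and hidden elements loaded with business-themed attributes) can be turned into a simple attachment triage check. The following Python is an added example written for this page, not Microsoft's detection logic; the sample SVG is constructed, its script body is an inert placeholder, and the scoring threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the real attachment): an SVG named like a PDF,
# a hidden "dashboard" group with business-themed data-* attributes, and a
# CDATA-wrapped script whose body is an inert placeholder.
SAMPLE_NAME = "23mb - PDF- 6 pages.svg"
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
  <g id="dashboard" style="display:none"
     data-revenue="Ym9ndXM=" data-operations="ZGVjb3k=" data-growth="bm9uZQ==">
    <text x="10" y="20">Revenue overview</text>
  </g>
  <script type="text/javascript"><![CDATA[
    // constructed placeholder; a real sample would decode the attributes above
  ]]></script>
</svg>"""

SVG_NS = "{http://www.w3.org/2000/svg}"

def analyze_svg_attachment(filename: str, data: bytes) -> dict:
    """Return the suspicious traits found in one SVG attachment and a score."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    # Lure check: the name advertises a PDF but the file is an SVG.
    if filename.lower().endswith(".svg") and re.search(r"\bpdf\b", filename, re.I):
        findings.append("pdf_named_svg")
    # CDATA markers are consumed by XML parsers, so look for them in the raw text.
    if "<![CDATA[" in text:
        findings.append("cdata_section")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {"findings": findings + ["unparseable_xml"], "score": len(findings) + 1}
    # Active content: <script> elements and on* event-handler attributes.
    if root.findall(f".//{SVG_NS}script"):
        findings.append("script_element")
    if any(a.lower().startswith("on") for el in root.iter() for a in el.attrib):
        findings.append("event_handler_attribute")
    # Hidden elements carrying several data-* attributes: nothing to render,
    # but plenty of encoded content for a script to decode.
    for el in root.iter():
        hidden = "display:none" in el.get("style", "").replace(" ", "")
        custom = [a for a in el.attrib if a.startswith("data-")]
        if hidden and len(custom) >= 2:
            findings.append(f"hidden_element_with_{len(custom)}_data_attrs")
    return {"findings": findings, "score": len(findings)}

def is_suspicious(filename: str, data: bytes, threshold: int = 3) -> bool:
    """Assumed policy: three or more traits marks the attachment for review."""
    return analyze_svg_attachment(filename, data)["score"] >= threshold

if __name__ == "__main__":
    print(analyze_svg_attachment(SAMPLE_NAME, SAMPLE_SVG))
```

A benign logo SVG with no script, CDATA or hidden data-bearing elements scores zero under these checks, so the rule can sit in a mail gateway's attachment pipeline without flagging ordinary graphics.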