Particle.news
Download on the App Store
3 ARTICLES
·
3d ago

Microsoft Blocks AI-Aided Phishing That Hid Malicious Code in SVG File

Microsoft says verbose, business-themed obfuscation in the SVG showed LLM hallmarks, creating artifacts that defenders can now use to spot similar attacks.

Microsoft Flags AI Phishing Attack Hiding in SVG Files
Image
Image

Overview

  • The campaign targeted U.S. organizations using a compromised small-business mailbox to send self-addressed emails with real recipients hidden in Bcc and an attachment named like a PDF but actually an SVG.
  • The file (“23mb – PDF- 6 pages.svg”) redirected users to a CAPTCHA page and was likely intended to lead to a fake sign-in form to harvest credentials, though later stages were blocked.
  • The SVG was structured as a faux business analytics dashboard, with business terms such as revenue and operations encoded as hidden attributes that JavaScript decoded into malicious actions like redirects, fingerprinting, and session tracking.
  • Microsoft’s Security Copilot assessed the code as almost certainly LLM-assisted based on overly descriptive naming, over-engineered modularity, verbose generic comments, formulaic obfuscation, and unusual CDATA/XML usage.
  • Defender for Office 365 stopped the attack by flagging message-context anomalies and a known phishing domain, as Microsoft urged Safe Links, ZAP, phishing-resistant authentication, and cloud-delivered protection, with other vendors noting concurrent multi-stage campaigns involving .XLAM files and XWorm RAT.