Microsoft Uncovers AI-Enhanced Phishing Tactics Using LLM-Generated SVG Files

Microsoft has recently identified a sophisticated phishing campaign targeting organizations in the United States. This campaign employs code generated by large language models (LLMs) to obfuscate malicious payloads, effectively evading traditional security defenses.

The Microsoft Threat Intelligence team reported that the attackers utilized LLMs to embed obfuscated code within Scalable Vector Graphics (SVG) files. This technique leverages business-related terminology and synthetic structures to mask the malicious intent of the code. The campaign was first detected on August 28, 2025, highlighting the increasing integration of artificial intelligence tools by cybercriminals to enhance the effectiveness of their attacks.

Attack Methodology

The attack begins with cybercriminals compromising legitimate business email accounts. These accounts are then used to send phishing emails that appear to be file-sharing notifications. The emails contain what seems to be a PDF document but is actually an SVG file. Notably, the attackers employ a self-addressed email tactic, where the sender and recipient addresses are identical, with actual targets concealed in the BCC field. This strategy helps bypass basic detection mechanisms.

SVG files are particularly attractive to attackers because they are text-based and scriptable, allowing the embedding of JavaScript and other dynamic content directly within the file. This capability enables the delivery of interactive phishing payloads that appear benign to both users and many security tools. Additionally, SVG files support features such as invisible elements, encoded attributes, and delayed script execution, making them ideal for evading static analysis and sandboxing.

Upon opening the SVG file, the user is redirected to a page that presents a CAPTCHA for security verification. Completing the CAPTCHA likely leads the user to a counterfeit login page designed to harvest credentials. Microsoft’s systems flagged and neutralized the threat before the exact next stage could be determined.

Obfuscation Techniques

A distinguishing feature of this attack is its unique obfuscation approach, which uses business-related language to disguise the phishing content within the SVG file. This suggests that the code may have been generated using an LLM. The SVG code is structured to resemble a legitimate business analytics dashboard, misleading casual inspectors into believing the file’s purpose is to visualize business data. In reality, this is a decoy.

Furthermore, the core functionality of the payload—redirecting users to the phishing landing page, triggering browser fingerprinting, and initiating session tracking—is obscured using a sequence of business-related terms such as revenue, operations, risk, quarterly, growth, and shares.

Microsoft’s Security Copilot analyzed the code and concluded that it is unlikely to have been written by a human from scratch due to its complexity, verbosity, and lack of practical utility. Indicators supporting this conclusion include overly descriptive and redundant naming for functions and variables, a highly modular and over-engineered code structure, generic and verbose comments, and formulaic techniques to achieve obfuscation.
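A defender-side triage check for the traits described in the two sections above, added here as an illustration and not code from Microsoft's report. It parses a constructed message, flags the self-addressed pattern (From equals To while the delivered-to recipient appears in neither To nor Cc), and statically inspects any SVG attachment for script elements, event-handler attributes, `javascript:`/`data:` hrefs, invisible elements and delayed execution. The addresses, filenames and the decoy SVG are constructed samples. Because the checks key on SVG structure rather than on what the script's identifiers are called, business-vocabulary naming of the kind described above does not help a file pass them.

```python
"""Triage an e-mail for a self-addressed envelope and a scriptable SVG attachment.

Constructed example for illustration; addresses, filenames and the SVG are hypothetical.
Note: xml.etree is used for brevity. For attacker-controlled input in production,
parse with defusedxml to avoid entity-expansion tricks.
"""
import base64
import email
import email.utils
from email import policy
import xml.etree.ElementTree as ET

# Constructed decoy: a "dashboard" of bars, a hidden text node, a javascript: link
# and a delayed redirect to a reserved .invalid domain. Not the real sample.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="200">
  <title>Quarterly Revenue Dashboard</title>
  <rect x="10" y="40" width="50" height="120" fill="#4a90d9"/>
  <rect x="70" y="80" width="50" height="80" fill="#4a90d9"/>
  <text x="10" y="30" opacity="0">quarterly growth shares</text>
  <a xlink:href="javascript:void(0)"><rect x="130" y="100" width="50" height="60"/></a>
  <script><![CDATA[
    function renderQuarterlyGrowthDashboard() { /* decoy */ }
    setTimeout(function () { window.location = "https://example.invalid/verify"; }, 2000);
  ]]></script>
</svg>
"""

# Constructed message: sender and To are identical; the real recipient only
# appears in Delivered-To (i.e. was addressed via Bcc). Attachment is an SVG
# whose filename is made to look like a PDF.
SAMPLE_EML = (
    b"From: finance@example-corp.invalid\n"
    b"To: finance@example-corp.invalid\n"
    b"Delivered-To: employee@target.invalid\n"
    b"Subject: Shared file: Q3_report.pdf\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nA file has been shared with you.\n"
    b'--b1\nContent-Type: image/svg+xml; name="Q3_report.pdf.svg"\n'
    b'Content-Disposition: attachment; filename="Q3_report.pdf.svg"\n'
    b"Content-Transfer-Encoding: base64\n\n"
    + base64.encodebytes(SAMPLE_SVG)
    + b"--b1--\n"
)


def _local(tag):
    """Strip the XML namespace from a tag or attribute name."""
    return tag.rsplit("}", 1)[-1]


def _addrs(values):
    return {addr.lower() for _, addr in email.utils.getaddresses(values) if addr}


def is_self_addressed(msg):
    """True when every visible recipient is the sender and the actual
    delivered-to address is absent from To/Cc (the Bcc-only pattern)."""
    sender = _addrs(msg.get_all("From", []))
    visible = _addrs(msg.get_all("To", []) + msg.get_all("Cc", []))
    delivered = _addrs(msg.get_all("Delivered-To", []))
    return bool(sender) and visible <= sender and not (delivered & visible)


def analyze_svg(data):
    """Return a list of static findings for scriptable or hidden SVG content."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["unparseable XML (%s)" % exc]
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("script element")
            text = "".join(el.itertext())
            if "setTimeout" in text or "setInterval" in text:
                findings.append("delayed script execution")
        if name == "foreignObject":
            findings.append("foreignObject (embedded HTML)")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            v = value.strip().lower().replace(" ", "")
            if a.startswith("on"):
                findings.append("event handler attribute %s" % a)
            if a == "href" and (v.startswith("javascript:") or v.startswith("data:")):
                findings.append("scriptable/encoded href on <%s>" % name)
            hidden_style = a == "style" and ("display:none" in v or "visibility:hidden" in v)
            if (a == "opacity" and v in ("0", "0.0")) or hidden_style:
                findings.append("invisible element <%s>" % name)
    return findings


def looks_like_svg(part):
    """Sniff content rather than trusting the declared type or file name."""
    if part.get_content_type() == "image/svg+xml":
        return True
    head = (part.get_payload(decode=True) or b"")[:512].lower()
    return b"<svg" in head


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"self_addressed": is_self_addressed(msg), "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        entry = {"filename": name, "is_svg": looks_like_svg(part), "findings": []}
        if entry["is_svg"]:
            entry["findings"] = analyze_svg(part.get_payload(decode=True))
            if ".pdf" in name.lower():
                entry["findings"].append("SVG content with PDF-looking filename")
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run as-is to see the report for the constructed message; in a mail-gateway hook, feed `triage()` the raw RFC 822 bytes and quarantine when `self_addressed` is true together with any non-empty `findings` on an attachment.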

Implications and Recommendations

This incident underscores the evolving nature of cyber threats, with attackers increasingly leveraging AI tools to enhance the sophistication and effectiveness of their campaigns. Organizations must remain vigilant and adapt their security measures to counteract these advanced tactics.

To mitigate such threats, Microsoft recommends implementing robust email filtering solutions capable of detecting and blocking malicious attachments, even those employing advanced obfuscation techniques. Regularly updating security protocols and educating employees about the latest phishing tactics are also crucial steps in defending against these evolving threats.

As cybercriminals continue to exploit AI technologies to develop more convincing and evasive phishing campaigns, it is imperative for organizations to stay informed and proactive in their cybersecurity efforts.