Phishing attacks have long relied on deceiving individuals into divulging sensitive information. However, a recent campaign has escalated this threat by not only targeting users but also attempting to manipulate AI-based security defenses. This sophisticated approach represents an evolution from previous Gmail phishing strategies, introducing hidden AI prompts designed to confuse automated analysis systems.
The Phishing Email: A Deceptive Facade
The attack begins with an email bearing the subject line: Login Expiry Notice 8/20/2025 4:56:21 p.m. The message warns the recipient that their password is about to expire, urging them to confirm their credentials promptly. This tactic leverages urgency and impersonates official Gmail branding to provoke a quick, unthinking response from the user.
Prompt Injection: Undermining AI Defenses
The true innovation of this campaign lies beneath the surface. Embedded within the email’s source code are texts crafted in the style of prompts for large language models like ChatGPT or Gemini. This prompt injection technique aims to hijack AI-powered security tools that Security Operations Centers (SOCs) increasingly use for threat classification.
Instead of identifying the malicious links and flagging the email, an AI model might be distracted by the injected instructions. These commands can lead the AI into long reasoning loops or generate irrelevant perspectives, effectively causing automated systems to misclassify the threat, delay critical alerts, or allow the phishing attempt to bypass defenses entirely.
Sophisticated Delivery Chain: A Multi-Layered Approach
The attackers employ a complex delivery chain to enhance the credibility and effectiveness of their phishing attempt:
1. Email Delivery: The phishing email originates from SendGrid, a reputable email delivery service. It successfully passes SPF and DKIM checks but fails DMARC, allowing it to land in the user’s inbox.
2. Staging Redirect: The initial link in the email uses Microsoft Dynamics to create a trustworthy-looking first hop.
3. Attacker Domain with CAPTCHA: The redirect leads to a page with a CAPTCHA designed to block automated crawlers and sandboxes from accessing the final phishing site.
4. Main Phishing Site: After the CAPTCHA, the user is directed to a Gmail-themed login page containing obfuscated JavaScript.
5. GeoIP Request: The phishing site collects the victim’s IP address, ASN, and geolocation data to profile the user and filter out analysis environments.
6. Beacon Call: A telemetry beacon or session tracker is used to distinguish real users from bots.
By leveraging SendGrid, the attackers bypass initial email filters. The use of a legitimate Microsoft Dynamics URL for the first redirect adds an additional layer of trustworthiness. The CAPTCHA serves to deter automated scanners, and the final phishing page employs multi-layered, obfuscated JavaScript to steal credentials.
Geographical Indicators: Clues to Attribution
While definitive attribution is challenging, certain clues suggest a possible link to threat actors in South Asia. WHOIS records for the attacker’s domain list contact information in Pakistan, and URL paths for telemetry beacons contain Hindi/Urdu words. These indicators, though not conclusive, provide valuable context for understanding the potential origins of the attack.
Implications: A New Era of AI-Aware Threats
This campaign highlights a clear evolution in phishing tactics. Attackers are now constructing AI-aware threats, attempting to poison the very tools designed to defend against them. This development necessitates a shift in defensive strategies, requiring organizations to protect not only their users from social engineering but also their AI tools from prompt manipulation.
