- Hackers use AI tools to hide phishing code in SVG files disguised as business charts
- Malicious SVGs encoded payloads using business terms, decoded by hidden scripts to steal data
- Microsoft attributes the complex obfuscation to AI-generated code, not typical human-written malware
We’ve all heard of Gen AI being used to craft bodies of convincing phishing emails, however Microsoft researchers have now discovered a campaign in which threat actors took AI use in phishing a step further – to better hide malicious code in plain sight.
In a report shared with TechRadar Pro, Microsoft said it observed a new phishing campaign originating from a compromised email account belonging to a small business. The technique was nothing extraordinary – the attackers sent the message back to the compromised account, and targeted victims through the BCC field – a standard tactic to avoid being spotted.
The email itself shared a malicious file whose goal was to harvest people’s login credentials. It was an SVG file disguised as a PDF. Nothing unusual here, as well. SVG files are scalable vector graphics used for web images. Since they support embedded scripts, they’re exploitable for phishing, as attackers can hide malicious JavaScript inside, bypassing filters and tricking users into clicking harmful links.
But then things get interesting.
Unique method of obfuscation
After analyzing the SVG code, Microsoft found that its method of obfuscation and behavior is rather unique.
“Instead of using cryptographic obfuscation, which is commonly used to obfuscate phishing content, the SVG code in this campaign used business-related language to disguise its malicious activity,” the report reads.
As it turns out, the attackers hid malware inside SVG files by making them look like normal business charts.
The charts were invisible, so anyone opening the file would just see blank graphics.
They also encoded the malicious code as a string of business words like “revenue” and “shares,” and a hidden script would then read those words, decode them, and turn them into actions like redirecting the browser to a phishing site, tracking the user, and collecting browser info.
Essentially, the file looked harmless, but it secretly ran a program that stole data and tracked activity.
This must have been the work of an AI, Microsoft added: “Microsoft Security Copilot assessed that the code was ‘not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility.’”
Add Comment