
AI-Powered Phishing Attacks Leverage LLM-Crafted SVGs to Evade Email Security

Updated: 23 hours ago

Microsoft has identified a sophisticated new phishing campaign targeting U.S. organizations, which appears to be utilizing Large Language Models (LLMs) to craft malicious Scalable Vector Graphics (SVG) files. These AI-generated files are designed to obfuscate malicious payloads and bypass traditional email security defenses, marking a significant advancement in cyber threat tactics.


Key Takeaways

  • Threat actors are increasingly using AI tools like LLMs to enhance phishing attacks.

  • SVG files are being exploited due to their scriptable nature and ability to embed dynamic content.

  • LLM-generated code exhibits unusual complexity and verbosity, often using business jargon for obfuscation.

The Evolving Threat Landscape

Microsoft's Threat Intelligence team observed a phishing campaign on August 28, 2025, where attackers leveraged compromised business email accounts to distribute malicious messages. These messages, disguised as file-sharing notifications, contained an SVG file instead of the expected PDF. The use of a self-addressed email tactic, with targets hidden in the BCC field, further aided in bypassing initial detection mechanisms.
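The delivery pattern described above (sender and visible recipient identical, a "file shared" lure promising a PDF, an SVG attachment instead) can be scored at the mail gateway before the attachment is ever opened. The following Python is an added example written for this article, not code from Microsoft or BetterWorld Technology; the message it triages is constructed here, and the scoring weights and lure word list are assumptions to be tuned against real mail flow.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample message (not taken from the Microsoft report): a self-addressed
# "file shared" lure whose text promises a PDF but whose attachment is an SVG.
SAMPLE_EML = b"""From: finance@example-corp.test
To: finance@example-corp.test
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

A PDF has been shared with you. Open the attachment to review it.

--b1
Content-Type: image/svg+xml; name="Q3_Report.pdf.svg"
Content-Disposition: attachment; filename="Q3_Report.pdf.svg"

<svg xmlns="http://www.w3.org/2000/svg"></svg>
--b1--
"""

# Assumed lure vocabulary and document extensions; extend from your own telemetry.
LURE_WORDS = ("shared", "pdf", "document", "review")
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx")


def triage_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message for the self-addressed SVG lure pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    senders = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    recipients = {a.lower() for _, a in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    # Self-addressed mail: the visible recipient is the sender; real targets sit in BCC.
    self_addressed = bool(senders & recipients)

    svg_attachments, double_extensions = [], []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".svg") or part.get_content_type() == "image/svg+xml":
            svg_attachments.append(name)
            # "report.pdf.svg": a document extension hidden in front of .svg
            stem = name[:-4] if name.endswith(".svg") else name
            if stem.rsplit(".", 1)[-1] in DOCUMENT_EXTENSIONS:
                double_extensions.append(name)

    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    lure_hits = [w for w in LURE_WORDS if w in text]
    # The lure talks about a PDF but the only attachment is an SVG.
    pdf_promised_svg_sent = "pdf" in text and bool(svg_attachments)

    score = ((1 if self_addressed else 0) + (2 if svg_attachments else 0)
             + (2 if pdf_promised_svg_sent else 0) + (1 if double_extensions else 0))
    verdict = "suspicious" if score >= 3 else ("review" if score else "clean")
    return {
        "self_addressed": self_addressed,
        "svg_attachments": svg_attachments,
        "double_extensions": double_extensions,
        "lure_hits": lure_hits,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_message(SAMPLE_EML))
```

A message that only trips one indicator (for example a legitimate self-addressed reminder) stays at "review"; the combination of a self-addressed header, an SVG attachment and a lure that promises a different file type is what pushes the score into "suspicious".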

Exploiting SVG Files

SVG files are attractive to attackers because they are text-based and can embed JavaScript and other dynamic content. This allows for interactive phishing payloads that can appear benign to both users and many security tools. Features like invisible elements, encoded attributes, and delayed script execution make SVGs ideal for evading static analysis and sandboxing.

AI-Driven Obfuscation Techniques

What sets this campaign apart is the unusual obfuscation approach, which appears to be AI-generated. The SVG code was structured to mimic a legitimate business analytics dashboard, serving as a decoy. The core functionality, designed to redirect users to a fake login page for credential harvesting, was obscured using a long sequence of business-related terms such as "revenue," "operations," "risk," and "growth."

Microsoft's Security Copilot analyzed the code and flagged it as atypical for human creation due to its complexity, verbosity, and lack of practical utility. Indicators included overly descriptive naming, a highly modular structure, generic comments, and formulaic obfuscation techniques using business terminology.
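The structural indicators from the "Exploiting SVG Files" section (inline script, event-handler attributes, invisible elements, delayed execution) and the stylistic indicators listed above (overly descriptive names, business-jargon identifiers) can both be checked with a static pass over the SVG's XML. The Python below is an added example for this article, not Security Copilot's logic or any Microsoft code; the decoy SVG it inspects is constructed here, and the jargon vocabulary and thresholds are assumptions to calibrate on your own samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample SVG (not the campaign's file): a "business dashboard" decoy with an
# invisible element, an inline script, delayed execution and jargon-built identifiers.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="800" height="600">
  <title>Quarterly Business Analytics Dashboard</title>
  <rect x="0" y="0" width="800" height="600" fill="#f4f4f4"/>
  <text x="20" y="40">Revenue Operations Overview</text>
  <rect id="hiddenCanvas" width="1" height="1" opacity="0"/>
  <a xlink:href="#" onclick="initializeDashboardWorkflow()">Open report</a>
  <script type="text/javascript"><![CDATA[
    // Generic comment: initialize the business analytics module
    var strategicBusinessTerminologySequence = ["revenue", "operations", "risk", "growth", "revenue", "risk"];
    var enterprisePerformanceMetricsRegistry = {revenue: 0, operations: 1, risk: 2, growth: 3};
    function initializeDashboardWorkflow() {
      var decodedOperationalDirective = strategicBusinessTerminologySequence
        .map(function (t) { return enterprisePerformanceMetricsRegistry[t]; }).join("");
      setTimeout(function () { console.log(decodedOperationalDirective); }, 1500);
    }
  ]]></script>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>"""

# Assumed jargon vocabulary; the campaign's own term list is not reproduced on the page.
BUSINESS_TERMS = {"revenue", "operations", "operational", "risk", "growth", "business",
                  "enterprise", "strategic", "strategy", "performance", "metrics",
                  "analytics", "dashboard", "workflow", "directive", "registry",
                  "terminology", "kpi", "portfolio", "stakeholder"}


def local(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def words_of(identifier: str) -> list:
    """Split a camelCase identifier into lowercase words."""
    return [w.lower() for w in re.findall(r"[A-Z]?[a-z]+", identifier)]


def analyze_svg(svg_text: str) -> dict:
    """Collect structural and stylistic risk indicators from one SVG document."""
    root = ET.fromstring(svg_text)
    findings, script_text = [], []
    for el in root.iter():
        name = local(el.tag)
        if name == "script":
            findings.append("inline <script> element")
            script_text.append(el.text or "")
        if name == "foreignObject":
            findings.append("foreignObject (can embed arbitrary HTML)")
        for attr, value in el.attrib.items():
            a, v = local(attr).lower(), value.strip().lower()
            if a.startswith("on"):                       # onclick, onload, ...
                findings.append(f"event handler {a} on <{name}>")
                script_text.append(value)
            if a == "href" and v.startswith(("javascript:", "data:")):
                findings.append(f"{v.split(':')[0]}: URI in href on <{name}>")
        style = el.attrib.get("style", "").replace(" ", "").lower()
        if (el.attrib.get("opacity") == "0" or el.attrib.get("visibility") == "hidden"
                or "opacity:0" in style or "display:none" in style):
            findings.append(f"invisible <{name}> element")

    joined = "\n".join(script_text)
    if re.search(r"\bset(Timeout|Interval)\s*\(", joined):
        findings.append("delayed execution via setTimeout/setInterval")
    if re.search(r"\b(atob|unescape)\s*\(|fromCharCode", joined):
        findings.append("runtime decoding in script")

    # Stylistic signal: how much of the identifier vocabulary is business jargon,
    # and how many identifiers are unusually long ("overly descriptive naming").
    idents = set(re.findall(r"\b[A-Za-z_][A-Za-z0-9_]{3,}\b", joined))
    words = [w for ident in idents for w in words_of(ident)]
    jargon_ratio = sum(w in BUSINESS_TERMS for w in words) / len(words) if words else 0.0
    long_identifiers = sum(len(i) >= 20 for i in idents)
    if jargon_ratio >= 0.3 and long_identifiers >= 2:
        findings.append("jargon-heavy, overly descriptive identifiers")

    has_code = any(f.startswith(("inline <script>", "event handler")) for f in findings)
    verdict = "suspicious" if has_code and len(findings) >= 3 else ("review" if findings else "clean")
    return {"findings": findings, "jargon_ratio": round(jargon_ratio, 3),
            "long_identifiers": long_identifiers, "verdict": verdict}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        print(label, analyze_svg(doc))
```

The structural checks alone are enough to quarantine an SVG that carries script, which is the sensible default for an attachment that claims to be a document; the jargon and identifier-length heuristic is a secondary signal for triage and hunting, since a human can write verbose code too and a model can be asked to write terse code.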

Broader Implications

While this specific campaign was limited and effectively blocked by Microsoft, the techniques observed are becoming more prevalent among various threat actors. This development underscores the growing need for advanced security solutions capable of detecting AI-assisted malicious activities. Other recent phishing attacks have employed lures related to government agencies and copyright infringement to distribute malware like ScreenConnect and information stealers, highlighting the diverse and evolving nature of cyber threats.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

