
Hackers Leverage AI-Generated Code to Obfuscate Its Payload and Evade Traditional Defenses

Cybercriminals are increasingly turning to artificial intelligence to enhance their attack capabilities, as demonstrated in a sophisticated phishing campaign recently uncovered by security researchers.

The campaign represents a significant evolution in malware obfuscation techniques, utilizing AI-generated code to disguise malicious payloads within seemingly legitimate business documents.

This development marks a concerning shift in the threat landscape, where attackers leverage the same AI technologies that defenders use to protect organizations.

The campaign, which primarily targeted US-based organizations, employed a unique approach to payload concealment that diverged from traditional cryptographic obfuscation methods.

Instead of relying on conventional encryption techniques, threat actors used AI to generate complex code structures that mimicked legitimate business analytics dashboards and employed business terminology to mask malicious functionality.

Phishing email example (Source – Microsoft)

The sophistication of this approach suggests a deliberate attempt to evade both automated detection systems and human analysis.

Microsoft researchers identified the campaign after detecting suspicious email activity that exhibited characteristics inconsistent with typical human-crafted malware.

The analysis revealed that the malicious code displayed levels of complexity, verbosity, and structural patterns that strongly indicated AI assistance in its creation.

Microsoft Security Copilot’s assessment concluded that the code was “not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility.”

Security verification prompt (Source – Microsoft)

The attack vector leveraged compromised small business email accounts to distribute phishing messages designed to steal user credentials.

Attackers employed a self-addressed email tactic, where sender and recipient addresses matched while actual targets remained hidden in the BCC field, attempting to bypass basic detection heuristics.

The email content was carefully crafted to resemble file-sharing notifications, creating an appearance of legitimacy that would encourage recipients to interact with the malicious attachment.

Central to the campaign’s success was its use of SVG (Scalable Vector Graphics) files as the primary attack vehicle. The malicious file, named “23mb – PDF- 6 pages.svg,” was designed to appear as a legitimate PDF document despite its SVG extension.

This choice proved strategic, as SVG files are text-based and scriptable, allowing attackers to embed JavaScript and other dynamic content directly within the file structure while maintaining the appearance of benign graphics files.

Business Terminology Obfuscation Technique

The most innovative aspect of this campaign lies in its sophisticated obfuscation methodology, which represents a departure from conventional malware concealment techniques.

Rather than employing traditional cryptographic obfuscation, the attackers utilized AI to generate code that systematically disguised malicious functionality using business-related terminology and synthetic organizational structures.

The SVG file’s initial structure was meticulously crafted to resemble a legitimate Business Performance Dashboard, complete with chart bars, month labels, and analytical elements.

However, these components were rendered completely invisible to users through opacity settings of zero and transparent fill attributes.

This deceptive layer served as a decoy, designed to mislead casual inspection while concealing the file’s true malicious purpose.

<!-- Background -->
<rect width="100%" height="100%" fill="transparent" opacity="0" />
<!-- Title -->
<text x="400" y="40" text-anchor="middle" font-family="Arial" font-size="24" font-weight="bold"
      fill="transparent" opacity="0">
Business Performance Dashboard
</text>
<!-- Chart bars -->
<rect x="100" y="200" width="60" height="201" fill="transparent" rx="5" opacity="0" />

The payload’s core functionality was hidden within a sophisticated encoding scheme that utilized an extensive sequence of business-related terms.

Words such as “revenue,” “operations,” “risk,” and “shares” were concatenated into a hidden data-analytics attribute of an invisible text element within the SVG structure.

This creative approach transformed what appeared to be harmless business metadata into functional malicious code.

Embedded JavaScript systematically processed these business-related terms through multiple transformation steps, mapping pairs or sequences of terms to specific characters or instructions.

As the script executed, it decoded the sequence and reconstructed the hidden functionality, enabling browser redirection, fingerprinting, and session tracking capabilities.

This methodology demonstrated how AI-generated obfuscation could create entirely new paradigms for payload concealment while maintaining functional effectiveness.
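As an added example (not code from the article or from Microsoft's report), the following Python script turns the three observations above into triage heuristics for an SVG attachment: drawable elements hidden with opacity 0 or a transparent fill, an inline script element, and a data-* attribute whose value is a long run of words drawn from a small business vocabulary (the shape of a term-to-character codebook rather than of real metadata). The two SVG documents, the word list and the score thresholds are constructed for illustration and are not the campaign's actual file.

```python
"""Triage heuristics for SVG attachments that hide a decoy dashboard and a
word-encoded payload. Added example; thresholds and samples are assumptions."""
import re
import xml.etree.ElementTree as ET

# Vocabulary named in the article plus a few similar terms (assumed; a real
# deployment would use a larger list).
BUSINESS_WORDS = {
    "revenue", "operations", "risk", "shares", "growth", "assets",
    "profit", "margin", "quarter", "forecast",
}

# Constructed sample mirroring the described structure: invisible "dashboard"
# decoy elements, a data-analytics attribute stuffed with business words, and
# an inline <script>. It is not the real attachment.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
  <!-- Background -->
  <rect width="100%" height="100%" fill="transparent" opacity="0" />
  <text x="400" y="40" font-size="24" fill="transparent" opacity="0">Business Performance Dashboard</text>
  <rect x="100" y="200" width="60" height="201" fill="transparent" rx="5" opacity="0" />
  <text opacity="0" data-analytics="revenue operations risk shares revenue growth operations risk shares assets revenue operations revenue shares risk growth assets operations risk revenue">Q3</text>
  <script>/* decoder would live here */</script>
</svg>"""

# Constructed benign chart for comparison: visible shapes, short metadata, no script.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <rect x="10" y="10" width="60" height="80" fill="#4a90d9" />
  <text x="100" y="50" data-analytics="chart-1">Q3</text>
</svg>"""

DRAWABLE = {"rect", "text", "circle", "path", "line", "polygon", "ellipse", "g"}


def local_name(el):
    """Strip the XML namespace from an element tag ('{...}rect' -> 'rect')."""
    return el.tag.split("}")[-1]


def is_invisible(el):
    """Drawable element that never shows on screen: opacity 0 or transparent fill."""
    if local_name(el) not in DRAWABLE:
        return False
    try:
        zero_opacity = float(el.get("opacity", "1")) == 0.0
    except ValueError:
        zero_opacity = False
    return zero_opacity or el.get("fill", "").strip().lower() == "transparent"


def codebook_attributes(el, min_tokens=16, min_hit_ratio=0.8):
    """data-* attributes holding a long run of dictionary words from a tiny vocabulary.
    Returns (attribute name, token count, distinct token count) per hit."""
    found = []
    for name, value in el.attrib.items():
        if not name.startswith("data-"):
            continue
        tokens = re.findall(r"[a-z]+", value.lower())
        if len(tokens) < min_tokens:
            continue
        hits = sum(tok in BUSINESS_WORDS for tok in tokens)
        if hits / len(tokens) >= min_hit_ratio:
            found.append((name, len(tokens), len(set(tokens))))
    return found


def analyze_svg(svg_text):
    """Combine the three signals into a score; any two together mark the file suspicious."""
    root = ET.fromstring(svg_text)
    elements = list(root.iter())
    invisible = [el for el in elements if is_invisible(el)]
    scripts = [el for el in elements if local_name(el) == "script"]
    codebooks = []
    for el in elements:
        codebooks.extend(codebook_attributes(el))

    score, reasons = 0, []
    if scripts:
        score += 3
        reasons.append(f"{len(scripts)} inline <script> element(s)")
    if len(invisible) >= 2:
        score += 2
        reasons.append(f"{len(invisible)} invisible drawable element(s) (opacity 0 / transparent fill)")
    if codebooks:
        score += 3
        reasons.append("codebook-like data-* attribute(s): " + ", ".join(
            f"{n} ({t} tokens, {u} distinct)" for n, t, u in codebooks))
    return {
        "scripts": len(scripts),
        "invisible_elements": len(invisible),
        "codebook_attributes": codebooks,
        "score": score,
        "verdict": "suspicious" if score >= 5 else "benign",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, doc in (("constructed decoy", SAMPLE_SVG), ("benign chart", BENIGN_SVG)):
        result = analyze_svg(doc)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

The distinct-token count is the useful part of the third signal: real analytics metadata tends to vary, while a codebook repeats a handful of words many times, so a large token count with a small distinct count is the pattern to alert on. The decoy sample scores 8 (script, four invisible elements, one 20-token attribute built from six words) and the benign chart scores 0.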

The post Hackers Leverage AI-Generated Code to Obfuscate Its Payload and Evade Traditional Defenses appeared first on Cyber Security News.

Source: cybersecuritynews.com
