Cybercriminals are increasingly exploiting the trust organizations place in artificial intelligence platforms to conduct sophisticated phishing attacks, according to a new report from cybersecurity firm Cato Networks.
The company’s Managed Detection and Response (MDR) service recently uncovered a campaign where threat actors leveraged Simplified AI, a popular marketing platform, to steal Microsoft 365 credentials from US-based organizations.
The attack, discovered in July 2025, successfully compromised at least one US investment firm before being detected and contained.
While the campaign is no longer active, security experts warn it represents a dangerous evolution in cybercrime tactics that could affect organizations across all industries.
Weaponizing Trusted AI Platforms
“Threat actors are no longer relying on suspicious servers or cheap lookalike domains,” the Cato Networks report states.
“Instead, they abuse the reputation and infrastructure of trusted AI platforms that employees already rely on, allowing them to bypass defenses and slip into organizations under the cover of legitimacy.”

The sophisticated attack began with emails impersonating executives from a global pharmaceutical distributor, complete with authentic company logos and executive names verified through LinkedIn.
The emails contained password-protected PDF attachments designed to evade automated security scanners that cannot inspect encrypted files.
The phishing campaign employed a multi-layered approach that exploited both social engineering and technical evasion tactics:
- Initial Contact: Victims received emails appearing to be from pharmaceutical company executives, with passwords for attached PDFs conveniently included in the message body.
- PDF Lure: The documents displayed legitimate company branding and contained links directing users to Simplified AI’s platform at app.simplified.com.
- Trusted Redirect: Users were taken to what appeared to be a legitimate Simplified AI page, displaying the impersonated company’s name alongside Microsoft 365 imagery.
- Credential Harvest: The final step redirected victims to a convincing fake Microsoft 365 login portal designed to steal enterprise credentials.
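A mail-gateway check for the Initial Contact step above, added here as an illustration and not taken from the Cato Networks report: it flags messages that carry an encrypted PDF while the body mentions a password. The function names, the regular expression and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed wording; tune to the languages and phrasing seen in your own mail flow.
PASSWORD_HINT = re.compile(r"\b(?:password|passcode)\b", re.IGNORECASE)


def is_encrypted_pdf(data: bytes) -> bool:
    # Heuristic: an encrypted PDF points to its encryption dictionary with an
    # /Encrypt key in the trailer or cross-reference stream dictionary, and
    # those dictionaries are stored unencrypted, so a byte search finds it.
    return b"%PDF-" in data[:1024] and b"/Encrypt" in data


def flag_message(raw: bytes) -> list[str]:
    """Return names of encrypted PDF attachments sent with a password hint in the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if not PASSWORD_HINT.search(text):
        return []
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            data = part.get_payload(decode=True) or b""
            if is_encrypted_pdf(data):
                flagged.append(name)
    return flagged


def build_sample(encrypted: bool, body: str) -> bytes:
    # Constructed test input: a skeletal PDF trailer, not a file from the campaign.
    trailer = b"trailer\n<< /Root 1 0 R"
    if encrypted:
        trailer += b" /Encrypt 2 0 R"
    pdf = b"%PDF-1.7\n" + trailer + b" >>\n%%EOF\n"
    msg = EmailMessage()
    msg["Subject"] = "Document for review"
    msg.set_content(body)
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="document.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_message(build_sample(True, "The password for the attached file is 4821.")))
```

A hit is a reason to quarantine or route the message for manual review, since the scanner cannot open the attachment itself.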
The attack highlights how cybercriminals are adapting to the rapid adoption of AI tools in corporate environments.
AI marketing platforms like Simplified AI have become commonplace in enterprises, with IT departments routinely whitelisting their domains and allowing employee access.

“For CISOs and IT leaders, approving such services often seems straightforward: allow access, whitelist the domain, and enable the marketing team to innovate,” the report notes.
“But what if the very same platform is leveraged by threat actors to steal from you?”
This incident reflects broader concerns about “shadow AI” usage in enterprises, where employees increasingly rely on AI tools without proper security oversight.
The attackers’ use of established platforms makes detection significantly more challenging for traditional security measures.
Mitigations
Security experts recommend several protective measures:
- Implementing multi-factor authentication on all critical services
- Training employees to carefully handle password-protected attachments
- Monitoring all AI platform usage, including unauthorized applications
- Maintaining continuous inspection of AI traffic rather than implicitly trusting it
- Deploying advanced threat detection capabilities that can identify suspicious behavior patterns
The attack serves as a wake-up call for organizations to reassess their approach to AI platform security, treating AI traffic with the same scrutiny applied to unknown domains while balancing security needs with business innovation requirements.