Phishing has always been about deceiving people. But in this campaign, the attackers weren’t only targeting users; they also attempted to manipulate AI-based defenses.
This is an evolution of the Gmail phishing chain I documented last week. That campaign relied on urgency and redirects, but this one introduces hidden AI prompts designed to confuse automated analysis.
According to Anurag’s analysis, the phishing email arrived with the subject: Login Expiry Notice 8/20/2025 4:56:21 p.m. The body warned the recipient that their password would expire, urging them to confirm their credentials.
For the user, this is standard social engineering that leverages urgency and impersonates official Gmail branding to provoke a quick, unthinking click.
Prompt Injection Against AI
The real innovation lies hidden from the user. Buried within the email’s source code is text deliberately written in the style of prompts for large language models like ChatGPT or Gemini.
This “prompt injection” is designed to hijack the AI-powered security tools that Security Operations Centers (SOCs) increasingly use for triage and threat classification.
Instead of identifying the malicious links and flagging the email, an AI model might be distracted by the injected instructions, which command it to engage in long reasoning loops or generate irrelevant perspectives. This dual-track attack targets human psychology and machine intelligence simultaneously, Anurag said.
If successful, it could cause automated systems to misclassify the threat, delay critical alerts, or allow the phish to slip through defenses entirely.
The delivery chain shows further sophistication.
- Email Delivery: The email originated from SendGrid. It successfully passed SPF and DKIM checks but failed DMARC, which allowed it to land in the user’s inbox.
- Staging Redirect: The initial link in the email used Microsoft Dynamics to create a trustworthy-looking first hop.
hxxps://assets-eur.mkt.dynamics.com/d052a1c0-a37b-f011-8589-000d3ad8807d/digitalassets/standaloneforms/0cecd167-e07d-f011-b4cc-7ced8d4a4762
- Attacker Domain with Captcha: The redirect led to a page with a captcha designed to block automated crawlers and sandboxes from accessing the final phishing site.
hxxps://bwdpp.horkyrown.com/M6TJL@V6oUn07/
- Main Phishing Site: After the captcha, the user was directed to a Gmail-themed login page containing obfuscated JavaScript.
hxxps://bwdpp.horkyrown.com/yj3xbcqasiwzh2?id=[long_id_string]
- GeoIP Request: The phishing site made a request to collect the victim’s IP address, ASN, and geolocation data to profile the user and filter out analysis environments.
hxxps://get.geojs.io/v1/ip/geo.json
- Beacon Call: A telemetry beacon or session tracker was used to distinguish real users from bots.
GET hxxps://6fwwke.glatrcisfx.ru/tamatar@1068ey
Emails sent via SendGrid bypass initial filters, and a redirect through a legitimate Microsoft Dynamics URL makes the first hop seem trustworthy.
A CAPTCHA protects the attacker’s domain to block automated scanners, and the final phishing page uses multi-layered, obfuscated JavaScript to steal credentials.
While definitive attribution is challenging, WHOIS records for the attacker’s domain (bwdpp.horkyrown.com) list contact information in Pakistan, and URL paths for telemetry beacons (6fwwke.glatrcisfx.ru/tamatar@1068ey) contain Hindi/Urdu words.
These clues, though not conclusive, suggest a possible link to threat actors in South Asia.
This campaign highlights a clear evolution in phishing tactics. Attackers are now building AI-aware threats, attempting to poison the very tools meant to defend against them.
This forces a shift in defensive strategy, requiring organizations to protect not only their users from social engineering but also their AI tools from prompt manipulation.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
