(trendmicro.com) Abuse of Kuse.ai: How Threat Actors Exploit AI Platforms for Phishing and Credential Theft
-
Threat actors are abusing Kuse.ai, a trusted AI workplace platform, to host phishing documents and harvest credentials via Vendor Email Compromise (VEC).
In brief - Cybercriminals exploited Kuse.ai’s legitimate file-sharing features to distribute malicious Markdown (.md) files, redirecting victims to a fake Microsoft login page. This attack highlights the risks of AI platforms being weaponized for social engineering and the need for phishing-resistant MFA and real-time URL inspection.
Technically - The attack chain involved a compromised vendor mailbox sending phishing emails with a Kuse.ai-hosted .md file (app[.]kuse[.]ai). The file used a blurred preview to lure clicks, redirecting to a credential-harvesting page (hxxps://onlineapp[.]ooraikaoo[.]info). The use of .md files evaded signature-based detection, while VEC and platform legitimacy increased deception. IoCs include the malicious domain and Kuse.ai URL. Mitigations require sandboxing, advanced email filtering, and phishing-resistant MFA.
Source: https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html
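As an added example (not code from the Trend Micro post or from Kuse.ai), the "real-time URL inspection" step from the mitigation list, in Python: it refangs the two defanged indicators quoted in the post, extracts links from a message body, and maps what it finds to a block / sandbox / allow verdict. Only the two indicators come from the post; putting app.kuse.ai on a watch list (sandbox any Markdown link) rather than a block list is this example's own design choice, and the sample e-mail text and the URL paths in it are constructed.

```python
"""Added example, not from the Trend Micro post or Kuse.ai: URL inspection
for the Kuse.ai-hosted .md lure described in the post.

Only the two defanged IoCs are from the post. The sample message, the URL
paths and the host classification below are constructed for this example."""
import re
from urllib.parse import urlparse

# Defanged IoCs as quoted in the post. Kuse.ai is a legitimate platform, so
# its host goes on a watch list (sandbox .md links) rather than a block list;
# that split is this example's design choice, not the post's.
BLOCK_IOCS = ["hxxps://onlineapp[.]ooraikaoo[.]info"]
WATCH_IOCS = ["app[.]kuse[.]ai"]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://, [.], (.), [:]) back into a usable URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(defanged, real)
    return s


def hosts_from(iocs):
    """Normalise a list of defanged IoCs to a set of lowercase hostnames."""
    hosts = set()
    for ioc in iocs:
        clean = refang(ioc)
        if "://" not in clean:
            clean = "http://" + clean  # bare hostname: add a scheme so urlparse sees a netloc
        host = urlparse(clean).hostname
        if host:
            hosts.add(host.lower())
    return hosts


BLOCK_HOSTS = hosts_from(BLOCK_IOCS)
WATCH_HOSTS = hosts_from(WATCH_IOCS)


def inspect_url(url: str):
    """Return the list of reasons a single URL should be flagged (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in BLOCK_HOSTS:
        reasons.append(f"known IoC host {host}")
    # The lure was a Markdown document on a legitimate shared platform; a file
    # signature would miss it, so key on host plus extension instead.
    if host in WATCH_HOSTS and parsed.path.lower().endswith(".md"):
        reasons.append(f"Markdown document hosted on shared platform {host}")
    return reasons


def inspect_message(body: str):
    """Extract every URL from a message body; return [(url, reasons)] for flagged ones."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?")  # trailing sentence punctuation is not part of the link
        reasons = inspect_url(url)
        if reasons:
            findings.append((url, reasons))
    return findings


def verdict(body: str) -> str:
    """Block on a known IoC host, sandbox a watch-list .md link, otherwise allow."""
    findings = inspect_message(body)
    if any(r.startswith("known IoC host") for _, reasons in findings for r in reasons):
        return "block"
    if findings:
        return "sandbox"
    return "allow"


# Constructed sample: a VEC-style message carrying the document link and the
# redirect target. The paths are invented for this example.
SAMPLE_EMAIL = """Hi,
Please review the updated invoice: https://app.kuse.ai/share/abc123/invoice.md
If the preview is blurred, sign in here: https://onlineapp.ooraikaoo.info/login.
Regards"""

if __name__ == "__main__":
    for url, reasons in inspect_message(SAMPLE_EMAIL):
        print(url, "->", "; ".join(reasons))
    print("verdict:", verdict(SAMPLE_EMAIL))
```

Keying the watch-list rule on host plus `.md` extension rather than on file content is deliberate: the post notes that the Markdown lure slipped past signature-based detection, and the platform host alone cannot be blocked without breaking legitimate Kuse.ai traffic. In production the "sandbox" verdict would hand the link to a detonation service that follows the redirect and records the final landing page.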
-
relay@relay.infosec.exchange shared this topic
-
@orlysec @deepthoughts10 here’s a fun one.