Threat actors are abusing Kuse.ai, a trusted AI workplace platform, to host phishing documents and harvest credentials via Vendor Email Compromise (VEC).

In brief - Cybercriminals exploited Kuse.ai’s legitimate file-sharing features to distribute malicious Markdown (.md) files, redirecting victims to a fake Microsoft login page. This attack highlights the risks of AI platforms being weaponized for social engineering and the need for phishing-resistant MFA and real-time URL inspection.

Technically - The attack chain involved a compromised vendor mailbox sending phishing emails with a Kuse.ai-hosted .md file (app[.]kuse[.]ai). The file used a blurred preview to lure clicks, redirecting to a credential-harvesting page (hxxps://onlineapp[.]ooraikaoo[.]info). The use of .md files evaded signature-based detection, while VEC and platform legitimacy increased deception. IoCs include the malicious domain and Kuse.ai URL. Mitigations require sandboxing, advanced email filtering, and phishing-resistant MFA.

Source: https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html

#Cybersecurity #ThreatIntel