LLM-obfuscated SVG phishing campaign targeting U.S.-based organizations

Campaign
Happening score: 36
1 unique source, 1 article

Summary

A phishing campaign targeted U.S.-based organizations and used LLM-obfuscated SVG files to hide malicious content and steal credentials. Detected on August 28, 2025, the operation is notable because it combined a compromised email account, BCC-hidden targets, and a fake login flow to evade security defenses. Microsoft said the campaign was limited in scope and was effectively blocked.

Related Happenings

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

FBI-led takedown of W3LL phishing network

Law Enforcement
First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 29.09.2025 11:52 2 articles · 8mo ago

    Phishing campaign detected against U.S.-based organizations

    Exploitation Observed

    Microsoft detected a phishing campaign aimed at U.S.-based organizations on August 28, 2025 that used a compromised business email account and an SVG lure disguised as a PDF to push recipients toward a CAPTCHA step and a fake login page for credential theft. The activity also used a self-addressed sending pattern with targets hidden in BCC, and Microsoft said its systems flagged and neutralized the threat.

  2. 29.09.2025 11:52 1 article · 8mo ago

    Microsoft details AI-style SVG obfuscation in phishing analysis

    Initial Disclosure

    Microsoft's analysis described the same phishing campaign as likely aided by an LLM, citing an SVG file that used business terminology and a synthetic dashboard-like structure to disguise malicious behavior. The analysis said Security Copilot found the code unusually complex, verbose, and lacking practical utility, consistent with AI-assisted obfuscation.
