Researchers have discovered that cybercriminals have orchestrated a sophisticated phishing campaign using Simplified AI, a legitimate AI marketing platform, to steal Microsoft 365 credentials from U.S.-based organizations.

During the phishing campaign, threat actors hosted a phishing webpage under the legitimate Simplified AI domain, blending malicious activity into the daily noise of enterprise traffic. By impersonating an executive from a global pharmaceutical distributor, the threat actors delivered a password-protected PDF that appeared legitimate. Once opened, the file redirected the victim to Simplified AI’s website, but instead of generating content, the site became a launchpad to a fake Microsoft 365 login portal designed to harvest enterprise credentials.  

This combination of social engineering and phishing highlights a dangerous evolution: threat actors are merging impersonation with sophisticated phishing techniques while exploiting the era of AI adoption in enterprise organizations. They are no longer relying on suspicious servers or cheap lookalike domains. Instead, they abuse the reputation and infrastructure of trusted AI platforms. These are platforms your employees already rely on, or that your security team may implicitly trust, allowing threat actors to bypass defenses and slip into your organization under the cover of legitimacy.

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, provides the following commentary:

“We’re seeing attackers piggyback our own shortcuts. If a link lands on a whitelisted AI platform everyone already uses, it feels safe. In a busy world, while many are multi-tasking, it’s easy to see branding, a familiar layout, and a PDF and lower their defenses. That’s precisely what this attack is seeking to do.”

“It’s why we need to treat AI platforms like any other third-party app. We should use them, but verify. Turn on phishing-resistant MFA so a stolen password doesn’t result in a breach. Be wary of password-protected attachments, reporting them to IT or Security teams to inspect if unsure. Keep an eye on which AI apps and OAuth consents your teams are actually using. And if an email nudges you to log in somewhere new, pause and verify before you type a single character.”

This is pretty scary, as it would be pretty hard to detect. It just shows how threat actors are evolving to make their attacks more effective. And it means that in response we need to find and implement new and stronger defenses to ensure that threat actors don't win.
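The lure described above is an encrypted PDF whose only job is to link out to a trusted SaaS domain, which is exactly the combination that domain reputation alone will not catch. The following is an added triage example (not code from the article, KnowBe4 or Simplified AI) that a mail gateway or analyst script could run over an attachment before a user ever opens it. It works on raw PDF bytes: it checks for an `/Encrypt` entry in the trailer, extracts `/URI` link actions, and flags an encrypted document that carries outbound links even when the link target is on an allowlisted domain. The allowlist, the sample PDF and the `trusted-ai-platform.example` hostname are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist standing in for SaaS domains the organization trusts.
# The article's point is that a trusted domain is not, by itself, a clean signal.
TRUSTED_DOMAINS = {"trusted-ai-platform.example", "login.microsoftonline.com"}

# Byte-level patterns: a /URI action carrying a literal string, and the
# /Encrypt key that marks a password-protected document.
URI_RE = re.compile(rb"/URI\s*\((?P<url>[^)]*)\)")
ENCRYPT_RE = re.compile(rb"/Encrypt\b")


@dataclass
class PdfTriage:
    encrypted: bool
    urls: list
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # "inspect" is the analyst-queue outcome; "pass" means no heuristic fired.
        return "inspect" if self.findings else "pass"


def is_trusted(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_pdf(data: bytes) -> PdfTriage:
    """Heuristic triage of a PDF attachment for the encrypted-lure pattern."""
    encrypted = ENCRYPT_RE.search(data) is not None
    urls = [m.group("url").decode("latin-1", errors="replace") for m in URI_RE.finditer(data)]
    findings = []
    if encrypted:
        findings.append("password-protected: content is hidden from gateway scanners")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if is_trusted(host):
            # Trusted hosting is how this campaign blends in; record it, do not clear it.
            findings.append(f"link to trusted domain {host}: reputation alone does not clear it")
        else:
            findings.append(f"link to untrusted domain {host or '<unparsed>'}")
    if encrypted and urls:
        findings.append("encrypted document that links out: matches credential-phishing lure pattern")
    return PdfTriage(encrypted, urls, findings)


# Constructed minimal PDF: one page, one link annotation to the trusted
# platform, and an /Encrypt entry in the trailer. Not a real sample from the campaign.
SAMPLE_LURE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://trusted-ai-platform.example/view/doc) >> >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 1 /R 2 /O (x) /U (y) /P -1 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
)

# Constructed benign document with no encryption and no links.
SAMPLE_CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_LURE_PDF), ("clean", SAMPLE_CLEAN_PDF)):
        result = triage_pdf(blob)
        print(f"{name}: verdict={result.verdict} encrypted={result.encrypted} urls={result.urls}")
        for finding in result.findings:
            print("  -", finding)
```

One caveat a practitioner should keep in mind: in a genuinely encrypted PDF the string objects, including link targets, are themselves encrypted, so the URL text is only recoverable once the document is opened with its password. The useful gateway signal is therefore the combination of `/Encrypt` plus the presence of link actions, not the readability of the target, and the pattern is only a reason to route the attachment for inspection, never a verdict on its own.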
