Phishing has always relied on tricking people, but this latest campaign goes a step further. Instead of only targeting users, attackers are now attempting to manipulate AI-powered defenses as well.
This operation builds on the Gmail phishing chain reported last week. That earlier campaign used urgency and link redirects, while this one introduces a new element: hidden AI prompts embedded within the email code to confuse automated analysis tools.
Expiry Notice Email Trap
According to Anurag’s analysis, the phishing email arrived with the subject line: Login Expiry Notice 8/20/2025 4:56:21 p.m.
The message warned the recipient that their Gmail password was about to expire and urged them to confirm their login details.
For users, this was standard social engineering, exploiting urgency and fake Gmail branding to push them into clicking without thinking.
Prompt Injection Against AI
The real innovation, however, was hidden from the user. Inside the email’s source code, attackers placed instructions written in the style of prompts for large language models such as ChatGPT and Gemini.
This prompt injection aimed to hijack AI-based security tools used by Security Operations Centers (SOCs). Instead of focusing on malicious links, the AI could be forced into unnecessary reasoning loops or irrelevant responses.
If effective, this tactic could cause automated defenses to misclassify the phishing attempt, delay alerts, or even let the malicious email bypass security checks.
Attack Delivery Chain
The delivery process showed a layered and sophisticated design:
- Email Delivery: Sent via SendGrid. Passed SPF and DKIM, but failed DMARC, allowing inbox delivery.
- Staging Redirect: Used Microsoft Dynamics for a legitimate-looking redirect.
hxxps://assets-eur.mkt.dynamics.com/d052a1c0-a37b-f011-8589-000d3ad8807d/digitalassets/standaloneforms/0cecd167-e07d-f011-b4cc-7ced8d4a4762
Attacker Domain with Captcha: Redirected to a page containing a CAPTCHA, blocking automated crawlers.
hxxps://bwdpp.horkyrown.com/M6TJL@V6oUn07/Main Phishing Site: A Gmail-themed login page with obfuscated JavaScript.
hxxps://bwdpp.horkyrown.com/yj3xbcqasiwzh2?id=[long_id_string]
GeoIP Request: Collected IP, ASN, and location data to profile victims.
hxxps://get.geojs.io/v1/ip/geo.json
Beacon Call: Telemetry tracker to distinguish real users from bots.
GET hxxps://6fwwke.glatrcisfx.ru/tamatar@1068ey
This multi-stage approach allowed attackers to bypass filters, appear legitimate through Microsoft Dynamics, and shield the final phishing site with CAPTCHAs and obfuscated code.
Possible Attribution
WHOIS records for the attacker’s domain (bwdpp.horkyrown.com) point to contact information in Pakistan. In addition, beacon paths like tamatar@1068ey contain Hindi/Urdu words, hinting at possible South Asian involvement.
Although not conclusive, these indicators suggest the threat may originate from actors in the region.
Conclusion
This campaign shows a major shift in phishing strategies. By blending social engineering with AI prompt injection, attackers are now targeting both human psychology and automated defenses.
Organizations must adapt by not only training employees against phishing but also strengthening their AI tools against manipulation attempts.
