Watch out - hackers are using AI to make phishing emails even more convincing (www.techradar.com)

🤖 AI Summary
Microsoft researchers uncovered a phishing campaign that used AI-generated obfuscation to hide malicious JavaScript inside SVG image files disguised as PDFs. Attackers sent emails from a compromised business account (often BCC’ing targets) containing seemingly innocuous SVG “charts” that were actually invisible graphics with embedded scripts. Rather than standard cryptographic obfuscation, the payload was encoded as a long string of business terms (e.g., “revenue,” “shares”); a hidden script decoded those words at runtime to redirect victims to phishing pages, collect browser info, and harvest credentials. Microsoft’s Security Copilot flagged the code as unlikely to be hand-written due to its complexity and verbosity, implicating generative AI in creating the novel encoding and evasion technique.

For the AI/ML and security community this is a wake-up call: generative models are being used not only to craft more convincing phishing prose but to invent new, machine-produced obfuscation patterns that defeat traditional signature-based filters. Technical implications include the need to treat SVGs and other script-capable assets as high-risk, improve behavioral and static analysis to catch semantically odd encodings, and develop model-aware detectors that recognize AI-style verbosity and unconventional encoding schemes. Detection and defense should combine attachment sanitization, content disarm/rewrapping, robust MFA, and ML models trained on AI-generated malware patterns.
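As an added illustration of the static analysis the summary calls for (not code from Microsoft's report or the TechRadar article), the sketch below scans an SVG attachment for script-capable content, invisible graphics, and attribute or text values that look like data spelled out in a small repeated vocabulary of words. The finding labels, the thresholds, the `data-analytics` attribute name and the sample documents are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET  # stdlib; for untrusted mail a hardened parser such as defusedxml is preferable

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def looks_word_encoded(text, min_words=40, max_unique_ratio=0.5):
    """Many words drawn from a small repeated vocabulary: data spelled as words, not prose.
    Both thresholds are assumptions chosen for this example."""
    words = re.findall(r"[a-z]{3,}", text.lower())
    return len(words) >= min_words and len(set(words)) / len(words) <= max_unique_ratio

def scan_svg(data):
    """Return sorted finding labels for one SVG document given as a string."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable-xml"]  # treat as suspicious rather than passing it through
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add(f"active-element:{tag}")
        if looks_word_encoded(el.text or ""):
            findings.add("word-encoded-data")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            if attr.startswith("on"):
                findings.add(f"event-handler:{attr}")
            if attr == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                findings.add("script-or-data-url")
            if attr in ("opacity", "fill-opacity") and value.strip() in ("0", "0.0"):
                findings.add("invisible-graphic")
            if looks_word_encoded(value):
                findings.add("word-encoded-data")
    return sorted(findings)

# Constructed samples (not taken from the campaign); the script body is an inert comment.
TERMS = ["revenue", "shares", "growth", "risk"]
SUSPICIOUS = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<rect width="100" height="100" opacity="0"/>'
    f'<text data-analytics="{" ".join(TERMS * 15)}"></text>'
    '<script>/* constructed placeholder, no payload */</script></svg>'
)
BENIGN = ('<svg xmlns="http://www.w3.org/2000/svg"><title>Quarterly revenue chart</title>'
          '<rect width="10" height="10" fill="blue"/></svg>')

if __name__ == "__main__":
    print(scan_svg(SUSPICIOUS), scan_svg(BENIGN))
```

Any finding is a reason to quarantine or rewrap the attachment rather than proof of malice; the vocabulary-ratio check is a heuristic and will miss encodings that use a large word list.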