EXECUTIVE SUMMARY
Threat actors have exploited the legitimate name and services of Kuse, a popular AI-based app designed for workplaces, to carry out a phishing attack. This attack vector leverages the trust that users place in Kuse, taking advantage of the growing dependence on AI in work and daily life. The attackers' goal is to exploit that trust and ultimately harvest credentials, using the compromised vendor's company name to confuse both users and automated scanners. This phishing attack is significant for organisations because it demonstrates a multi-layered social engineering approach designed to evade both automated defenses and human scrutiny.
The attack works by using a fake URL and image manipulation to lure users into clicking on a phishing link. Once clicked, the user is redirected to a legitimate AI workspace, where they are presented with a blurred document preview. The link below the preview, which appears to reveal the document's full content, actually redirects the user to a fake Microsoft login page to collect user credentials. The attackers have abused the storage and sharing features of Kuse, using the Markdown (.md) file extension as the delivery format to bypass filter signatures and heuristic rules. This tactic highlights the need for layered protection and heightened user awareness, particularly in organisations that use AI-powered web applications.
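The delivery chain above hinges on a Markdown file, hosted on a trusted platform, whose only clickable link leaves that platform for a credential-harvesting page. The following is an added example (not code from the advisory or from Trend Micro) of the kind of check a secure email gateway or file-sharing proxy could run over a fetched .md file: it extracts every Markdown link, ignores image references, and flags links that point off the hosting platform, whose anchor text promises to "reveal" a document, or whose hostname contains a brand name without belonging to that brand's domains. The hosting-platform domain (kuse-platform.example), the lookalike login domain and the sample document are all constructed placeholders; the phrase and brand lists are assumptions to be tuned locally.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a Markdown "document" of the kind described above -- a blurred
# preview image followed by a "view the full document" link that leaves the platform.
# Both domains are placeholders, not real indicators.
SAMPLE_MD = """# Q3 Invoice Review

![Preview](https://files.kuse-platform.example/preview/blurred.png)

The preview above is blurred. [Click here to view the full document](https://login-microsoft-verify.example/auth?u=victim)

Regards,
Accounts Team
"""

# Assumption: domains a file hosted on the platform is expected to link back to.
TRUSTED_HOST_SUFFIXES = ("kuse-platform.example",)

# Assumption: anchor-text phrases typical of the "reveal the blurred document" lure.
LURE_PHRASES = ("view the full document", "view document", "open document", "reveal", "unblur")

# Assumption: brand keywords that, in a hostname outside the brand's own domains,
# suggest a lookalike login page.
BRAND_KEYWORDS = ("microsoft", "office365", "outlook", "sharepoint")
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")

# Matches ![alt](url) and [text](url); group 1 is "!" for images, "" for links.
LINK_RE = re.compile(r'(!?)\[([^\]]*)\]\((https?://[^)\s]+)\)')


def _host_matches(host, suffixes):
    """True if host equals or is a subdomain of any suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extract_links(md_text):
    """Return (is_image, anchor_text, url) for every Markdown link or image."""
    return [(bang == "!", text, url) for bang, text, url in LINK_RE.findall(md_text)]


def classify_link(anchor, url):
    """Return the list of reasons a clickable link looks like the lure; empty if clean."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if not _host_matches(host, TRUSTED_HOST_SUFFIXES):
        reasons.append("external-domain")
    if any(p in anchor.lower() for p in LURE_PHRASES):
        reasons.append("document-reveal-lure")
    if any(k in host for k in BRAND_KEYWORDS) and not _host_matches(host, BRAND_DOMAINS):
        reasons.append("brand-lookalike-host")
    return reasons


def scan_markdown(md_text):
    """Scan a Markdown document and return findings for suspicious clickable links."""
    findings = []
    for is_image, anchor, url in extract_links(md_text):
        if is_image:
            continue  # image references render inline; they are not the redirect
        reasons = classify_link(anchor, url)
        if reasons:
            findings.append({"url": url, "anchor": anchor, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_markdown(SAMPLE_MD):
        print(finding)
```

A single "external-domain" hit is common in legitimate documents, so the useful alerting signal is the combination: an off-platform link whose anchor text promises to reveal the document, or whose hostname borrows a brand name. Running the scan before a shared file is rendered to the user lets the platform policy in the recommendations section be enforced rather than merely documented.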
Organisations must strengthen their security training and remind employees that an application's good reputation does not guarantee the trustworthiness of its content. Conducting regular user awareness training that includes real-world scenarios involving AI platform abuse, Vendor Email Compromise (VEC), and blurred document lures is crucial. Users should be educated on recognising social engineering cues regardless of the hosting platform's reputation. Additionally, organisations should implement policies that require secondary verification before acting on requests that involve clicking links or providing credentials, particularly when the email context is unusual. Enforcing Multi-Factor Authentication with phishing-resistant methods and monitoring and restricting AI platform sharing features can also help mitigate the risk of this type of attack.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Reconnaissance | T1592 | Open-Source Intelligence | — |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204 | User Execution | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1564 | Hide Artifacts | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details:
https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html