Kuse Web App Abused to Host Phishing Document
Threat actors are leveraging Vendor Email Compromise (VEC) to distribute phishing links hosted on the legitimate AI platform Kuse.ai. By utilizing Markdown (.md) files containing blurred document lures, attackers successfully bypass traditional email filtering to redirect victims to credential harvesting pages masquerading as Microsoft logins.
Authors: Jed Valderama, Kenneth Polagñe
Source: Trend Micro
- Domain: online-app[.]giaodienweb[.]info (malicious domain hosting fake Microsoft login, extracted from image)
- Domain: onlineapp[.]ooraikaoo[.]info (malicious domain hosting fake Microsoft login)
- IP: 91[.]92[.]41[.]64 (malicious IP address associated with the phishing campaign)
- URL: hxxps://online-app[.]giaodienweb[.]info/?auth2=51X7L2rZzAHNNFWSEYhCPdWVh7pMJ (fake Microsoft login page observed in the provided screenshot)
- URL: hxxps://onlineapp[.]ooraikaoo[.]info/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz (fake Microsoft login page used for credential harvesting)
Detection / Hunter
What Happened
Cybercriminals are using compromised email accounts from trusted vendors to send fake messages to target organizations. These emails contain links to a legitimate AI tool called Kuse.ai, where the attackers have hidden a fake, blurred document. When a user clicks to view the document, they are taken to a fake Microsoft login page designed to steal their passwords. To stay safe, employees should always double-check links, even if they come from known contacts or trusted websites, and organizations should use strong, phishing-resistant multi-factor authentication.
Key Takeaways
- Threat actors are abusing the legitimate AI web app Kuse.ai to host phishing documents.
- The attack leverages Vendor Email Compromise (VEC) to establish trust and deliver the initial phishing link.
- Attackers use Markdown (.md) files to bypass traditional email filters that look for common malicious extensions like .pdf or .docx.
- The hosted document displays a blurred image lure, tricking users into clicking a link that redirects to a fake Microsoft login page.
Affected Systems
- Microsoft 365 users
- Corporate email systems
Attack Chain
The attack begins with a Vendor Email Compromise (VEC), where a compromised trusted vendor emails a target with a link to a file hosted on Kuse.ai. The link points to a Markdown (.md) file on the legitimate app.kuse.ai domain, bypassing email filters. When opened, the Markdown file displays a blurred document image and a hyperlink prompting the user to click to view the document. Clicking the link redirects the victim to an external, fake Microsoft login page designed to harvest their credentials.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but lists raw IOCs for sweeping.
Detection Engineering Assessment
- EDR Visibility: Low — The attack is primarily web-based and relies on social engineering and credential harvesting via external sites, generating minimal endpoint execution telemetry.
- Network Visibility: Medium — Network logs can capture the DNS requests and HTTP traffic to the malicious credential harvesting domains, though the initial payload is hosted on a legitimate, encrypted platform (Kuse.ai).
- Detection Difficulty: Moderate — The use of a legitimate domain (app.kuse.ai) and a non-standard file extension (.md) makes initial delivery hard to detect. Detection relies on identifying the secondary redirect to the credential harvesting domain.
Required Log Sources
- Web Proxy Logs
- DNS Logs
- Email Gateway Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual email traffic containing links to app.kuse.ai, especially those referencing .md files. | Email Gateway Logs | Initial Access | Medium |
| Search for web traffic originating from app.kuse.ai redirecting to unknown or newly registered domains. | Web Proxy Logs | Credential Access | Low |
Control Gaps
- Standard Email Filtering (bypassed by .md and legitimate domain)
- Traditional MFA (bypassed by reverse proxy toolkits)
Key Behavioral Indicators
- Emails from known vendors containing links to app.kuse.ai with .md extensions
- Web requests with an HTTP Referer of app.kuse.ai that lead to login portals
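The two hunting hypotheses and the behavioral indicators above, expressed as detection logic over constructed email-gateway and web-proxy records (an added example, not code from the Trend Micro article); the record layout, the allowlist of expected identity-provider hosts and the login-hint substrings are assumptions, while the destination domains and query strings are the IOCs listed on this page.

```python
from urllib.parse import urlparse

KUSE_HOST = "app.kuse.ai"
# Assumed allowlist: hosts where a login prompt after a document share is expected.
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumed path/query fragments that suggest a credential prompt.
LOGIN_HINTS = ("login", "signin", "auth", "sso")

# Constructed email-gateway records (sender, URL extracted from the body); not real telemetry.
EMAIL_RECORDS = [
    {"sender": "ap@trusted-vendor.example", "url": "https://app.kuse.ai/share/invoice-Q3.md"},
    {"sender": "hr@corp.example", "url": "https://app.kuse.ai/workspace/notes"},
    {"sender": "it@corp.example", "url": "https://files.corp.example/Q3.pdf"},
]

# Constructed web-proxy records (Referer, requested URL); destinations come from this page's IOCs.
PROXY_RECORDS = [
    {"referer": "https://app.kuse.ai/share/invoice-Q3.md",
     "url": "https://online-app.giaodienweb.info/?auth2=51X7L2rZzAHNNFWSEYhCPdWVh7pMJ"},
    {"referer": "https://app.kuse.ai/share/invoice-Q3.md",
     "url": "https://login.microsoftonline.com/common/oauth2/authorize"},
    {"referer": "https://mail.corp.example/inbox",
     "url": "https://onlineapp.ooraikaoo.info/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz"},
]

def hunt_email_md_links(records):
    """Hypothesis 1: email links to app.kuse.ai that reference a .md file."""
    hits = []
    for r in records:
        u = urlparse(r["url"])
        if u.hostname == KUSE_HOST and u.path.lower().endswith(".md"):
            hits.append(r)
    return hits

def hunt_kuse_referrals(records, allowlist=KNOWN_LOGIN_HOSTS):
    """Hypothesis 2: requests referred from app.kuse.ai that land on an
    unfamiliar host whose path or query looks like a login prompt."""
    hits = []
    for r in records:
        if urlparse(r["referer"]).hostname != KUSE_HOST:
            continue  # only the document -> login redirect described in the attack chain
        dst = urlparse(r["url"])
        if dst.hostname in allowlist:
            continue  # the real identity provider, not a lookalike portal
        if any(h in (dst.path + "?" + dst.query).lower() for h in LOGIN_HINTS):
            hits.append(r)
    return hits

def hosts_to_block(hits):
    """Distinct destination hosts from hypothesis-2 hits, ready for proxy/firewall blocking."""
    return sorted({urlparse(r["url"]).hostname for r in hits})
```

The third proxy record is not caught by hypothesis 2 because its Referer is not app.kuse.ai; that host is covered by sweeping the IOC list directly, as the Immediate Mitigation section recommends.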
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Block the identified malicious IPs and domains in web proxies and firewalls.
- Sweep email environments for messages containing the malicious Kuse.ai URL patterns.
Infrastructure Hardening
- Implement advanced email and URL filtering capable of time-of-click inspection.
- Enforce phishing-resistant MFA (e.g., FIDO2/WebAuthn) to prevent credential harvesting via reverse proxies.
User Protection
- Monitor and restrict outbound access to non-business-critical AI platform sharing URLs.
Security Awareness
- Train users to verify links beyond the domain name and recognize social engineering cues like blurred document lures.
- Implement policies requiring secondary verification for unusual requests from trusted vendors to defend against VEC.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1586.002 - Compromise Accounts: Email Accounts
- T1102 - Web Service
- T1056.002 - Input Capture: GUI Input Capture
Additional IOCs
- Domains:
  - onlineapp[.]ooraikaoo[.]info (malicious domain hosting fake Microsoft login)
  - online-app[.]giaodienweb[.]info (malicious domain hosting fake Microsoft login, extracted from image)