Next-Gen Phishing: Targeting AI/ML Teams

2025.10.26.
AI Security Blog
Dissecting a Multi-Stage Credential Harvesting Attack with Implications for AI/ML Environments

A recently identified phishing campaign demonstrates a sophisticated, multi-stage approach to credential harvesting that holds significant implications for organizations developing or deploying AI and Large Language Models (LLMs). The attack chain cleverly weaponizes user trust in ubiquitous collaboration platforms like Zoom to bypass conventional security filters and deceive technically proficient users, including the AI/ML engineers and data scientists who hold the keys to sensitive intellectual property and high-value cloud infrastructure.

From an AI red teaming perspective, this campaign serves as a powerful blueprint for testing an organization’s resilience against threat actors targeting the human element of the AI development lifecycle. Let’s deconstruct the tactics, techniques, and procedures (TTPs) involved.

The Attack Chain Deconstructed

This is not a rudimentary “spray and pray” phishing attempt. It is a carefully orchestrated operation that leverages psychological manipulation and modern web technologies to achieve its objectives with high fidelity.

Stage 1: Initial Vector via Trusted SaaS Platform

The attack initiates by abusing Zoom’s legitimate document sharing functionality. This is a critical first step for several reasons:

  • Trust Exploitation: The initial lure arrives from a trusted domain (zoom.us), significantly increasing the likelihood of bypassing automated email security gateways that scrutinize sender reputation and domain authenticity. For the end-user, the notification appears legitimate, reducing initial suspicion.
  • Bypassing Domain-based Blocking: It is operationally infeasible for most organizations to block domains of major SaaS providers like Zoom. This technique ensures high deliverability of the initial payload link.

The use of a trusted platform as the initial delivery vector is a hallmark of advanced adversaries aiming to compromise high-value targets who are otherwise conditioned to spot suspicious domains.

Stage 2: Evasion and Psychological Priming via “Bot Protection”

Upon clicking the shared document link, the victim is not immediately presented with a credential harvesting form. Instead, they are redirected to a landing page featuring a fake “bot protection” or CAPTCHA-like mechanism. This intermediate step is a brilliant piece of social engineering and technical evasion:

  • Evasion of Automated Analysis: Many security sandbox environments that automatically “click” links to analyze their content may be stymied by this interactive gate. They may fail to execute the necessary JavaScript or solve the challenge, thus never reaching and flagging the final malicious payload.
  • Psychological Priming: Forcing the user to complete a simple task (like clicking a checkbox) psychologically reinforces the legitimacy of the workflow. Users are accustomed to these checks on legitimate sites, which lowers their guard for the next, critical stage of the attack.

Stage 3: High-Fidelity Credential Harvesting

After passing the fake security check, the user is presented with a pixel-perfect replica of a common identity provider’s login page, such as a Gmail or Microsoft 365 prompt. The seamless transition and high-quality design are intended to prevent the user from questioning the context shift—from a document view to a login request.

Stage 4: Covert Exfiltration via WebSockets

This is the most technically significant aspect of the campaign. Instead of using a standard HTTP POST request to send the captured credentials to an attacker-controlled server—a method that is easily logged and often inspected—this attack utilizes a WebSocket connection.

  • Stealth and Persistence: WebSockets establish a persistent, full-duplex communication channel between the victim’s browser and the attacker’s server. This is often less scrutinized by traditional network security appliances than standard HTTP traffic.
  • Real-time Validation: The persistent connection allows the attacker’s backend to receive the credentials keystroke-by-keystroke or immediately upon form submission and attempt a real-time login against the actual service (e.g., Google). This immediate feedback loop enables the attacker to instantly verify the credentials’ validity and even potentially capture and forward Multi-Factor Authentication (MFA) tokens if the user is prompted for one.

The AI Security & Red Teaming Nexus

While this is a credential harvesting attack, its true danger lies in the potential targets and the assets they control within an AI/ML ecosystem. A successful compromise of an AI engineer, MLOps professional, or data scientist using this method can be catastrophic.

High-Value Targets, High-Impact Consequences

Stolen credentials from AI personnel provide direct access to the crown jewels of the modern enterprise:

  • Proprietary Models & Source Code: Access to internal Git repositories (GitHub, GitLab) could lead to the theft of pre-trained models, proprietary algorithms, and training loop source code.
  • Sensitive Training Data: Compromised accounts can grant access to cloud storage buckets (S3, GCS) or databases containing sensitive, PII-laden, or commercially valuable training data, leading to massive data breaches.
  • Infrastructure Hijacking: Access to cloud consoles (AWS, GCP, Azure) allows an attacker to control high-performance GPU compute clusters, which can be used for malicious model training, cryptocurrency mining, or launching further attacks.

Implications for AI Red Teams

This campaign’s TTPs are a valuable addition to any AI-focused red team’s playbook. Emulating this attack allows for a robust assessment of an organization’s security posture at multiple layers:

  1. Test the Human Firewall: Can AI developers, who are often focused on performance and innovation, spot a sophisticated, contextually relevant lure that abuses the very collaboration tools they use daily?
  2. Evaluate Technical Controls: Does the organization’s network security stack effectively monitor and flag suspicious WebSocket establishment and traffic? Are egress controls sufficient to block this non-standard exfiltration channel?
  3. Assess Identity & Access Management (IAM): A core principle of AI security is least-privilege access. This test can reveal if a single compromised credential provides overly broad access to the entire MLOps pipeline, from data ingestion to model deployment. Is MFA enforced universally?
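A detection check for Stage 4 and for item 2 above, added here as an illustration and not code from the post: it reads constructed proxy log lines, flags HTTP 101 WebSocket upgrades to hosts outside an assumed allowlist, and walks the Referer chain to see whether the socket was reached from a trusted share domain through an intermediate page, which is the chain the post describes. The log format, the allowlist and the .invalid hostnames are assumptions.

```python
from collections import namedtuple
from urllib.parse import urlparse
# Constructed proxy log in an assumed format (not any real product's):
#   ts src_ip host path status upgrade_header referrer ("-" = absent)
# It replays the chain from the post: zoom.us share -> fake bot check ->
# login replica -> WebSocket to the harvester. The .invalid hosts are placeholders.
SAMPLE_LOG = """\
2025-10-26T09:01:02Z 10.0.0.12 zoom.us /rec/share/abc 200 - -
2025-10-26T09:01:05Z 10.0.0.12 ws.zoom.us /ws 101 websocket https://zoom.us/rec/share/abc
2025-10-26T09:02:10Z 10.0.0.12 verify.invalid /check 200 - https://zoom.us/rec/share/abc
2025-10-26T09:02:31Z 10.0.0.12 verify.invalid /login 200 - https://verify.invalid/check
2025-10-26T09:02:40Z 10.0.0.12 collect.invalid /socket 101 websocket https://verify.invalid/login
"""
WS_ALLOWLIST = {"ws.zoom.us", "mail.google.com"}  # assumed: expected WebSocket endpoints
LURE_DOMAINS = {"zoom.us"}                         # trusted share platforms abused as lures

# via_lure: the socket host was reached from a lure domain through >= 1 intermediate page
Finding = namedtuple("Finding", "ts src_ip host chain via_lure")

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, host, _path, status, upgrade, ref = line.split()
        ref_host = urlparse(ref).hostname if ref != "-" else None
        rows.append(dict(ts=ts, src=src, host=host, status=status,
                         upgrade=upgrade.lower(), ref_host=ref_host))
    return rows

def referrer_chain(rows, host):
    """Walk Referer headers backwards from host; self-referrals are ignored."""
    prev = {r["host"]: r["ref_host"] for r in rows
            if r["ref_host"] and r["ref_host"] != r["host"]}
    chain, cur = [host], host
    while prev.get(cur) and prev[cur] not in chain:  # stop at the origin or on a loop
        cur = prev[cur]
        chain.append(cur)
    return chain

def detect_ws_exfil(text, allowlist=WS_ALLOWLIST, lures=LURE_DOMAINS):
    """Flag WebSocket upgrades (HTTP 101 + Upgrade: websocket) to unexpected hosts."""
    rows = parse_log(text)
    findings = []
    for r in rows:
        if r["status"] != "101" or r["upgrade"] != "websocket" or r["host"] in allowlist:
            continue  # not a WebSocket upgrade, or an expected one
        chain = referrer_chain(rows, r["host"])
        via_lure = len(chain) >= 3 and chain[-1] in lures
        findings.append(Finding(r["ts"], r["src"], r["host"], chain, via_lure))
    return findings
```

On the sample, the Zoom session's own socket is allowlisted and ignored, while the upgrade to collect.invalid is reported with the chain collect.invalid -> verify.invalid -> zoom.us, which is the signal a SOC can alert on even when the harvester host is new.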

Furthermore, red teams can enhance this attack using generative AI to create highly personalized lures at scale, making the initial Zoom document share appear to be from a trusted colleague and relevant to an ongoing project, dramatically increasing the probability of success.