Phishing campaigns have long relied on social engineering to dupe unsuspecting users, but recent developments have elevated these attacks to a new level of sophistication.<\/p>\n
Attackers now harness advanced content-generation platforms to craft highly personalized emails and webpages, blending genuine corporate branding with contextually relevant messages.<\/p>\n
These platforms analyze public social media profiles, corporate press releases, and user activity to generate text that mirrors a victim\u2019s communication style, greatly increasing the likelihood of engagement.<\/p>\n
The resulting emails often bypass basic filters by avoiding known malicious keywords and employing dynamic content that changes with each delivery.<\/p>\n
At the same time, these platforms integrate real-time language models to refine phishing templates on the fly, adapting to evolving email defenses and user responses.<\/p>\n
This continuous learning loop allows campaigns to shift message templates within minutes, making static blocklists effectively obsolete.<\/p>\n
Trend Micro researchers identified<\/a> several clusters of these AI-enhanced phishing waves in August 2025, each targeting different industry verticals\u2014from financial services to healthcare\u2014demonstrating the breadth of the threat landscape.<\/p>\n As organizations scramble to deploy heuristic and behavior-based filters, attackers counter with polymorphic payloads that mutate both text and embedded URLs in real-time.<\/p>\n Beyond email, attackers leverage these platforms to generate convincing duplicate login portals hosted on cloud infrastructure, complete with valid SSL certificates and region-specific IP addresses.<\/p>\n The combination of genuine-looking domains, valid certificates, and personalized messaging leads many users to overlook subtle warning signs.<\/p>\n Trend Micro analysts noted that such campaigns often include a brief authentication step mimicking multi-factor prompts, further reducing suspicion by aligning with standard corporate login flows.<\/p>\n Once credentials are harvested, follow-on malware<\/a> delivers a lightweight loader that contacts a command-and-control server over HTTPS, blending in with normal web traffic.<\/p>\n In parallel with credential theft<\/a>, these campaigns deploy various evasion techniques within their code. Embedded scripts employ encryption and obfuscation routines to conceal their true purpose, only decrypting at runtime.<\/p>\n The loader, written in PowerShell, leverages native Windows API calls to disable monitoring services before deploying the final payload.<\/p>\n A representative snippet illustrates how the script resolves API functions dynamically:-<\/p>\n A critical aspect of these AI-driven campaigns lies in their ability to evade signature-based and behavioral detection systems.<\/p>\n The dynamically generated HTML payloads include randomized element IDs and inline style definitions that change with each interaction, rendering signature matching ineffective.<\/p>\n On the network side, attacker-controlled domains employ fast flux DNS<\/a> to rotate authoritative name servers, while the malicious loader establishes encrypted tunnels over standard ports, camouflaging traffic among legitimate SSL connections.<\/p>\n Endpoint sensors that rely on static heuristics are frequently bypassed as the loader disables Windows Event Logging for PowerShell<\/a> execution, then reinstates logging settings once the secondary payload activates.<\/p>\n This hit-and-run strategy leaves minimal forensic artifacts, complicating post-incident analysis and prolonging dwell time for threat actors.<\/p>\n Find this Story Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Phishing Attacks Using AI-Powered Platforms to Misleads Users and Evades Security Tools<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgpjgANmXHWr0jrT2U9i9GVo8KdsVm0yWaiT20AYNXFh6JzQCq71__03_cH8faVFpnqinj_MO7ByviPKGYT4wbTwfJSTMgElfcSselVfgek5QRPnusKDwcYj7XFcpDPfgKyUyH4ObxcVuJdqMq_nyRLDxh6MiCmbvMPnuIu2HIAnzBmA42b3-Wpxto-TAc\/s16000\/Fake%2520captcha%2520page%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhqmPxmfzuZuiBE5DpthYVoLwhtZEaObeYj7I_vyw2rCAbsSe4kh04w_yQs8dHhAN-5HI6oXjxr_6yddBE-xvvPz8nv0dmevp3z0bc9aF7hhubqI7sZ4B61CQPd9C8XIMysxfnCee7hxNWC7TSi_ihnMnnuM4EW7YJ0VydnjGf2AbPmwkuKwviTWS56ro\/s16000\/Captcha%2520page%2520does%2520not%2520redirect%2520to%2520the%2520phishing%2520page%2520if%2520the%2520answer%2520is%2520incorrect%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhqhtQSgBqTDaaI-lb_ncjvj4NgZ043yAD0F0Kx8lte5Z-ys-IvFdIrJL6BCCoATBPMSmcrXLhP3xYLrJC3TxUkynkr_JQdq-pRilrLWkmGI8SsHNUQIencPEnw5OguMiJHGOZdlaU-RcZ3jqSXxMrQhamp3Okia0TkdAYqL2u6Hj1llO0fLrVrq6OBkPw\/s16000\/Phishing%2520page%2520after%2520the%2520captcha%2520is%2520solved%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
$kernel = Add-Type \u2013MemberDefinition @\"\n [DllImport(\"kernel32.dll\")]\n public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);\n\"@ \u2013Name \"Kernel\" \u2013Namespace \"Win32\"\n$hMod = [Kernel]::GetModuleHandle(\"ntdll.dll\")\n$addr = [Kernel]::GetProcAddress($hMod, \"NtOpenProcess\")<\/code><\/pre>\nEvasion Techniques and Detection Challenges<\/strong><\/h2>\n