As artificial intelligence platforms reshape the enterprise productivity landscape, threat actors are aggressively operationalizing public enthusiasm and corporate dependency on these systems to build highly effective social engineering campaigns. Microsoft Threat Intelligence has documented a surge in sophisticated cyber operations that systematically abuse the brand names, logos, and service frameworks of prominent AI providers—including OpenAI’s ChatGPT, Anthropic’s Claude, DeepSeek, and Microsoft Copilot. These attacks do not exploit technical vulnerabilities within the AI services themselves; rather, they weaponize the trusted infrastructure of these emerging tech giants as initial access bait. By blending the psychological pressure of account suspension with intricate technical redirection pipelines, adversaries are successfully circumventing legacy perimeter controls to deploy information stealers, harvest financial credentials, and intercept active authentication sessions.

Traditional bait mechanisms like standard shipping notifications or generic billing invoices are increasingly supplemented, and in some cases replaced, by high-utility tech lures. Because modern enterprises are rushing to integrate AI tools into daily operations, notifications regarding account compliance or subscription expirations trigger immediate user reactions. Cybercriminal syndicates and initial access brokers (IABs) capitalize on this sense of urgency to execute multi-stage infection routines. These campaigns exploit the security industry’s inherent delay in classifying newly registered or compromised domains, relying heavily on trusted third-party services to act as behavioral buffers against automated security scanners and email defense gateways.

Deconstructing the ChatGPT Credit Card Harvesting Attack Vector

In a targeted operation observed on May 5, 2026, threat actors launched a highly coordinated phishing campaign engineered to harvest corporate credit cards and personally identifiable information (PII). The initial wave dispatched approximately 4,500 highly targeted emails primarily focused on organizations in South Africa, which accounted for 97% of the localized telemetry. However, the broader operational infrastructure exhibited far greater velocity, scaling up to 100,000 malicious emails per day directed at targets across Switzerland, Austria, and various professional and higher education sectors globally. The emails leveraged the display name “ChatGPT” alongside a high-fidelity rendering of OpenAI’s corporate iconography, using the urgent subject line: “To ensure your ChatGPT Plus continues to work – please update your payment method.” The narrative warned users that failure to update billing data within seven days would result in immediate account degradation to the limited free tier, heavily leveraging loss aversion to drive rapid user compliance.

The underlying technical mechanics of this campaign highlight a sophisticated multi-stage redirection matrix designed to evade automated link-detonation sandboxes. When a user interacted with the “Update payment method” button, the request did not instantly route to the attacker’s final infrastructure. Instead, the victim’s browser was routed through an elaborate chain of trusted, reputation-backed hops. The traffic first hit a legitimate customer relationship management (CRM) service hosted at grupoconstat[.]bitrix24[.]com[.]br, which performed a server-side redirect to awstrack[.]me—a trusted Amazon domain utilized for tracking engagement analytics. From there, the traffic was funneled through a Rebrandly URL shortener before finally landing on a compromised, legitimate e-commerce platform hosted at legendarytrendsbay[.]shop within a hidden /ChatGPT/ subdirectory.

To further frustrate security analysis and security orchestration, automation, and response (SOAR) workflows, the landing page implemented a custom CAPTCHA mechanism masquerading as a secondary validation button. Security crawlers parsing the page statically would fail to trigger the subsequent forms, whereas an interactive user clicking through would activate the malicious script. Once cleared, the victim was subjected to a two-stage data harvesting form: the first layout collected identity parameters including full legal names and physical addresses, while the secondary, final phase extracted the complete financial payload—including credit card numbers, expiration thresholds, and card verification values (CVV/CVC).

Anatomy of the Anthropic Claude Adversary-in-the-Middle (AiTM) Campaign

Simultaneously, a distinct and technologically aggressive campaign emerged between April 20 and April 22, 2026, targeting more than 2,000 distinct enterprise organizations. This offensive campaign systematically impersonated Anthropic’s Claude AI ecosystem, focusing heavily on the Information Technology sector (56%), broad business enterprises (21%), and financial institutions (8%). Geographically, the blast radius was concentrated across the United States (62%), the United Kingdom (18%), and India (9%). Utilizing display names such as “Anthropic Teams” and “Anthropic PBC,” the actors distributed regulatory compliance lures with subject variations structured as “Claude Appeal Request” appended with localized date stamps. The attack relied on an aggressive enforcement narrative, informing corporate users that their accounts had repeatedly violated the platform’s acceptable use policies (AUP) and that an immediate appeal workflow was required to lift severe functionality restrictions.

The delivery mechanism substituted standard hyperlinks for an HTML-wrapped payload embedding a highly official PDF document titled Fill and Sign Claude Appeal Form.pdf. By forcing the user to open a document locally or within a browser-based PDF reader, the threat actors successfully stripped the initial email body of suspicious outbound hyperlinks, facilitating clean delivery past Secure Email Gateways (SEGs). The PDF instructed the victim to copy a specific “Appeal ID” and click an embedded link to initialize the remediation procedure. This link routed the victim to an attacker-controlled infrastructure at dash.awaydouble[.]org, which was fronted by an authentic Cloudflare verification checkpoint. This gating technique acted as an anti-analysis mechanism, ensuring that automated sandbox environments could not complete the interactive token handshake required to view the next phase of the exploitation chain.

Upon verification, the target was redirected to an intermediate web server at servicing.pureplantcravings[.]com, presenting a highly polished “Account Security & Compliance” notice complete with a temporary access token. The underlying source code of this landing page revealed highly advanced conditional routing logic designed to differentiate between mobile operating systems and desktop operating systems. Depending on the device fingerprint, the server served tailored layouts optimization profiles. Although the final endpoint infrastructure was deactivated prior to complete architectural breakdown, forensic analysis of the overlapping infrastructure and script behaviors confirmed a classic Adversary-in-the-Middle (AiTM) proxy deployment. The setup was engineered to proxy legitimate authentication requests directly to corporate identity providers (such as Microsoft Entra ID), allowing the threat actors to actively intercept session cookies, bypass multi-factor authentication (MFA) prompts in real time, and gain persistent, unauthorized access to enterprise cloud environments.

Storm-3075 and the Rise of AI-Themed Malvertising Pipelines

Beyond traditional email-driven phishing channels, threat actors are heavily exploiting search engine optimization (SEO) manipulation and malvertising networks to distribute potent information-stealing payloads. Microsoft Threat Intelligence has been tracking an initial access broker designated as Storm-3075, an entity specializing in rapid-deployment malvertising operations that scale from conception to hundreds of thousands of infected endpoints within a matter of hours. This specific threat group actively capitalizes on viral open-source developments and regional AI rollouts by purchasing sponsored search engine placements for highly searched tech keywords. Recent operations utilized high-converting baits such as “Awesome AI Windows Plugin” and “Flux Pro AI” built into malicious browser popups, compromised GitHub repositories, and weaponized software installer packages.

The technical execution of Storm-3075’s distribution pipeline relies on establishing artificial trust layers. On March 13, 2026, a single operational run conducted by this group successfully targeted and interacted with over 66,000 corporate and consumer endpoints simultaneously. The files downloaded by unsuspecting users typically consisted of compressed archives containing code-signed executables. To achieve validation from the local operating system’s kernel and endpoint security solutions, Storm-3075 utilized a known Malware-Signing-as-a-Service (MSaaS) provider managed by a financially motivated threat actor tracked as Fox Tempest. By packaging their droppers with valid, cryptographically signed digital certificates, the adversaries bypassed Microsoft SmartScreen and standard heuristic detection mechanisms.

Once executed on an endpoint, the primary binary initiates an intricate unpacking routine, frequently using intermediate execution layers such as Hijack Loader or Oyster. These loaders perform extensive environmental checks, querying local registries and system parameters to ensure they are not running within a malware analysis sandbox or virtualized debugging environment. If the system passes verification, the loaders inject the final payload directly into the memory space of legitimate system processes (process hollowing). While Vidar Stealer—a highly effective modular information stealer capable of extracting browser session tokens, localized cryptocurrency wallets, and saved credentials—was heavily featured in this campaign, telemetry indicates Storm-3075 acts as a polymorphic service broker. The group routinely rotates downstream payloads, distributing Lumma Stealer and various remote access trojans (RATs) to maximize monetization strategies for their downstream cybercriminal affiliates.

Analysis & Opinion: The Psychological Shift in Initial Access Vectors

The strategic transition from legacy social engineering lures to high-utility AI brand impersonation marks a critical turning point in modern corporate threat landscapes. In our view, adversaries are brilliantly exploiting an institutional blind spot: the intersection of extreme corporate pressure to adopt artificial intelligence tools quickly and the fear of missing out (FOMO) among enterprise users. When an employee receives an urgent notice stating that their access to an essential productivity engine like ChatGPT Plus or Claude Teams is facing immediate termination or policy restriction, their psychological threshold for skepticism drops dramatically. The perceived urgency to maintain access to their day-to-day workflow drivers overrides traditional corporate security awareness training.

What makes this tactical pivot exceptionally dangerous is not the deployment of entirely new malware families, but the industrialization of the underlying delivery systems. By routing malicious payloads through legitimate CRMs, Amazon tracking links, and trusted URL shorteners, threat actors are rendering traditional static signature-based email defense grids highly ineffective.

Furthermore, the widespread integration of Adversary-in-the-Middle (AiTM) proxy kits means that standard multi-factor authentication (MFA) implementations no longer guarantee corporate network isolation. Security perimeters can no longer defend themselves simply by instructing users to watch out for broken English or unrecognized attachments. Corporate cyber defense architectures must rapidly adapt by enforcing strict device-compliance verification policies, implementing continuous session token binding, and deploying behavior-based endpoint detection and response (EDR) agents capable of identifying anomalous authentication token movement in real time.