Phishing emails are now aimed at users and AI defenses

MITRE Techniques

• [T1071] Application Layer Protocol – Phishing delivery via email and web redirects using SendGrid and Dynamics staging redirect (“…originated via SendGrid…abused Microsoft Dynamics to make the first hop appear trustworthy…”).
• [T1566.001] Phishing: Spearphishing Attachment/Link – Credential-harvesting site with Gmail-themed login pages and social-engineering subject/body (“Login Expiry Notice…urging the recipient to update or confirm their credentials”).
• [T1176] Browser Extensions (or T1204?) – Use of obfuscated JavaScript and multi-stage loaders (AES-CBC encrypted payload then eval(atob(…))) to execute in the victim’s browser (“AES-CBC encrypted payload, decrypted via CryptoJS…Output wrapped in eval(atob(…)).”).
• [T1078] Valid Accounts (Credential Harvesting) – Fake login pages designed to collect credentials and 2FA inputs (“Gmail-themed login page…Validated password and 2FA inputs, showing fake errors to prolong interaction.”).
• [T1562] Impair Defenses (Sub-technique: Disable or Modify Tools) – Prompt-injection block targeted at AI-based defenses to cause long reasoning loops and misclassification (“…hidden AI prompts inside the email designed to confuse automated analysis…If an AI model ingests this raw email, it may get distracted into long reasoning loops instead of labelling it as phishing.”).
• [T1070.004] Indicator Removal on Host – CAPTCHA gating and geo/fingerprint checks to evade automated analysis/sandboxes (“Captcha blocks automated crawlers and sandboxes…GeoIP Request collects victim IP, ASN, and geolocation useful for profiling users and filtering out analysis environments.”).
• [T1588] Obtain Capabilities (Phishing Kit / Infrastructure) – Use of attacker-controlled domains, obfuscation, captcha gating and telemetry (bwdpp.horkyrown.com, glatrcisfx.ru) to host and operate the phishing kit (“phishing front-end + captcha…telemetry / beacon”).