Microsoft has documented three distinct campaigns using AI platform branding as phishing lures, with one exploiting a fake DeepSeek model release to deliver malware within 45 minutes of the announcement.

 

What happened

Microsoft Threat Intelligence has identified and documented multiple phishing and malvertising campaigns impersonating the brands of popular AI platforms, including ChatGPT, Anthropic's Claude, and DeepSeek, to steal credentials, financial data, and authentication tokens. According to the Microsoft Security Blog, these campaigns do not represent any compromise of the AI services themselves, they are pure social engineering operations that borrow trusted brand names to push users into clicking links, opening PDFs, or downloading files. On May 5, 2026, Microsoft detected a ChatGPT-themed campaign sending 4,500 emails warning that recipients' ChatGPT Plus subscriptions would be downgraded unless they updated payment details within seven days. Victims were bounced through a CRM service, an Amazon tracking domain, and a URL shortener before landing on a compromised website where a fake payment page collected personal information and full credit card data across two steps. A separate Claude-themed campaign ran from April 20 to 22, 2026, reaching more than 2,000 organizations across the US, UK, and India with emails claiming account policy violations, leading through fake verification screens to an adversary-in-the-middle page designed to steal Microsoft authentication tokens.

 

Going deeper

The DeepSeek campaign proves how quickly threat actors respond to AI news cycles. Within 45 minutes of DeepSeek previewing its V4 model, attackers had created a fake GitHub organization named DeepSeek-V4 loaded with stolen branding, real benchmark data, and search-optimized tags designed to rank in both traditional and AI-assisted search results. Users who downloaded archives from the fake repository received a loader that silently installed Vidar infostealer. A separate malvertising campaign pushed a fake product called "Awesome AI Windows Plugin" through free streaming websites. The download was a fraudulently code-signed executable tied to Fox Tempest, the malware-signing service Microsoft dismantled in May 2026 after linking it to multiple ransomware groups, including Rhysida, INC, Qilin, and Akira. Once users launched the file, a Python downloader quietly fetched Vidar from an attacker-controlled server. Across all three campaign types, attackers routed victims through legitimate platforms, CRM tools, URL shorteners, GitHub, and Amazon domains to avoid reputation-based email security detection at every hop before the final malicious destination.

 

What was said

Microsoft Threat Intelligence stated in the June 8 Security Blog post that "as threat actors operationalize AI to accelerate attacks, they are also leveraging the wider global interest around AI itself as a social engineering lure," and that the campaigns "span phishing, malvertising, and search engine optimization-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection." Microsoft noted that the 45-minute window between the DeepSeek V4 preview and the appearance of the fake GitHub organization demonstrates how rapidly threat actors monitor and exploit high-profile AI announcements.

 

In the know

The Claude-themed campaign impersonated Anthropic's brand to redirect victims toward Microsoft authentication pages designed to steal session tokens, combining AI brand trust with adversary-in-the-middle credential harvesting in a single attack chain. Earlier in May 2026, Microsoft documented a separate campaign impersonating Paubox's brand in a fake code of conduct notification, falsely claiming emails were encrypted using Paubox to add HIPAA compliance credibility to the lure. According to the Microsoft Security Blog report, healthcare and life sciences were the most targeted sector at 19% of all recipients. The pattern across both campaigns is identical, trusted brand impersonation paired with multi-stage redirect chains that defeat reputation-based filtering.

 

The big picture

Healthcare organizations deploying AI tools for clinical documentation, administrative workflows, and patient communications are adding new brands to the list that their staff recognizes and trusts. Each AI platform an employee uses becomes a potential lure in future campaigns. A billing administrator who uses Claude for administrative drafting and receives an email claiming a Claude policy violation will apply less scrutiny than one who has never heard of the platform. The speed of the DeepSeek campaign operational within 45 minutes of a product announcement confirms that threat actors monitor AI news cycles as actively as any enterprise IT team. According to Paubox's Shadow AI report, 95% of healthcare organizations report staff using unapproved AI tools, meaning the attack surface of familiar AI brands extends well beyond officially sanctioned platforms into the full range of tools staff have adopted independently.

 

FAQs

Why do AI platform brands make particularly effective phishing lures?

AI platforms are new enough that many users are still learning what legitimate communications from these services look like, creating uncertainty that attackers exploit. Millions of people use these tools daily, making the potential pool of targets large, and the combination of urgency, subscription downgrade, and policy violation with a familiar brand name is a proven social engineering formula.

 

How does routing victims through trusted domains defeat email security tools?

Email security gateways assess the reputation of each domain a link points to. Legitimate CRM services, Amazon tracking domains, and URL shorteners all carry clean reputations. Attackers chain several trusted redirects before the malicious destination, ensuring every hop the gateway inspects returns a clean result while the actual phishing page remains out of reach until the victim clicks through.

 

What is Vidar infostealer, and what does it collect?

Vidar is a credential-stealing malware that harvests saved browser passwords, cookies, cryptocurrency wallets, and screenshots from infected devices. In the DeepSeek campaign, it was delivered silently after the victim launched what appeared to be a legitimate AI plugin, with the malware fetching its payload from an attacker-controlled server only after execution.

 

How did Fox Tempest's code-signing infrastructure enable the DeepSeek malvertising campaign?

Fox Tempest sold fraudulently obtained Microsoft code-signing certificates to criminal operators, making malicious executables appear legitimate to Windows and endpoint security tools. The fake AI plugin in the DeepSeek campaign used a Fox Tempest certificate to pass security checks at download and installation. Microsoft dismantled Fox Tempest in May 2026, though certificates already distributed to operators remain in circulation.

 

What verification habits reduce the risk from AI brand phishing?

Any email related to an AI subscription, account status, or policy violation should be verified by going directly to the platform's official website through a manually typed URL, not through a link in the email. AI platforms do not require users to call phone numbers or download PDF appeal forms to resolve account issues, and any communication making those requests should be treated as suspicious, regardless of how convincing the branding appears.