(520) 462-0516

info@threatintel-solutions.net

Threat Intel Solutions

Let’s Talk

New Gmail Phishing Attack Uses AI Prompt Injection to Evade Detection

Phishing has always been about deceiving people. But in this campaign, the attackers weren’t only targeting users; they also attempted to manipulate AI-based defenses.This is an evolution of the [Gmail phishing](https://cybersecuritynews.com/gmail-phishing-attack/) chain I documented last week. That campaign relied on urgency and redirects, but this one introduces hidden AI prompts designed to confuse automated analysis.According to Anurag’s analysis, the phishing email arrived with the subject: Login Expiry Notice 8/20/2025 4:56:21 p.m. The body warned the recipient that their password would expire, urging them to confirm their credentials. ![Expiry notice](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP4TNM8_cujLmZquRNcifHigqlgcwTbY5JiKpuQCO3fwFGUcJLZK_eXoeF_iBY36jjKRTsNiiQ7PyqpoWshXB7Jf3X4LSLbIfisTfdxobqwK_oOs_DxxP7_XWszCwciCgdJP92gGDbhe7IAJgZzJ0t7bX1RgngEmpjxmjgeBHP1KYm5FkY5y7DbDwRN0Qa/s16000/gmailblg21.webp) Expiry noticeFor the user, this is standard [social engineering](https://cybersecuritynews.com/social-engineering-tactics/) that leverages urgency and impersonates official Gmail branding to provoke a quick, unthinking click.**Prompt Injection Against AI**——————————-The real innovation lies hidden from the user. Buried within the email’s source code is text deliberately written in the style of prompts for large language models like ChatGPT or Gemini.This ‘prompt injection’ is designed to hijack the AI-powered security tools that Security Operations Centers (SOCs) increasingly use for triage and threat classification. ![Gmail Phishing With Prompt Injection](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPsopIOTzcCMJ1bCmgvy4AHeblkhDwh4BXEyOjDA8-yQm3dBv34fa36BPIVv_MKrd-iOz7l-EhNwcII7krrDwegJcQsEWDg9qAnjMn7rsX_2aXi4x_pNr9Vo9GQ7ZLyPhRFNdsQ99xtDp1xh0UTX-I4frA82j0_LXxEKMCL8O-1pDdUyJ-8K3FQcEJderW/s16000/gmailblg28-1.webp) prompt InjectionInstead of identifying the malicious links and flagging the email, an AI model might be distracted by the injected instructions, which command it to engage in long reasoning loops or generate irrelevant perspectives. This dual-track attack targets human psychology and machine intelligence simultaneously, Anurag [said](https://malwr-analysis.com/2025/08/24/phishing-emails-are-now-aimed-at-users-and-ai-defenses/).If successful, it could cause automated systems to misclassify the threat, delay critical alerts, or allow the phish to slip through defenses entirely.The delivery chain shows further sophistication.1. **Email Delivery:** The email originated from SendGrid. It successfully passed SPF and DKIM checks but failed DMARC, which allowed it to land in the user’s inbox.2. **Staging Redirect:** The initial link in the email used Microsoft Dynamics to create a trustworthy-looking first hop. * `hxxps://assets-eur.mkt.dynamics.com/d052a1c0-a37b-f011-8589-000d3ad8807d/digitalassets/standaloneforms/0cecd167-e07d-f011-b4cc-7ced8d4a4762`3. **Attacker Domain with Captcha:** The redirect led to a page with a captcha designed to block automated crawlers and sandboxes from accessing the final phishing site. * `hxxps://bwdpp.horkyrown.com/M6TJL@V6oUn07/`4. **Main Phishing Site:** After the captcha, the user was directed to a Gmail-themed login page containing obfuscated JavaScript. * `hxxps://bwdpp.horkyrown.com/yj3xbcqasiwzh2?id=[long_id_string]`5. **GeoIP Request:** The phishing site made a request to collect the victim’s IP address, ASN, and geolocation data to profile the user and filter out analysis environments. * `hxxps://get.geojs.io/v1/ip/geo.json`6. **Beacon Call:** A telemetry beacon or session tracker was used to distinguish real users from bots. * `GET hxxps://6fwwke.glatrcisfx.ru/tamatar@1068ey`Emails sent via SendGrid bypass initial filters, and a redirect through a legitimate Microsoft Dynamics URL makes the first hop seem trustworthy.A CAPTCHA protects the attacker’s domain to block automated scanners, and the final phishing page uses multi-layered, obfuscated JavaScript to steal credentials.While definitive attribution is challenging, WHOIS records for the attacker’s domain (`bwdpp.horkyrown.com`) list contact information in Pakistan, and URL paths for telemetry beacons (`6fwwke.glatrcisfx.ru/tamatar@1068ey`) contain Hindi/Urdu words.These clues, though not conclusive, suggest a possible link to threat actors in South Asia.This campaign highlights a clear evolution in phishing tactics. Attackers are now building AI-aware threats, attempting to poison the very tools meant to defend against them.This forces a shift in defensive strategy, requiring organizations to protect not only their users from social engineering but also their AI tools from prompt manipulation.**Find this Story Interesting! Follow us on [LinkedIn](https://www.linkedin.com/company/cybersecurity-news/) and [X](https://x.com/cyber_press_org) to Get More Instant Updates**.The post [New Gmail Phishing Attack Uses AI Prompt Injection to Evade Detection](https://cybersecuritynews.com/gmail-phishing-with-prompt-injection/) appeared first on [Cyber Security News](https://cybersecuritynews.com).

Related Tags:
NAICS: 519 – Web Search Portals

Libraries

Archives

Other Information Services

NAICS: 517 – Telecommunications

NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 51 – Information

Blog: Cybersecurity News

Phishing

Associated Indicators:
https://6fwwke.glatrcisfx.ru/tamatar@1068ey

https://bwdpp.horkyrown.com/yj3xbcqasiwzh2?id=

https://get.geojs.io/v1/ip/geo.json

get.geojs.io

https://assets-eur.mkt.dynamics.com/d052a1c0-a37b-f011-8589-000d3ad8807d/digitalassets/standaloneforms/0cecd167-e07d-f011-b4cc-7ced8d4a4762

bwdpp.horkyrown.com

6fwwke.glatrcisfx.ru

assets-eur.mkt.dynamics.com

Search

Popular Posts

Categories

Pages

Archives

Tags

Follow Us