Phishing Campaign Exploits Kuse.ai for Credential Harvesting
Severity: Medium (Score: 58.5)
Sources: Letsdatascience, Blog.Knowbe4
Keywords: kuse, phishing, attackers, host, abusing, trend, micro
Summary
On April 9, 2026, Trend Micro reported a phishing campaign leveraging Kuse.ai, an AI workplace app, to host malicious Markdown documents. Attackers utilized a Vendor Email Compromise (VEC) to send crafted emails that redirected users to a fake Microsoft login page. The phishing links appeared legitimate due to Kuse.ai's domain, which reduced suspicion among recipients. The campaign's tactics included using a blurred document preview and the uncommon .md file extension to evade detection. This incident highlights the risk of reputable platforms being exploited for phishing. Trend Micro's report did not include a statement from Kuse.ai regarding the incident. The attack primarily targets corporate users who may trust communications from known vendors.
Key Points:
- Attackers exploited Kuse.ai's features to host phishing content.
- The phishing method involved Vendor Email Compromise (VEC) tactics.
- Use of a blurred preview and .md extension helped bypass security filters.
Detailed Analysis
**Impact** Corporate users were targeted through Vendor Email Compromise (VEC) involving compromised vendor mailboxes. The campaign affected organizations relying on Microsoft login credentials, with no specific sectors or geographies detailed. Credential theft risk is high due to redirection to fake Microsoft login pages, potentially enabling unauthorized access to corporate environments. No quantified scope or reported data loss figures are provided.
**Technical Details** Attackers used compromised vendor mailboxes to send phishing emails containing links to malicious Markdown (.md) documents hosted on the legitimate app.kuse.ai domain. The .md files displayed blurred previews with calls-to-action, redirecting victims to credential-harvesting fake Microsoft login pages. No malware or CVEs were reported; the campaign leveraged social engineering, evasion via uncommon file types, and trusted domain hosting. Indicators of compromise (IOCs) are partially redacted due to VEC context and not publicly disclosed.
**Recommended Response** Monitor email and web proxy handling of Markdown (.md) files and rendered document previews, adjusting filtering rules to detect unusual file types and suspicious link redirections. Implement user awareness training focused on vendor email compromise and phishing via trusted platforms. Watch for vendor advisories from Kuse.ai and updated IOCs from Trend Micro. No patches or CVEs apply; focus on detection tuning and monitoring for malicious use of legitimate collaboration tools.
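
One way to start the detection tuning recommended above, as an added example that is not taken from Trend Micro or the source articles: it flags links to .md documents on app.kuse.ai in message bodies and proxy logs, and marks mail from a known vendor domain as the VEC case. The URL layout, the proxy log format, and the vendor.example domain are assumptions; the sample data is constructed.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

WATCHED_HOSTS = {"app.kuse.ai"}        # the only hosting domain named in the report
VENDOR_DOMAINS = {"vendor.example"}    # placeholder: replace with your vendor list
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_hosted_markdown(url):
    """True if url is on a watched host and names a .md document."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in WATCHED_HOSTS:
        return False
    # Assumption: the file name may sit in the path or in a query value.
    candidates = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query)]
    return any(c.lower().endswith(".md") for c in candidates)

def flag_email(sender, body):
    """Return (matching_urls, from_vendor); from_vendor marks the VEC case."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    hits = [u for u in urls if is_hosted_markdown(u)]
    domain = sender.rsplit("@", 1)[-1].lower()
    return hits, bool(hits) and domain in VENDOR_DOMAINS

def flag_proxy(lines):
    """Return (user, url) for log lines that fetched hosted Markdown.
    Assumed line format: timestamp user method url status."""
    out = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and is_hosted_markdown(fields[3]):
            out.append((fields[1], fields[3]))
    return out

# Constructed samples; paths, users and file names are invented.
SAMPLE_BODY = ("Hi, the revised statement is here: "
               "https://app.kuse.ai/share/EXAMPLE/Statement.md. Regards")
SAMPLE_PROXY = [
    "2026-04-09T10:01:02Z alice GET https://app.kuse.ai/share/EXAMPLE/Statement.md 200",
    "2026-04-09T10:01:09Z bob GET https://app.kuse.ai/assets/app.js 200",
    "2026-04-09T10:02:30Z carol GET https://example.org/README.md 200",
]

if __name__ == "__main__":
    print(flag_email("ap@vendor.example", SAMPLE_BODY))
    print(flag_proxy(SAMPLE_PROXY))
```

A hit here is a triage signal, not a verdict: legitimate Kuse.ai shares will match too, so correlate with a following request to a non-Microsoft page that asks for Microsoft credentials.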
Source articles (2)
- Attackers Abuse Kuse.ai to Host Phishing Pages | Let's Data Science — Letsdatascience · 2026-05-19
  On April 9, 2026, Trend Micro's TrendAI Managed Services Team identified a phishing campaign that abused the storage and sharing features of Kuse.ai, a workplace AI web app, to host a malicious Markd…
- Warning: Phishing Attacks Are Abusing the Kuse AI App — Blog.Knowbe4 · 2026-05-19
  Attackers are abusing the storage and sharing features of Kuse, a free AI app, to assist in phishing campaigns, according to researchers at Trend Micro. Kuse is a legitimate agentic AI platform used b…
Timeline
- 2026-04-09 — Phishing campaign identified: Trend Micro reported a phishing campaign using Kuse.ai to host malicious Markdown documents, targeting corporate credentials.
- 2026-04-09 — Vendor Email Compromise initiated: Attackers compromised a vendor mailbox to send crafted emails leading to phishing links on Kuse.ai.
- 2026-05-19 — Public warning issued: KnowBe4 and other sources reported on the phishing campaign, raising awareness about the abuse of Kuse.ai.
Related entities
- Phishing (Attack Type)
- app.kuse.ai (Domain)
- kuse.ai (Domain)
- T1566.002 - Spearphishing Link (Mitre Attack)
- Microsoft (Company)
- Kuse (Tool)