Microsoft Threat Intelligence has documented a wave of campaigns that wrap well-known AI platform branding, including ChatGPT, Microsoft Copilot, Anthropic’s Claude, and DeepSeek, around credential theft, fraud, and malware.
Microsoft was clear that the activity is brand impersonation, not a compromise of any of the named services.
Behind the AI-themed lures sit longstanding tactics, refined with some genuinely clever evasion.
The Lure Is AI, the Substance Is Evasion
The most interesting technique surfaced in malvertising that pushed a fake “Awesome AI Windows Plugin.” Once a victim ran the installer, it displayed a “Continue” checkbox and did nothing until clicked.
Because an automated sandbox cannot make that click itself, the malware stayed dormant during analysis and only detonated for a genuine user, a malware-side echo of the CAPTCHAs commonly used to screen out phishing-page scanners.
That same anti-analysis instinct ran through the phishing campaigns. A ChatGPT-themed operation, which Microsoft saw send up to 100,000 emails in a single day, posed as a billing notice about ChatGPT Plus payment details, then bounced victims through a chain of legitimate services, including an Amazon tracking domain, to slip past email filters before landing them on a compromised site that harvested card data.
A separate Claude-themed campaign impersonated Anthropic with a fake account-policy “appeal” PDF, gated its landing pages behind a verification prompt to block sandboxes, and showed signs of an adversary-in-the-middle (AiTM) setup built to steal authentication tokens.
Weaponizing Search and Trust
The DeepSeek campaign, on the other hand, showed how fast attackers move on a launch. Within about 45 minutes of DeepSeek previewing its V4 model, a threat actor stood up a fake GitHub repository dressed in the company’s real logo and genuine benchmarks, then tuned it to rank for download searches and even to appear in AI-assisted search results.
The result, per Microsoft, was that the fraudulent repository outranked official sources on GitHub, Bing, and Google for natural queries, delivering Vidar infostealer to anyone who grabbed the fake installer.
Microsoft attributed much of the malvertising to an initial access broker it tracks as Storm-3075, distributing payloads for multiple downstream actors, and noted that some of the malware was signed using a malware-signing-as-a-service operation it calls Fox Tempest, lending fraudulent binaries added credibility that lowers early detection.
The tech giant said AI-themed lures represent a durable shift in social engineering, and urged defenders to require phishing-resistant multifactor authentication (MFA), to recheck links at time of click, and to rely on browser protections that block known-malicious sites.
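As an added illustration of the time-of-click recheck Microsoft recommends, applied to the redirect-chain evasion described in the ChatGPT billing campaign, the Python below walks a recorded chain of hops and flags a lure that claims one brand but lands elsewhere after passing through a legitimate redirector. This is example code, not Microsoft's tooling; the sample chain, the brand-to-domain map and the redirector list are constructed assumptions.

```python
# Added example (not from the Microsoft report): a click-time recheck that
# scores a link's redirect chain against the brand the lure claims.
from urllib.parse import urlparse

# Constructed: hops a URL-rewriting proxy might record when it follows the
# link at click time. The Amazon hop stands in for the tracking domain the
# report mentions; the final host is a made-up placeholder, not a real IoC.
SAMPLE_CHAIN = [
    "https://mail-tracker.example/r?id=123",
    "https://www.amazon.com/gp/r.html?R=abc&U=https://billing-update.example.net/",
    "https://billing-update.example.net/chatgpt/plus/verify",
]

# Domains a lure for each brand could legitimately resolve to (assumption).
BRAND_DOMAINS = {
    "chatgpt": {"openai.com", "chatgpt.com"},
    "claude": {"anthropic.com", "claude.ai"},
}

# Well-known hosts that issue open or tracking redirects (assumption).
REDIRECTORS = {"amazon.com"}

def registrable(host: str) -> str:
    """Collapse a hostname to its last two labels (enough for this demo)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def assess_chain(brand: str, chain: list[str]) -> dict:
    """Score a click-time redirect chain against the brand the lure claims."""
    hosts = [registrable(urlparse(u).hostname or "") for u in chain]
    landing = hosts[-1]
    via_redirectors = [h for h in hosts[:-1] if h in REDIRECTORS]
    mismatch = landing not in BRAND_DOMAINS.get(brand, set())
    # Block when the lure claims a brand but lands elsewhere after bouncing
    # through a legitimate redirector; a bare mismatch is sent for review.
    verdict = ("block" if mismatch and via_redirectors
               else "review" if mismatch else "allow")
    return {
        "landing": landing,
        "brand_mismatch": mismatch,
        "via_redirectors": via_redirectors,
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(assess_chain("chatgpt", SAMPLE_CHAIN))
```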