{
  "Event": {
    "analysis": "1",
    "date": "2026-04-29",
    "extends_uuid": "",
    "info": "[Threat Intel] Kuse Web App Abused to Host Phishing Document",
    "protected": false,
    "publish_timestamp": "1779545873",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1777769636",
    "uuid": "e265b918-ddde-4208-a881-427fc211fd37",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#717bc3",
        "local": false,
        "name": "misp-galaxy:producer=\"Trend Micro\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546818",
        "to_ids": false,
        "type": "link",
        "uuid": "86ae76d8-280b-49b1-a961-91bb10af64d7",
        "value": "https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546818",
        "to_ids": false,
        "type": "text",
        "uuid": "211c01d9-9f53-4c6e-876d-432de93a93a0",
        "value": "Bad actors exploited Kuse, a legitimate AI-based workplace application, to conduct a phishing campaign. Attackers leveraged a Vendor Email Compromise (VEC) to send malicious emails from a trusted vendor's compromised mailbox, establishing initial trust. The attack utilized Kuse's file-sharing features to host a fake blurred document with a Markdown file extension (.md) under the legitimate domain app[.]kuse[.]ai. Victims were presented with a fabricated document preview containing Spanish text prompting them to click a link. Clicking the link redirected users to a fraudulent Microsoft login page designed to harvest credentials. The attack combined multiple social engineering techniques including domain trust exploitation, unusual file extensions to evade detection, and vendor relationship abuse to bypass security controls and user scrutiny."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546818",
        "to_ids": false,
        "type": "text",
        "uuid": "0e1ae809-3cbb-41fb-97f2-1b4182c94137",
        "value": "Name: Kuse Web App Abused to Host Phishing Document\nAuthor: AlienVault\nAdversary: \nTags: [\"fake login page\", \"credential harvesting\", \"vendor email compromise\", \"supply chain\", \"ai platform abuse\", \"markdown file\", \"social engineering\", \"phishing\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777766977",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1b35dee6-5dec-4c8c-8cd2-d6f4a3b404a5",
        "value": "91.92.41.64",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
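        "comment": "Generic shared-note path on the legitimate Kuse domain, with no note identifier; prefix or substring matching on this value would also hit benign Kuse shared notes.",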
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777766999",
        "to_ids": true,
        "type": "url",
        "uuid": "80b821db-a4bb-48ad-9c99-0fa5fad3797b",
        "value": "https://app.kuse.ai/sharednote/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767020",
        "to_ids": true,
        "type": "url",
        "uuid": "7135aa9d-03c5-45c5-86f8-c425b830a744",
        "value": "https://onlineapp.ooraikaoo.info/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767041",
        "to_ids": true,
        "type": "hostname",
        "uuid": "dfa7dc39-2bca-4834-8a59-b86e91cbb62e",
        "value": "onlineapp.ooraikaoo.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}