Attackers are using Claude as the bait

· Carl Heaton · Security AI

Microsoft's threat intelligence team published research in mid-June on a category of phishing it expects to be permanent. The lures use the names and visual identities of the popular AI tools: ChatGPT, Microsoft Copilot, DeepSeek, and Anthropic's Claude. The attackers are not pretending to be sophisticated. They are pretending to be the AI vendor your staff already use, or want to use, and they are catching people in the middle of the most-hyped technology of the decade.

This filing covers the campaigns Microsoft saw, why the lures work, and the four-line change in procurement that closes most of the route.

What Microsoft observed

Microsoft's report described four distinct campaigns running concurrently.

ChatGPT-themed phishing emails. A campaign that began in South Africa, scaled to 4,500 mailboxes there, then expanded to Switzerland and Austria. At peak it was sending 100,000 emails a day. The hook was a fake "please update your payment method" message that linked to a credential-harvesting page styled like OpenAI's login. Microsoft did not publish a recovered-credential count but flagged the campaign as actively succeeding.

Claude-themed phishing. A separate wave that reached more than 2,000 organisations across the United States, the United Kingdom, and India. Higher education and professional services were the named target sectors. The emails offered a "Claude Enterprise upgrade" or "Claude for Workspaces" with a link to a fake Anthropic login. As with the ChatGPT wave, the payload was credential harvesting.

DeepSeek-themed malicious installers. Fake GitHub repositories advertising "DeepSeek V4" delivered archives containing the Vidar Stealer malware. Vidar collects browser-saved credentials, session cookies, and crypto wallets. The lure was that DeepSeek's V4 release had not yet shipped at the time, so search-engine traffic for the term was largely unsatisfied; the attackers filled the gap.

Malvertising for fake AI tools. Google, Bing, and AI-search advertising for products with names like "Awesome AI Windows Plugin" and "Flux Pro AI". The installers were trojanised. The advertising spend was funded out of the attacker's first batch of stolen credentials.

Microsoft's overall assessment, in its own words: "AI-themed lures reflect a shift in social engineering that is likely to persist as a long-term tactic used by threat actors, from cyber criminal groups to nation states." Translation: this is not a fad and it is not going away. The brand will rotate as the popular tools change; the technique is stable.

Why these lures work

Three things make AI-themed phishing more effective than the average campaign.

The procurement process is broken. Most UK SMEs do not have a list of "AI tools we use". Staff sign up to ChatGPT or Claude on a corporate email, the receipts go to expenses, and IT finds out later. We covered the broader version of this in "your staff are using AI, you're paying twice". The relevant point here is that, because the procurement is informal, an email saying "please update your Claude payment method" lands in a context where the staff member has no internal contact who can verify it. They click. The page looks right. They enter the credentials.

The brands are unfamiliar and the URLs are forgiving. The legitimate domains include anthropic.com, claude.ai, openai.com, chatgpt.com, deepseek.com, and a long tail. Most users could not tell you which one is the official one for which tool. A fake page on claude-enterprise.com or anthropic-billing.io is plausible to anyone who has not memorised the canonical domain.

The technology is genuinely changing fast. A real "Claude Enterprise upgrade" email could arrive at any time. Real product features change weekly. Real billing changes happen often. Staff are habituated to "AI tool X has a new thing" being a legitimate message. The space for the fake one to hide in is wide.

The result, on Microsoft's numbers, is a phishing landing rate notably higher than the same email styled as a generic Office 365 password reset would achieve. The targets are not stupid; the context is genuinely hard to read.

What the payload usually is

The four campaigns differ in delivery; the payloads are familiar.

Credential harvesting. Most of the email-based campaigns deliver a fake login page. The credentials harvested are often used directly: the attacker logs into the real OpenAI or Anthropic account, finds the corporate single-sign-on link, and pivots. If the real account uses the same password as the corporate Microsoft 365 account, the attacker is now in the corporate email.

Info-stealer malware. The DeepSeek and malvertising campaigns deliver Vidar Stealer or one of its close cousins (Raccoon, RedLine, LummaC2). These run for a few minutes and exfiltrate everything the browser has saved: passwords, cookies, autofill data, payment cards. The session cookies are the most valuable piece. A live Microsoft 365 session cookie lets the attacker bypass MFA entirely, because they are not logging in; they are resuming the existing session.

Lateral access via the AI tool itself. A less common but more dangerous variant. The attacker, having logged into the real Claude or ChatGPT account, finds the conversation history. That history often contains a lot of corporate context: code, contract drafts, customer data, internal strategy. Even where the AI account is not connected to anything else, the conversation log is itself a useful prize. We covered the underlying issue in "prompt injection is not the new SQL injection".

The procurement change that closes most of the route

The technical defences against this attack are not new. MFA, password managers, browser-isolation tools, EDR catching info-stealers. All worth running. None of them are the main lever for an SME.

The main lever is procurement. Four lines of policy, on a single page that staff can read in a minute.

One sanctioned AI tool per category, paid by the firm. Not three. One. The firm pays. The account is provisioned through single sign-on with the corporate identity provider. Staff cannot sign up to it personally because they do not have to.

A named domain list for each sanctioned tool. "Claude is at claude.ai. Anthropic billing is at console.anthropic.com. Anything else is not us." Put the list on the same page. When the staff member sees a Claude-branded email from claude-enterprise.com, the policy says "not us".

A no-link-clicking rule for billing or upgrade messages. "If you see a real billing or upgrade message, log into the tool directly using your bookmark, do not click the link in the email." This is the rule that, applied universally, closes the credential-harvest route regardless of the brand.

A named internal contact for AI tool questions. Not "the helpdesk". One person, with their email address on the same page. When the staff member is unsure whether an email is real, they forward it to that person. Five minutes a week from the named contact, and the firm catches every wave of these campaigns at the entry point.

These four lines are not the whole answer. They are the answer for at least 80% of what Microsoft is seeing. The remaining 20% is the malware payload from the malvertising campaigns, which sits outside the email channel and needs an endpoint-protection answer. That is a separate question, and one most SMEs have already partially answered with Microsoft Defender or a similar tool.
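A concrete form of the domain-list and no-link-clicking rules, as an added example rather than anything from the article or Microsoft's report: a small Python checker that pulls the URLs out of a message and compares each hostname against the sanctioned list, matching on whole labels so that lookalikes such as claude-enterprise.com fail while genuine subdomains pass. The sanctioned list and the sample lure are constructed here for illustration.

```python
"""Check links in an AI-vendor-branded message against the firm's
sanctioned domain list (the "named domain list" from the procurement page).
Added example; the list and the sample lure below are constructed."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed sanctioned-domain list: one canonical entry per tool.
SANCTIONED_DOMAINS = {
    "claude.ai": "Claude (Anthropic)",
    "console.anthropic.com": "Anthropic billing",
}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def hostname_of(url: str) -> str | None:
    """Lower-cased hostname of a URL, or None if it has no host.
    urlsplit strips userinfo, so https://claude.ai@evil.example/ yields
    evil.example rather than the brand name placed before the '@'."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def is_sanctioned(host: str) -> bool:
    """True only if host equals, or is a subdomain of, a sanctioned domain.
    Matching is on whole labels: claude-enterprise.com and
    claude.ai.evil.example both fail, docs.claude.ai passes."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)


def classify_links(message: str) -> dict[str, list[str]]:
    """Sort every URL in a message into sanctioned and unsanctioned hosts."""
    result: dict[str, list[str]] = {"sanctioned": [], "unsanctioned": []}
    for url in URL_RE.findall(message):
        host = hostname_of(url)
        if host is not None and is_sanctioned(host):
            result["sanctioned"].append(host)
        else:
            result["unsanctioned"].append(host or url)
    return result


# Constructed sample lure in the style of the "Claude Enterprise upgrade" wave.
SAMPLE_LURE = """Your Claude Enterprise upgrade is ready.
Confirm billing at https://claude-enterprise.com/billing/update
or sign in via https://claude.ai@anthropic-billing.io/login
Genuine bookmark: https://claude.ai/"""

if __name__ == "__main__":
    print(classify_links(SAMPLE_LURE))
```

Anything landing in the unsanctioned bucket is exactly what the "not us" line of the policy tells staff to forward to the named contact instead of clicking.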

The deeper read

What makes this category permanent is not the AI hype. It is the gap between the speed of new product launches and the speed of internal procurement. The brand will not always be Claude. Next year it will be whichever model is having a moment. The attack will still work, because the procurement process is still informal, the URL list is still unwritten, and the staff member is still alone with an email they want to be real.

The cheap procurement page in the four lines above closes the "staff member alone" half. The technology will keep moving. The page does not have to.

How Steelwise can help

Writing the four-line AI procurement page, drafting the canonical-domain list, and naming the internal contact who reviews unusual AI-vendor emails is the kind of practical work we do with clients. Get in touch.
