AI-driven threat detection spots credential-harvesting chains early—before users hand over passwords and 2FA codes. Learn what BlueDelta’s playbook reveals.
AI Stops Credential Harvesting Before Users Get Hooked
BlueDelta didn’t need zero-days to cause damage. It needed logins.
Recorded Future tracked a sustained credential-harvesting campaign against UKR.NET users running from June 2024 through April 2025, with 42 distinct credential-harvesting chains identified. The group behind it—BlueDelta (APT28 / Fancy Bear / Forest Blizzard)—used a disciplined, repeatable playbook: PDF lures, fake UKR.NET login portals, and free web infrastructure to capture usernames, passwords, and even two-factor authentication (2FA) codes.
Here’s the uncomfortable part: most organizations still try to stop campaigns like this with a mix of static blocklists, “don’t click links” training, and after-the-fact password resets. That approach loses because the attacker iterates faster than humans can update controls.
This post is part of our AI in Cybersecurity series, and I’m going to use BlueDelta’s UKR.NET operation as a practical case study: where traditional defenses break, what signals actually matter, and how AI-driven detection can catch credential theft earlier—often before a user ever types a password.
What BlueDelta’s UKR.NET campaign teaches us
BlueDelta’s campaign shows a modern truth about phishing and credential theft: the infrastructure is disposable, but the behavior is consistent.
The Insikt Group analysis documented a multi-step chain that stayed largely stable across months:
- Delivery: phishing messages that carried PDF attachments with embedded links (a smart choice for evading some email scanning and sandboxing).
- Redirection: link shorteners and free hosted domains to hide the true destination.
- Harvesting: UKR.NET-themed credential pages hosted on Mocky.
- Relay/proxy: traffic and captured credentials moved through ngrok or Serveo tunneling/port forwarding.
- Upstream servers: dedicated tier-four infrastructure receiving the data.
This wasn’t spray-and-pray. It was operationally persistent, with clear signs of adaptation—especially after Western-led infrastructure takedowns in early 2024 pushed actors away from compromised routers and toward tunneling services.
The “PDF lure” detail isn’t minor—it’s a strategy
PDF lures are having a moment again, and for a simple reason: they often pass through systems that are tuned to treat Office macros and executable attachments as the bigger threat.
In the observed lures, the PDFs posed as security notices (“suspicious activity” / “reset your password”) and pushed the user to click a link. That’s not novel. What’s effective is that the malicious link is one click deeper, which can reduce the probability that automated analysis detonates the full chain.
The practical takeaway: if your detection strategy treats PDFs as low-risk, you’re creating a blind spot.
Free web services make attribution hard—and blocking messy
BlueDelta leaned heavily on:
- Mocky (to host the fake login pages)
- DNS EXIT (free subdomains)
- Byet Internet Services domains like html-5[.]meandis-great[.]org (redirect infrastructure)
- ngrok / Serveo (to proxy and relay data)
- HTTPBin (to capture victim IP addresses)
Security teams struggle here because “block all of ngrok” may break legitimate developer workflows. But doing nothing is worse. The smarter move is conditional access + anomaly detection, which is where AI shines.
How the attack chain works (and where defenders usually lose)
BlueDelta’s chain is a good example of an attacker optimizing for one goal: get the user to complete the login flow without raising suspicion.
A simplified version looks like this:
- User receives a PDF that claims urgent account activity.
- User clicks a link that might go through a shortener.
- User lands on a UKR.NET lookalike login page.
- The page captures username + password, then prompts for 2FA code.
- Behind the scenes, the actor uses reverse proxy/tunneling to relay content and collect inputs.
Two details from the report matter for defenders:
- BlueDelta used JavaScript to relay CAPTCHA and 2FA interactions, not just grab passwords.
- They added an HTTP header (ngrok-skip-browser-warning) specifically to suppress ngrok’s safety warning page, reducing user suspicion.
That’s the pattern: attackers aren’t only bypassing security controls; they’re bypassing user doubt.
Why “MFA everywhere” isn’t enough
MFA helps. Phishing-resistant MFA helps a lot more. But this campaign highlights a reality security leaders need to say out loud:
If your MFA can be typed into a webpage, an attacker can probably steal it.
Credential-harvesting kits increasingly support real-time theft of one-time codes. If the target service allows it, attackers can replay the stolen code quickly.
So the goal shifts from “MFA on” to:
- phishing-resistant MFA (FIDO2/WebAuthn, hardware keys, or device-bound passkeys)
- risk-based authentication (step-up challenges based on behavior)
- session and proxy detection
Where AI-driven detection catches what humans miss
AI doesn’t win by “knowing” a domain is bad. It wins by spotting relationships, sequences, and anomalies across email, web, identity, and network telemetry.
BlueDelta’s campaign is basically a neon sign for behavioral analytics because it repeats the same shapes:
- PDF → external link → redirect chain → hosted login page → proxy/tunnel → suspicious auth
No single event guarantees malice. The combination and timing are the tell.
1) AI for phishing lure detection (email + document signals)
Answer first: AI is effective here because it classifies intent and context, not just file type.
Email security that uses ML can flag UKR.NET-style lures by combining features such as:
- language patterns used in “security notice” scams
- sender reputation and authentication anomalies
- the presence of embedded URLs inside PDFs
- link patterns that match redirect infrastructure (shorteners, free hosts)
A practical approach I’ve found to work: score the message and the attachment together. A benign PDF from a trusted sender looks different from a “reset password now” PDF from an unfamiliar sender domain, even if neither contains malware.
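The joint scoring described above, as an added example that is not code from the original post or from Recorded Future: it pulls the link targets out of a PDF’s /URI actions and scores them together with sender-side features. The watchlists, weights, sample messages and the minimal PDF bytes are all constructed for the example; only the UKR.NET service domain comes from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF fragment with two link annotations (not a real lure).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://t.ly/abc123) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://run.mocky.io/v3/0f1e-example) >> >> endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /A << /S /URI /URI (https://partner.example/invoice/123) >> >> endobj\n"
    b"%%EOF\n"
)

# Assumed watchlists and phrases; tune them to your own telemetry.
THEME_PHRASES = ("suspicious activity", "reset your password", "verify your account")
SHORTENERS = {"bit.ly", "t.ly", "tinyurl.com"}
FREE_HOSTS = {"mocky.io", "ngrok.io", "ngrok-free.app", "serveo.net"}

# Matches the URI string of an uncompressed /URI link action.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_pdf_uris(pdf_bytes):
    """Return the targets of /URI link actions found in the raw PDF bytes.
    Only uncompressed objects are covered; a production parser must also
    inflate object streams and handle escaped parentheses."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def host_in(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def score_message(msg, pdf_bytes, service_domains):
    """Score the message and its PDF attachment together (0..100)."""
    score, reasons = 0, []
    text = (msg["subject"] + " " + msg["body"]).lower()
    themed = any(p in text for p in THEME_PHRASES)
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    if themed and not host_in(sender_domain, service_domains):
        score += 30
        reasons.append("account-security theme from a non-service sender")
    if not (msg["spf_pass"] and msg["dkim_pass"]):
        score += 15
        reasons.append("sender authentication failed")
    if msg["first_seen_sender"]:
        score += 10
        reasons.append("first-time sender")
    uris = extract_pdf_uris(pdf_bytes)
    for uri in uris:
        host = urlparse(uri).hostname
        if host_in(host, SHORTENERS):
            score += 20
            reasons.append(f"PDF link to URL shortener: {host}")
        elif host_in(host, FREE_HOSTS):
            score += 25
            reasons.append(f"PDF link to free host/tunnel: {host}")
        elif not host_in(host, service_domains):
            score += 5
            reasons.append(f"PDF link outside service domains: {host}")
    if themed and uris:
        # The combination, not either feature alone, is what the lure relies on.
        score += 10
        reasons.append("security theme combined with a clickable PDF link")
    return min(score, 100), reasons


# Constructed messages for a lure and a benign business mail.
LURE_MSG = {
    "from": "alerts@mail-notify.example",
    "subject": "Suspicious activity detected on your account",
    "body": "Open the attached notice and reset your password within 24 hours.",
    "spf_pass": False, "dkim_pass": False, "first_seen_sender": True,
}
BENIGN_MSG = {
    "from": "accounts@partner.example",
    "subject": "Q3 invoice attached",
    "body": "Please find the September invoice attached.",
    "spf_pass": True, "dkim_pass": True, "first_seen_sender": False,
}

if __name__ == "__main__":
    for name, msg, pdf in (("lure", LURE_MSG, SAMPLE_PDF), ("benign", BENIGN_MSG, BENIGN_PDF)):
        score, reasons = score_message(msg, pdf, {"ukr.net"})
        print(name, score, reasons)
```

The point of the design is that a benign PDF with an external link still scores low, while the same link features stacked on a security theme, failed authentication and a first-time sender push the lure to the top of the scale without any malware being present.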
2) AI for web and DNS anomaly detection (redirect chains)
Answer first: AI is good at identifying suspicious browsing paths because it learns normal user click behavior.
Redirect chains used in credential-harvesting often have distinctive properties:
- multiple hops across unrelated domains
- short-lived domains and subdomains
- inconsistent URL entropy (random strings, UUID-like paths)
- transitions into “login” pages hosted on nonstandard platforms
An AI model monitoring secure web gateway or DNS logs can flag:
- first-time-seen domains accessed by many users in a short window
- unusual domain categories appearing immediately after opening a PDF
- chains that include tunneling services (ngrok/Serveo) where that’s atypical
This is especially relevant for end-of-year operations (like December 2025), when inbox volume and “account notice” messages spike due to travel, expiring access, and annual policy refreshes. Attackers time lures to match human distraction.
3) AI for identity threat detection (impossible journeys and proxy patterns)
Answer first: identity telemetry is where credential-harvesting becomes measurable, and AI can score risk in real time.
Once credentials are stolen, attackers typically produce detectable authentication signals:
- abnormal geography or ASN patterns
- suspicious user-agent and device mismatches
- rapid sequence of failed then successful logins
- access attempts from known proxy/tunneling infrastructure
- new forwarding rules, mailbox exports, or OAuth consent events (post-compromise)
AI-driven identity protection tools can correlate these events across time and assign a single credential compromise risk score that triggers step-up authentication, token revocation, or session kill.
4) AI to detect “reverse proxy” credential theft
Answer first: reverse proxy phishing has artifacts that can be detected when you look at headers, TLS, and traffic shapes—not page screenshots.
BlueDelta’s use of ngrok and custom headers highlights a detection opportunity, because tunnels and relays often introduce consistent fingerprints:
- unusual HTTP headers or header ordering
- atypical TLS characteristics
- nonstandard ports associated with authentication flows
- traffic patterns where a user “logs in” to a domain that isn’t the service’s expected domain family
This is where classical signature-based tools tend to lag, because the attacker can swap domains daily. Behavioral detection doesn’t care about the exact domain; it cares about the fact that your login flow is happening somewhere weird.
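An added example covering both the redirect-chain properties from section 2 and the reverse-proxy artifacts from section 4; it is not code from the original post or from Recorded Future. It walks the ordered hops of one browsing session, counts distinct registrable domains, flags random-looking path segments by Shannon entropy, spots the ngrok-skip-browser-warning request header, and flags a login form branded as UKR.NET that is served from outside the UKR.NET domain family. The host watchlist, weights, sample chain and the last-two-labels domain heuristic are assumptions made for the example.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Assumed watchlist of host suffixes and the role they usually play in a chain.
HOST_WATCHLIST = {
    "t.ly": "shortener", "bit.ly": "shortener", "tinyurl.com": "shortener",
    "mocky.io": "free-host",
    "ngrok.io": "tunnel", "ngrok-free.app": "tunnel", "serveo.net": "tunnel",
}
WEIGHTS = {
    "shortener": 10, "free-host": 20, "tunnel": 20, "multi-domain-chain": 15,
    "high-entropy-path": 10, "ngrok-warning-bypass": 20, "brand-mismatch-login": 30,
}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). An assumption for this example;
    use the public suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def shannon_entropy(s):
    """Bits per character; UUID-like strings score well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_host(host):
    host = host.lower()
    for suffix, role in HOST_WATCHLIST.items():
        if host == suffix or host.endswith("." + suffix):
            return role
    return None


def analyze_chain(chain, brand_domains):
    """chain: ordered hops of one session. Each hop carries the URL, the
    request headers sent, whether the rendered page had a password field,
    and the page title. Returns (risk 0..100, set of signal names)."""
    signals = set()
    domains = []
    for hop in chain:
        parsed = urlparse(hop["url"])
        host = parsed.hostname or ""
        rd = registrable_domain(host)
        if not domains or domains[-1] != rd:
            domains.append(rd)
        role = classify_host(host)
        if role:
            signals.add(role)
        longest = max(parsed.path.split("/"), key=len)
        if len(longest) >= 16 and shannon_entropy(longest) > 3.5:
            signals.add("high-entropy-path")
        if any(k.lower() == "ngrok-skip-browser-warning" for k in hop.get("headers", {})):
            signals.add("ngrok-warning-bypass")
        if hop.get("password_field"):
            title = hop.get("title", "").lower()
            branded = any(b in title for b in brand_domains)
            served_by_brand = any(host == b or host.endswith("." + b) for b in brand_domains)
            if branded and not served_by_brand:
                signals.add("brand-mismatch-login")
    if len(domains) >= 3:
        signals.add("multi-domain-chain")
    return min(100, sum(WEIGHTS[s] for s in signals)), signals


# Constructed session: shortener -> free redirector -> hosted login page -> tunnel.
PHISH_CHAIN = [
    {"url": "https://t.ly/x9Qk2", "headers": {}, "password_field": False, "title": ""},
    {"url": "https://free-sub.example-host.org/r/8f3a", "headers": {},
     "password_field": False, "title": ""},
    {"url": "https://run.mocky.io/v3/9c1d7e2a-4b5f-4f0c-9a1e-2b3c4d5e6f70",
     "headers": {}, "password_field": True, "title": "UKR.NET - Sign in"},
    {"url": "https://a1b2.ngrok-free.app/submit",
     "headers": {"ngrok-skip-browser-warning": "true"}, "password_field": False, "title": ""},
]
# Constructed benign session: the real login host is assumed to sit under ukr.net.
NORMAL_CHAIN = [
    {"url": "https://login.ukr.net/", "headers": {}, "password_field": True,
     "title": "UKR.NET - Sign in"},
]

if __name__ == "__main__":
    print(analyze_chain(PHISH_CHAIN, {"ukr.net"}))
    print(analyze_chain(NORMAL_CHAIN, {"ukr.net"}))
```

Note that the brand-mismatch check needs no knowledge of the attacker’s domain: it only asks whether a page that presents itself as the service is served from that service’s domain family, which is exactly the property a daily domain swap cannot change.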
A defensive playbook you can actually implement
Stopping credential-harvesting isn’t a single product problem. It’s a workflow problem across email, web, and identity. Here’s a practical checklist that maps directly to the tradecraft in this campaign.
Email and user-facing controls (reduce clicks)
- Treat PDFs as active content: inspect embedded links, not just embedded scripts.
- Quarantine “account security” themes that originate outside your known service domains.
- Banner external emails and add just-in-time warnings on first-time sender + PDF link combos.
- Run simulated phishing that uses PDF lures, not only fake login pages.
Web controls (break the chain)
- Create a policy for tunneling and free hosting services:
  - If your org doesn’t need them, block them.
  - If you do need them, restrict by group (developers only), require device posture, and monitor.
- Monitor for multi-hop redirects that end in login forms.
- Log and alert on newly seen domains accessed from PDF viewers or webmail sessions.
Identity controls (assume some credentials will leak)
- Move to phishing-resistant MFA wherever possible.
- Enforce conditional access with risk scoring (location, device, behavior).
- Alert on new device + new location + password login within a short time window.
- Automate response actions:
  - force password reset
  - revoke sessions/tokens
  - block the source network temporarily
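An added example, not code from the original post or from any identity product, that scores the identity signals listed in section 3 and implements the control above: new device + new location + password login within a short window, escalating to the automated response actions. The baseline, the proxy ASN list, the weights, the thresholds and the event stream are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: ASNs you have mapped to tunnel/proxy providers (placeholder numbers).
PROXY_ASNS = {64500, 64501}
POST_COMPROMISE = {"mailbox_rule_created", "mailbox_export", "oauth_consent"}
WEIGHTS = {
    "new-country": 20, "new-asn": 10, "new-device": 15, "proxy-asn": 20,
    "fail-then-success": 15, "new-device-new-location-password": 10,
    "post-compromise-activity": 25,
}


def recommend(score):
    """Map the risk score to the response actions from the playbook."""
    if score >= 80:
        return ["revoke_sessions", "force_password_reset", "block_source_network"]
    if score >= 50:
        return ["step_up_mfa"]
    return []


def score_account(events, baseline, fail_window=timedelta(minutes=5)):
    """Correlate one account's events in time order and return
    (score 0..100, signal names, recommended actions)."""
    signals = set()
    recent_fails = []
    risky_login_seen = False
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            if ev["result"] != "success":
                recent_fails.append(ts)
                continue
            found = set()
            if ev["country"] not in baseline["countries"]:
                found.add("new-country")
            if ev["asn"] not in baseline["asns"]:
                found.add("new-asn")
            if ev["device"] not in baseline["devices"]:
                found.add("new-device")
            if ev["asn"] in PROXY_ASNS:
                found.add("proxy-asn")
            # Two or more failures shortly before a success: replayed guesses.
            if sum(1 for t in recent_fails if ts - t <= fail_window) >= 2:
                found.add("fail-then-success")
            recent_fails = []
            if {"new-country", "new-device"} <= found and ev["method"] == "password":
                found.add("new-device-new-location-password")
            if found:
                risky_login_seen = True
            signals |= found
        elif ev["type"] in POST_COMPROMISE and risky_login_seen:
            # Forwarding rules, exports or consents only count after a risky login.
            signals.add("post-compromise-activity")
    score = min(100, sum(WEIGHTS[s] for s in signals))
    return score, signals, recommend(score)


# Constructed baseline for one account: what normal looks like.
BASELINE = {"countries": {"UA"}, "asns": {12345}, "devices": {"dev-laptop-01"}}

# Constructed event streams.
COMPROMISE_EVENTS = [
    {"ts": "2025-03-03T08:02:00", "type": "login", "result": "fail", "country": "NL",
     "asn": 64500, "device": "dev-unknown-77", "method": "password"},
    {"ts": "2025-03-03T08:02:40", "type": "login", "result": "fail", "country": "NL",
     "asn": 64500, "device": "dev-unknown-77", "method": "password"},
    {"ts": "2025-03-03T08:03:10", "type": "login", "result": "success", "country": "NL",
     "asn": 64500, "device": "dev-unknown-77", "method": "password"},
    {"ts": "2025-03-03T08:05:00", "type": "mailbox_rule_created"},
    {"ts": "2025-03-03T08:06:00", "type": "oauth_consent"},
]
TRAVEL_EVENTS = [
    {"ts": "2025-03-04T09:00:00", "type": "login", "result": "success", "country": "PL",
     "asn": 99999, "device": "dev-phone-02", "method": "password"},
]
NORMAL_EVENTS = [
    {"ts": "2025-03-05T09:00:00", "type": "login", "result": "success", "country": "UA",
     "asn": 12345, "device": "dev-laptop-01", "method": "password"},
    {"ts": "2025-03-05T09:30:00", "type": "mailbox_rule_created"},
]

if __name__ == "__main__":
    for evs in (COMPROMISE_EVENTS, TRAVEL_EVENTS, NORMAL_EVENTS):
        print(score_account(evs, BASELINE))
```

The middle case matters as much as the extremes: a password login from a new device in a new country is not proof of theft, so it earns a step-up challenge rather than a session kill, while the same signals followed by a mailbox rule and an OAuth consent cross the containment threshold.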
Detection engineering tip: build “chains,” not single alerts
Most companies get this wrong by alerting on one event at a time.
A better detection is a compound rule or ML correlation like:
- PDF attachment with external link
- followed by access to a shortener or free hosting domain
- followed by a page containing a password field
- followed by an anomalous authentication attempt
That’s the exact shape of BlueDelta’s operation. And it’s exactly the kind of multi-signal correlation that AI can automate at scale.
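The compound rule above, as an added example that is not code from the original post: events from email, web and identity sources are grouped per user, and the four stages are matched in order within a time window, so a chain that has reached the password-field stage already raises a high-severity alert before any anomalous login is seen. The event types, window, severity labels and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order of the compound rule; each event type is produced by a
# different source (email gateway, web proxy/DNS, identity provider).
CHAIN = ["pdf_with_external_link", "redirector_or_free_host",
         "password_form_seen", "anomalous_auth"]
SEVERITY = {0: "none", 1: "info", 2: "low", 3: "high", 4: "critical"}


def correlate_chains(events, window=timedelta(hours=24)):
    """Return, per user, the furthest stage reached in order within the
    window of the first PDF event, the severity, and the evidence used."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    results = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        best = {"stage": 0, "events": []}
        # Try every PDF event as a possible start of a chain.
        for i, start in enumerate(evs):
            if start["type"] != CHAIN[0]:
                continue
            start_ts = datetime.fromisoformat(start["ts"])
            matched, stage = [start], 1
            for ev in evs[i + 1:]:
                if datetime.fromisoformat(ev["ts"]) - start_ts > window:
                    break
                if stage < len(CHAIN) and ev["type"] == CHAIN[stage]:
                    matched.append(ev)
                    stage += 1
            if stage > best["stage"]:
                best = {"stage": stage, "events": matched}
        results[user] = {
            "stage": best["stage"],
            "severity": SEVERITY[best["stage"]],
            "evidence": [(e["src"], e["type"], e["ts"]) for e in best["events"]],
        }
    return results


# Constructed events from three telemetry sources.
EVENTS = [
    # alice: full chain within 40 minutes
    {"user": "alice", "src": "email", "type": "pdf_with_external_link", "ts": "2025-03-03T09:00:00"},
    {"user": "alice", "src": "web", "type": "redirector_or_free_host", "ts": "2025-03-03T09:05:00"},
    {"user": "alice", "src": "web", "type": "password_form_seen", "ts": "2025-03-03T09:06:00"},
    {"user": "alice", "src": "identity", "type": "anomalous_auth", "ts": "2025-03-03T09:40:00"},
    # bob: clicked through a redirector but never reached a login form
    {"user": "bob", "src": "email", "type": "pdf_with_external_link", "ts": "2025-03-03T10:00:00"},
    {"user": "bob", "src": "web", "type": "redirector_or_free_host", "ts": "2025-03-03T10:02:00"},
    # carol: an anomalous login with no preceding lure; left to the identity rule
    {"user": "carol", "src": "identity", "type": "anomalous_auth", "ts": "2025-03-03T11:00:00"},
    # dave: the redirector visit is two days later, outside the window
    {"user": "dave", "src": "email", "type": "pdf_with_external_link", "ts": "2025-03-03T11:00:00"},
    {"user": "dave", "src": "web", "type": "redirector_or_free_host", "ts": "2025-03-05T11:00:00"},
]

if __name__ == "__main__":
    for user, r in correlate_chains(EVENTS).items():
        print(user, r["stage"], r["severity"], r["evidence"])
```

Ordering is what separates this from four independent alerts: the same four event types out of sequence, or spread beyond the window, do not build a chain, which keeps the rule quiet on ordinary PDF traffic while still escalating as soon as a user is in front of a password field.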
What to do next if you suspect credential harvesting
If you think users interacted with a credential-harvesting page, speed matters. Don’t wait for “proof.”
- Contain: revoke sessions and invalidate tokens for the affected account(s).
- Reset: force password reset and rotate any reused passwords.
- Hunt: look for forwarding rules, suspicious logins, mailbox exports, and OAuth consent grants.
- Block: add the observed infrastructure to deny lists (domains, redirectors, tunneling endpoints).
- Learn: feed the indicators and behavioral pattern back into your AI detection pipeline.
A simple internal standard helps: “If the user typed a password into an untrusted page, treat the account as compromised.”
Where this fits in the AI in Cybersecurity story
BlueDelta’s UKR.NET campaign is a clean example of why AI belongs in modern cyber defense: the attacker’s advantage is iteration speed, and your advantage has to be automated correlation.
If your defenses are still mostly static (blocklists, periodic training, manual investigations), you’ll keep seeing the same movie: a new domain, a new PDF, the same stolen credentials.
AI-driven threat detection and identity analytics don’t replace fundamentals—they make them work under real-world pressure. The question worth asking for 2026 planning is straightforward: are you building defenses that learn, or defenses that only react?