AI vs. BlueDelta: Stop Credential-Harvesting Phishing

AI in Cybersecurity · By 3L3C

See how AI detects credential-harvesting phishing like BlueDelta’s—PDF lures, tunnels, and 2FA relay—and what to automate to stop it fast.

Tags: phishing, credential theft, identity security, threat intelligence, SOC automation, APT28

A single stolen mailbox login can be the quiet start of a major incident: password resets across other services, internal phishing from a trusted sender, and months of invisible intelligence collection. That’s exactly why credential-harvesting campaigns remain a favorite tool for state-backed operators—cheap to run, hard to eradicate, and often effective.

Recorded Future’s recent research on BlueDelta (also known as APT28/Fancy Bear/Forest Blizzard) details a sustained credential-theft operation aimed at UKR.NET users from June 2024 through April 2025, with analysis covering infrastructure changes through July 30, 2025. The story isn’t just “another phishing campaign.” The interesting part is how BlueDelta industrialized the workflow: PDF lures, free web services, and proxy tunneling to collect not only usernames and passwords, but also 2FA codes.

This post is part of our AI in Cybersecurity series, and I’m going to take a clear stance: you won’t out-block campaigns like this with static rules alone. You need AI-assisted detection that understands behavior across email, web, identity, and network telemetry—because the infrastructure is designed to change faster than blocklists can keep up.

What BlueDelta’s UKR.NET campaign tells us about modern phishing

BlueDelta’s campaign shows that phishing has matured into a multi-stage supply chain, not a single malicious link. The operator’s goal is to blend into normal internet “noise” while preserving reliability and scale.

The six-layer phishing chain: built to outlast takedowns

The reported infrastructure repeatedly used layered steps—redirection, hosting, tunneling, and upstream servers—so that investigating and disrupting a chain takes longer than the operator needs to swap out the affected layer.

Common building blocks observed in the campaign included:

  • PDF lures pushing “account security” or “suspicious activity” narratives
  • Embedded links (often shortened) to reduce email-scanner visibility
  • Credential-harvesting pages hosted on free services (notably Mocky)
  • Reverse proxy/tunneling services (ngrok, Serveo) to hide origin infrastructure
  • Dedicated servers upstream for collection/relay and operational control
  • Updates that added more tiers (new components observed in March–April 2025) indicating ongoing refinement

Here’s why this matters: when defenders block one layer, the operator swaps it. Free hosting, link shorteners, and proxy tunnels are intended to be disposable.

PDFs are doing the “dirty work” because they still slip through

BlueDelta’s use of PDF attachments with embedded URLs is a practical evasion technique. Many email defenses focus on:

  • visible URLs in the email body
  • classic “macro” patterns in Office files
  • sandbox detonations that don’t always follow PDF click paths

A PDF that looks like an official account notice, with one clean “Reset password” link, is often enough—especially when the sender appears plausible and the recipient is busy.

2FA isn’t a silver bullet when attackers proxy the login

One of the most important lessons from this case study: BlueDelta didn’t stop at passwords. Their pages were built to relay CAPTCHA and two-factor authentication codes.

In practice, this is how many modern credential-harvesting operations work:

  1. Victim enters username/password into a fake portal.
  2. The attacker relays those credentials to the real site in real time.
  3. The real site asks for 2FA.
  4. The phishing page prompts the victim for the code.
  5. The attacker uses the code immediately and gains access.

That doesn’t mean MFA is pointless. It means phishing-resistant MFA (FIDO2/WebAuthn or strong app-based approaches with device binding) needs to be prioritized, and impossible travel / proxy-based anomalies need to trigger fast controls.
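Why the relay in steps 1–5 works against a typed code but not against FIDO2/WebAuthn comes down to one field: the browser writes the origin it is actually on into the signed client data, and the relying party refuses any other origin. The following is an added illustration, not code from the post or from any WebAuthn library. The authenticator and relying party are toy models: an HMAC over a per-credential secret stands in for the real key pair (an assumption, so that the demo runs with the standard library only), and every host name is constructed.

```python
"""Origin binding: why a real-time relay of a WebAuthn prompt fails.

Added illustration, not code from the post or from a WebAuthn library.
The HMAC below stands in for the authenticator's key pair (assumption);
host names are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

RP_ORIGIN = "https://mail.example.test"           # constructed legitimate origin
PHISH_ORIGIN = "https://mail-example.ngrok.test"  # constructed lure origin


@dataclass
class Authenticator:
    """Toy authenticator. A real device signs with a per-RP key pair; the
    secret here only models 'the RP can verify, nobody else can forge'."""
    secret: bytes = field(default_factory=lambda: os.urandom(32))

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        # The *browser* fills in the origin it is on; the page cannot change it.
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": challenge.hex(),
            "origin": browser_origin,
        }).encode()
        sig = hmac.new(self.secret, hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "signature": sig}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.pending: dict[str, bytes] = {}      # user -> outstanding challenge
        self.credentials: dict[str, bytes] = {}  # user -> registered credential

    def register(self, user: str, auth: Authenticator) -> None:
        self.credentials[user] = auth.secret     # stands in for the public key

    def begin_login(self, user: str) -> bytes:
        challenge = os.urandom(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, assertion: dict) -> tuple[bool, str]:
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != self.pending.get(user, b"").hex():
            return False, "challenge mismatch"
        # Origin check: the one line a relay proxy cannot get past.
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: {cd.get('origin')}"
        expected = hmac.new(self.credentials[user],
                            hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


def legitimate_login(rp: RelyingParty, user: str, auth: Authenticator):
    """User is on the real origin: challenge, assertion, accepted."""
    challenge = rp.begin_login(user)
    return rp.finish_login(user, auth.get_assertion(challenge, RP_ORIGIN))


def relayed_login(rp: RelyingParty, user: str, auth: Authenticator):
    """Same flow as the five steps in the post, but the victim is on the lure
    page. The real challenge is forwarded unchanged, yet the browser stamps
    the lure's origin into clientDataJSON, so the RP rejects the assertion."""
    challenge = rp.begin_login(user)
    return rp.finish_login(user, auth.get_assertion(challenge, PHISH_ORIGIN))


if __name__ == "__main__":
    rp = RelyingParty(RP_ORIGIN)
    alice = Authenticator()
    rp.register("alice", alice)
    print("legitimate:", legitimate_login(rp, "alice", alice))
    print("relayed:   ", relayed_login(rp, "alice", alice))
```

The contrast with a one-time code is the point: an OTP carries no information about where it was typed, so the relying party cannot tell a relayed code from a genuine one, whereas the WebAuthn client data does, and the check is the relying party's, not the user's, to get right.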

Why AI is the right tool for persistent credential-harvesting campaigns

AI works here because the infrastructure is flexible, but the behavior is not. Even when BlueDelta rotates domains and services, certain patterns repeat across delivery, hosting, user interaction, and identity activity.

AI can spot phishing pages through structural similarity, not just URLs

Static blocklists fail when attackers switch from one free domain to another. A stronger approach is to detect phishing pages by page and script behavior.

BlueDelta’s operation repeatedly used themed login portals and bespoke JavaScript designed to:

  • capture username/password and additional fields
  • relay CAPTCHA/2FA values
  • call out to external services (for example, capturing victim IP via a public API)
  • interact with tunneling endpoints and nonstandard ports

Modern AI-based web defenses can model this as a classification problem:

  • DOM and form-field structure similarity to known login brands
  • script-level indicators (input capture patterns, suspicious exfiltration calls)
  • hosting and TLS patterns associated with disposable infrastructure
  • redirection chain characteristics (shorteners → free hosting → tunnel)

The point: you don’t need the exact URL to stop it if you can recognize the shape of the attack.

AI-driven anomaly detection catches the aftermath: identity signals don’t lie

Even if a user falls for the lure, the next phase creates identity signals that are hard to fake at scale.

What you should be detecting (and what ML models do well with) includes:

  • First-time logins from proxy/tunneling-associated networks
  • Authentication attempts from unusual geographies or ASNs for that user
  • Sudden spikes in failed logins followed by a successful login
  • Token refresh patterns that don’t match the user’s device history
  • Concurrent sessions (user “active” in two places at once)
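The five signals above can be checked with a few dozen lines before any model is involved; the value of the model is in weighting and correlating them, but the rules themselves should be explicit and testable. The block below is an added example and not the post's code: it runs the checks over a constructed SSO log, against a constructed 90-day baseline and a constructed stand-in for a proxy/tunnel reputation feed (the log format, field names and ASNs are all assumptions for the demo).

```python
"""Identity-signal detection over sample authentication events.

Added example, not code from the post. Log format, baseline and the
proxy/tunnel ASN list are constructed; a real SOC would read them from
its SSO provider and a reputation feed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    result: str   # "success" or "failure"
    ip: str
    asn: str
    country: str
    device: str


# Constructed history: networks and devices each user used in the last 90 days.
BASELINE = {"alice": {"asns": {"AS64500"}, "devices": {"alice-laptop"}}}
# Constructed stand-in for a proxy/tunnel reputation feed (private-use ASN).
PROXY_TUNNEL_ASNS = {"AS64512"}

# Constructed SSO log: alice logs in normally, then a burst of failures and a
# success arrive from a new network, country and device while her session is live.
SAMPLE_LOG = """\
2025-03-12T08:40:11Z|alice|success|203.0.113.7|AS64500|UA|alice-laptop
2025-03-12T09:15:40Z|alice|failure|198.51.100.23|AS64512|DE|unknown-0f3a
2025-03-12T09:15:52Z|alice|failure|198.51.100.23|AS64512|DE|unknown-0f3a
2025-03-12T09:16:05Z|alice|failure|198.51.100.23|AS64512|DE|unknown-0f3a
2025-03-12T09:17:02Z|alice|success|198.51.100.23|AS64512|DE|unknown-0f3a
"""


def parse_log(text: str) -> list[AuthEvent]:
    events = []
    for line in text.splitlines():
        ts, user, result, ip, asn, country, device = line.split("|")
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, result, ip, asn, country, device))
    return sorted(events, key=lambda e: e.ts)


def detect(events, baseline=BASELINE, burst_window=timedelta(minutes=5),
           burst_size=3, concurrency_window=timedelta(hours=1)) -> list[dict]:
    """One finding per (rule, successful login). Failures only feed the burst rule."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        known = baseline.get(user, {"asns": set(), "devices": set()})
        successes = [e for e in evs if e.result == "success"]
        for e in successes:
            flags = []
            if e.asn not in known["asns"]:
                flags.append("first_time_asn")
            if e.asn in PROXY_TUNNEL_ASNS:
                flags.append("proxy_or_tunnel_asn")
            if e.device not in known["devices"]:
                flags.append("unfamiliar_device")
            recent_failures = [f for f in evs if f.result == "failure"
                               and e.ts - burst_window <= f.ts < e.ts]
            if len(recent_failures) >= burst_size:
                flags.append("failure_burst_then_success")
            # "Active in two places at once": another success from a different
            # country inside the concurrency window.
            if any(s is not e and s.country != e.country
                   and abs((s.ts - e.ts).total_seconds()) <= concurrency_window.total_seconds()
                   for s in successes):
                flags.append("concurrent_countries")
            for rule in flags:
                findings.append({"rule": rule, "user": user,
                                 "ts": e.ts.isoformat(), "ip": e.ip})
    return findings


def prioritize(findings) -> dict:
    """Collapse per-event findings into one story per user with a severity."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f["user"]].add(f["rule"])
    out = {}
    for user, rules in per_user.items():
        sev = "high" if len(rules) >= 3 else "medium" if len(rules) == 2 else "low"
        out[user] = {"severity": sev, "rules": sorted(rules)}
    return out


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
    print(prioritize(detect(parse_log(SAMPLE_LOG))))
```

Each rule on its own is noisy (developers travel, VPN ASNs change); the `prioritize` step is where the weak signals become one story, which is the correlation the post attributes to AI in enterprise environments.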

This is where AI is especially useful in enterprise environments: it correlates weak signals across systems (SSO, VPN, email, EDR, CASB) and produces a single prioritized story.

Memorable rule: Infrastructure changes fast. User behavior changes slowly.

AI can correlate multi-month infrastructure evolution into one case

BlueDelta didn’t run a one-week campaign. Insikt Group identified 42 credential-harvesting chains across 2024–2025. That’s a workload problem for defenders.

AI-driven threat intelligence and security analytics help by:

  • clustering related indicators even when domains rotate
  • linking redirectors, hosting providers, and tunnels into a single campaign graph
  • flagging newly registered lookalike domains (typosquats) near a protected brand
  • generating detections from observed tradecraft (not just IOCs)

If you’ve ever tried to keep a manual spreadsheet of redirect domains, shorteners, and transient ngrok subdomains, you already know why this matters.

Practical defenses that work (and where AI fits)

The goal isn’t “buy AI.” The goal is to reduce successful credential theft and to shorten time-to-containment when it happens.

1) Treat PDF links as high-risk by default

Most orgs have tight controls on macro risk but weak controls on PDF link risk.

Recommended controls:

  • Detonate PDFs in a sandbox that follows embedded links and records redirect chains
  • Use AI-assisted content inspection to score “security notice” language paired with outbound links
  • Add policy: external PDFs that request login/password resets go to a higher scrutiny lane

What AI adds: classification across language + document structure + link behavior, not just signature checks.

2) Build detections around redirect-chain behavior

BlueDelta repeatedly used combinations of:

  • link shorteners
  • free hosting domains/subdomains
  • tunneling services

Even if you allow some of these services for legitimate reasons, you can still detect suspicious sequences.

Concrete detection idea:

  • Alert when a user clicks a link that resolves through 2+ redirects and ends on a page containing credential input fields for a known brand.

What AI adds: scoring and grouping these events into likely-phishing clusters, reducing false positives.

3) Deny-list or heavily monitor tunneling services you don’t need

ngrok and similar tools are legitimate for developers—and that’s why attackers love them.

Operationally, you have options:

  • Block tunneling services at secure web gateways if your business doesn’t require them
  • Allow them only for specific teams/devices via policy
  • Monitor for browser sessions communicating with tunneling endpoints during authentication flows

What AI adds: anomaly detection for “tunnel-like” traffic patterns and risky combinations (tunnel + login + first-time device).

4) Upgrade MFA to reduce real-time relay attacks

If your MFA can be typed into a box, it can be phished.

Priorities I’d set:

  1. Phishing-resistant MFA for admins and high-risk users first
  2. Conditional access: require stronger methods when risk signals spike
  3. Session protections: re-auth for sensitive actions; token theft resistance where supported

What AI adds: risk-based access decisions driven by real behavior (impossible travel, unfamiliar device posture, unusual session concurrency).

5) Automate the “credential compromise” playbook

When credentials are harvested, speed matters more than perfect certainty.

A high-signal automated response should include:

  • force password reset + revoke tokens
  • invalidate active sessions
  • step-up authentication for subsequent attempts
  • review mail forwarding rules and OAuth app grants
  • search for internal phishing sent from the compromised mailbox
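The last two items are the ones teams most often do by hand, and they are also the easiest to make deterministic. Below is an added example, not the post's code: it reviews mailbox rules and OAuth grants for a compromised account against the timestamp of the suspicious login, and maps what it finds onto the playbook steps above. The record shapes are constructed dicts loosely modelled on what a mail platform's admin API returns; the field names, scope strings and every sample value are assumptions for the demo.

```python
"""Post-compromise mailbox review: forwarding rules and OAuth grants.

Added example, not code from the post. Rule and grant records are
constructed dicts; field names, scope strings and sample values are
assumptions for the demo.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "examplemail.test"                         # constructed
MAIL_SCOPES = {"mail.read", "mail.send", "mail.readwrite"}  # constructed scope names
SUSPECT_LOGIN = datetime(2025, 3, 12, 9, 17, 2)             # from the identity alert (constructed)

# Constructed mailbox rules: one old, legitimate rule and one created minutes
# after the suspect login that forwards externally and deletes the original.
SAMPLE_RULES = [
    {"name": "Move newsletters", "enabled": True, "forward_to": [], "delete": False,
     "created": datetime(2024, 11, 3, 10, 0)},
    {"name": ".", "enabled": True, "forward_to": ["archive@mailbox-backup.example"],
     "delete": True, "created": datetime(2025, 3, 12, 9, 21, 30)},
]
# Constructed OAuth grants: one old calendar app, one mail-scoped app granted
# shortly after the suspect login.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync", "scopes": ["calendars.read"], "granted": datetime(2024, 6, 1)},
    {"app": "Mail Helper", "scopes": ["mail.read", "mail.send"],
     "granted": datetime(2025, 3, 12, 9, 25)},
]


def review_rules(rules, internal_domain=INTERNAL_DOMAIN, since=SUSPECT_LOGIN,
                 window=timedelta(hours=24)) -> list[dict]:
    """Flag enabled rules that forward externally, hide mail, have a throwaway
    name, or were created in the window after the suspect login."""
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        reasons = []
        external = [a for a in r["forward_to"] if a.split("@")[-1].lower() != internal_domain]
        if external:
            reasons.append("forwards_externally")
        if external and r["delete"]:
            reasons.append("forward_and_delete")
        if not r["name"].strip(" .-_"):
            reasons.append("blank_or_dot_name")
        if since <= r["created"] <= since + window:
            reasons.append("created_after_suspect_login")
        if reasons:
            findings.append({"rule": r["name"], "forward_to": external, "reasons": reasons})
    return findings


def review_grants(grants, since=SUSPECT_LOGIN, window=timedelta(hours=24)) -> list[dict]:
    """Flag grants that both carry mail scopes and were consented to after the login."""
    findings = []
    for g in grants:
        scopes = {s.lower() for s in g["scopes"]}
        reasons = []
        if scopes & MAIL_SCOPES:
            reasons.append("mail_scope")
        if since <= g["granted"] <= since + window:
            reasons.append("granted_after_suspect_login")
        if len(reasons) == 2:
            findings.append({"app": g["app"], "reasons": reasons})
    return findings


def containment_actions(rule_findings, grant_findings) -> list[str]:
    """Always-on steps from the playbook, plus the conditional ones the review justifies."""
    actions = ["force_password_reset", "revoke_tokens",
               "invalidate_sessions", "require_step_up_auth"]
    if rule_findings:
        actions.append("disable_flagged_rules")
    if grant_findings:
        actions.append("revoke_flagged_oauth_grants")
    if any("forwards_externally" in f["reasons"] for f in rule_findings):
        # Anything already forwarded may have been answered or re-used as a lure.
        actions.append("search_sent_items_for_internal_phishing")
    return actions


if __name__ == "__main__":
    rf, gf = review_rules(SAMPLE_RULES), review_grants(SAMPLE_GRANTS)
    print(rf, gf, containment_actions(rf, gf), sep="\n")
```

The time window is anchored on the identity alert rather than on "now" so the review stays meaningful when it runs hours after the fact; the first four actions are unconditional because, as the post says, speed matters more than certainty once harvesting is suspected.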

What AI adds: faster triage (which accounts are truly impacted), plus automated containment when confidence is high.

“People also ask” answers (so your team stops debating basics)

Can AI detect spearphishing links better than traditional email filtering?

Yes—when it uses behavioral and structural signals (document intent, redirect chains, page similarity, identity outcomes). Traditional filtering still helps, but it’s not enough against disposable infrastructure.

If attackers can proxy MFA, should we stop using MFA?

No. Use MFA, but prioritize phishing-resistant methods and back it with anomaly detection and session controls. MFA remains one of the highest ROI controls.

What’s the most reliable indicator that credentials were harvested?

A strong indicator is a successful login from a new environment immediately after a suspicious click, followed by abnormal mailbox actions (forwarding rules, new OAuth grants, or unusual message access patterns).

Where this fits in the “AI in Cybersecurity” series

This BlueDelta case study is a clean example of the broader theme we’ve been building in this series: AI is most valuable when threats are repetitive in behavior but fast-moving in infrastructure. That’s the modern phishing reality—especially for state-sponsored operations.

If you want to pressure-test your defenses against credential-harvesting campaigns, start with two questions: Can you detect the redirect chain before the user reaches the fake login page? And if not, can you detect and contain the identity anomaly within minutes of the login?

The next wave of phishing won’t look “new.” It’ll look familiar, delivered through different infrastructure, with the same goal: get a credential, get a session, stay quiet. Are your controls built to recognize the pattern—or just last month’s IOC list?