Stop Credential Phishing With AI-Driven Detection

AI in Cybersecurity · By 3L3C

AI-driven phishing detection catches credential theft by correlating PDF lures, redirect chains, tunnels, and identity anomalies before accounts are lost.

Tags: AI in cybersecurity, phishing detection, credential theft, SOC operations, identity security, threat intelligence

A sustained credential-harvesting campaign can run for months in plain sight—even when the attacker isn’t doing anything “fancy.” Recorded Future tracked one such campaign targeting UKR.NET users from June 2024 through April 2025, attributed to BlueDelta (APT28 / Fancy Bear / Forest Blizzard). The interesting part isn’t just who did it. It’s how predictable the mechanics are once you know what to look for.

Here’s the uncomfortable truth: most organizations still treat phishing as a “user problem.” Train people, run simulations, hope for the best. BlueDelta’s UKR.NET operation shows why that mindset fails. The campaign blended PDF lures, free hosting, link shorteners, and proxy tunneling (ngrok/Serveo) to keep credential theft running even as infrastructure got disrupted.

This post is part of our AI in Cybersecurity series, and I’m going to take a stance: AI belongs in phishing defense because modern credential harvesting is a pattern-recognition problem at scale. Humans can spot a bad email. Security teams can spot a handful of indicators. AI-driven cybersecurity systems can spot the campaign shape—the repeated infrastructure choices, the redirect chains, the odd authentication telemetry, and the “same-but-slightly-different” lure content—fast enough to matter.

What BlueDelta’s UKR.NET campaign tells us about modern phishing

Answer first: BlueDelta’s approach shows that credential phishing succeeds by chaining small, low-cost tactics into a reliable pipeline—and defenders lose when they only look for one “smoking gun.”

BlueDelta repeatedly deployed UKR.NET-themed fake login portals and then iterated on the plumbing behind them. The report describes an operation that didn’t need malware delivery or exploit chains to be effective. The goal was straightforward: steal usernames, passwords, and even 2FA codes, then reuse them for intelligence collection.

Three aspects should change how you think about phishing defense:

1) PDF lures are doing the dirty work

PDF attachments with embedded links are a practical way to bypass simplistic controls. Many defenses still prioritize detonating executables, scrutinizing Office macros, or flagging “obvious” phishing URLs. A PDF that says “suspicious activity detected—reset your password” blends into the noise, especially when it points to a redirector first.

For defenders, this matters because the malicious payload isn’t the file. It’s the click path.

2) “Free” infrastructure is a feature, not a shortcut

The campaign used a stack of services that are inexpensive, widely available, and constantly changing:

  • Mocky to host credential-harvesting pages
  • DNS EXIT free subdomains
  • Byet Internet Services domains (for redirection)
  • Link shorteners (multiple)
  • ngrok and Serveo for tunneling / reverse proxy behavior

That mix creates a hard-to-block reality: blocking one domain is rarely enough, and blocking entire platforms can break legitimate developer workflows unless you do it carefully.

3) Attackers are actively optimizing for user trust

BlueDelta even added a request header (ngrok-skip-browser-warning) to suppress ngrok’s interstitial warning page. That’s not “advanced hacking.” That’s conversion-rate optimization for credential theft.

If you work in security operations, you’ve seen this same playbook: reduce friction for the victim, increase reliability for the attacker.
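That header abuse is also a detection opportunity: legitimate end-user browser traffic almost never carries it. A minimal sketch that flags proxy log entries containing the header (the log entry shape is hypothetical; map the fields to your own proxy schema):

```python
def flag_suspicious_headers(log_entries):
    """Flag requests that suppress ngrok's interstitial warning page."""
    suspicious = []
    for entry in log_entries:
        headers = {k.lower() for k in entry.get("headers", {})}
        if "ngrok-skip-browser-warning" in headers:
            suspicious.append(entry["url"])
    return suspicious

logs = [
    {"url": "https://example-app.ngrok.io/login",
     "headers": {"ngrok-skip-browser-warning": "true"}},
    {"url": "https://intranet.example.com/",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]
print(flag_suspicious_headers(logs))  # only the ngrok request is flagged
```

The point isn't this one header; it's that friction-removal tricks leave their own fingerprints.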

The six-step credential-harvesting chain (and where AI helps)

Answer first: BlueDelta’s multi-tier chain is exactly the kind of repeating structure AI can learn—because it’s consistent, measurable, and shows up across email, DNS, web, and authentication logs.

Recorded Future described a layered infrastructure that commonly included multiple redirections before the victim reached the fake login page, and then proxy tunneling to relay captured credentials and bypass protections like CAPTCHA or 2FA.

From a defender’s perspective, that chain creates multiple detection opportunities—if you can correlate them quickly:

  1. Email delivered (often with a PDF lure)
  2. Victim clicks a link (often shortened)
  3. Redirect hop(s) via free domains/blog platforms
  4. Credential-harvesting page hosted on a free web service
  5. Reverse proxy / tunnel (ngrok/Serveo) relays traffic
  6. Captured credentials + 2FA sent to an upstream server

Traditional tools often see these as separate events. AI-driven detection can treat them as one story.
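The "one story" idea can be sketched as a simple correlation: group events from email, web, and network logs by user, then raise a single verdict only when the chain appears inside one time window. Event names, field names, and the 30-minute window below are all illustrative, not from any specific product:

```python
from datetime import datetime, timedelta

# Illustrative event stream merged from email, web proxy, and network logs.
events = [
    {"user": "a.ivanova", "type": "email_pdf_lure",   "ts": datetime(2025, 4, 1, 9, 0)},
    {"user": "a.ivanova", "type": "short_link_click", "ts": datetime(2025, 4, 1, 9, 2)},
    {"user": "a.ivanova", "type": "redirect_chain",   "ts": datetime(2025, 4, 1, 9, 2)},
    {"user": "a.ivanova", "type": "tunnel_contact",   "ts": datetime(2025, 4, 1, 9, 3)},
]

CHAIN = ["email_pdf_lure", "short_link_click", "redirect_chain", "tunnel_contact"]

def correlate(events, window=timedelta(minutes=30)):
    """Return users whose events form the full phishing chain in one window."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        types = [e["type"] for e in evs if e["ts"] - evs[0]["ts"] <= window]
        if all(t in types for t in CHAIN):
            hits.append(user)
    return hits

print(correlate(events))  # one incident for the whole chain, not four alerts
```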

AI detection wins when it correlates across telemetry

Here’s what works in practice: combine weak signals into a strong verdict.

  • A PDF attachment by itself isn’t proof.
  • A link shortener by itself isn’t proof.
  • A new domain by itself isn’t proof.
  • A login from an unusual ASN by itself isn’t proof.

But when your systems connect these events—same user, same time window, same click path, followed by anomalous authentication behavior—you get an alert your SOC can trust.

A useful way to frame this is: AI makes phishing defense less about URL blocklists and more about behavior graphs.
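One simple way to combine weak signals into a strong verdict is additive scoring with a threshold no single indicator can cross alone. A toy sketch, with invented weights purely for illustration (a real system would learn these from labeled incidents):

```python
# Hypothetical weights: each signal is weak alone, strong in combination.
WEIGHTS = {
    "pdf_attachment": 0.2,
    "link_shortener": 0.2,
    "new_domain": 0.25,
    "unusual_asn_login": 0.35,
}
THRESHOLD = 0.8  # deliberately above any single weight

def verdict(signals):
    """Score a set of observed signals and return a triage decision."""
    score = sum(WEIGHTS.get(s, 0.0) for s in signals)
    return "alert" if score >= THRESHOLD else "monitor"

print(verdict({"pdf_attachment"}))                   # monitor: weak alone
print(verdict({"pdf_attachment", "link_shortener",
               "new_domain", "unusual_asn_login"}))  # alert: strong together
```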

Detection engineering: concrete signals you can implement now

Answer first: You can detect campaigns like this by focusing on redirect chains, tunneling fingerprints, and post-click authentication anomalies—and AI helps prioritize what matters.

If you want immediate value (not a multi-quarter overhaul), start with these detection patterns.

Email and web signals (pre-compromise)

Focus on the click path, not just the initial email.

  • PDF attachments with security-themed language: “account verification,” “password reset,” “suspicious activity,” “login issues.”
  • Shortened URLs embedded in PDFs (treat “PDF + shortener” as higher risk than either alone).
  • Newly seen domains that forward to known hosting/tunneling platforms.
  • Multiple redirects within a short time window (for example, 2–5 hops within seconds).

AI can help here with:

  • NLP classification of lure text (flagging “security urgent” patterns at scale)
  • Graph-based scoring of redirect chains (who redirects to whom, how often, with what timing)
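Before a trained classifier is in place, even a transparent keyword-scoring pass over text extracted from PDF lures surfaces the "security urgent" pattern. A sketch with an illustrative, deliberately non-exhaustive phrase list:

```python
import re

# Illustrative lure phrases; a production system would use a trained model.
LURE_PATTERNS = [
    r"suspicious activity", r"verify your account", r"password reset",
    r"login issues?", r"account (?:will be )?suspended",
]

def lure_score(text):
    """Fraction of known lure phrases found in the text, in [0, 1]."""
    text = text.lower()
    hits = sum(1 for p in LURE_PATTERNS if re.search(p, text))
    return hits / len(LURE_PATTERNS)

pdf_text = "Suspicious activity detected. Verify your account to avoid login issues."
print(lure_score(pdf_text))  # 0.6 — three of the five patterns match
```

Pair this score with the "PDF + shortener" structural signal and you already have a useful prioritization queue.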

Network and proxy signals (during credential capture)

BlueDelta’s abuse of tunneling platforms is a gift to defenders—because tunnels behave differently.

Monitor for:

  • Connections to tunneling services that your business doesn’t require
  • Nonstandard ports associated with unusual web flows
  • Repeated access to free-hosted pages followed by immediate POST requests to a different domain

AI can help by:

  • Building a baseline of “normal” developer tooling usage vs. suspicious, user-driven webmail flows
  • Flagging tunnel-like traffic patterns that don’t match known SaaS apps
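A first pass at that baseline idea: flag tunneling-domain traffic only when it comes from populations with no business reason for it. The domain suffixes and group names below are illustrative placeholders:

```python
# Known tunneling-service suffixes (illustrative, not exhaustive).
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".serveo.net")
ALLOWED_GROUPS = {"engineering"}  # groups with a legitimate tunneling use case

def flag_tunnel_traffic(flows):
    """Return flows where a non-approved user group reached a tunneling domain."""
    alerts = []
    for f in flows:
        if f["host"].endswith(TUNNEL_SUFFIXES) and f["group"] not in ALLOWED_GROUPS:
            alerts.append(f)
    return alerts

flows = [
    {"user": "dev1", "group": "engineering", "host": "demo.ngrok-free.app"},
    {"user": "hr1",  "group": "hr",          "host": "login.serveo.net"},
]
print(flag_tunnel_traffic(flows))  # only the HR flow is flagged
```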

Identity signals (post-compromise)

This is where credential-harvesting campaigns get caught—if your identity telemetry is wired correctly.

Look for:

  • Impossible travel or abrupt geolocation shifts
  • First-time device + first-time location combinations
  • 2FA prompts that happen right after a suspicious click path
  • Repeated failed logins followed by a success from an unusual proxy provider

AI-driven identity threat detection is effective here because it can model behavior per user and per role. A finance lead’s “normal” looks different from a DevOps engineer’s “normal,” and static rules struggle with that nuance.
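Impossible travel is the easiest of these signals to make concrete: compute the implied ground speed between two successive logins and flag anything an airliner couldn't explain. A sketch using the haversine formula (the 900 km/h cutoff is a common convention; tune it per environment):

```python
from math import radians, sin, cos, asin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(login_a, login_b, max_kmh=900):
    """True if the implied speed between two logins exceeds airliner speed."""
    dist = haversine_km(login_a["lat"], login_a["lon"], login_b["lat"], login_b["lon"])
    hours = abs(login_b["ts"] - login_a["ts"]) / 3600  # timestamps in seconds
    return hours > 0 and dist / hours > max_kmh

first  = {"lat": 50.45, "lon": 30.52, "ts": 0}    # example coordinates
second = {"lat": 55.75, "lon": 37.62, "ts": 600}  # ~750 km away, 10 minutes later
print(impossible_travel(first, second))  # True
```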

Rule of thumb: If a user clicks a PDF-embedded short link and triggers a new-device login within minutes, treat it like an incident—not a warning.
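That rule of thumb is a small correlation, but the value is in actually wiring it up across log sources. A sketch, with hypothetical event shapes and a 15-minute window:

```python
from datetime import datetime, timedelta

def pdf_click_then_new_device(clicks, logins, window=timedelta(minutes=15)):
    """Pair PDF short-link clicks with new-device logins by the same user."""
    incidents = []
    for c in clicks:
        for l in logins:
            if (l["user"] == c["user"] and l["new_device"]
                    and timedelta(0) <= l["ts"] - c["ts"] <= window):
                incidents.append((c["user"], c["url"], l["ts"]))
    return incidents

# Hypothetical events: a click from the web proxy, a login from the IdP.
clicks = [{"user": "b.koval", "url": "https://short.example/x",
           "ts": datetime(2025, 4, 1, 10, 0)}]
logins = [{"user": "b.koval", "new_device": True,
           "ts": datetime(2025, 4, 1, 10, 7)}]
print(pdf_click_then_new_device(clicks, logins))  # one incident to escalate
```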

Prevention that doesn’t break the business

Answer first: The safest posture is “phishing-resistant authentication + controlled exposure to free web/tunnel services + fast credential containment.”

Most teams try to “block phishing.” The more durable goal is to make stolen credentials less useful and detect misuse quickly.

Use phishing-resistant MFA where it counts

If you’re still relying heavily on SMS-based codes, you’re accepting avoidable risk. Hardware security keys and strong authenticator methods make real-time credential replay harder.

Practical approach:

  1. Start with admins, executives, finance, and anyone with access to sensitive mailboxes.
  2. Expand to roles likely to be targeted (public affairs, policy, IT, legal).

Treat tunneling and free-hosting platforms as “conditionally allowed”

Blanket blocking ngrok/Serveo-like services can break legitimate engineering work. But allowing them everywhere invites abuse.

What I’ve found works:

  • Allow from known developer subnets or managed endpoints
  • Require business justification and inventory for approved tunnels
  • Alert on new usage of tunneling domains by non-technical user groups
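The "conditionally allowed" posture maps naturally onto a small policy check at the egress proxy. A sketch with placeholder subnets, groups, and domain suffixes:

```python
import ipaddress

TUNNEL_SUFFIXES = (".ngrok.io", ".serveo.net")
DEV_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]  # managed engineering endpoints

def tunnel_decision(src_ip, host, group):
    """Return an allow/alert decision for traffic to tunneling domains."""
    if not host.endswith(TUNNEL_SUFFIXES):
        return "allow"  # not a tunneling domain; out of scope for this policy
    ip = ipaddress.ip_address(src_ip)
    if group == "engineering" and any(ip in net for net in DEV_SUBNETS):
        return "allow"  # known developer context
    return "alert"      # tunnel use outside the approved population

print(tunnel_decision("10.20.5.7", "demo.ngrok.io", "engineering"))  # allow
print(tunnel_decision("10.30.1.4", "login.serveo.net", "hr"))        # alert
```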

Build a credential-compromise runbook that’s actually fast

Credential phishing is a speed game. Your runbook should include:

  • Immediate session revocation
  • Forced password reset
  • Token invalidation where possible
  • Checks for mailbox rules / forwarding (attackers love persistence via inbox rules)
  • Targeted hunting for the same lure across the org

AI helps here by auto-clustering “similar” messages, attachments, and redirect chains so you can contain the full blast radius without manually triaging hundreds of near-duplicates.
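The clustering idea doesn't need deep learning to get started: even normalized string similarity over subject lines groups the near-duplicates of a single campaign. A sketch using the standard library's difflib (the 0.8 threshold is illustrative):

```python
from difflib import SequenceMatcher

def cluster_subjects(subjects, threshold=0.8):
    """Greedy clustering of near-duplicate subject lines by similarity ratio."""
    clusters = []
    for s in subjects:
        for cluster in clusters:
            if SequenceMatcher(None, s.lower(), cluster[0].lower()).ratio() >= threshold:
                cluster.append(s)
                break
        else:
            clusters.append([s])  # no close match: start a new cluster
    return clusters

subjects = [
    "Suspicious activity on your account",
    "Suspicious activity on your account!",
    "Suspicious activity detected on your account",
    "Q3 budget review",
]
print(cluster_subjects(subjects))  # the three lure variants land in one cluster
```

Once the cluster exists, containment actions (quarantine, credential resets, hunting) can run against the whole group at once.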

“Could we detect this?” A practical self-assessment

Answer first: If you can’t reconstruct a user’s click-to-login story across email, web, DNS, and identity logs within 15 minutes, you’ll struggle to catch campaigns like BlueDelta’s early.

Use these questions as a quick maturity check:

  1. Can we extract URLs from PDFs at the email gateway and log them?
  2. Do we record redirect chains (not just the final destination) in web proxy logs?
  3. Do we have identity telemetry that links user, device, location, and MFA prompts?
  4. Can we correlate these data sources into a single incident view?
  5. Do we automatically score anomalies based on user role and historical behavior?

If you answered “no” to two or more, your detection is probably too fragmented. That’s exactly where AI in cybersecurity earns its keep: connecting the dots at machine speed, then handing humans a coherent narrative.

Where this is heading in 2026: more layering, more impersonation, more automation

BlueDelta’s campaign is expected to continue because it’s cheap, scalable, and resilient. The more defenders push takedowns, the more attackers will diversify infrastructure and rotate services. And as generative AI becomes routine in offensive operations, expect:

  • Higher-volume lure production in multiple languages
  • Better personalization (real org names, real workflows)
  • Faster iteration on what gets clicks

The defense response has to match that tempo. AI-driven cybersecurity systems aren’t optional when the attacker is running experiments every day.

If you want to pressure-test your phishing defenses against credential-harvesting chains like BlueDelta’s, start with a single exercise: pick a real phishing simulation, build the full click path (PDF → short link → redirect → hosted page), and see whether your tools connect it to identity anomalies. If they don’t, you’ve got a clear, fixable gap.

What would your SOC see first: the email, the click, or the suspicious login?