AI email defense can spot APT28-style credential phishing that hides behind PDFs, link shorteners, and legitimate platforms—before accounts are compromised.

Stop APT28-Style Phishing with AI Email Defense
Credential phishing isn’t “basic” anymore. APT28 (also known as Fancy Bear and several other names) has been running sustained, targeted campaigns that don’t rely on exotic malware—they rely on patience, believable lures, and infrastructure that blends into normal internet noise.
A recent example: a long-running credential-harvesting effort aimed at Ukrainian users of UKR.net (a popular webmail and news service). The operation used UKR.net-themed login pages, delivered via phishing emails with PDF attachments, and routed victims through link shorteners and redirection chains before landing on the fake login.
For organizations involved in defense, government, critical infrastructure, or anyone supporting those ecosystems, this is the uncomfortable truth: a “simple” phish can still be strategic, persistent, and devastating—especially when the goal is access, not immediate disruption. In the broader AI in Defense & National Security series, this is exactly the kind of case study that shows where AI in cybersecurity helps most: not by replacing analysts, but by catching the patterns humans can’t reliably see at scale.
What APT28’s UKR.net campaign tells us about modern credential phishing
This campaign is a clear demonstration of how state-aligned actors optimize for reliability. The tactics reported include:
- Brand-matched credential pages mimicking UKR.net
- PDF-based delivery, where links are embedded inside a document (a common way to dodge simple URL scanning)
- Shortened links (e.g., tinyurl-style) to obscure the final destination
- Two-step redirection using legitimate platforms (including blog subdomains) to add distance between the email and the phishing page
- Harvesting both passwords and 2FA codes, not just credentials
- Anonymized tunneling services (e.g., ngrok/Serveo-style tooling) to relay stolen data in real time
Here’s the stance I’ll take: this isn’t “email security” as a checkbox problem. It’s a long-horizon access operation. If you treat it like commodity spam, you’ll lose.
Why PDFs and legitimate platforms work so well
Attackers keep choosing PDFs and well-known hosting/redirection services because they exploit a gap between how defenders wish controls worked and how they work in practice.
- Many secure email gateways still apply lighter scrutiny to PDF content compared to raw URLs in the email body.
- Security teams often hesitate to block well-known platforms broadly because it breaks business workflows.
- Link shorteners create an extra step that can defeat simplistic “blocklist the bad domain” approaches.
The result: the message “looks normal,” the infrastructure “looks normal,” and the target is pushed to authenticate quickly—often from a mobile device, often while multitasking.
Why stealing 2FA codes changes the incident response playbook
The most operationally important detail here is the push to capture 2FA codes along with usernames and passwords.
Many organizations still behave as if “we have MFA” equals “credential phishing is solved.” It isn’t. Real-time phishing kits and relay infrastructure mean attackers can:
- Collect the password
- Prompt for the one-time code
- Use the code immediately to log in
- Establish persistence (tokens, app passwords, mailbox rules, OAuth grants) before the user realizes anything happened
What defenders should assume after a successful phish
If credentials and 2FA were entered into a fake page, assume compromise until proven otherwise. Practical next steps usually include:
- Reset password and revoke all active sessions
- Revoke OAuth tokens and review third-party app grants
- Search for mailbox rules/forwarding changes
- Review sign-in logs for impossible travel, new devices, and unusual client apps
- Consider conditional access hardening (device compliance, risk-based policies)
For national security-aligned environments, the risk isn’t just account takeover—it’s intelligence collection: contact graphs, sensitive attachments, internal discussions, policy drafts, and operational timelines.
The AI advantage: catching long-running campaigns humans miss
AI-driven security is most valuable when attackers behave “legitimately” on the surface. APT-style phishing often succeeds because each individual email can look plausible. What gives it away is the pattern across time, users, and infrastructure.
AI-based detection systems can correlate weak signals that are hard to operationalize manually, such as:
- Repeated use of PDFs with similar link structures across campaigns
- Redirection chain fingerprints (shortener → blog subdomain → hosted page)
- Lookalike page characteristics (layout similarity, form behavior, DOM patterns)
- Sender behavior anomalies (new sender → high-value recipient → attachment + urgency)
- User behavior anomalies (user rarely clicks PDFs, now clicks and submits credentials)
A solid rule of thumb: traditional filters look for known bad. AI looks for “does this look wrong for us?” That matters when the attacker is intentionally avoiding known-bad infrastructure.
Answer-first: How AI detects credential phishing in real time
AI detects APT28-style credential phishing by modeling normal communication and authentication behavior, then flagging deviations that match phishing tradecraft—even when the infrastructure is hosted on legitimate services.
In practice, that means:
- Content understanding: NLP models scoring the language, urgency cues, and impersonation patterns
- Link intelligence at click-time: automated detonation and chain following to reveal the final destination
- Page similarity detection: identifying fake login pages based on structure and behavior, not just domain reputation
- Behavior analytics: risk-scoring the user action sequence (open → click → credential submit → new login)
For defenders, the “win” isn’t just detection—it’s time. Stopping a phish before credentials are entered is ideal. Failing that, detecting the compromise quickly enough to revoke tokens and sessions can prevent follow-on access.
Practical controls that shut down this attack chain
You don’t need a miracle product to reduce exposure dramatically. You need layered controls that match the attacker’s chain.
1) Make link redirection someone else’s problem (automate it)
If your defenses treat shortened links as opaque, you’re giving attackers a free pass.
Implement click-time controls that:
- Expand shortened URLs automatically
- Follow redirects safely in a sandbox
- Score the final page (phish likelihood) before the user ever sees it
Actionable policy: treat “shortener + attachment link” as high risk by default—especially for privileged users and teams tied to defense and national security.
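The click-time expansion and scoring described in this section (and the shortener → blog subdomain → hosted page fingerprint above) as a worked example. This is added illustration code, not the article's or any vendor's product; the redirect table, shortener list, platform suffixes and scoring weights are all constructed assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed redirect table standing in for live HTTP responses (URL -> Location header,
# None = final page). Real lookups run with redirects disabled from an isolated host.
REDIRECT_TABLE = {
    "https://tinyurl.example/x7q2": "https://mail-notice.blogplatform.example/update",
    "https://mail-notice.blogplatform.example/update": "https://mail-verify.hosted.example/auth/login",
    "https://mail-verify.hosted.example/auth/login": None,
}
SHORTENER_HOSTS = {"tinyurl.example", "bit.example"}                    # assumed shortener list
GENERIC_PLATFORM_SUFFIXES = ("blogplatform.example", "hosted.example")  # assumed hosting platforms
LOGIN_PATH_RE = re.compile(r"login|signin|auth|verify|password", re.I)
MAX_HOPS = 8

def resolve_chain(url, lookup=REDIRECT_TABLE.get):
    """Expand a link one hop at a time; stop on final page, loop, or hop cap."""
    chain, seen = [url], {url}
    while len(chain) <= MAX_HOPS:
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, "final"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "hop_limit"

def score_chain(chain, from_attachment=False):
    """Flag the shortener -> generic platform -> login page pattern and score it."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    flags = []
    if hosts[0] in SHORTENER_HOSTS:
        flags.append("shortener_entry")
    if any(h.endswith(GENERIC_PLATFORM_SUFFIXES) for h in hosts[1:]):
        flags.append("generic_platform_hop")
    if LOGIN_PATH_RE.search(urlparse(chain[-1]).path):
        flags.append("login_page_final")
    if len(chain) >= 3:
        flags.append("multi_hop")
    if from_attachment and "shortener_entry" in flags:
        flags.append("attachment_plus_shortener")  # the "high risk by default" policy above
    score = min(100, 20 * len(flags))
    verdict = "block" if score >= 60 else "warn" if score >= 20 else "allow"
    return {"flags": flags, "score": score, "verdict": verdict}

def assess_link(url, from_attachment=False):
    """Click-time check: expand, then score the final destination before the user sees it."""
    chain, status = resolve_chain(url)
    result = score_chain(chain, from_attachment)
    result.update(chain=chain, status=status)
    return result
```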
2) Move beyond OTP-based MFA for high-risk users
If your most sensitive users still rely on SMS or app-based one-time codes, that’s a gap attackers actively exploit.
Better options:
- FIDO2/WebAuthn security keys (phishing-resistant)
- Device-bound passkeys with strong attestation policies
- Conditional access requiring compliant devices for email access
Opinionated take: for executives, diplomats, defense contractors, and admins, OTP-based MFA is no longer a “strong control.” It’s a baseline—and it’s phishable.
3) Put guardrails around “legitimate” platforms
Attackers abuse legitimate services because defenders often can’t block them broadly. But you can still add guardrails.
Examples:
- Restrict access to newly registered domains and newly created subdomains
- Apply higher scrutiny to authentication pages hosted on generic platforms
- Use browser isolation for unknown or high-risk links
4) Detect post-phish persistence, not just the phish
Modern credential theft is about what happens after the login.
Look for:
- New inbox rules, forwards, or suspicious filters
- New OAuth consent grants to unusual apps
- New device enrollments or token refresh patterns
- Logins from atypical ASN/geolocation combinations
If you’re using AI-based anomaly detection, this is where it shines: it can flag “quiet” abuse that doesn’t trip signature-based controls.
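The post-phish checks listed here (and the "assume compromise" steps earlier) as a worked example run over a handful of constructed audit events: impossible travel between sign-ins, an unusual client app, an external forwarding rule that also deletes mail, and an OAuth grant with mail scopes. This is added illustration code, not the article's; the event field names, app baseline and the 900 km/h threshold are assumptions, not any vendor's schema.

```python
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
# Constructed audit events standing in for an IdP / mailbox audit feed.
AUDIT_LOG = """
{"ts":"2025-01-14T08:02:00Z","user":"analyst@corp.example","event":"signin","ip":"203.0.113.5","lat":50.45,"lon":30.52,"app":"Outlook"}
{"ts":"2025-01-14T08:41:00Z","user":"analyst@corp.example","event":"signin","ip":"198.51.100.9","lat":48.86,"lon":2.35,"app":"Python-requests"}
{"ts":"2025-01-14T08:43:00Z","user":"analyst@corp.example","event":"inbox_rule_created","rule":{"forward_to":"archive@mail-backup.example","delete":true}}
{"ts":"2025-01-14T08:44:00Z","user":"analyst@corp.example","event":"oauth_consent","app":"MailSyncHelper","scopes":["Mail.Read","offline_access"]}
"""
INTERNAL_DOMAINS = {"corp.example"}                               # assumed: mail domains we own
KNOWN_APPS = {"Outlook", "Teams"}                                 # assumed: baseline client apps
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "offline_access"}   # scopes that let an app read mail
MAX_PLAUSIBLE_KMH = 900                                           # faster than this = impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def review_user_activity(log_text):
    """Return (code, detail) findings for the post-phish persistence patterns."""
    events = sorted((json.loads(l) for l in log_text.strip().splitlines()), key=lambda e: e["ts"])
    findings, prev = [], None  # prev = (event, datetime) of the last sign-in seen
    for e in events:
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if e["event"] == "signin":
            if e["app"] not in KNOWN_APPS:
                findings.append(("unusual_client_app", e["app"]))
            if prev:
                km = haversine_km(prev[0]["lat"], prev[0]["lon"], e["lat"], e["lon"])
                hours = (t - prev[1]).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    findings.append(("impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
            prev = (e, t)
        elif e["event"] == "inbox_rule_created":
            dest = e["rule"].get("forward_to", "")
            if dest and dest.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                findings.append(("external_forwarding_rule", dest))
            if e["rule"].get("delete"):
                findings.append(("rule_deletes_messages", "forwarded mail hidden from the user"))
        elif e["event"] == "oauth_consent" and MAIL_SCOPES & set(e["scopes"]):
            findings.append(("oauth_mail_access_grant", e["app"]))
    return findings
```

Any non-empty result here is the trigger for the earlier playbook: revoke sessions and OAuth tokens first, then remove the rule.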
A defense and national security lens: why long-running phishing matters
Within the AI in Defense & National Security context, the significance isn’t just “another phishing campaign.” It’s the operating model.
State-aligned groups often prefer:
- Credential access over destructive malware (less noisy, more sustainable)
- Mailboxes over endpoints (email reveals relationships and intent)
- Persistence through tokens and rules (harder to notice than a dropped executable)
That’s why email security, identity security, and AI-driven threat detection are converging. If you treat them as separate silos, attackers get space to maneuver.
A memorable reality: Most APT campaigns don’t beat your strongest control. They slip through your messiest handoffs—email to browser to identity provider.
What to do next (if you want fewer “we got phished” days)
Most teams don’t need more dashboards. They need a tighter loop between detection and response.
A practical next-step checklist you can run in January planning (or right now):
- Inventory your top 50 high-risk identities (admins, execs, sensitive project teams)
- Require phishing-resistant MFA for those users
- Turn on automated URL expansion and detonation for links in PDFs
- Add playbooks that automatically:
  - revoke sessions
  - revoke OAuth tokens
  - alert on mailbox rule changes
- Use AI-based anomaly detection to baseline normal email and sign-in behavior, then alert on deviations
If you’re evaluating AI in cybersecurity for measurable outcomes, this is a clean test: measure how quickly you can detect and contain a targeted phish. Time-to-detect and time-to-revoke are metrics that executives and security teams both understand.
Credential phishing campaigns like APT28’s don’t stop because we publish reports about them. They stop when defenders make the economics ugly: low success rates, fast containment, and fewer paths to persistence. That’s where AI-powered email security and identity analytics earn their keep.
What would change in your risk profile if your organization could reliably catch the second step—the redirect chain and the fake login—before any credentials were entered?