APT28’s UKR.net phishing shows why credential theft persists. Learn how AI-based detection and behavioral analytics stop 2FA-stealing attacks faster.
AI Phishing Defense: Lessons From APT28’s UKR.net Trap
Credential phishing doesn’t need fancy malware to cause real damage. It just needs one believable login page and one distracted user.
Recorded Future tracked a sustained credential-harvesting campaign attributed to APT28 (aka Fancy Bear / BlueDelta) that targeted UKR.net webmail users from June 2024 through April 2025. The tradecraft is familiar—PDF lures, shortened links, redirection chains—but the intent is painfully modern: steal credentials and capture one-time 2FA codes fast enough to use them.
For organizations that operate in defense, national security, government-adjacent supply chains, or support partners in Ukraine, this is more than “email security.” It’s an intelligence problem. And it’s exactly the kind of problem where AI-based threat detection and behavioral analytics outperform rules and blocklists—because the infrastructure is disposable, and the attacker’s playbook is designed to look normal.
What APT28’s UKR.net campaign tells us about modern phishing
This campaign is a clean example of why phishing keeps working: attackers optimize for trust, speed, and low-cost infrastructure.
APT28 reportedly used:
- UKR.net-themed login pages hosted on legitimate services (e.g., simple free-hosting or response-page services normally used for mock-ups)
- Phishing emails with PDF attachments, where the click target is embedded inside the document
- Link shorteners to conceal the destination
- Two-tier redirection chains (including subdomains on common blogging platforms) to complicate analysis
- Proxy tunneling services (notably ngrok and Serveo) to relay captured credentials and 2FA codes
The tactical shift worth underlining: moving from compromised routers to tunneling services. That’s a rational adaptation. Tunnels are easy to spin up, hard to attribute quickly, and they blend into developer/admin tooling. If your defenses still treat tunneling domains as “rare edge cases,” you’re behind.
Why PDF lures still win inside serious organizations
People expect PDFs. Procurement, policy memos, logistics documents, legal notices—PDF is the default in defense and government ecosystems.
Attackers like PDFs because:
- Many gateways allow them through with minimal friction
- Users open them reflexively
- The “link in a document” pattern bypasses some user skepticism trained around obvious email buttons
A practical stance: If your security program treats PDFs as low-risk attachments, you’re creating a blind spot on purpose.
The real objective: credential theft as intelligence access
The fastest way into an organization isn’t always exploiting a zero-day. For state-aligned operators, credential theft is access with plausible deniability—and it scales.
Once an attacker has a mailbox credential (and potentially an active session), they can:
- Read sensitive conversations and attachments
- Reset passwords for other services via email-based recovery
- Pivot into collaboration platforms and file stores
- Impersonate trusted accounts for internal phishing and partner compromise
In a defense and national security context, email isn’t just a productivity tool—it’s a sensor and a command channel. Compromising it supports:
- Collection of operational details (movement, procurement, schedules)
- Identification of relationships and chains of command
- Target development for follow-on operations
This is why defenders should treat credential phishing as counterintelligence-adjacent work, not “security awareness training homework.”
Why traditional defenses struggle (and where AI actually helps)
Rule-based controls still matter, but phishing campaigns like this are built to erode them:
- Infrastructure is ephemeral: shorteners, free hosting, quick domain churn
- Legitimate platforms get abused: blocking them outright breaks business
- The content is localized and believable: language, branding, and context are tuned
- 2FA is targeted directly: attackers capture the code and replay it immediately
AI helps when it’s applied to the right layer: patterns, relationships, and behavior over time.
1) AI for phishing detection: pattern recognition beyond indicators
The first win is reducing reliance on static IOCs.
Well-tuned ML models can flag messages based on combinations of weak signals, such as:
- Document-based link delivery (PDF with embedded URL)
- Unusual link construction (shorteners + redirects + uncommon query patterns)
- Visual similarity of the landing page to known brands (logo/layout mimicry)
- Sender/recipient graph anomalies (who usually emails whom, in what language, with what attachment types)
A strong system doesn’t just say “this domain is bad.” It says: “This message behaves like credential theft.” That’s a better trigger for automated containment.
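Added example (not from the original post or the Recorded Future reporting): a small weak-signal scorer that mirrors the list above. It learns a sender/recipient baseline from constructed mail history, then scores a message on the combination of a first-time pair, a PDF-delivered link, a shortener, and authentication-themed wording; the addresses, the shortener list and the threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed history of normal mail flow for one recipient: (sender, recipient, attachment type).
# Hypothetical addresses, not from the reporting.
HISTORY = [
    ("logistics@partner.example", "olena@unit.example", "xlsx"),
    ("logistics@partner.example", "olena@unit.example", "pdf"),
    ("hr@unit.example", "olena@unit.example", "pdf"),
]
# Illustrative shortener list; a production model would learn this from traffic.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}
AUTH_WORDS = re.compile(r"\b(password|log ?in|sign ?in|verify|2fa|one-time code|account)\b", re.I)
BLOCK_THRESHOLD = 3   # no single signal is decisive; three together look like credential theft

def build_baseline(history):
    """Map each (sender, recipient) pair to the attachment types previously exchanged."""
    seen = defaultdict(set)
    for sender, rcpt, ext in history:
        seen[(sender, rcpt)].add(ext)
    return seen

def score_message(msg, baseline):
    """Combine weak signals into a score. msg has from, to, attachment_ext, doc_urls, body."""
    reasons = []
    pair = (msg["from"], msg["to"])
    if pair not in baseline:
        reasons.append("first-time sender/recipient pair")
    elif msg["attachment_ext"] not in baseline[pair]:
        reasons.append("attachment type never seen on this pair")
    if msg["attachment_ext"] == "pdf" and msg["doc_urls"]:
        reasons.append("click target embedded in a PDF")
    if any((urlparse(u).hostname or "") in SHORTENERS for u in msg["doc_urls"]):
        reasons.append("shortened link inside the document")
    if AUTH_WORDS.search(msg["body"]):
        reasons.append("authentication-themed language")
    return len(reasons), reasons

def verdict(msg, baseline):
    """Return 'quarantine' when the combined signals reach the threshold, else 'deliver'."""
    score, _ = score_message(msg, baseline)
    return "quarantine" if score >= BLOCK_THRESHOLD else "deliver"
```

The legitimate invoice from a known partner scores one point (a PDF with a link) and is delivered; the lure trips four signals and is quarantined, with the reasons list available to the analyst.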
2) Behavioral analytics for credential use: catching the replay
If an attacker captures credentials and a 2FA code, the defensive window is short. That’s where identity threat detection and UEBA matter.
High-signal detections include:
- “Impossible travel” patterns (but tuned to VPN realities)
- First-time device + first-time location + first-time mailbox rule creation
- Sudden spikes in IMAP/POP access where it’s normally unused
- Unusual forwarding rules, deletion rules, or OAuth consent grants
This is also where I’ve found teams get the most ROI: treat mailbox rule creation as a near-real-time fraud signal, not a low-priority audit event.
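Added example (not from the original post): detection logic for the replay window described above, run over constructed identity telemetry for one user. A sign-in on a first-time device and a first-time location is suspicious on its own; a mailbox rule or OAuth consent within minutes of it raises the alert to high. The event fields, the 15-minute window and the two-sign-in warm-up are assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity telemetry for one user (hypothetical values, not from the reporting).
# The first two sign-ins form the baseline; the last three are the suspected replay.
EVENTS = [
    {"ts": "2025-03-03T08:02:00", "type": "signin", "device": "lt-0412", "geo": "UA-Kyiv", "proto": "web"},
    {"ts": "2025-03-04T08:10:00", "type": "signin", "device": "lt-0412", "geo": "UA-Kyiv", "proto": "web"},
    {"ts": "2025-03-05T21:44:00", "type": "signin", "device": "unk-77a1", "geo": "NL-Amsterdam", "proto": "imap"},
    {"ts": "2025-03-05T21:47:00", "type": "mailbox_rule", "detail": "forward to external address, then delete"},
    {"ts": "2025-03-05T21:49:00", "type": "oauth_consent", "detail": "mail-sync-helper"},
]
REPLAY_WINDOW = timedelta(minutes=15)   # captured codes are replayed within minutes
POST_AUTH_ABUSE = {"mailbox_rule", "oauth_consent"}
MIN_BASELINE = 2                        # learn from this many sign-ins before alerting

def parse(events):
    """Parse timestamps and order events chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])

def detect_replay(events):
    """Alert on sign-ins with a first-time device AND first-time location; severity is high
    when mailbox-rule creation or an OAuth consent follows inside REPLAY_WINDOW."""
    known = {"device": set(), "geo": set(), "proto": set()}
    alerts, evs, signins = [], parse(events), 0
    for i, e in enumerate(evs):
        if e["type"] != "signin":
            continue
        novel = [k for k in known if e[k] not in known[k]]
        for k in known:
            known[k].add(e[k])
        signins += 1
        if signins <= MIN_BASELINE or "device" not in novel or "geo" not in novel:
            continue   # one new attribute alone is ordinary (new laptop, travel, VPN egress)
        abuse = [f for f in evs[i + 1:]
                 if f["type"] in POST_AUTH_ABUSE and f["ts"] - e["ts"] <= REPLAY_WINDOW]
        alerts.append({"at": e["ts"].isoformat(), "novel": novel,
                       "severity": "high" if abuse else "medium",
                       "post_auth": [f["type"] for f in abuse]})
    return alerts
```

Because the rule requires both a new device and a new location, the same user signing in from a new city on their usual laptop produces no alert, which keeps the impossible-travel noise the text warns about out of this detection.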
3) AI-guided triage in the SOC: speed matters more than perfect certainty
APT-style phishing isn’t always high volume, but it is persistent. The SOC problem is fatigue: every alert looks “kind of suspicious.”
AI is useful when it:
- Clusters related messages into one incident (same lure family, same redirect infrastructure)
- Summarizes the behavior chain (PDF → short link → blog redirect → fake login)
- Recommends containment actions with confidence scoring
The point isn’t replacing analysts. It’s making the first 10 minutes decisive, because that’s when credential replay happens.
A practical defense playbook for campaigns that steal 2FA codes
If you want a plan that holds up against the exact tactics described in the APT28 reporting, focus on four controls: email, web, identity, and response automation.
Email controls: block the delivery patterns, not just the sender
Do these even if you already have “advanced email security.”
- Detonate PDFs or extract and rewrite URLs inside documents
- Enforce safe link rewriting and time-of-click analysis (redirect chains matter)
- Quarantine messages that use link shorteners and contain authentication-themed language
- Apply stricter policies for users with sensitive roles (executives, comms, procurement, IT admins)
Web controls: stop the redirect chain early
Because attackers abuse legitimate platforms, you need policy that’s conditional and context-aware.
- Inspect URL chains (final destination, not just initial domain)
- Flag first-seen domains and newly registered lookalikes
- Treat tunneling services as high-risk when used for login flows
A clear rule that works: “No authentication pages should be reachable through multi-hop consumer redirects.” If it takes three bounces to reach a login page, something’s off.
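Added example (not from the original post): a time-of-click chain walker that applies the rule just stated. It resolves a constructed redirect table in place of live requests, counts hops through shorteners and blogging platforms, and blocks when a login-looking page sits behind two or more such hops or is served from a tunnel host; the hostnames and the hop limit are assumptions.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for HEAD requests made at time of click
# (all hostnames hypothetical). Maps a URL to the Location it redirects to.
REDIRECTS = {
    "https://short.example/a1b2": "https://notes-blog.example/u/mailbox-notice",
    "https://notes-blog.example/u/mailbox-notice": "https://abcd1234.tunnel.example/ukr/login",
    "https://loop.example/x": "https://loop.example/y",
    "https://loop.example/y": "https://loop.example/x",
}
# Shorteners and blogging platforms: consumer redirectors a login flow should never pass through.
CONSUMER_REDIRECTORS = {"short.example", "notes-blog.example"}
# Tunnel relay suffixes: constructed .tunnel.example plus known ngrok and Serveo hostnames.
TUNNEL_SUFFIXES = (".tunnel.example", ".ngrok.io", ".ngrok-free.app", ".serveo.net")
LOGIN_HINTS = ("login", "signin", "auth", "password", "verify")
MAX_HOPS = 10

def follow_chain(url, table=REDIRECTS):
    """Walk redirects until a non-redirecting URL, a loop, or MAX_HOPS."""
    chain = [url]
    while chain[-1] in table and len(chain) <= MAX_HOPS:
        nxt = table[chain[-1]]
        chain.append(nxt)
        if nxt in chain[:-1]:        # redirect loop: stop, the repeat is kept as evidence
            break
    return chain

def assess(url, table=REDIRECTS):
    """Rule: no authentication page reachable via multi-hop consumer redirects or a tunnel."""
    chain = follow_chain(url, table)
    final = urlparse(chain[-1])
    consumer_hops = sum(1 for u in chain[:-1] if urlparse(u).hostname in CONSUMER_REDIRECTORS)
    login_like = any(h in final.path.lower() for h in LOGIN_HINTS)
    tunnel = (final.hostname or "").endswith(TUNNEL_SUFFIXES)
    reasons = []
    if login_like and consumer_hops >= 2:
        reasons.append(f"login page behind {consumer_hops} consumer redirect hops")
    if login_like and tunnel:
        reasons.append(f"login page served from tunnel host {final.hostname}")
    if len(chain) > MAX_HOPS or chain[-1] in chain[:-1]:
        reasons.append("unresolvable chain (loop or too many hops)")
    return {"chain": chain, "block": bool(reasons), "reasons": reasons}
```

A direct link to an internal login page passes; the shortener-to-blog-to-tunnel chain is blocked for both reasons, and the full chain is returned so the analyst sees every hop.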
Identity controls: assume credentials will leak and limit blast radius
This is where many programs underinvest.
- Prefer phishing-resistant MFA (hardware-backed keys or platform passkeys) for high-risk users
- Turn on risk-based sign-in policies and require step-up authentication for anomalies
- Restrict legacy protocols (IMAP/POP) and enforce modern authentication
- Monitor and alert on:
  - New mailbox rules
  - New OAuth app consents
  - Suspicious token refresh behavior
If you can only do one thing: move privileged and high-risk users to phishing-resistant MFA. SMS and OTP are exactly what this campaign targets.
Response automation: contain first, debate later
When detections fire, automation should execute a small set of safe actions quickly:
- Temporarily disable the account or revoke sessions
- Block the sender and similar messages (cluster-based)
- Remove the message from mailboxes (where your platform supports it)
- Force password reset and re-registration of MFA if compromise is likely
Speed is the difference between “one user entered credentials” and “partner-wide lateral phishing.”
“Could AI have stopped it?” The honest answer
Yes—if AI is placed at the decision points attackers can’t avoid.
APT28 can rotate domains, hosting, and redirectors all day. What they can’t avoid is the behavior sequence:
- Deliver a lure to a user
- Get the user to a counterfeit login
- Capture credentials and a second factor
- Use those credentials in ways that differ from the real user
AI-driven detection is strongest on the last two steps: identity and session behavior. That’s where defenders have durable advantage, because it’s anchored to your environment’s norms.
If your organization is betting everything on training users not to click, you’re betting on the least reliable component in the system.
What to do next (especially before year-end access changes)
December is when org charts shift, contractors rotate, and access exceptions pile up. That makes credential phishing easier—not harder.
Here’s a tight next-step list you can execute without a six-month program:
- Identify your top 50 high-risk mailboxes (role + access + external communication volume)
- Enforce phishing-resistant MFA for that group first
- Add automated alerts for mailbox rule creation and OAuth consent grants
- Raise scrutiny for PDFs with embedded links and multi-hop redirects
- Create a one-click SOC playbook to revoke sessions and purge messages at scale
State-aligned phishing isn’t slowing down. The only sustainable posture is automated detection + fast containment, backed by identity telemetry that tells you what’s actually happening after the click.
If your security team had to answer one question this week, it should be this: When a valid user credential is used in an abnormal way, how fast do we notice—and how fast can we shut it down?