AI vs APT28 Phishing: Stop Credential Theft Fast

A single well-crafted phishing email can now steal a password, a valid 2FA code, and your user’s trust in one shot. That’s what makes the recently reported APT28 credential-harvesting campaign against UKR[.]net users so instructive: it’s not “spray and pray” spam. It’s a patient, state-backed operation designed to blend in, iterate quickly, and keep working even after infrastructure is taken down.

For security leaders in defense, government-adjacent organizations, and critical infrastructure, this isn’t just a Ukraine-specific story. It’s a preview of how state-sponsored phishing keeps evolving—and why AI in cybersecurity is becoming table stakes for detecting credential theft before it becomes an intelligence win for an adversary.

This post is part of our “AI in Defense & National Security” series, where the goal isn’t hype. It’s practical clarity: what happened, why it worked, and what an AI-powered defense looks like when the attacker is disciplined and well-resourced.

What the APT28 UKR[.]net campaign teaches us

APT28’s campaign shows a simple truth: phishing succeeds when defenders rely on static rules and users are forced to be perfect every time. The operation (observed over months) used legitimate platforms and familiar formats to lower suspicion, then focused on capturing the exact ingredients needed for account takeover.

APT28 (also known by many tracking names across vendors) is widely assessed as a Russian state-sponsored actor. Their history is heavy on credential theft for intelligence collection—not quick cash-outs. That changes the risk profile. A compromised mailbox isn’t just “one user.” It’s access to contacts, sensitive threads, internal file-sharing links, and authentication reset paths.

The mechanics: trust stacking and small moves

From the reporting, the playbook is recognizable—and effective:

• UKR[.]net-themed fake login pages hosted on legitimate services (a classic “looks normal” technique)
• Phishing emails with PDF attachments containing the malicious link (PDFs often pass basic email heuristics)
• Link shorteners to hide destination and complicate triage
• Multi-step redirection chains (including subdomains on mainstream platforms) to evade simple blocklists
• Real-time theft of 2FA codes (not just passwords), enabling immediate session hijacking

The operational detail that should make defenders pause is the focus on capturing both credentials and 2FA codes. That signals the attacker is trying to beat “we have MFA” defenses, not avoid them.

What changed: infrastructure adapts faster than blocklists

One notable shift in the campaign was moving away from certain proxy methods (like compromised routers) toward tunneling and relay services commonly used by developers and IT teams.

This matters because traditional controls—static allow/deny lists, domain reputation checks, and manual SOC triage—struggle when attackers:

• rotate infrastructure quickly,
• hide behind legitimate platforms,
• and use redirect chains that only resolve at click time.

If your phishing defense mostly depends on yesterday’s indicators, you’re playing catch-up.

Why AI is essential against state-sponsored phishing

AI helps because the key signals in sophisticated phishing are often behavioral and contextual, not obvious. APT-level campaigns win by staying “normal enough” at each step.

Here’s the stance I’ll take: security teams shouldn’t try to out-manually-investigate state-backed phishing at scale. It’s a losing economics problem. AI changes the economics by automating what humans can’t do fast enough.

AI detection works best when it watches the whole chain

The most useful AI-powered cybersecurity systems don’t just score an email subject line. They correlate signals across:

• email content and structure,
• attachment behavior (like PDFs containing obfuscated links),
• URL and redirect behavior,
• web page similarity to real login portals,
• identity activity after the click,
• and session anomalies after authentication.

In other words: AI is strongest when it connects events across tools (email security, browser, DNS, identity, and endpoint) into a single story.

What AI can spot that rules miss

Rules are great for known bad patterns. APT28-style phishing often avoids those patterns.

AI models (especially those trained on enterprise telemetry) can flag things like:

• Brand impersonation at the layout level (page structure and visual similarity), even when the domain looks “clean”
• Unusual redirect depth (legitimate business flows rarely require multiple hops through mixed hosting providers)
• Time-to-login behavior (phishing victims often go from click → credential entry unusually fast)
• MFA fatigue patterns vs MFA interception patterns (two different attacker workflows)
• Impossible-travel and session anomalies immediately after successful credential use

A memorable way to put it:

Attackers can fake a domain. They can’t easily fake normal user behavior across the entire authentication lifecycle.

A practical AI defense blueprint for credential phishing

If you’re trying to reduce account takeovers in a high-risk environment, you need controls that assume users will occasionally click. The goal is to prevent a click from becoming a compromise.

1) Use AI to prioritize “credential theft intent,” not just “maliciousness”

Answer first: Your detection should focus on whether the flow is trying to capture credentials and 2FA, not whether the sender looks shady.

What to implement:

• AI-based email classification that weighs attachment type + link behavior + impersonation cues
• Automated detonation or safe-link rewriting that evaluates final landing pages, not just initial URLs
• Computer vision or DOM-similarity checks for lookalike login portals

Why it matters: APT28 used legitimate services and link shorteners. Sender reputation alone won’t save you.

2) Put AI where attackers can’t avoid it: identity and session telemetry

Answer first: Identity is the choke point. Even perfect email security won’t catch everything, so your identity layer must detect abnormal post-auth behavior.

What to implement:

• Risk-based conditional access: step-up challenges when risk spikes
• AI-driven anomaly detection for:
  • new device + new geo combinations
  • unusual IMAP/POP access patterns
  • suspicious OAuth consent events
  • token replay or abnormal session lifetimes

If you’ve found yourself saying “We had MFA, but they still got in,” this is where to invest. MFA isn’t a finish line anymore.

3) Automate response so phishing doesn’t outpace humans

Answer first: The fastest wins come from automated containment that triggers within minutes, not after a ticket is opened.

Automations worth deploying:

• Quarantine similar emails across mailboxes when one is confirmed
• Disable suspicious sessions and revoke tokens automatically
• Force password reset and re-enroll MFA for high-confidence incidents
• Block redirect infrastructure patterns (not just single domains)

A useful operational metric: mean time to revoke session tokens. If it’s measured in hours, state-backed operators have plenty of time to collect mail, pivot, and exfiltrate.

What security teams should do this week (not next quarter)

The reality? Most organizations don’t need a brand-new stack to improve phishing resilience. They need tighter integration and better automation.

Here’s a straightforward checklist you can act on quickly:

1. Audit how PDFs are handled in email security.

   • Are embedded links extracted and analyzed?
   • Do you inspect final redirect destinations?

2. Turn on (or tighten) conditional access policies for mailbox and webmail access.

   • Require step-up auth for new devices.
   • Reduce session persistence where feasible.

3. Deploy an AI-assisted phishing triage workflow in the SOC.

   • Auto-cluster related messages.
   • Auto-enrich with redirect chain results.

4. Instrument token revocation playbooks.

   • Practice revoking sessions at scale.
   • Validate that revocation actually logs the user out.

5. Run a targeted simulation that mimics modern credential theft.

   • Include a PDF lure.
   • Include a shortened link.
   • Measure time-to-detect and time-to-contain.

If you do nothing else, do #2 and #4. They directly reduce the blast radius when credentials and 2FA codes are stolen.

Common questions leaders ask about AI phishing defense

“If we already have MFA, are we safe from credential phishing?”

No. MFA reduces risk, but it doesn’t stop real-time phishing that captures passwords and one-time codes or steals session tokens. You need session and identity anomaly detection to close the gap.

“Is this only a concern for Ukraine or government targets?”

No. Campaigns like this tend to start with high-value regional targets, then tactics spread broadly. The same infrastructure and kits often reappear in commercial espionage and supply chain targeting.

“What’s the fastest way AI helps us reduce risk?”

Two places: (1) correlating signals across email + web + identity, and (2) automating containment (quarantine, token revocation, forced reauth) before analysts finish manual review.

Where this fits in AI for Defense & National Security

Credential phishing looks “small” compared to drones, satellites, or zero-days. But for national security and defense-adjacent organizations, it’s often the cleanest path to intelligence: compromise inboxes, map relationships, read schedules, monitor decisions, and quietly persist.

AI’s role here is direct and practical: reduce the time between attacker action and defender containment. When adversaries iterate for months, the winning strategy isn’t hoping users never click. It’s building systems that recognize the pattern quickly—even when each individual component looks legitimate.

If you’re evaluating AI in cybersecurity for phishing and credential theft, focus your questions on outcomes:

• Can it detect multi-step redirect chains reliably?
• Can it score login-page impersonation beyond domain reputation?
• Can it trigger identity controls and revoke sessions automatically?
• Can it cluster campaigns and hunt across mailboxes in minutes?

Those capabilities don’t just stop one APT28-style lure. They change the attacker’s cost structure.

Where do you see the bigger gap in your organization right now—detection (finding the phish) or containment (stopping account takeover after the click)?