AI Brand Fraud: How Threat Actors Turned ChatGPT, Claude and DeepSeek Into Phishing Bait

Threat actors have found a more effective lure than an unpaid invoice. On June 8, 2026, Microsoft Threat Intelligence published findings documenting a series of phishing, malvertising, and search engine manipulation campaigns that impersonate the branding of ChatGPT, Microsoft Copilot, Anthropic's Claude, and DeepSeek. None of the attacks represent a compromise of those platforms. What they represent is something more instructive: the trust these AI brands have accumulated has become an attack asset in its own right.

The report covers four distinct campaigns observed between March and May 2026. Each uses different delivery mechanisms, targets different victim profiles, and deploys different final payloads — but all begin with the same social engineering logic. A brand people associate with intelligence, capability, and institutional credibility is used to lower a target's suspicion at precisely the moment they are being deceived.

What the attacks actually do

The ChatGPT-themed campaign, detected on May 5, 2026, sent 4,500 phishing emails to targets in South Africa, impersonating a ChatGPT Plus subscription renewal request. A broader version of the same campaign sent up to 100,000 emails in a single day to targets in Switzerland, Austria, and South Africa, affecting higher education and professional services organisations.

Victims who clicked the payment update button were routed through a chain of legitimate but abused services — a CRM platform, an Amazon tracking domain, a URL shortener — before landing on a compromised e-commerce site where both personal information and full credit card details were collected across sequential pages.

The Claude-themed campaign ran from April 20 to 22, 2026, targeting users at more than 2,000 organisations, with 62% in the United States, 18% in the United Kingdom, and 9% in India. Financial services accounted for 8% of targets. The attack used enforcement-themed messaging — claiming the recipient's account had violated acceptable use policies — delivered via a PDF attachment named "Fill and Sign Claude Appeal Form.pdf".

The PDF directed users to an attacker-controlled domain where a Cloudflare verification prompt, an intermediate landing page carrying Claude branding, and a one-time access code were used to route victims toward what Microsoft assessed as a Microsoft sign-in page designed to intercept authentication tokens. This technique is known as adversary-in-the-middle, or AiTM.

The malvertising campaign, attributed to an initial access broker Microsoft tracks as Storm-3075, used fictitious product names including "Awesome AI Windows Plugin" and "Flux Pro AI" in malicious popups and malware executable names. On March 13, 2026 alone, a single campaign run targeted over 66,000 devices.

The malware was code-signed through a service Microsoft attributes to Fox Tempest, which operates malware-signing as a service — meaning the signed binary appeared legitimate to both the operating system and the user. On May 19, 2026, Microsoft unsealed a legal case in the US District Court for the Southern District of New York against Fox Tempest, seizing its website, taking offline hundreds of virtual machines running the operation, and blocking access to a site hosting the underlying code.

The DeepSeek campaign, launched on April 24, 2026 within hours of DeepSeek officially previewing its V4 model, used a fraudulent GitHub repository decorated with stolen DeepSeek branding, real benchmark data, and search-engine-optimised topic tags. Within four days the repository had accumulated 91 stars and ranked first on Bing and in the top results on Google for queries including "DeepSeek v4 weights github."

The archives hosted on GitHub's release infrastructure contained a loader delivering Vidar infostealer. The same shared loader hash appeared under file names impersonating GPT-5.5, Claude Code, Kimi, Manus AI, and others — each lure recycling whichever AI tool had entered public attention most recently.

Why this matters for fintech

The financial services sector appeared explicitly in Microsoft's data: 8% of the Claude campaign's targets were in financial services. The pattern is consistent with what the NSO contempt filing established earlier today about surveillance infrastructure and financial communications — the people most targeted by sophisticated attacks are those whose credentials carry the highest downstream value. An authentication token stolen from a financial services employee via an AiTM attack means access.

The DeepSeek campaign is worth examining separately. It demonstrates that the attack surface is not limited to consumer users clicking on subscription renewal emails. The repository was designed to be discovered by developers and researchers looking for model weights — a technically literate audience. The fact that it ranked above legitimate sources on major search engines for four days, accumulating stars and forks, describes a supply chain risk that sits upstream of the fintech applications built on top of these models. As AI enters professional financial workflows, the attack surface expands with the adoption curve.

The structural point

Microsoft's report notes that traditional lures — invoices, payment notifications, delivery alerts — remain effective and continue to be widely used. AI-themed lures are not replacing them. They are adding a second attack vector that exploits a specific cultural moment: the period in which AI brands have accumulated significant public trust but security infrastructure has not yet fully adapted to treat them as high-value impersonation targets. Even if that window will not remain open indefinitely, for now, it is being used at scale.

Editor's note

Every piece published on The Bright Minded goes through careful verification, but mistakes can happen. If you spot an error, have additional information, or want to flag anything, write to rosalia@thebrightminded.com.