{
  "type": "Domain",
  "indicator": "onlineapp.ooraikaoo.info",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/onlineapp.ooraikaoo.info",
    "alexa": "http://www.alexa.com/siteinfo/onlineapp.ooraikaoo.info",
    "indicator": "onlineapp.ooraikaoo.info",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {},
    "pulse_info": {
      "count": 0,
      "pulses": [],
      "references": [],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "69f25f08af8a4430bf75a39f",
      "name": "Kuse Web App Abused to Host Phishing Document",
      "description": "Bad actors exploited Kuse, a legitimate AI-based workplace application, to conduct a phishing campaign. Attackers leveraged a Vendor Email Compromise (VEC) to send malicious emails from a trusted vendor's compromised mailbox, establishing initial trust. The attack utilized Kuse's file-sharing features to host a fake, blurred document with a Markdown file extension (.md) under the legitimate domain app[.]kuse[.]ai. Victims were presented with a fabricated document preview containing Spanish text prompting them to click a link. Clicking the link redirected users to a fraudulent Microsoft login page designed to harvest credentials. The attack combined multiple social engineering techniques, including domain trust exploitation, unusual file extensions to evade detection, and vendor relationship abuse, to bypass security controls and user scrutiny.",
      "author_name": "AlienVault",
      "modified": "2026-05-29T19:04:23.918000",
      "created": "2026-04-29T19:42:00.852000",
      "revision": 2,
      "tlp": "white",
      "public": 1,
      "adversary": "",
      "indicators": [
        {
          "id": 4334026142,
          "indicator": "https://app.kuse.ai/sharednote/",
          "type": "URL",
          "created": "2026-04-29T19:42:01",
          "content": "",
          "title": "",
          "description": "",
          "expiration": null,
          "is_active": 1,
          "role": null
        },
        {
          "id": 4334026143,
          "indicator": "https://onlineapp.ooraikaoo.info/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz",
          "type": "URL",
          "created": "2026-04-29T19:42:01",
          "content": "",
          "title": "",
          "description": "",
          "expiration": null,
          "is_active": 1,
          "role": null
        },
        {
          "id": 4334026145,
          "indicator": "onlineapp.ooraikaoo.info",
          "type": "hostname",
          "created": "2026-04-29T19:42:01",
          "content": "",
          "title": "",
          "description": "",
          "expiration": null,
          "is_active": 1,
          "role": null
        }
      ],
      "tags": [
        "fake login page",
        "credential harvesting",
        "vendor email compromise",
        "supply chain",
        "ai platform abuse",
        "markdown file",
        "social engineering",
        "phishing"
      ],
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "references": [
        "https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html"
      ],
      "industries": [],
      "extract_source": [],
      "more_indicators": false,
      "indicator_count": 3
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "onlineapp.ooraikaoo.info",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "onlineapp.ooraikaoo.info",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780165389.604337
}