A newly observed phishing campaign, discovered by Fortra’s Intelligence and Research Experts (FIRE) team, is leveraging thousands of AI‑generated websites hosted through the legitimate AI/automation provider ActiveCampaign. In the campaign, attackers impersonate the U.S. Small Business Administration (SBA) and its pre-selected “new line of credit” programs, promising $4-10m in funding within 48 hours.
Unlike traditional phishing, which seeks an immediate action such as a credential entry or a payment, this operation focuses on harvesting detailed business and financial information, most likely to enable highly targeted spear‑phishing in later attacks. What makes the campaign unusual is its ability to mass‑produce convincing, tailored websites that adapt to each illegitimate or impersonated domain. Threat actors use ActiveCampaign’s AI-powered marketing automation features to vary the design, content, and flow of each instance, producing more convincing phishing at scale and with far less effort.
I. Background
Phishing remains one of the most effective entry points for cybercriminals, but the rise of generative AI capability has transformed the threat landscape.
Threat actors can now create polished, personalized, and highly believable lures at scale and reduce the tell‑tale signs that once gave phishing sites away.
The SBA’s “new line of credit” programs are a natural lure: they appeal to small and medium‑sized businesses seeking funding, and the promise of financial relief can override normal caution. Smaller businesses also tend to operate with limited budgets for defensive security infrastructure, which raises the odds that an attack succeeds and is why threat actors treat them as a prime target.
II. Campaign Overview
1. Discovery
A wave of anomalous emails with similar subject formats and rotating sending domains flagged a high‑volume phishing campaign. The initial batch of messages carried URLs with suspicious indicators; later batches appeared clean because the links were hosted on legitimate providers.
During the FIRE team’s analysis, one email batch leaked part of the code of the email generation automation, revealing the use of a “%company%” parameter to dynamically insert different target names into the phishing email content, indicating a broader campaign aimed at multiple companies.
2. Key Characteristics
Tailored Content: Each email is personalized to the recipient’s company and can include recipient’s details.
Rotating URLs: 45 unique URL domains observed across 12 sending domains, with each email containing at least one unique link, most likely used to track the specific recipient’s click.
Hosting/Creation Infrastructure: The landing sites are hosted on reputable vendors, such as Cloudflare, which lends credibility to the phishing pages and reduces the likelihood that dynamic (reputation- or sandbox-based) detection fires.
3. Website Analysis
Examination of the URLs and associated domains determined that they were AI‑generated web assets, built to convincingly play the part of a lender’s funding-application portal. The websites reproduced both the structural framework and the visual patterns of a single supplied template, indicating that an AI content‑generation tool was used to scale the phishing variations. This technique allows the malicious site to be tailored to the impersonated domain, evading part of the dynamic detection mechanisms and increasing the likelihood that the target trusts the page and submits the requested sensitive information.
3.1 Design & Structure
The designs use clean, professional layouts with subtle variations between instances, mainly in branding, wording, UI placement, or imagery. Some websites present all questions at once; others use a “Next” button to progress through separate screens. Branding style is consistent across the campaign, but there is enough variation between instances to evade signature-based detection, which is a hallmark of AI‑assisted generation.
3.2 Functionality
Only the questionnaire elements are active; navigation and other buttons are non‑functional or redirect back to the questionnaire, which keeps the visitor focused on filling it in.
The questionnaires prompt the user to input the following information:
Company's gross revenue
Loan amount
Personal credit score
Role in the company
Tenure within the business
Business contact details (Business name, your first/last name, email address)
Stock images and faces change between versions, further suggesting AI generation.
4. Targeting & Objectives
Primary Targets: Small and medium‑sized businesses
Secondary Targets: Larger enterprises
The campaign marks an objective shift from traditional phishing, which goes after immediate credential or financial theft, to data harvesting that enables future, highly personalized spear‑phishing attacks.
The detailed questionnaires are reconnaissance: they gather intelligence that can be used to craft convincing follow‑up attacks, or to build enough trust with the user that further information is shared freely.
5. Post-action analysis
You clicked on the link, what happens next?
No attempt to infect the host was observed upon clicking, which is consistent with the campaign being focused on reconnaissance. After the information is submitted, a pop-up appears telling the user that the company will be in touch soon. The pop-up also prompts the user to call a number for a quicker response, which we assume is the setup for a vishing attempt, a form of social engineering conducted by phone.
6. AI’s Role in the Campaign
AI plays a distinct role in modern phishing by enabling rapid scaling of attack variations. A core template is created; the AI generates convincing variations of the content, reviews, and filler material around the central objective, which is capturing user information. This approach allows attackers to quickly register new domains, adapt website content to match them, and distribute large batches of phishing emails.
Unlike traditional phishing, which relies on manual and time-consuming customization or simpler and less convincing designs, AI streamlines the entire process for faster and more efficient deployment.
Some Key points:
Email Content Generation - AI-driven creation of phishing emails, dynamically tailored to the target organization’s name and context to increase credibility and engagement.
Website Variation - Automated provisioning of distinct phishing site instances per campaign batch, incorporating custom design and content modifications per domain impersonated, while preserving the original template visual identity.
Scalability - AI integration with hosting and domain management platforms enables rapid, parallel deployment of multiple high-fidelity phishing sites across registered domains, improving evasion against static detection and blocklists.
III. Indicators of Compromise (IOCs)
Below are the IOCs to look out for, use in threat hunts, or block proactively. This is the confirmed URL/domain and pattern list at the time of publishing; some of the entries had already been taken down.
| Type | Indicator |
| --- | --- |
| Sending Email Domain | capitalguardianboost[.]com |
| Sending Email Domain | directfundingloc[.]com |
| Sending Email Domain | uproarfundingsolutions[.]com |
| Sending Email Domain | directcapitaltree[.]com |
| Sending Email Domain | directlendingharbor[.]com |
| Sending Email Domain | usa-funding[.]co |
| Sending Email Domain | digitalfundingrush[.]com |
| Sending Email Domain | growthpillarcapital[.]com |
| Sending Email Domain | advancefundingrush[.]com |
| Sending Email Domain | directfundingboost[.]com |
| Sending Email Domain | digitalfundingloc[.]com |
| Sending Email Domain | digitalfundingonline[.]com |
| URL Domain | directloanonline15362[.]activehosted[.]com |
| URL Domain | directloanonline15362[.]acemlnd[.]com |
| URL Domain | directfundingcenter[.]acemlnd[.]com |
| URL Domain | directfundingcenter[.]activehosted[.]com |
| URL Domain | digitalfundingloc[.]com |
| URL Domain | businessfundingexpress[.]acemlnd[.]com |
| URL Domain | businessfundingexpress[.]activehosted[.]com |
| URL Domain | directfinancialloan84293[.]acemlnd[.]com |
| URL Domain | directfinancialloan84293[.]activehosted[.]com |
| URL Domain | directfundingloc[.]com |
| URL Domain | directfundingloc[.]acemlnd[.]com |
| URL Domain | directfundingloc[.]activehosted[.]com |
| URL Domain | capitalharborsolutions[.]activehosted[.]com |
| URL Domain | capitalharborsolutions[.]acemlnb[.]com |
| URL Domain | digitalfundingrush[.]com |
| URL Domain | growthpillarfunding[.]activehosted[.]com |
| URL Domain | growthpillarfunding[.]acemlnb[.]com |
| URL Domain | growthpillarcapital[.]com |
| URL Domain | pulsefundingnetwork[.]acemlnb[.]com |
| URL Domain | pulsefundingnetwork[.]activehosted[.]com |
| URL Domain | usa-funding[.]co |
| URL Domain | guardiancapitalsolutions[.]acemlnb[.]com |
| URL Domain | guardiancapitalsolutions[.]activehosted[.]com |
| URL Domain | pulsefundingnetwork[.]com |
| URL Domain | directpersonalfinance[.]acemlnd[.]com |
| URL Domain | directlendingharbor[.]com |
| URL Domain | directpersonalfinance[.]activehosted[.]com |
| URL Domain | directcapitaltree[.]com |
| URL Domain | digitalfundingonline[.]acemlnd[.]com |
| URL Domain | digitalfundingonline[.]com |
| URL Domain | digitalfundingonline[.]activehosted[.]com |
| URL Domain | guardiancapitalsolutions[.]acemlnd[.]com |
| URL Domain | pulsefundingnetwork[.]acemlnd[.]com |
| URL Domain | capitalguardianboost[.]com |
| URL Domain | fundingharbornow[.]emlnk9[.]com |
| URL Domain | fundingharbornow[.]activehosted[.]com |
| URL Domain | advancefundingchoice[.]emlnk9[.]com |
| URL Domain | advancefundingchoice[.]activehosted[.]com |
| URL Domain | advancefundingrush[.]com |
| Email Subject Pattern | Good News, <Company Name> - SBA Rates are Down! |
| Email Subject Pattern | New Update <Company Name>: Continue to E-Sign |
| Email Subject Pattern | <Recipient’s First Name>, Review New SBA Terms. |
| Email Subject Pattern | Time-Sensitive: <Company Name> Can Benefit from New SBA Options |
| Email Subject Pattern | Unlock Savings with Updated SBA Programs for <Company Name> |
| Email Subject Pattern | Limited Window: Lower SBA Rates for <Company Name> |
| Email Subject Pattern | Big Changes in SBA Funding – See If <Company Name> is Eligible |
| Email Subject Pattern | <Company Name>, Updated SBA Rate Drop Available |
| Email Subject Pattern | Act Fast: New SBA Rate Drop Just Delivered for <Company Name> |
| Content Pattern | “%Company%” merge tag left unsubstituted in the subject or body of the email |
| Content Pattern | “SBA”, “Time-Sensitive”, “Act Fast”, “Limited Window” as text in the subject or body of the email |
Fortra has integrated these IOCs into Fortra Threat Brain to facilitate global threat reporting and will continue to do so as necessary.
IV. Mitigation & Recommendations
Awareness Training: Educate employees on AI‑enhanced phishing tactics, how to spot them and be comfortable to reach out to the internal security team for any suspicion.
Technical Controls: Implement URL filtering on the common link format observed and sandboxing for suspicious links. Static blocks stop the immediate wave, but they will not reliably catch the next batch, since the campaign rotates domains and regenerates site content.
Verification Protocols: Independently confirm any SBA‑related offers via official channels.
Threat Hunting: Monitor for unusual requests for sensitive business or financial details, unusual batches of emails, or abnormal email volumes. Use the IOCs above to build pattern detections on the emails’ content, sender, subject, and URLs, rather than relying only on exact-match blocklists.
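As an added example (not Fortra’s code and not part of the original report), the following Python triage scorer turns the IOC table and the Threat Hunting guidance above into a pattern detection over raw emails. It combines the sending-domain list, the bare link domains, the observed tenant labels under the provider-hosted parent domains, the lure phrases, and the leaked “%company%” merge tag into a weighted score. Two things are assumptions rather than facts from the page: the parent domains (activehosted, acemlnd, acemlnb, emlnk9) are treated as shared provider infrastructure, since the page attributes the hosting to ActiveCampaign, so a parent match alone only adds a small weight instead of blocking; and any observed tenant label under any of those parents is scored as a hit, a slight widening of the table, which lists each label under one to three parents. The weights and thresholds are illustrative, and the two sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Sending domains from the IOC table (defanged there, live form here).
SENDING_DOMAINS = {
    "capitalguardianboost.com", "directfundingloc.com", "uproarfundingsolutions.com",
    "directcapitaltree.com", "directlendingharbor.com", "usa-funding.co",
    "digitalfundingrush.com", "growthpillarcapital.com", "advancefundingrush.com",
    "directfundingboost.com", "digitalfundingloc.com", "digitalfundingonline.com",
}
# Bare link domains from the table overlap the sending list almost entirely.
LINK_DOMAINS = SENDING_DOMAINS | {"pulsefundingnetwork.com"}

# The other link hosts in the table are <tenant>.<provider-parent>. Assumption:
# the parents are shared provider infrastructure, so a parent match on its own
# is scored low; a known tenant label under a parent is scored as a full hit
# (widened from the table, which pairs each label with one to three parents).
TENANT_LABELS = {
    "directloanonline15362", "directfundingcenter", "businessfundingexpress",
    "directfinancialloan84293", "directfundingloc", "capitalharborsolutions",
    "growthpillarfunding", "pulsefundingnetwork", "guardiancapitalsolutions",
    "directpersonalfinance", "digitalfundingonline", "fundingharbornow",
    "advancefundingchoice",
}
PROVIDER_PARENTS = ("activehosted.com", "acemlnd.com", "acemlnb.com", "emlnk9.com")

LURE_PHRASES = [re.compile(p, re.IGNORECASE) for p in
                (r"\bSBA\b", r"\bTime[- ]Sensitive\b", r"\bAct Fast\b",
                 r"\bLimited Window\b", r"\bRate Drop\b")]
MERGE_TAG = re.compile(r"%company%", re.IGNORECASE)  # unsubstituted template tag
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Return the decoded text of every text/plain and text/html part."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_host(host: str):
    """Map a link hostname to (indicator type, weight), or None if it matches nothing."""
    host = host.lower().rstrip(".")
    if host in LINK_DOMAINS:
        return ("link_domain", 4)
    for parent in PROVIDER_PARENTS:
        if host.endswith("." + parent):
            tenant = host[: -len(parent) - 1]
            return ("observed_tenant", 4) if tenant in TENANT_LABELS else ("provider_parent", 1)
    return None


def score_email(raw: str) -> dict:
    """Score one raw RFC 5322 message against the IOC patterns; the caller sets the threshold."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject") or "") + "\n" + _body_text(msg)

    hits = []
    if sender_domain in SENDING_DOMAINS:
        hits.append(("sender_domain", sender_domain, 4))
    for pat in LURE_PHRASES:  # each phrase counts once, whether in subject or body
        if pat.search(text):
            hits.append(("lure_phrase", pat.pattern, 1))
    for url in set(URL_RE.findall(text)):
        host = urlparse(url).hostname or ""
        kind = classify_host(host)
        if kind:
            hits.append((kind[0], host, kind[1]))
    if MERGE_TAG.search(text):
        hits.append(("leaked_merge_tag", "%company%", 3))

    score = sum(w for _, _, w in hits)
    verdict = "quarantine" if score >= 6 else "review" if score >= 3 else "clean"
    return {"sender_domain": sender_domain, "hits": hits, "score": score, "verdict": verdict}


# Constructed sample messages (not real campaign captures) for a stand-alone run.
SAMPLE_PHISH = """\
From: Funding Desk <offers@capitalguardianboost.com>
To: owner@example.test
Subject: Act Fast: New SBA Rate Drop Just Delivered for %company%
Content-Type: text/plain; charset=utf-8

Good news %company%, SBA rates are down. Review the new terms here:
https://directfundingcenter.activehosted.com/f/1
"""

SAMPLE_BENIGN = """\
From: Accounts <ar@example.test>
To: owner@example.test
Subject: Invoice 1042 attached
Content-Type: text/plain; charset=utf-8

Hi, the invoice is at https://portal.example.test/invoices/1042. Thanks.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(score_email(sample))
```

The scoring deliberately keeps the provider parents at a low weight: blocking activehosted.com or the link-tracking parents outright would also stop legitimate tenants of the same provider, which is exactly the cover the campaign relies on. Feed the scorer exported messages from a mail gateway or mailbox search, and tune the lure-phrase list as new subject variants appear, since the domains rotate faster than the wording.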
V. Conclusion
This campaign demonstrates how AI is reshaping phishing: high volumes of fraudulent websites that are not only more convincing but also adaptive. By shifting from immediate theft to intelligence gathering, threat actors are laying the groundwork for more damaging, targeted and personalized attacks.
Defenders must adapt just as quickly to these new techniques, by combining user education, technical safeguards, and proactive threat hunting to counter the next generation of phishing threats.
Images (from the original page, not reproduced here): Website; Prompts; Reviews; Steps highlighted; Post submission of data; Email regular; Email with leaked parameter.