Attackers Abuse Kuse.ai to Host Phishing Pages

On April 9, 2026, Trend Micro's TrendAI Managed Services Team identified a phishing campaign that abused the storage and sharing features of Kuse.ai, a workplace AI web app, to host a malicious Markdown (.md) document, according to Trend Micro. The attackers combined a Vendor Email Compromise (VEC), a compromised vendor mailbox used to send a carefully crafted email, with a document hosted on app.kuse.ai that displayed a blurred preview and a call-to-action. When users clicked the link, they were redirected to a fake Microsoft login page designed to harvest corporate credentials, Trend Micro reports. Security reporting summarized by SecurityOnline and KnowBe4 highlights the use of the uncommon .md extension and visual lures as evasion tactics. The Trend Micro report does not include a public statement from Kuse.ai.
What happened
On April 9, 2026, Trend Micro's TrendAI Managed Services Team identified a phishing campaign that used the storage and sharing features of Kuse.ai to host a malicious Markdown note, according to the Trend Micro report by Jed Valderama and Kenneth Polagñe. The campaign began with a Vendor Email Compromise (VEC), where a compromised vendor mailbox sent a crafted message that led internal users to a link on app.kuse.ai. The hosted .md page presented a blurred document preview and a call-to-action such as "HAZ CLIC AQUÍ PARA VER EL DOCUMENTO," and clicking the link redirected victims to a fake Microsoft login page that captured credentials, per Trend Micro. The report redacts some IOCs because of the VEC context. SecurityOnline and KnowBe4 coverage summarizes and amplifies the same findings from Trend Micro.
Technical details
Editorial analysis - technical context: Trend Micro documents multiple evasion techniques used in the campaign. Reported tactics include hosting content on a legitimate domain, using a Markdown (.md) note rather than more common file types, and delivering a blurred preview that encourages click-through. Reported effects are twofold: (1) the .md extension and the platform-hosted preview can bypass heuristics and signature-based filters that focus on PDFs or Office attachments, and (2) the use of a known vendor contact and a trusted application domain reduces suspicion from recipients and some automated allowlist checks, according to the Trend Micro writeup and SecurityOnline's summary.
Context and significance
Public reporting places this incident in a pattern where attackers weaponize reputable platforms (for example, code hosting, cloud storage, or collaboration tools) to host phishing content because those domains are often treated as lower risk by automated defenders and by users. Trend Micro explicitly notes the broader risk that AI workplace apps can be abused as storage-and-sharing vectors. For practitioners, the notable element is the use of an uncommon file type (.md) plus rendered previews and social engineering via vendor trust, rather than a new technical exploit.
What to watch
For practitioners: monitor the following observable indicators and defensive levers without attributing internal intent to any party:
- Unusual inbound messages referencing vendor-hosted links, especially to collaboration or agentic-AI app domains;
- Links ending in .md or other nonstandard document extensions in contexts where PDFs or Office files are expected;
- Host-based rendering of blurred previews with a call-to-action that redirects to external login pages;
- Signs of Vendor Email Compromise, including unexpected forwarding chains or mailbox anomalies.
Additionally, Trend Micro's report does not include a quoted statement from Kuse.ai, so observers may watch for vendor communications or security advisories from platform providers and for any updated IOCs from Trend Micro.
Editorial analysis: This incident reinforces a persistent operational challenge for detection tooling: distinguishing malicious uses of legitimately hosted content from benign collaboration traffic. Teams should assess how their email and web proxies handle rendered previews and nonstandard document types and consider those behaviors when tuning rules or user prompts.
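As a starting point for that tuning, the sketch below (an added example, not code from Trend Micro or any vendor named here) flags email links that pair a sharing-platform host with a Markdown extension, the combination described in the indicators above. The watchlist entry other than app.kuse.ai, the extension set, and both sample messages are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Assumed watchlist: app.kuse.ai is from the report; the other entry is a placeholder.
SHARING_HOSTS = {"app.kuse.ai", "notes.example.com"}
# Assumed set of document extensions that are unusual where PDF/Office is expected.
UNUSUAL_DOC_EXT = {".md", ".markdown"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def link_findings(body: str) -> list[dict]:
    """Return one finding per URL in an email body that matches an indicator."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?")  # drop sentence punctuation glued to the link
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        # Decode the path so a percent-encoded extension is compared in plain form.
        ext = PurePosixPath(unquote(parts.path)).suffix.lower()
        reasons = []
        if host in SHARING_HOSTS or any(host.endswith("." + h) for h in SHARING_HOSTS):
            reasons.append("sharing-platform-host")
        if ext in UNUSUAL_DOC_EXT:
            reasons.append("unusual-doc-extension")
        if reasons:
            findings.append({"url": url, "host": host, "ext": ext, "reasons": reasons})
    return findings

def needs_review(body: str) -> bool:
    """True when a single link matches both indicators at once."""
    return any(len(f["reasons"]) == 2 for f in link_findings(body))

# Constructed sample messages (the URL paths are invented, not IOCs).
SAMPLE_LURE = ("Estimado cliente, HAZ CLIC AQUÍ PARA VER EL DOCUMENTO: "
               "https://app.kuse.ai/constructed/nota.md?ref=1.")
SAMPLE_BENIGN = ("Invoice at https://files.example.com/q2/invoice.pdf, "
                 "project notes at https://docs.example.org/README.md")

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, needs_review(body), link_findings(body))
```

A match here is a triage signal for review or user prompting, since benign Markdown links on collaboration platforms are common; the sender being a known vendor should not suppress it, given the VEC delivery path.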
Scoring Rationale
The incident is a notable security event for practitioners because it demonstrates a practical evasion technique using reputable AI platforms and uncommon file types, but it does not introduce a new class of vulnerability or a major platform-wide outage.

