{"id":60557,"date":"2026-04-29T00:00:00","date_gmt":"2026-04-29T00:00:00","guid":{"rendered":"urn:uuid:a65a6ea8-7e34-dafe-a93a-d8d2c3b9831c"},"modified":"2026-04-29T00:00:00","modified_gmt":"2026-04-29T00:00:00","slug":"kuse-web-app-abused-to-host-phishing-document","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/","title":{"rendered":"Kuse Web App Abused to Host Phishing Document"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\" content=\"Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. 
The attackers exploited the users\u2019 trust in Kuse to carry out a phishing attack.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"web,research,phishing,articles, news, reports,artificial intelligence (ai)\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2026-04-29\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/d\/kuse-web-app-abused-to-host-phishing-document.html\"> <title>Kuse Web App Abused to Host Phishing Document | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.cc255fd374a145c2653503eb2da45983.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.47ce60d92d94610907e7a2cbd6fbca69.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/d\/kuse-web-app-abused-to-host-phishing-document.html\"><br \/>\n<meta property=\"og:title\" content=\"Kuse Web App Abused to Host Phishing Document\"><br \/>\n<meta property=\"og:description\" content=\"Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. 
The attackers exploited the users\u2019 trust in Kuse to carry out a phishing attack.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/d\/kuse-web-app-abused-to-host-phishing-document.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Kuse Web App Abused to Host Phishing Document\"><br \/>\n<meta name=\"twitter:description\" content=\"Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users\u2019 trust in Kuse to carry out a phishing attack.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/d\/kuse-web-app-abused-to-host-phishing-document.jpg\"> <meta name=\"user-country-code\" content=\"HK\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.869268292683\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"510093818\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"39\"> <span 
class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users\u2019 trust in Kuse to carry out a phishing attack.<\/p>\n<p class=\"article-details__author-by\">By: Jed Valderama, Kenneth Polag\u00f1e <time class=\"article-details__date\">Apr 29, 2026<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div>\n<div class=\"richText\">\n<div>\n<p><b><span class=\"body-subhead-title\">Key takeaways<\/span><\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The growing dependence on AI has caused a rapid emergence of AI-based tools. Unfortunately, these applications have also become vectors for malicious actions, as in this case with Kuse.ai.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Ordinarily, Kuse is a trusted workplace platform. 
However, threat actors are always finding new methods of social engineering.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">In this case, threat actors executed a phishing attack that utilized a fake URL and image manipulation.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Organizations therefore have to strengthen their security training and keep reminding employees that an application\u2019s good reputation does not guarantee the trustworthiness of its content.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.106202209006\">\n<div readability=\"31.193712829227\">\n<p>As AI increases its role in work and daily life, AI apps are also increasing in number. Along with this emergence are expanding attack vectors that threat actors are actively exploring. <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/threat-landscape\/fault-lines-in-the-ai-ecosystem-trendai-state-of-ai-security-report\" target=\"_self\">AI is reshaping the cybersecurity landscape, introducing both unprecedented opportunities and complex risks<\/a>.<\/p>\n<p>On April 9, 2026, the TrendAI Managed Services Team encountered a phishing attack that revealed another vulnerability that enabled attackers to store phishing chains, breach trust, and eventually expose credentials. In this case, attackers abused the storage and sharing features of Kuse, a free AI web app.<\/p>\n<p>This breach involved a <a href=\"https:\/\/www.trendmicro.com\/en\/what-is\/cyber-attack\/supply-chain-attack.html\" target=\"_self\">Supply Chain Attack<\/a>, particularly a Vendor Email Compromise (VEC), wherein a compromised mailbox from a trusted vendor was used to send a specially crafted phishing email that leveraged the existing relationship between the two organizations. 
Because the attack involved specific organization names, some IoCs in this article are partly redacted.<i><\/i><\/p>\n<p>Because the email came from a trusted vendor\u2019s mailbox, it was forwarded to relevant users for processing, leading to a user clicking on a phishing link and providing credentials to a fake login page.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/d\/kuse-phishing\/fig1.png\" alt=\"Figure 1. Attack diagram\"> <\/p>\n<p><figcaption>Figure 1. Attack diagram<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><b><span class=\"body-subhead-title\">Kuse.ai<\/span><\/b><\/p>\n<p>According to its website,<b> <\/b>Kuse.ai&nbsp;is an agentic&nbsp;AI&nbsp;coworker that uses one\u2019s work context to improve decision-making and execute end-to-end, multi-step workflows.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/d\/kuse-phishing\/fig2.png\" alt=\"Figure 2. Web UI of Kuse.ai\"> <\/p>\n<p><figcaption>Figure 2. Web UI of Kuse.ai<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Upon logging in, users can upload documents or create a Markdown note in their folders. They can then ask an AI chatbot to perform tasks using the uploaded files.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/d\/kuse-phishing\/fig3.png\" alt=\"Figure 3. Example AI prompt listing files on the account\"> <\/p>\n<p><figcaption>Figure 3. 
Example AI prompt listing files on the account<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Each file on the account can be shared via a share button, which generates a link hosted under Kuse\u2019s domain, <i>app[.]kuse[.]ai<\/i>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/d\/kuse-phishing\/fig4.png\" alt=\"Figure 4. Generating a shareable link through the web app UI.\"> <\/p>\n<p><figcaption>Figure 4. Generating a shareable link through the web app UI.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"45\">\n<div readability=\"35\">\n<p>Attackers abused this mechanism to host a fake blurred document that contained a link to a fake login page.<\/p>\n<p><b><span class=\"body-subhead-title\">URL Analysis<\/span><\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">hxxps:\/\/app[.]kuse[.]ai\/sharednote\/{vendor company}%20S.L..md\/shared_3049184.md<\/span><\/li>\n<\/ul>\n<p>The URL used the legitimate domain <i>app[.]kuse[.]ai <\/i>and contained spaces, commas, and periods. Moreover, the URL mimicked a legitimate document using the compromised vendor\u2019s company name. These links were presumably put in emails sent from mailboxes belonging to the compromised vendor, aimed at the target organization. 
This tactic was meant to confuse users and automated scanners.<\/p>\n<p>Because the Markdown file extension (<i>.md<\/i>) is less commonly used in phishing attempts than document (e.g., <i>.pdf, .docx<\/i>) and webpage (e.g., <i>.html, .aspx<\/i>) file extensions, it can bypass filter signatures and heuristic rules that focus on more typical malicious file extensions.<\/p>\n<h4><b>User Experience and Redirection<\/b><\/h4>\n<p>After clicking the phishing URL, the user was redirected to the legitimate AI workspace <i>app[.]kuse[.]ai<\/i>. The user then opened the <i>.md <\/i>page, which was displayed as a blurred document preview. This falsified document preview lured the user into clicking the malicious link below it, thinking it would reveal its full content. The link stated in Spanish \u201c<b>HAZ CLIC AQU\u00cd PARA VER EL DOCUMENTO<\/b>\u201d, which translates into English as \u201c<b>CLICK HERE TO VIEW THE DOCUMENT<\/b>\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/d\/kuse-phishing\/fig5.png\" alt=\"Figure 5. Blurred fake document with link hosted on Kuse.ai\"> <\/p>\n<p><figcaption>Figure 5. Blurred fake document with link hosted on Kuse.ai<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Instead, the hyperlink redirected the user to a fake Microsoft login page to collect user credentials:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">hxxps:\/\/onlineapp[.]ooraikaoo[.]info\/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/26\/d\/kuse-phishing\/fig6.png\" alt=\"Figure 6. 
Fake login page\"> <\/p>\n<p><figcaption>Figure 6. Fake login page<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39.16840161182\">\n<div readability=\"23.798522498321\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Threat actors are always looking for new vectors to exploit the inherent trust placed in legitimate platforms. They abuse the storage and sharing capabilities of free services, as well as the growing interest in AI-powered web applications. Using the Markdown (<i>.md<\/i>) file extension as the delivery format, combined with a VEC to establish trust at the point of delivery, demonstrates a multi-layered social engineering approach designed to evade both automated defenses and human scrutiny, which in turn highlights the need for layered protection and heightened user awareness.<\/p>\n<p>As AI tools become more embedded in business workflows, their sharing and collaboration features present new surfaces for abuse. Similar to how threat actors have previously leveraged file-sharing services, such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/k\/threat-actors-leverage-file-sharing-service-and-reverse-proxies.html\" target=\"_self\">Dracoon<\/a>, to host intermediary phishing documents and GitHub&#8217;s trusted reputation to <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/ai-assisted-fake-github-repositories.html\" target=\"_blank\">distribute malware<\/a>, the abuse of Kuse.ai follows an established pattern: weaponizing platform legitimacy to circumvent security controls. 
Therefore, organizations must recognize that even highly reputable platforms can host untrustworthy content.<\/p>\n<p><span class=\"body-subhead-title\">Recommendations<\/span><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Conduct regular user awareness training.<span> Training should go beyond generic phishing awareness and include real-world scenarios involving AI platform abuse, VEC, and blurred document lures. Users should be educated on recognizing social engineering cues regardless of the hosting platform&#8217;s reputation.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Verify links beyond the domain.<span> A legitimate domain (e.g., <i>app[.]kuse[.]ai<\/i>) does not guarantee safe content. Users should scrutinize the full URL path, especially when documents are shared unexpectedly or contain urgency-driven calls to action.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Treat VEC as a persistent threat.<span> Emails from trusted vendors should not be exempt from security scrutiny. Organizations should implement policies that require secondary verification (e.g., a phone call or separate messaging channel) before acting on requests that involve clicking links or providing credentials, particularly when the email context is unusual.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enforce Multi-Factor Authentication (MFA) with phishing-resistant methods. <span>Traditional MFA can be bypassed by reverse proxy toolkits. Organizations should adopt phishing-resistant authentication methods, such as FIDO2\/WebAuthn hardware keys, to mitigate credential harvesting from fake login pages.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Monitor and restrict AI platform sharing features.<span> Security teams should assess which AI tools are in use within the organization and evaluate whether their sharing and external link generation features introduce unmanaged risks. 
Where possible, outbound access to AI platform sharing URLs that are not business-critical should be restricted or monitored.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Implement advanced email and URL filtering.<span> Deploy email security solutions capable of inspecting URLs at time of click rather than only at delivery. URL sandboxing and real-time reputation checks can help detect phishing pages hosted on otherwise trusted domains.<\/span><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IoCs)<\/span><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">91.92.41[.]64<\/span><\/li>\n<li><span class=\"rte-red-bullet\">hxxps:\/\/onlineapp[.]ooraikaoo[.]info\/?auth2=8rf22euu-2nxkebabDjjILlzldhQq2Pz<\/span><\/li>\n<li><span class=\"rte-red-bullet\">hxxps:\/\/app[.]kuse[.]ai\/sharednote\/&lt;victimcompany&gt;%20S.L..md\/shared_3049184.md<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/d\/kuse-web-app-abused-to-host-phishing-document.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users\u2019 trust in Kuse to carry out a phishing attack. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9577,9509,9535],"class_list":["post-60557","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-phishing","tag-trend-micro-research-research","tag-trend-micro-research-web"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Kuse Web App Abused to Host Phishing Document 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kuse Web App Abused to Host Phishing Document 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-29T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Kuse Web App Abused to Host Phishing 
Document\",\"datePublished\":\"2026-04-29T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/\"},\"wordCount\":1158,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Phishing\",\"Trend Micro Research : Research\",\"Trend Micro Research : Web\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/\",\"name\":\"Kuse Web App Abused to Host Phishing Document 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80\",\"datePublished\":\"2026-04-29T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kuse-web-app-abused-to-host-phishing-document\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Kuse Web App Abused to Host Phishing Document\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - 
Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Kuse Web App Abused to Host Phishing Document 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/","og_locale":"en_US","og_type":"article","og_title":"Kuse Web App Abused to Host Phishing Document 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-29T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Kuse Web App Abused to Host Phishing Document","datePublished":"2026-04-29T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/"},"wordCount":1158,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Phishing","Trend Micro Research : Research","Trend Micro Research : Web"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/","url":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/","name":"Kuse Web App Abused to Host Phishing Document 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80","datePublished":"2026-04-29T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/kuse-web-app-abused-to-host-phishing-document:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/kuse-web-app-abused-to-host-phishing-document\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Kuse Web App Abused to Host Phishing Document"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub 
Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60557"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60557\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}