Introduction
The cybersecurity landscape shifted this week with Google’s announcement of legal action against a Chinese cybercrime network responsible for the "Outsider" Phishing-as-a-Service (PhaaS) kit. Unlike traditional spray-and-pray campaigns, this operation weaponized Google’s own Gemini AI agent to generate highly persuasive, context-aware social engineering text messages targeting U.S. citizens.
For defenders, this represents a critical inflection point. The barrier to entry for grammatically correct, convincing smishing has effectively collapsed. We are no longer defending against poorly worded scams; we are facing AI-optimized narratives designed to bypass human skepticism. This post analyzes the "Outsider" infrastructure and provides the necessary detection logic and remediation steps to protect your enterprise from this next generation of social engineering.
Technical Analysis
The Threat Actor and Tooling The threat group utilizes a PhaaS kit designated as "Outsider." This software-as-a-service model lowers the technical barrier for other criminals, providing a dashboard to manage smishing campaigns. The critical innovation reported here is the integration of Generative AI (Gemini) to craft the lures.
Attack Chain
- Target Selection: The network targets individuals, likely leveraging previously leaked data bases or public profiles to add context.
- Lure Generation (AI): Instead of static templates, the operation uses Gemini AI to generate unique, urgent text messages (e.g., package delivery failures, bank alerts) tailored to the victim.
- Delivery (Smishing): The "Outsider" kit orchestrates the delivery of these SMS messages via compromised infrastructure or bulk SMS gateways.
- Harvesting: The messages direct users to credential harvesting pages. While the specific landing page templates vary in PhaaS, they typically mimic legitimate login portals (Microsoft 365, banks) to capture credentials and MFA tokens.
Exploitation Status This is an active, in-the-wild campaign. The utilization of AI implies a high volume of unique payloads, making static hash-based detection of the message content nearly impossible. The focus must shift to detecting the infrastructure (the PhaaS panels) and the behavior (unsolicited SMS interactions).
Detection & Response
Defending against AI-driven smishing requires a two-pronged approach: identifying compromised hosts acting as PhaaS infrastructure and detecting users interacting with smishing links. Below are detection rules for SOC deployment.
Sigma Rules
---
title: Potential PhaaS Admin Panel Access - Outsider Kit
id: 9c8f7a12-3456-7890-abcd-ef1234567890
status: experimental
description: Detects potential access to Phishing-as-a-Service (PhaaS) admin panels, such as 'Outsider', based on common URI paths found in these kits.
references:
- https://thehackernews.com/2026/06/google-sues-chinese-smishing-network.html
author: Security Arsenal
date: 2026/06/15
tags:
- attack.initial_access
- attack.credential_access
logsource:
category: webserver
product: apache
detection:
selection:
cs-uri-stem|contains:
- '/client/login'
- '/panel/admin'
- '/outsider/dashboard'
- '/sms/api/send'
condition: selection
falsepositives:
- Legitimate administrative access to internal panels
level: high
---
title: Suspicious Bulk SMS Gateway Scripting
id: b1d2e3f4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects command-line execution typical of scripts interacting with SMS gateways (Twilio, SNS, etc.) which may indicate abuse of internal resources for smishing.
references:
- https://thehackernews.com/2026/06/google-sues-chinese-smishing-network.html
author: Security Arsenal
date: 2026/06/15
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/python'
- '/python3'
- '/node'
selection_cli:
CommandLine|contains:
- 'twilio.com'
- 'api.twilio.com'
- 'sns.us-east-1.amazonaws.com'
- 'api.msg91.com'
condition: all of selection_*
falsepositives:
- Authorized IT automation scripts sending legitimate alerts
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for interactions with known URL shorteners frequently used in smishing campaigns
// This queries DeviceNetworkEvents for endpoints connecting to high-risk shorteners
let ShortenerDomains = dynamic(['bit.ly', 'tinyurl.com', 'goo.gl', 't.co', 'rb.gy', 'buff.ly', 'ow.ly']);
DeviceNetworkEvents
| where RemoteUrl has_any (ShortenerDomains)
| where InitiatingProcessFileName !in ('chrome.exe', 'firefox.exe', 'msedge.exe', 'safari.exe')
or ActionType == 'ConnectionSuccess' // Focus on successful connections, even from browser, to analyze later
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| order by Timestamp desc
Velociraptor VQL
-- Hunt for generic PhaaS kit artifacts on Linux web servers
-- Looks for common configuration files and PHP scripts associated with smishing panels
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='/var/www/html/**/*.php')
WHERE Name =~ 'config'
OR Name =~ 'sms'
OR Name =~ 'send_bulk'
OR Name =~ 'api_key'
-- Limit to recently modified files (last 30 days) to reduce noise in active environments
AND Mtime > now() - 30 * 86400
Remediation Script (Bash)
#!/bin/bash
# Remediation script to scan and quarantine common PhaaS indicators on Linux web servers
# Note: Review paths and indicators before running in production.
WEB_ROOT="/var/www/html"
LOG_FILE="/var/log/phaas_remediation.log"
echo "Starting PhaaS remediation scan on $(date)" >> $LOG_FILE
# Search for common PhaaS file patterns (e.g., outsider, sms-blast, bulk-sms)
echo "Scanning for suspicious PhaaS directories..." >> $LOG_FILE
find $WEB_ROOT -type d -iname "*outsider*" -o -iname "*sms*blast*" -o -iname "*bulk*mailer*" 2>/dev/null | while read DIR; do
echo "[!] Suspicious directory found: $DIR" >> $LOG_FILE
# Quarantine by changing permissions (requires root)
chmod 000 "$DIR"
echo "Quarantined: $DIR" >> $LOG_FILE
done
# Check for PHP files containing SMS API keys (basic heuristic)
echo "Scanning for exposed API keys in PHP files..." >> $LOG_FILE
grep -r -l --include="*.php" -E "(twilio_account_sid|msg91_authkey|nexmo_api_key)" $WEB_ROOT 2>/dev/null | while read FILE; do
echo "[!] Potential API Key exposure found in: $FILE" >> $LOG_FILE
done
echo "Remediation scan complete." >> $LOG_FILE
Remediation
1. Infrastructure Hardening
If your organization manages web servers, ensure that unnecessary PHP modules and directory listings are disabled. The "Outsider" kit relies on standard LAMP/LEMP stacks; restricting execution permissions to writeable directories (e.g., /uploads, /images) prevents many PhaaS kits from persisting.
2. User Awareness and Reporting Since AI-generated messages are harder to spot visually, update your security awareness training to focus on context rather than grammar.
- Actionable Advice: Instruct users to never click links in unsolicited text messages, even if they appear to be from known package carriers or banks. They should navigate to the official app or website manually.
3. Mobile Device Management (MDM) Configure MDM solutions to block access to known smishing hosting infrastructure and high-risk URL shorteners. While attackers rotate domains rapidly, blocking the major shorteners (unless business-justified) significantly reduces the attack surface.
4. Incident Response Plan Update
Update your IR playbooks to account for AI-generated social engineering. Analysts should treat highly personalized, grammatically perfect SMS phishing as a high-fidelity threat, assuming the attacker possesses valid PII about the target.
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.