
Foiling modern phishing across the attack chain


COMMENTARY: Phishing is one of the most well-worn topics in cybersecurity. It has been analyzed, warned about and trained against for years, to the point where it can feel fully understood. However, familiarity and ubiquity haven’t made it any less dangerous.

In fact, phishing remains one of the most common entry points for adversaries today because it is produced at a scale, and with a realism, that users and organizations too often fail to catch. Phishing attacks set the stage for most breaches. In the year to August 2024, 85% of businesses that suffered a breach reported phishing activity, underlining its role as the opening move in complex, multi-stage attacks.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

What’s changed is that adversaries are now harnessing AI to enhance the production and sophistication of phishing techniques. The core challenge for organizations now is how to adapt to this evolution. To keep pace, defenders must fight fire with fire, integrating AI across every stage of the phishing attack chain.

The industrialization of phishing

Modern phishing no longer relies on clunky emails and robotic voicemails to deceive victims. The widespread availability of AI tools, such as general-purpose and open-source LLMs, has enabled adversaries to generate high-volume lures that convincingly mirror legitimate workflows and trusted brands.

The creation and distribution of phishing has been bolstered by the increasing popularity of phishing-as-a-service (PhaaS) offerings. Initial access brokers are using generative AI to mass-produce convincing ‘clones’ of legitimate websites and lures with less effort than ever before.

Traditional techniques are also being refined by adversaries. Groups such as NOBELIUM have created and deployed near-perfect replicas of Microsoft login pages that bypass visual scrutiny entirely. At the same time, spearphishing remains popular, focusing on executives and privileged users where a single breach delivers broad access.

Phishing has also expanded well beyond email. Voice phishing is accelerating as AI-driven impersonation erodes trust in voice-based authentication. Sam Altman, CEO of OpenAI, recently warned the U.S. Federal Reserve about the risk of widespread fraud driven by these capabilities.

As adversaries use AI to augment phishing attacks, defending against them requires a shift in tactics. Instead of focusing on individual lures, organizations should embed AI across the entire intrusion chain to secure their attack surface end-to-end.

Mapping defense to the adversary’s playbook

Phishing is rarely the attack itself; it is the gateway. That means effective defense must span the entire attack chain, from initial delivery through authentication abuse and into post-compromise activity. AI plays a critical role at each stage.

The opening move in phishing can’t always be stopped. Messages, calls, and alerts will reach employees, and attempting to block every one is unrealistic. At the same time, pre-delivery controls remain useful. They can’t catch every attack, but domain analysis, sender reputation scoring, and content inspection reduce noise, highlight the most obvious threats, and prepare the organization to respond more effectively further down the chain.

Regular phishing simulations can also train staff to spot suspicious messages, helping teams focus on genuine threats. Simulation exercises can be particularly effective: in Red Canary’s own study, only 16% of user-reported phishing emails were actually malicious. Without adequate training on how to spot phishing attempts, employees can flood security teams with false positives, obscuring genuine threats.

Once credentials are entered or a user engages with a lure, adversaries start probing systems. AI-driven behavioral analysis is critical at this stage. By learning what “normal” looks like across geolocation, login timing, and device usage, defenders can identify subtle deviations. These anomalies act as early warning signs before any overtly malicious activity occurs.

If adversaries gain access, the real contest begins. Preventing their ability to move laterally, escalate privileges, and hunt for sensitive data becomes the primary focus. At this point, layered detection can monitor endpoints, identities, and networks. AI then correlates these signals into a unified view, revealing the broader intrusion path. By observing the chain of compromise, defenders can disrupt attacks before operational or financial damage occurs.

Finally, the strength of layered detection against phishing lies in connecting activity across the intrusion chain. AI links signals from pre-delivery, authentication, and post-compromise stages to build a coherent picture of an attack in progress. It also transforms phishing from an unpredictable series of strikes into a trackable, observable process. Defenders can respond faster than adversaries can adapt.
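The two mechanisms described above, a per-user behavioral baseline that flags deviations in geolocation, login timing and device, and correlation of signals from the pre-delivery, authentication and post-compromise stages into a single chain, as an added example that is not part of the original column or of Red Canary's tooling. The login history, stage names and signal records are constructed and hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed history of successful logins for two users (hypothetical data).
HISTORY = [
    {"user": "alice", "ts": "2024-06-03T09:12:00", "country": "US", "device": "lt-a1"},
    {"user": "alice", "ts": "2024-06-04T08:55:00", "country": "US", "device": "lt-a1"},
    {"user": "alice", "ts": "2024-06-05T10:03:00", "country": "US", "device": "ph-a2"},
    {"user": "alice", "ts": "2024-06-06T09:30:00", "country": "US", "device": "lt-a1"},
    {"user": "bob",   "ts": "2024-06-03T14:10:00", "country": "DE", "device": "lt-b1"},
    {"user": "bob",   "ts": "2024-06-05T15:40:00", "country": "DE", "device": "lt-b1"},
]

def build_baseline(events):
    """Count, per user, the countries, 4-hour time-of-day buckets and devices seen."""
    base = defaultdict(lambda: {"country": Counter(), "bucket": Counter(), "device": Counter()})
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        b = base[e["user"]]
        b["country"][e["country"]] += 1
        b["bucket"][hour // 4] += 1
        b["device"][e["device"]] += 1
    return base

def login_deviations(base, event):
    """Return the attributes of a new login that never appear in the user's baseline."""
    b = base.get(event["user"])
    if b is None:
        return ["unknown_user"]
    hour = datetime.fromisoformat(event["ts"]).hour
    checks = {"country": event["country"], "bucket": hour // 4, "device": event["device"]}
    return [name for name, value in checks.items() if b[name][value] == 0]

def correlate_chain(signals, window=timedelta(hours=24)):
    """Group stage signals by user; report users with 2+ distinct stages inside the window."""
    by_user = defaultdict(list)
    for s in signals:
        by_user[s["user"]].append((datetime.fromisoformat(s["ts"]), s["stage"]))
    chains = {}
    for user, items in by_user.items():
        items.sort()
        first = items[0][0]
        stages = [stage for ts, stage in items if ts - first <= window]
        if len(set(stages)) >= 2:
            chains[user] = stages
    return chains

# Constructed signals: a reported lure, then an anomalous login, then a session on a new host.
SIGNALS = [
    {"user": "alice", "ts": "2024-06-07T08:40:00", "stage": "pre-delivery:reported_phish"},
    {"user": "alice", "ts": "2024-06-07T22:15:00", "stage": "auth:anomalous_login"},
    {"user": "alice", "ts": "2024-06-08T01:05:00", "stage": "post-compromise:new_host_session"},
    {"user": "bob",   "ts": "2024-06-07T14:00:00", "stage": "pre-delivery:reported_phish"},
]
```

A single reported lure (bob) yields no chain; alice's login from an unseen country, time window and device followed by activity on a new host links three stages into one trackable intrusion.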

From awareness to resilience

Phishing persists because it has adapted to how organizations communicate and authenticate. Successfully defending against it requires layered, AI-driven detection that follows adversary behavior end-to-end. In a threat landscape defined by scale and sophistication, resilience comes from detecting phishing as a process, not a single event.


Keith McCammon, Co-founder and Chief Security Officer at Red Canary
