AI/ML, Phishing

Your phishing defense was built for 2016, but attackers are operating in 2026

Robot hand interacts with digital interface showing email alert. AI monitors for threats, blocking phishing and harmful messages. Protects digital communication safety.

COMMENTARY: Most enterprise phishing defense still follows the same playbook: Detect, investigate, classify, and take down. That workflow was built for an era when phishing sites were relatively static and attackers operated on a much smaller scale. Today's phishing kits have changed the economics of the attack faster than many organizations have changed the economics of the defense.

This is a nightmare for Fortune 500 CISOs because the more recognized the brand, the more likely scammers are to impersonate it. Bad actors are using phishing kits to industrialize attacks on a consumers, partners, and employees and exploit brand equity and trust, but many organizations still rely on a manual takedown process to eliminate threats.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The traditional detection-to-takedown workflow keeps victims exposed

Traditional phishing defense relied on a straightforward, manual workflow:

  • Detect a suspicious URL
  • Visit it in a controlled environment
  • Capture what it shows and classify it
  • Take it down

This approach presents three big problems. First, it assumes a scanner sees what the victim sees. Second, it assumes malicious URLs are static vs. dynamic. Third, it assumes the threat is eliminated once a URL is taken down.

But today’s phishing kits feature dashboards that customize attacks and track victim activity, architectures that operate even if URLs are shut down, and anti-analysis defenses that make attacks harder to identify, track, and take down. 

Attackers now have infrastructure, not websites

Security teams often think of phishing as a collection of malicious URLs. Modern phishing operators increasingly think of it as infrastructure. Domains can be replaced. Hosting can move. Redirect chains can change. Credential collection endpoints can persist. Kits can be redeployed in minutes. The phishing page is no longer the attack. It's one component of a larger system designed to generate, test, deploy, and replace fraudulent assets at scale. This distinction matters because most enterprise workflows are still optimized to find and remove individual URLs. Attackers are increasingly optimized to replace them.

Phishing kits create enterprise grade scam infrastructure and bypass defenses

Today’s phishing kits allow scam operations to operate more like small, efficient businesses versus traditional ad hoc attackers. And they create scams at scale that look, sound, and feel legitimate.

For example, threat actor GS7 targeted Fortune 500 financial services, technology, healthcare, and telecom firms worldwide to harvest credentials. It used sophisticated phishing kits to construct login portals mimicking brands with “unprecedented accuracy” and automate batch domain registration. The campaign created more than 150 phishing sites. 

Starkiller operators impersonate a brand’s real website — Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, various banks — and the tool generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker's infrastructure.

There are no template files for vendors to blocklist because it proxies the brand’s real website. And because the end user authenticates with the real site through the proxy, the attacker can capture any one-time codes or authentication tokens the victim submits so they have authenticated access to the account. MFA protections are bypassed even though they’re operating as designed.

Bluekit one of the newest AI-powered phishing kits, combines automated infrastructure deployment, evasion capabilities, and AI-assisted campaign creation into a single platform. While early versions still rely on templates and operator input, the pace of development illustrates how quickly phishing tooling is evolving.

The specific kit matters less than the trend it represents.

Each new generation of phishing tooling lowers the skill required to launch sophisticated attacks while increasing the speed at which attackers can deploy, test, and replace infrastructure. The result is a widening gap between how quickly attackers can create new campaigns and how quickly defenders can identify and disrupt them.

The time-to-detect versus time-to-damage race

Fortune 500 CISOs are in a time-to-detect versus time-to-damage race. Well-resourced CISOs and their security teams manage the detection-to-takedown process in 24 to 72 hours. 

But in the time it takes to manage the traditional takedown process — manual review, ticket queues, and multi-day registrar negotiations — AI-based phishing kits are letting attackers harvest credentials, rotate to backup infrastructure, and launch new attacks.

If detection-to-takedown takes days while attackers use phishing kits to set up new phishing sites in minutes, security teams will constantly be behind. 

The challenge for CISOs is no longer whether they can identify a phishing site. The challenge is whether they can identify, understand, and disrupt the infrastructure behind it before attackers redeploy elsewhere. As phishing kits continue to lower the cost of launching campaigns, the organizations that win won't be the ones that take down the most URLs. They'll be the ones that reduce attacker dwell time across the entire campaign.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Rod Schultz

Rod Schultz is a seasoned technology executive and cybersecurity leader with more than 25 years of experience driving product innovation, secure technology development, and executive leadership at companies including Cisco, Apple, Adobe, and Zoom. Now as CEO of Bolster AI, he applies that deep expertise to protecting brands, customers, and digital identities at scale: leading the company’s mission to detect and disrupt phishing, impersonation, and other digital-threat actors with a mindset grounded in innovation, trust, and speed.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds