Thursday, February 5, 2026

AI-powered phishing attacks doubled in 2025

Last year saw a malicious email attack every 19 seconds, more than double 2024’s pace of one every 42 seconds, according to the latest report from Cofense, which reveals how AI technologies are now central to how threat actors operate, fundamentally transforming the speed, scale, and sophistication of modern phishing attacks.

“AI has fundamentally changed the economics and effectiveness of phishing,” says Josh Bartolomie, chief security officer at Cofense. “Threat actors are now using AI as core infrastructure, not just to craft highly personalized emails, but to dynamically adapt phishing pages based on the victim’s device, generate thousands of unique variants of the same attack, and manage infected systems at scale. Traditional perimeter defenses can’t keep pace with threats that shape-shift after delivery. Organizations need post-delivery visibility, human intelligence, and context-aware detection to identify and remediate what gets through.”

Polymorphic attacks have become the default delivery model: 76 percent of initial infection URLs identified in phishing attacks were unique and had not appeared in any other campaigns across the customer base, and 82 percent of malicious files had unique hashes, which traditional pattern-matching fails to detect. Attackers are leveraging publicly available data, home addresses, organizational charts, and social media activity to personalize each message, making every phishing email appear distinct and credible.

Threat actors now deploy dynamic websites that deliver different payloads based on the victim’s browser, operating system, and device characteristics. The same phishing site delivers Windows executables to PC users and macOS packages to Mac users, while mobile visitors receive optimized credential harvesting pages. Advanced kits detect security tools and redirect analysts to legitimate websites, evading investigation.

Business email compromise (BEC) has also surged as AI eliminates traditional warning signs. Conversational attacks now comprise 18 percent of all malicious emails, featuring grammatically perfect, contextually accurate messages that closely mimic legitimate internal communications. These text-only attacks bypass most security controls and exploit trust at the organizational level.

Legitimate tools are being weaponized at an unprecedented scale too. Abuse of legitimate remote access tools exploded 900 percent by volume, with attackers leveraging ConnectWise ScreenConnect, GoTo Remote Desktop, and similar IT management software as remote access trojans. Files are hosted on trusted platforms like Dropbox and AWS, signed with valid certificates, and communicate through established domains, making every stage appear legitimate to endpoint detection systems.

The full report is available from the Cofense site.

Image credit: djbagaha/depositphotos.com
