AI-driven phishing surges 204% as firms face a malicious email every 19 seconds
Cofense

Cyber criminals are using artificial intelligence to flood inboxes with near-undetectable phishing emails, recycling the same hidden infrastructure while making every attack look brand new
Malware-carrying phishing campaigns rose 204 per cent last year, with a malicious email being stopped by Cofense every 19 seconds, worrying new research has found.
A study by Cofense found that artificial intelligence is now embedded in how phishing campaigns are generated, refined and deployed at scale, enabling attackers to produce highly adaptive and personalised messages that evade traditional email defences. Sector data showed malicious emails bypassing perimeter controls across all industries including heavily regulated finance and healthcare.
The report found that in 2025, 76 per cent of initial infection URLs were unique even though 94 per cent shared IP addresses. It describes this tactic as “polymorphic” phishing: attacks that appear new and unique in their surface indicators but are the same at their core. According to these findings, the approach exposes a clear gap in detection systems built on known indicators, signatures and pattern matching.
Reinforcing this trend, the report found that at file level 82 per cent of malicious attachments carried unique hashes while delivering identical payloads, limiting the effectiveness of filters that rely on repeated patterns.
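The detection gap described above can be shown on a small scale. This Python code is an added example, not taken from the Cofense report: the URLs and IP addresses are constructed (reserved .example names and documentation IP ranges) and the function names are illustrative. It compares exact-URL matching with pivoting on the hosting IP.

```python
from collections import defaultdict

# Constructed observations (URL, IP it resolved to); not real indicators.
KNOWN = [
    ("https://inv-7f3a.billing.example/view", "203.0.113.10"),
    ("https://doc-91bc.share.example/open", "203.0.113.10"),
    ("https://hr-20e4.portal.example/login", "198.51.100.7"),
]
LATER = [
    ("https://inv-c05d.billing.example/view", "203.0.113.10"),
    ("https://pay-4412.secure.example/auth", "203.0.113.10"),
    ("https://hr-ab19.portal.example/login", "198.51.100.7"),
    ("https://sso-77aa.staff.example/login", "198.51.100.7"),
    ("https://news-0001.media.example/story", "192.0.2.55"),
]

def unique_url_share(observations):
    """Fraction of observations whose URL is distinct."""
    urls = [u for u, _ in observations]
    return len(set(urls)) / len(urls)

def shared_ip_share(observations):
    """Fraction of observations whose IP served more than one distinct URL."""
    by_ip = defaultdict(set)
    for url, ip in observations:
        by_ip[ip].add(url)
    return sum(1 for _, ip in observations if len(by_ip[ip]) > 1) / len(observations)

def match_counts(known, later):
    """How many later observations an exact-URL list vs an IP pivot would flag."""
    known_urls = {u for u, _ in known}
    known_ips = {ip for _, ip in known}
    url_hits = sum(1 for u, _ in later if u in known_urls)
    ip_hits = sum(1 for _, ip in later if ip in known_ips)
    return url_hits, ip_hits

def pivot_clusters(known, later):
    """Group later URLs under the already-seen IP they share, for triage."""
    known_ips = {ip for _, ip in known}
    clusters = defaultdict(list)
    for url, ip in later:
        if ip in known_ips:
            clusters[ip].append(url)
    return dict(clusters)

if __name__ == "__main__":
    print("unique URLs:", unique_url_share(KNOWN + LATER))
    print("on shared IPs:", shared_ip_share(KNOWN + LATER))
    print("(url_hits, ip_hits):", match_counts(KNOWN, LATER))
    print(pivot_clusters(KNOWN, LATER))
```

A shared IP is a triage signal rather than a verdict, since shared hosting and CDN addresses also serve unrelated benign sites.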
Attackers are also consolidating their attention on established strategies. Overall malware family diversity fell by 27 per cent, the report found, suggesting a focus on payloads that reliably bypass controls while variation is introduced at the delivery stage.
Nearly one-in-five malicious emails took the form of conversational phishing or Business Email Compromise, according to the data. These messages contain no links or attachments and mimic routine exchanges between colleagues. Generative AI has removed many of the grammatical and stylistic inconsistencies that once signalled fraud.

“Phishing has moved from bulk distribution to adaptive deployment,” a Cofense spokesperson said. “AI allows attackers to vary content and structure simultaneously, making each attempt appear new while preserving scale behind the scenes.”
Malware delivery methods are becoming increasingly targeted, the report found. It documents operating system-specific execution aimed at Windows and macOS environments, alongside growth in Android application distribution.
AI-driven evasion tactics, including automated redirection to legitimate websites, CAPTCHA logic and environment checks, are also being used to avoid security analysis, according to the findings.
Legitimate Remote Access Tool abuse also rose sharply by 57 per cent with a 900 per cent increase in volume, and a 114 per cent increase in the number of tool families, the report found. In addition, the use of legitimate files to deliver malicious content increased sixfold compared with the previous year, according to the data.
Payloads were frequently hosted on reputable cloud platforms including Dropbox, Amazon S3 and OneDrive, often supported by valid digital certificates or free software trials to maintain legitimacy, the report said.
Other findings included a 372 per cent increase in campaigns spoofing the US Social Security Administration.
“These tactics highlight the importance of contextual analysis that only a human layer of security can provide,” the Cofense spokesperson said, “and this will become critical in reliably determining whether tools and files are legitimate”.
Infrastructure trends shifted markedly. Credential phishing campaigns using the “.es” top-level domain increased 19-fold quarter on quarter and 51-fold year on year, moving from 56th to the third most abused domain within a year, the report found. It also noted automated subdomain generation and multi-stage credential harvesting.
For senior leadership, the findings indicate a widening imbalance. Artificial intelligence lowers the barrier to entry for attackers and accelerates campaign deployment faster than perimeter-based security can adapt, the report concluded.

Cofense said organisations should reassess how they measure email security, arguing that resilience depends on understanding what reaches employees rather than focusing solely on what is blocked at the gateway. The company said its approach centres on what it describes as ‘controlled automation’, combining automated detection with human validation.
“Success can no longer be defined purely by what is stopped at the perimeter,” the spokesperson said. “Organisations need visibility into what is delivered, how employees interact with it, and how quickly it can be contained.”
The company added that staff should be viewed as part of the defence architecture rather than as the weakest link.
“Employees generate valuable threat intelligence when they report suspicious messages,” the spokesperson said. “Businesses should enable and encourage that reporting, and integrate it into real-time detection and response.”
Cofense also urged closer governance of legitimate tools that may be abused by attackers and warned that AI-driven personalisation should now be treated as a baseline assumption.
“Security leaders should plan on the basis that every phishing attempt may be tailored and technically varied,” the spokesperson added. “Static controls alone will not keep pace with that level of adaptation.
“Human trust is now the primary attack surface. When AI eliminates the obvious warning signs, organisations cannot depend on language errors or static rules to identify malicious intent.”
Further Information
Produced with support from Cofense. To find out more about Cofense’s Controlled Automation solutions and its phishing defence services, visit www.Cofense.com