Polymorphic attacks: the shape-shifting threat

Malicious email threats were once a numbers game, reliant on repetition and scale. AI-powered polymorphic phishing has rewritten that model, replacing volume with relentless variation as every message, link and attachment is uniquely generated in near real time. Here, Cofense examines how this machine-speed evolution is outpacing traditional email defences and sets out five practical measures organisations can take to strengthen detection, accelerate response and reduce exposure.

For years, security teams relied on spotting repetition: identical subject lines, reused domains, recognisable patterns. Polymorphic phishing shatters that model. Instead of sending the same lure at scale, attackers continuously alter emails, tweaking sender names, wording and links so no two messages look alike.

Cofense’s latest report shows these changes can occur every 15–20 seconds, enabling attackers to test defences in real time and adapt faster than traditional controls can respond.

Artificial intelligence now sits at the core of the attacker workflow. Generative models allow threat actors to instantly produce thousands of unique yet convincing variations of a campaign, refine language, personalise content using public data, and test what bypasses security controls, all at machine speed.

Cofense research shows that in 2025, 76 per cent of initial infection URLs were unique and 82 per cent of malicious files had unique hashes, even when delivering the same payload or sharing IP addresses. This level of variance reflects AI-driven automation.

The speed of evolution makes polymorphic phishing especially dangerous. Attackers iterate in minutes, not days. By the time security teams update rules or blocklists, campaigns have morphed. Many attacks also specifically evade analysis by displaying different content depending on device, browser, or perceived security tooling. Traditional perimeter defences may block known threats, but polymorphic campaigns are built to slip through, leaving a narrow response window.

To counter this reality, organisations must rethink defence strategies. Five tactics stand out:

The first is to prioritise post-delivery detection and response. Polymorphic attacks are designed to bypass static, rule-based controls by constantly changing. Relying solely on those perimeter controls creates blind spots once messages reach the inbox, making it vital to have the visibility and resources to act quickly against evasive threats.

The second is to strengthen employee reporting. Cofense research consistently shows the most dangerous emails are those identified by employees reporting from their inbox. Organisations should make threat reporting fast, simple, and encouraged. Well-trained employees act as distributed sensors, spotting subtle anomalies that machines miss, especially in highly variable, AI-generated attacks.



The third is to ensure training reflects real-world polymorphic threats. Generic or randomised phishing simulations do not prepare users for campaigns that continuously evolve. Training should reflect current and active threats seen within the organisation’s industry, conditioning users to recognise how genuine polymorphic attacks look and behave. When employees understand the tactics, pace and variability of these campaigns, they are far more likely to identify and report suspicious activity quickly.

The fourth is to reduce response time through automation. Users often engage with emails within seconds of delivery, leaving little margin for manual investigation. Organisations should combine user-reported intelligence with automated analysis to identify related variants, search inboxes and quarantine malicious messages at scale before damage spreads.

The fifth and final tactic is to focus on behaviour and infrastructure rather than surface indicators. When every URL and file appears new, detection must centre on how attacks operate. AI-assisted analysis, supported by human validation, will help uncover shared tactics, reused infrastructure, and evolving behaviour beneath polymorphic surface changes.
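The fourth and fifth tactics can be illustrated with a short added example (not Cofense's code or method): user-reported emails are clustered on reused infrastructure and payload rather than on URL or file hash. The record fields (`host_ip`, `payload`), the sample reports and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of user-reported emails (all values invented; IPs are
# from RFC 5737 documentation ranges). Every URL and file hash is unique.
REPORTS = [
    {"id": "r1", "url": "https://a1.example/x9", "file_hash": "hash-0001", "host_ip": "192.0.2.10", "payload": "loader-A"},
    {"id": "r2", "url": "https://b7.example/k2", "file_hash": "hash-0002", "host_ip": "192.0.2.10", "payload": None},
    {"id": "r3", "url": "https://c3.example/p5", "file_hash": "hash-0003", "host_ip": "198.51.100.7", "payload": "loader-A"},
    {"id": "r4", "url": "https://d4.example/q1", "file_hash": "hash-0004", "host_ip": "203.0.113.5", "payload": "stealer-B"},
    {"id": "r5", "url": "https://e5.example/z8", "file_hash": "hash-0005", "host_ip": None, "payload": None},
]

SURFACE = ("url", "file_hash")       # surface indicators: new in every message
BEHAVIOUR = ("host_ip", "payload")   # assumed enrichment fields, reused across variants

def cluster(reports, keys):
    """Union-find: reports sharing any non-empty value for a key join one cluster."""
    parent = {r["id"]: r["id"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (key, value) -> id of the first report carrying it
    for r in reports:
        for k in keys:
            v = r.get(k)
            if v is None:
                continue  # missing enrichment must never link unrelated reports
            owner = first_seen.setdefault((k, v), r["id"])
            parent[find(r["id"])] = find(owner)

    groups = defaultdict(list)
    for r in reports:
        groups[find(r["id"])].append(r["id"])
    return sorted(sorted(g) for g in groups.values())

def quarantine_candidates(reports, keys):
    """Clusters with more than one report: likely variants of one campaign."""
    return [g for g in cluster(reports, keys) if len(g) > 1]

if __name__ == "__main__":
    print("surface  :", cluster(REPORTS, SURFACE))
    print("behaviour:", cluster(REPORTS, BEHAVIOUR))
```

Matching on surface indicators leaves five unrelated reports, while the behavioural pivots join r1, r2 and r3 into one campaign even though r2 and r3 share nothing directly; each is linked through r1.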

Polymorphic phishing is not a future risk but the current state of email-borne threats. Organisations that fail to evolve beyond perimeter-only defences will remain one step behind.

Further information

Produced with support from Cofense. To find out more about its enterprise-grade threat-intelligence and phishing-response services, visit www.cofense.com



