
AI Phishing Is No. 1 With a Bullet for Cyberattackers

Dark Reading | Archived Apr 24, 2026

In the past six months, companies have seen a significant influx of AI-powered phishing, as cyberattackers progress from small campaigns to 1-to-1 personalized attacks.


Robert Lemos, Contributing Writer
April 24, 2026

Powered by attackers' AI usage, phishing attacks have surged back to become the top vector for initial access in incident-response engagements during the first quarter of the year, overtaking exploitation of external vulnerabilities as the top method of compromise.

That's according to Cisco Talos' "IR Trends Q1 2026" report, published this week, which found that, overall, more than a third of compromises (35%) the team investigated last quarter started as successful phishing attacks. Attackers used valid accounts in 24% of cases and exploited public-facing applications in another 18%, according to data from the report.

The data highlights the effectiveness of email lures written, and usually personalized, by AI systems, says Nick Biasini, senior technical leader at Cisco Talos.

"We gave everyone the ability to write very convincing phishing emails all of a sudden, and not just very convincing emails, but very convincing emails in a wide variety of languages," he explains. "That is really starting to show up in a lot of our data."

Cisco is not the only company to see the surge in AI-powered phishing attacks. In December 2025, human-risk management platform Hoxhunt saw the AI-generated share of phishing attacks jump from 4% to 56% during the holiday season, dropping only slightly, to 40%, in January, according to a report published by the firm.

AI has resulted in more native-sounding email lures, greater personalization, and cleaner formatting, making both filtering and human detection more difficult, says Mika Aalto, co-founder and CEO at the Helsinki-based firm.

"No question, the threat landscape has shifted," he says.

More Signs of AI Tooling in Cyberattack Infection Flows

Incident responders have also seen more diversity in phishing lures. A year ago, cyberattackers would send the same email to 10 different people before switching it up and changing the content of the email — and usually, those changes were only slight. Now, that number is down to 1.8 emails per campaign, according to Erich Kron, chief information security officer (CISO) adviser at human-risk management firm KnowBe4.

The practice of rapidly changing emails, known as polymorphic phishing, has become turbo-charged as attackers increasingly adopt AI tools, he says.

"We're attributing this absolutely to AI," he says. "Nobody's sitting back at their keyboard [manually] changing payloads on every single message they're sending out."

Microsoft data, meanwhile, also shows that AI has led to more convincing phishing attacks. The company has seen clickthrough rates for AI-assisted phishing reach 54%, up from an average of 12%.

Often, the targets of a phishing attack are the legitimate credentials of privileged users: both Cisco Talos and KnowBe4 have seen an increase in phishing messages that specifically target privileged users, such as system administrators, executives, and accounting teams.

"Identity is a huge, huge target," Biasini says. "As an adversary, I don't want to use an exploit. I would much rather compromise your email account or compromise your credentials, get into your environment and be able to operate in a much more covert manner, to hopefully inflict some financial gain."

Google Mandiant's investigations, for example, found that 83% of initial-access vectors exploited identity in some way, including a third of attacks using phishing techniques.

Cyberattacker Crosshairs on Vulnerable Infrastructure

The abuse of legitimate services — from Gmail accounts to Docusign, from Outlook to Salesforce — has also made phishing harder to discern from legitimate email. Usually, phishing emails come from domains that have implemented email authentication technology, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), giving the message a veneer of legitimacy. Thus, attackers bypass the initial defenses, says Hoxhunt's Aalto.

"Hiding malicious links and messages in notifications from legitimate platforms is getting increasingly popular because it's effective and harder to detect," he says. "When phishing links lead to trusted cloud tools, collaboration platforms, or no-code services, the activity looks normal on the surface. That makes detection harder because users are no longer looking for red flags in grammar and mismatched URLs."

While multifactor authentication (MFA) is a critical component of protecting workers' online identities and access, companies should not rely on it exclusively. More than a third of attacks (35%) investigated by Cisco Talos involved MFA weaknesses, the company stated in its report.

To help improve defenses, companies should experiment with and invest in deploying AI wherever it makes sense, Cisco's Biasini says.

"If your attackers are going to be leaning heavily on AI, you need to probably do the same," he says. "Start looking for those weaknesses, leverage your own AI capabilities to start fixing the problems that potentially could be there, because if one AI agent can find it, then multiple AI agents theoretically could find it as well."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.