AI Phishing Is No. 1 With a Bullet for Cyberattackers - Dark Reading

CYBER RISK CYBERSECURITY OPERATIONS INSIDER THREATS VULNERABILITIES & THREATS NEWS AI Phishing Is No. 1 With a Bullet for Cyberattackers In the past six months, companies have seen a significant influx of AI-powered phishing, as cyberattackers progress from small campaigns to 1-to-1 personalized attacks. Robert Lemos,Contributing Writer April 24, 2026 4 Min Read SLEEPYELLOW VIA ALAMY Powered by attackers' AI usage, phishing attacks have surged back to become the top vector for initial access in incident-response engagements during the first quarter of the year, overtaking exploitation of external vulnerabilities as the top method of compromise. That's according to Cisco Talos' "IR Trends Q1 2026" report, published this week, which found that, overall, more than a third of compromises (35%) the team investigated last quarter started as successful phishing attacks. Attackers used valid accounts in 24% of cases and exploited public-facing applications in another 18%, according to data from the report. The data highlights the effectiveness of email lures written, and usually personalized, by AI systems, says Nick Biasini, senior technical leader at Cisco Talos. "We gave everyone the ability to write very convincing phishing emails all of a sudden, and not just very convincing emails, but very convincing emails in a wide variety of languages," he explains. "That is really starting to show up in a lot of our data." Related:Checkbox Assessments Aren't Fit to Measure Risk Cisco is not the only company to see the surge in AI-powered phishing attacks. In December 2025, human-risk management platform Hoxhunt saw the AI-generated share of phishing attacks jump from 4% to 56% during the holiday season, dropping only slightly, to 40%, in January, according to a report published by the firm. AI has resulted in more native sounding email lures, greater personalization, and cleaner formatting, making both filtering and human detection more difficult, says Mika Aalto, co-founder and CEO at the Helsinki-based firm. "No question, the threat landscape has shifted," he says. More Signs of AI Tooling in Cyberattack Infection Flows Incident responders have also seen more diversity in phishing lures. A year ago, cyberattackers would send the same email to 10 different people before switching it up and changing the content of the email — and usually, those changes were only slight. Now, that number is down to 1.8 emails per campaign, according to Erich Kron, chief information security officer (CISO) adviser at human-risk management firm KnowBe4. Rapidly changing emails, known as polymorphic phishing, has become turbo-charged as attackers increasingly adopt AI tools, he says. "We're attributing this absolutely to AI," he says. "Nobody's sitting back at their keyboard [manually] changing payloads on every single message they're sending out."   Microsoft data meanwhile also shows that AI has led to more convincing phishing attacks. The company has seen clickthrough rates for AI-assisted phishing reach 54%, up from an average of 12%. Related:Research Hub Bridges Cybersecurity Gap for Under-Resourced Organizations Often, the targets of a phishing attack are the legitimate credentials of privileged users: both Cisco Talos and KnowBe4 have seen an increase in phishing messages that specifically target privileged users, such as system administrators, executives, and accounting teams. "Identity is a huge, huge target," Biasini says. "As an adversary, I don't want to use an exploit. I would much rather compromise your email account or compromise your credentials, get into your environment and be able to operate in a much more covert manner, to hopefully inflict some financial gain." Google Mandiant's investigations, for example, found that 83% of initial-access vectors exploited identity in some way, including a third of attacks using phishing techniques. Cyberattacker Crosshairs on Vulnerable Infrastructure The abuse of legitimate services — from Gmail accounts to Docusign, from Outlook to Salesforce — has also made phishing harder to discern from legitimate email. Usually, phishing emails come from domains that have implemented email authentication technology, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), giving the message a veneer of legitimacy. Thus, attackers bypass the initial defenses, says Hoxhunt's Aalto. Related:Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk "Hiding malicious links and messages in notifications from legitimate platforms is getting increasingly popular because it's effective and harder to detect," he says. "When phishing links lead to trusted cloud tools, collaboration platforms, or no-code services, the activity looks normal on the surface. That makes detection harder because users are no longer looking for red flags in grammar and mismatched URLs." While multifactor authentication (MFA) is a critical component of protecting workers' online identities and access, companies should not rely on it exclusively. More than a third of attacks (35%) investigated by Cisco Talos involved MFA weaknesses, the company stated in its report. To help improve defenses, companies should experiment with and invest in deploying AI wherever it makes sense, Cisco's Biasini says. "If your attackers are going to be leaning heavily on AI, you need to probably do the same," he says. "Start looking for those weaknesses, leverage your own AI capabilities to start fixing the problems that potentially could be there, because if one AI agent can find it, then multiple AI agents theoretically could find it as well." About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity by Alexander Culafi JAN 05, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Microsoft Exchange 'Under Imminent Threat,' Act Now by Arielle Waldman NOV 12, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS