Report reveals as attackers use AI to generate thousands of unique variants, weaponize trusted tools, and blend seamlessly into business workflows
LEESBURG, Va.--(BUSINESS WIRE)--Cofense, the leading provider of intelligence-driven post-perimeter phishing defense, today released its latest threat intelligence report, The New Era of Phishing: Threats Built in the Age of AI, revealing how AI technologies are now central to how threat actors operate, fundamentally transforming the speed, scale, and sophistication of modern phishing attacks.
In 2025, Cofense analysts documented a watershed moment in cyber defense: a malicious email attack every 19 seconds - more than doubling from 2024’s pace of one every 42 seconds. This dramatic escalation underscores how AI has shifted phishing from a periodic nuisance to a continuous, adaptive threat. The data reveals that AI is no longer an experimental tool for attackers but rather an operational requirement that enables them to generate, test, and deploy campaigns at unprecedented speed and scale while continuously evolving their tactics to evade detection.
"AI has fundamentally changed the economics and effectiveness of phishing," said Josh Bartolomie, Chief Security Officer at Cofense. "Threat actors are now using AI as core infrastructure, not just to craft highly personalized emails, but to dynamically adapt phishing pages based on the victim's device, generate thousands of unique variants of the same attack, and manage infected systems at scale. Traditional perimeter defenses can't keep pace with threats that shape-shift after delivery. Organizations need post-delivery visibility, human intelligence, and context-aware detection to identify and remediate what gets through."
The report outlines five critical trends defining the AI-powered phishing landscape:
-
Polymorphic attacks become the default delivery model: 76% of initial infection URLs identified in phishing attacks were unique and had not appeared in any other campaigns across the customer base, and 82% of malicious files had unique hashes, which traditional pattern-matching fails to detect. Attackers leverage publicly available data, home addresses, organizational charts, and social media activity to personalize each message, making every phishing email appear distinct and credible.
-
Adaptive, analysis-aware phishing pages: Threat actors now deploy dynamic websites that deliver different payloads based on the victim's browser, operating system, and device characteristics. The same phishing site delivers Windows executables to PC users and macOS packages to Mac users, while mobile visitors receive optimized credential harvesting pages. Advanced kits detect security tools and redirect analysts to legitimate websites, evading investigation.
-
AI-powered attacks perfects the art of impersonation: Business email compromise (BEC) surged as AI eliminated traditional warning signs. Conversational attacks now comprise 18% of all malicious emails, featuring grammatically perfect, contextually accurate messages that closely mimic legitimate internal communications. These text-only attacks bypass most security controls and exploit trust at the organizational level.
-
Legitimate tools weaponized at an unprecedented scale: Abuse of legitimate remote access tools exploded 900% by volume, with attackers leveraging ConnectWise ScreenConnect, GoTo Remote Desktop, and similar IT management software as remote access trojans. Files are hosted on trusted platforms like Dropbox and AWS, signed with valid certificates, and communicate through established domains, making every stage appear legitimate to endpoint detection systems.
-
Mass migration to underutilized domains: Credential phishing campaigns using .es domains increased 51 times year-over-year, with the top-level domain (TLD) jumping from 56th to the 3rd most-abused. This dramatic shift reflects AI-enabled phishing kits that automatically generate domains, deploy subdomains, and launch advanced credential harvesting at scale with minimal human intervention.
As threat actors integrate AI into every phase of the attack lifecycle, from reconnaissance to evasion, organizations must adopt defenses that evolve just as quickly. Effective protection requires a post-delivery defense that pairs real-world threat insights with expert human context and automation to rapidly identify novel, constantly changing attacks. This approach enables a action in minutes, not hours. Success depends on unifying employee-reported intelligence, expert oversight, and automated remediation to shorten response times and limit the window of exposure.
To access the full report, The New Era of Phishing: Threats Built in the Age of AI report, visit: https://cofense.com/getmedia/89b0baae-8730-4188-a87f-91328e716b67/Cofense-Annual_Report_2026.pdf
About Cofense
Cofense is the leading cybersecurity provider focused exclusively on stopping phishing—the most persistent and evolving cyber threat. Our AI-driven platform combines human intelligence from over 35 million global users with purpose-built detection and response tools to catch what traditional defenses miss. Cofense reduces false positives, remediates threats in minutes, and strengthens the human layer with real-world phishing simulations. Purpose-built for accuracy, speed, and scale, Cofense helps organizations close email security gaps, reduce analyst workload, and build lasting resilience against phishing attacks. Our analysts process over 9 million high-risk emails annually so we can deliver 24/7 actionable intelligence to help our customers, like Mastercard, UniCredit Bank, and Blue Cross Blue Shield, outpace cyber threats.
Cofense helps enterprises reduce risk, meet compliance demands, and empower their people to become an active line of defense.
Smarter phishing defense. Stronger human security.
Contacts
Cheyenne Wells
cofense@10fold.com
