The New Economics of Phishing: Why AI-Generated Attacks Demand a Comprehensive Defense

Generative AI has enabled attacks that are both sophisticated and high-volume, necessitating a shift from strictly perimeter-based defense to a holistic security strategy focused on preventing attacks while detecting and responding to threats across the cloud office environment.

Industry Insights
August 28, 2025
authors
Nate Abbott

Introduction

There has always been a relatively simple economics to phishing. There are opportunity costs to the approach an attacker takes: if you focus on crafting very persuasive, personalized attacks, they’ll have to be low-volume. If you spray and pray, the emails will be generic and you’ll get a low hit rate.

The rise of generative AI has changed the model: on a certain level, we’re in a post-scarcity world for attackers. It’s now possible to generate persuasive, sophisticated attacks at scale. This isn’t a reason for panic: it’s a reason for pragmatism and a clear-headed evaluation of what effective email security looks like.

The old economics of an effective phish

Up until recently, there was a pretty predictable trade-off for malicious emails. Attackers could choose scale or sophistication, but rarely both in the same attack campaign. 

Widespread, low-effort campaigns could target thousands of people, but often with the telltale signs that we’ve all been trained to spot: clumsy grammar and generic high-urgency requests, all wrapped up with a general lack of authenticity. 

The truly convincing spear phishing attacks, on the other hand, were artisanal. They were tailored to their targets by attackers who knew what those targets were likely to expect. They were expensive to produce and therefore reserved for high-value targets.

In order to craft convincing spear-phishing emails in the past, attackers had to invest time in research, scouring LinkedIn, company websites, and social media to understand relationships, reporting structures, and internal jargon. Strong language skills were needed in order to craft convincing emails in the target’s native language, mimicking the tone of the setting the email was meant to be originating from. And it all had to be wrapped in a plausible narrative, with a reason for an urgent request that wouldn’t immediately set off alarm bells.

That all took time, effort, and skill. It required a human to dedicate hours or days to a single target or small group. The inherent cost of that acted as a natural limit on the volume of sophisticated attacks.

Phishing in the age of generative AI

Today’s LLMs remove a great deal of the manual effort needed to produce sophisticated attacks. Of course contemporary generative AI isn’t perfect, but today’s models are nevertheless incredibly powerful, and can save an attacker immense amounts of time crafting unique attacks. 

AI-generated phishing has been a buzzword for security companies for the last couple of years, but initially there was some skepticism about how frequently AI was being used in successful attacks. Now we’re starting to see tangible proof. In its 2025 Cost of a Data Breach Report, IBM found that 1 in 6 breaches involved AI-driven attacks, and the majority of those were AI-generated phishing attacks and deepfake impersonations.

Anyone using AI in their day-to-day work can see why. From open-source intelligence gathering to drafting the emails themselves in whatever language the target speaks, LLMs cut the amount of time needed to generate sophisticated attacks by orders of magnitude. With a bit of planning and careful prompting, sophisticated attacks can be generated at previously-impossible scales.

When the perimeter becomes porous

The new reality of phishing attacks puts immense pressure on email defenses.

Inbound threat protection systems like secure email gateways (SEGs), integrated cloud email security (ICES), and native security are designed to spot known bad patterns: malicious URLs, weaponized attachments, and content that matches known previous phishing campaigns. 

AI-generated content often bypasses these filters: the content is novel, the language is clean and unique, and many of the most effective Business Email Compromise (BEC) attacks are nothing but text, carrying no payload for a scanner to find. (And when a malicious payload is present, we’re seeing evidence of attackers using AI to generate and morph malware, making it even harder to detect.)

And at the same time, these new attacks are making it harder for the human firewall to do its job. We’ve spent years training employees to spot phishing attacks by looking for certain telltales which, for the most part, are no longer there. Typos, generic greetings, awkward phrasing: sure, we all still get those from time to time, but assuming any email that doesn’t fit that mold is safe is dangerously outdated advice.

New questions demand new answers

As LLMs make detecting inbound threats significantly harder for both man and machine, the industry must evaluate the logic of relying on inbound threat detection as the primary means of email security. Email has been the most frequent threat vector for years: the rise of AI has now given attackers previously-impossible economies of scale.

In the face of intensifying attacks on a threat surface the industry has struggled to protect, we need to look to expand the scope of our defenses, across the inbox and the connected cloud office.

A comprehensive defense strategy is just that: a holistic approach that combines cutting-edge inbound protections with data protection, account security, and proactive cloud office posture management. It treats the arrival of an email as one chapter of the story, not the end. Instead of making a simple allow/block decision based on a snapshot in time, the approach analyzes the full context of communications, behaviors, and settings within the cloud workspace to keep sensitive information secure and deliver account takeover resilience. 

It’s one thing to detect the attack itself, but beyond that, modern email security must also be able to monitor the behavior within the environment and respond appropriately. It must be able to answer a range of questions beyond simply “is this email malicious,” including:

  • Did anyone click on links or interact with files in malicious emails before they were detected and remediated? 
  • Is an account showing unusual behavior, such as irregular data access patterns, email forwarding, or abnormal lateral movement patterns?
  • How much sensitive data does the account have access to–both within the inbox and in shared drives–and what would be the blast radius of the account being compromised?
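
The three questions above can be answered by correlating post-delivery events rather than by scoring the email alone. The following is an added example, not code from the original post or from any vendor: the event types, field names, domains, and file counts are constructed assumptions standing in for whatever audit logs the environment exposes.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
# Constructed sample events; field names are assumptions, not a vendor log schema.
EVENTS = [
    {"ts": "2025-08-01T09:04:00", "type": "link_click", "user": "ana@example.com", "msg": "m1"},
    {"ts": "2025-08-01T09:10:00", "type": "link_click", "user": "cy@example.com", "msg": "m1"},
    {"ts": "2025-08-01T09:30:00", "type": "remediated", "msg": "m1"},
    {"ts": "2025-08-01T09:40:00", "type": "forward_rule", "user": "ana@example.com",
     "target": "drop@external.test"},
    {"ts": "2025-08-01T10:00:00", "type": "forward_rule", "user": "bo@example.com",
     "target": "bo.alt@example.com"},
]
SENSITIVE_FILES = {"ana@example.com": 42, "bo@example.com": 3, "cy@example.com": 7}  # constructed

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def clicked_before_remediation(events):
    """Question 1: who interacted with a message before it was remediated?"""
    pulled = {e["msg"]: _ts(e) for e in events if e["type"] == "remediated"}
    exposed = {}
    for e in events:
        if e["type"] == "link_click" and e["msg"] in pulled and _ts(e) < pulled[e["msg"]]:
            exposed[e["user"]] = min(exposed.get(e["user"], _ts(e)), _ts(e))
    return exposed  # user -> time of first risky click

def external_forwarding_after_click(events, exposed, window=timedelta(hours=24)):
    """Question 2: did an exposed account then start forwarding mail externally?"""
    hits = []
    for e in events:
        if e["type"] != "forward_rule" or e["user"] not in exposed:
            continue
        external = e["target"].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
        if external and timedelta(0) <= _ts(e) - exposed[e["user"]] <= window:
            hits.append((e["user"], e["target"]))
    return hits

def triage(events, sensitive_files):
    """Question 3: rank exposed accounts, forwarding first, then by data reach."""
    exposed = clicked_before_remediation(events)
    forwarding = {u for u, _ in external_forwarding_after_click(events, exposed)}
    rows = [(u, u in forwarding, sensitive_files.get(u, 0)) for u in exposed]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

if __name__ == "__main__":
    for user, fwd, files in triage(EVENTS, SENSITIVE_FILES):
        print(f"{user}: external_forwarding={fwd} sensitive_files={files}")
```

The internal forwarding rule on the account that never clicked is deliberately left out of the result: the correlation only escalates accounts whose behavior follows exposure to a remediated message.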

Combining sophisticated inbound threat protection with visibility and control across the cloud office allows email, data, and identity security to take advantage of the context and signals coming from each area, strengthening the protections, decreasing the noise, and providing meaningful improvements to security posture and the efficiency of security operations.

A pragmatic response to a new reality 

From the moment AI became the new buzzword, the rise of LLM-generated phishing attacks was inevitable. And though it poses new risks, it’s not a reason to panic: it’s a demand for pragmatism. 

The security industry already had a clear signal that the old methods aren’t sufficient, and these new sophisticated attacks only reinforce it. While still critical, perimeter inbound email security is not sufficient. The economics of the attack have changed, and our approach to defense must change with it.

Continuing to invest solely in higher, thicker walls is a strategy of diminishing returns. The future of email security is in gaining visibility over the entire cloud office environment and controlling access to the email, files, and accounts within it. 
