Our threat research team has observed a rise in polymorphic phishing campaigns being launched on a much larger scale than before. We found a 17% increase in phishing emails in February 2025 compared to the previous six months. Last year, at least one polymorphic feature was present in 76%of all phishing attacks.
Understanding Polymorphic Phishing
Polymorphic phishing is an advanced form of phishing campaign that randomizes the components of emails, such as their content, subject lines, and senders’ display names, to create several almost identical emails that only differ by a minor detail. In combination with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates. Of all phishing emails we analyzed, 82% contained some form of AI usage, a 53% year-over-year increase.
Traditional detection systems group phishing emails together to enhance their detection efficacy based on commonalities in phishing emails, such as payloads or senders’ domain names. The use of AI by cybercriminals has allowed them to conduct polymorphic phishing campaigns with subtle but deceptive variations that can evade security measures like blocklists, static signatures, secure email gateways (SEGs), and native security tools. For example, cybercriminals modify the subject line by adding extra characters and symbols, or they can alter the length and pattern of the text.
Most polymorphic phishing attacks use compromised accounts (52%), followed by phishing domains (25%) and webmail (20%) to send phishing emails that can bypass domain authentication checks.
The standard way of grouping individual attacks into campaigns to improve detection efficacy will become irrelevant by 2027. Organizations need to find alternative measures to detect polymorphic phishing campaigns that don’t rely on blocklists and that can identify the most advanced attacks.
AI-Powered Polymorphic Phishing Attacks Are Raising the Stakes
The role of AI in the proliferation and increasing dangers of polymorphic phishing attacks is increasingly apparent. Here are some ways in which AI models are powering up polymorphic phishing:
Bypassing Traditional Defenses: AI-powered polymorphic phishing campaigns use advanced evasion techniques, such as dynamic URLs, payload adjustments or delivery method modifications to elude security detection and constantly adapting strategies by learning from failed phishing attempts to bypass defenses.
Dynamic Email Content: AI can prevent two emails from being identical by creating distinct email content for every recipient. This makes it hard for security tools, like Secure Email Gateways (SEGs), to identify patterns or signatures applied to detect phishing attacks.
Enhanced Personalization: AI can rapidly search enormous volumes of public data for victim information, such as social media profiles and messages, online accounts, and compromised databases, to produce extremely customized phishing emails.
Continuous Adaptation: AI-based polymorphic phishing attacks can adjust in real time to the behavior, actions, or preferences of victims, modifying the content or their actions for a successful attack. For instance, if a victim clicks on a link but does not complete the field where their credentials are asked for, AI may send a believable follow-up message to establish trust or instill a sense of urgency.
Improved Persuasion: AI has the ability to craft convincing and personalized emails that closely imitate the tone and style of trusted individuals or organizations, making them feel authentic and more likely to deceive the recipient.
Spear Phishing: AI is used by attackers to target high-value targets with access to sensitive data and control over critical systems. AI scans publicly available data on the victim’s role, interests, and communication style to send a personalized and convincing message. The sender in this case may be a known contact, mentioning a particular project or an urgent task in the phishing email. At times, synthetic voice or video messages created through deepfakes are attached to the message. Attackers send follow-up emails through various channels to build legitimacy and urgency.
Protection Against AI-Based Polymorphic Phishing
Just as AI enables the evolution of polymorphic phishing, it can be used to build a defensive strategy against such threats. Here are some effective strategies:
Make Emails Secure: Verify the authenticity of senders with email authentication protocols such as SPF, DKIM, and DMARC. Using techniques of natural language processing (NLP) and pattern recognition, AI-based defense systems analyze the structure and content of emails to identify legitimate emails over spam.
Keep Security Systems Updated: Regularly update your security controls, such as email protections and other relevant systems, to stay prepared for new and emerging threats.
Train Employees on Security Awareness: Use simulation platforms to educate employees on polymorphic phishing attacks in a real-world-like environment. This will enable employees to more readily identify polymorphic phishing and report it instantly.
Implement Strict Access Controls: Use multi-factor authentication to provide an extra security layer while accessing sensitive data and systems. Apply the least privilege access approach, which limits access to critical systems and sensitive data based on an employee’s specific role and needs.
Develop a Strong Security Culture: Engage employees to report security incidents or suspicious emails to the IT security team immediately without fear of blame or reprisal. By informing users of the situation and actions taken, security teams can create a culture of trust and teamwork. This will help develop continuous security vigilance against attacks.
AI-Powered Defenses: Proactively defend against deceptive attacks using techniques such as natural language processing and anomaly detection to block threats at they occur. AI-powered defenses continuously learn from new data and incidents and improve their detection capabilities to protect organizations against newly evolving threats. They can see the bigger threat picture by correlating data from emails and network activities, user endpoints and servers, to address immediate threats and underlying vulnerabilities.
The ability of AI-based polymorphic phishing attacks to evolve, customize, and bypass email gateways is a paradigm shift in the world of cybersecurity threats. Through the use of AI for sophisticated defense technology and through employee awareness and education, organizations can safeguard themselves against this new threat.
