Understanding the Threat Posed by an AI-Powered Spear Phishing Attack


Spear phishing attacks rose in prominence following organizations’ transition to remote work. More than half (65%) of IT security professionals said that their companies had experienced a spear phishing incident in the first half of 2021, according to Cybersecurity Dive. Half of surveyed experts went on to say that spear phishing had increased in the past year, with 39% of personnel experiencing spear phishing attempts in their organizations on a weekly basis.

A Limiting Factor

One thing that’s traditionally held spear phishers back is the amount of time it takes to craft a targeted campaign. First, they need to gather background information on their target. CSO notes that this stage can involve harvesting email addresses from data breaches; using LinkedIn and Twitter to map roles, responsibilities, and relationships of relevant personnel; and learning about processes, suppliers, and technology solutions from the target’s website.

Second, attackers need to use all that information to craft a convincing lure. For instance, they need to use personalization strategically so that the attack attempt appears legitimate to the target. The same goes for the message they want to convey and the language they use to state it.

But Things Are Changing…

New technologies are helping to reshape threats like spear phishing. Such is the case with artificial intelligence (AI). Just as organizations are using “defensive AI” to protect against a spear phishing email, attackers are turning to “offensive AI” to automate the attack process.

Offensive AI can help spear phishers in two ways. First, it can reduce the time necessary for them to conduct reconnaissance and craft convincing messages. WIRED ran through one such scenario where attackers incorporated a malicious AI toolkit into their spear phishing campaign.

Aimed at mimicking the company’s CMO, the AI analyzed her social media feeds and emails in both professional and social interactions, developing an incredibly precise understanding of the CMO’s everyday communication. It replicates the CMO’s language almost perfectly.

The malicious AI toolkit does this work automatically, allowing attackers to spend their time elsewhere. That includes setting up multiple AI services to work together in a way that helps attackers to streamline their spear phishing operations.

At the Black Hat and DEF CON security conferences in Las Vegas, for example, a team from Singapore's Government Technology Agency shared the results of a phishing experiment involving 200 of their colleagues. The researchers wrote some of those phishing attempts themselves, while they used an AI platform to generate the rest. Both types of emails contained links that tracked the clickthrough rates of the experiment’s participants.

The AI-generated messages recorded a higher clickthrough rate than the human-generated attack attempts by a significant margin. WIRED explained in another article how the researchers did it.

“The researchers used [deep learning language model] OpenAI's GPT-3 platform in conjunction with other AI-as-a-service products focused on personality analysis to generate phishing emails tailored to their colleagues' backgrounds and traits,” the magazine explained. “Machine learning focused on personality analysis aims to predict a person's proclivities and mentality based on behavioral inputs. By running the outputs through multiple services, the researchers were able to develop a pipeline that groomed and refined the emails before sending them out.”

Defending Against Increasingly Sophisticated Spear Phishing Attacks

The threat of AI-powered spear phishing highlights the need for organizations to enlist the help of sophisticated email threat protection and a layered email security approach. Indeed, one level of email analysis won’t do. Organizations need multiple levels of threat detection including advanced link protection, attachment sandboxing, quarantine, and message retraction, among other capabilities.
