PromptRiskDBThreat intelligence atlas

Phishing - AI Security Technique

AI Security Technique

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Generative AI, includin...

Overview

A source-backed snapshot of this AI security technique.

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Generative AI, including LLMs that generate synthetic text, visual deepfakes of faces, and audio deepfakes of speech (See Generate Deepfakes), is enabling adversaries to scale targeted phishing campaigns (See Spearphishing via Social Engineering LLM). LLMs can interact with users via text conversations and can be programmed with a system prompt to phish for sensitive information. Deepfakes can also be used in Impersonation as an aid to phishing.

Tactics2Attacker goals connected to this method.
Mitigations2Defenses that may help against this attack.
AI risks9Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0052
Maturity
realized
ATT&CK external ID
T1566
Priority score
101
ATLAS tactics
Initial AccessLateral Movement

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence levelrealized
  • Mapped defenses2 ATLAS mitigation records
  • Public examples2 linked case study records
  • Research risks9 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

AML.M0034 - Deepfake Detection

Deepfake detection can be used to identify and block phishing attempts that use generated content.

LifecycleDeployment + 3 moreCategoryTechnical - ML
DeploymentMonitoring+2 more

AML.M0018 - User Training

Train users to identify phishing attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

LifecycleBusiness and Data Understanding + 5 moreCategoryPolicy
B&D UnderstandingData Preparation+4 more

Case studies

Examples from public reports and exercises.

LAMEHUG: Malware Leveraging Dynamic AI-Generated Commands

In July 2025, Ukrainian authorities reported the emergence of LAMEHUG, a new AI-powered malware attributed to the Russian state-backed threat actor APT28 (also tracked as Forest Blizzard or UAC-0001). LAMEHUG uses a large language model (LLM) to dynamically generate commands on the infected hosts.

The campaign began with a phishing attack leveraging a compromised government email account to deliver a malicious ZIP archive disguised as Appendix.pdf.zip. The archive contained the LAMEHUG malware, a Python-based executable, packed with PyInstaller. When executed, the malware, makes calls to an LLM endpoint to generate malicious from natural language prompts. Dynamically generated commands may make the malware harder to detect. LAMEHUG was configured to collect files from the local system and exfiltrate them.

Date2025-06-03
incident

Attempted Evasion of ML Phishing Webpage Detection System

Adversaries create phishing websites that appear visually similar to legitimate sites. These sites are designed to trick users into entering their credentials, which are then sent to the bad actor. To combat this behavior, security companies utilize AI/ML-based approaches to detect phishing sites and block them in their endpoint security products.

In this incident, adversarial examples were identified in the logs of a commercial machine learning phishing website detection system. The detection system makes an automated block/allow determination from the "phishing score" of an ensemble of image classifiers each responsible for different phishing indicators (visual similarity, input form detection, etc.). The adversarial examples appeared to employ several simple yet effective strategies for manually modifying brand logos in an attempt to evade image classification models. The phishing websites which employed logo modification methods successfully evaded the model responsible detecting brand impersonation via visual similarity. However, the other components of the system successfully flagged the phishing websites.

Date2022-12-01
incident

Source evidence

Original public records and references for this page.