How Attackers Use AI in Cyberattacks (and How to Defend)

How-To

Written by Brightside Team

A few years ago, a convincing spear phishing email took a skilled operator real time to write. They had to research the target, mimic a plausible sender, get the tone right, and fix the grammar. That effort is why high-quality spear phishing used to be reserved for high-value targets. In a 2026 human-subject study, a fully automated AI system produced spear phishing emails that achieved a 54% click-through rate, matching human experts, at a cost of roughly four cents per email. The expensive part of the attack became cheap.

That single shift explains most of what is happening with AI and cybercrime right now. It is tempting to picture an autonomous AI hacker inventing attacks no human has seen. The evidence points somewhere more practical and, for defenders, more demanding. Attackers are using AI to do familiar things faster, cheaper, in more languages, and at greater scale. This article walks through how attackers actually use AI across the attack chain, and what companies can do to keep their margin from disappearing.

What AI Actually Changes About Attacks

The clearest way to think about AI in offensive operations is as a force multiplier, not a new attack category. The UK's National Cyber Security Centre frames it well: AI is expected to make intrusion operations more effective and efficient, increase the frequency and intensity of attacks, and widen the gap between organizations that keep pace and those that do not. It compresses the things that used to slow attackers down, including reconnaissance time, writing effort, language barriers, exploit adaptation, and coordination overhead.

Most observed misuse still maps to known techniques. The 2026 Verizon Data Breach Investigations Report frames current AI impact as operational acceleration rather than novel tradecraft. Google's threat intelligence reaches a similar conclusion: across the campaigns it has tracked, generative AI has mostly helped adversaries move faster and at higher volume rather than produce genuinely new capabilities. Both observations should temper the hype.

Neither should be read as reassurance. Cybersecurity is already a speed contest, and AI shortens the attacker's side of it. If reconnaissance, phishing, exploit adaptation, and post-compromise scripting all get faster, the defender's window to detect and respond shrinks even when the underlying techniques look the same. There is a real tension in the source material here, and it is worth stating plainly: AI has clearly changed attacker economics, but how much it changes any given company's breach probability depends on whether that company's defenses can keep pace operationally. The World Economic Forum's 2026 outlook found that the overwhelming majority of surveyed leaders now see AI as the single most significant driver of change in cybersecurity. The pressure is real even if the mechanics are familiar.

How Attackers Use AI for Social Engineering

The most immediate enterprise risk is not exotic. It is AI-enabled social engineering, because the bottleneck in most campaigns has never been exploit engineering. It is believable interaction with people. The 2026 DBIR found the human element present in 62% of breaches, and ENISA's 2025 threat landscape places social engineering at roughly 60% of observed initial access. AI makes every part of that more scalable.

Spear phishing moves from boutique to mass production. The study cited at the top is the cleanest evidence: automated AI spear phishing matched human experts on click-through at a fraction of the cost. AI handles the research, drafts in fluent local language, infers the target's role, and tests message variants. The limiting factor stops being writing skill and becomes target data and delivery infrastructure. The volume numbers reflect that shift. Microsoft's threat intelligence reported roughly 8.3 billion email-based phishing threats in the first quarter of 2026 alone, with QR-code phishing up 146% in the same window and business email compromise accounting for millions of attacks. Hoxhunt has reported that the share of phishing attacks showing signs of AI generation rose sharply across late 2025, though vendor figures like these are best read as reported observations rather than settled measurements.

Voice and video join the email. Voice phishing, or vishing, has become one of the most effective channels because phone calls carry an implicit trust that inboxes have lost. AI voice cloning needs only a short sample to produce a convincing executive or help-desk voice in real time. Deepfake video has moved from demonstration to fraud: in a widely reported 2024 case, an employee at the engineering firm Arup authorized transfers totaling roughly $25 million after a video call populated with deepfaked colleagues. Synthetic media also defeats identity checks. In a case decided by the Amsterdam District Court in June 2026, a man used face-swap imagery to beat a bank's selfie-versus-ID onboarding check and opened dozens of fraudulent accounts, having used a chatbot to research how to bypass identity verification.

The help desk is now a primary target. Several of 2026's most damaging intrusions started with a phone call, not a payload. The ShinyHunters cluster vished employees and help desks for single sign-on and OAuth access, then exfiltrated CRM data and extorted victims. Scattered Spider used help-desk social engineering against UK retailers including Marks & Spencer, talking support staff into resetting credentials or removing MFA, then escalating to ransomware with major operational cost. The Silent Ransom Group ran invoice-themed emails followed by fake IT-support callbacks against US law firms, installing remote-access tools and stealing documents within an hour. In each case, AI-grade pretexts and the attacker's willingness to pick the channel with the weakest verification mattered more than any technical exploit.

How Attackers Use AI on the Technical Side

The technical half of the chain is changing too, though more slowly and with important limits.

Vulnerability research and exploit development get an accelerant. NCSC identifies AI-assisted vulnerability research and exploit development as the most significant near-term technical development to watch. AI can help triage disclosures, interpret patches, adapt proof-of-concept code, and write the glue code around an exploit. The practical effect lands first on n-day exploitation: the window between a patch being published and that vulnerability being weaponized keeps shrinking, which punishes slow patch cycles.

The capability is real but uneven, and overclaiming it costs credibility with a technical audience. Benchmarks like VulDetectBench show that current models do well at higher-level vulnerability identification and classification but poorly at detailed root-cause analysis, key functions, and trigger points. In other words, AI today is a junior-to-midlevel accelerator working under human supervision, not a standalone expert exploit developer.

Agentic workflows are emerging, with caveats. Research on multi-agent systems, where one agent plans and others specialize in tasks like SQL injection or cross-site scripting, has shown non-trivial success against real-world web vulnerabilities in controlled benchmarks. That is a meaningful signal about the direction of travel. It should be read carefully. As critical reviews of these testbeds point out, most lack active defenders, realistic enterprise noise, and messy dependencies, so the results indicate trajectory rather than predicting breach rates. Fully autonomous, end-to-end advanced intrusion remains unlikely in the near term, consistent with NCSC's assessment. The realistic picture is autonomous components, such as recon, phishing setup, exploit adaptation, and data triage, rather than autonomous campaigns.

The barrier to entry drops. Purpose-built malicious models marketed under names like WormGPT and FraudGPT strip the safety guardrails off language models and sell the result on criminal forums. They do not give a novice elite capability, but they lower the floor, which means more actors can produce decent phishing content and basic scripts without skill or scruples.

Why the Human and Technical Sides Reinforce Each Other

Treating "human" and "technical" risk as separate programs is the mistake AI punishes most, because AI links the two into a loop.

It runs like this. AI improves social engineering, which yields credentials, session tokens, OAuth grants, or a help-desk reset. That identity access opens up SaaS systems, cloud consoles, code repositories, and internal documentation, and at that point the attacker often does not need an exploit. Identity is the exploit. The internal context they collect, including org charts, email threads, vendor relationships, and ticket histories, makes the next round of social engineering far more credible, and AI can summarize that material and generate tailored pretexts in minutes. From there, vulnerabilities and misconfigurations expand the blast radius, and stolen data feeds extortion and fraud. A technical vulnerability becomes social engineering material; a social engineering success becomes a technical intrusion. AI reduces the friction at every handoff. The defensive implication is that identity, endpoint, help-desk process, and SaaS telemetry have to be managed as one connected problem.

Your Own AI Is a New Attack Surface

There is a second surface that phishing-focused coverage tends to skip: the AI your own organization is adopting.

The most discussed risk is prompt injection, where instructions hidden in content the model reads, such as a web page, a document, or an email, hijack its behavior. Indirect prompt injection is especially relevant once an AI agent is connected to tools. A chatbot that can only talk is an information risk. An agent that can read mailboxes, open tickets, query databases, or call cloud APIs is an execution risk, and the question shifts from "can the model say something wrong" to "what can the model do when manipulated."

Then there is shadow AI. The 2026 DBIR's findings on unsanctioned AI use are pointed: employees regularly use non-corporate AI accounts on work devices, and source code is among the most common data types submitted to external AI tools. Sensitive business context can leave the organization before security has any logging, retention, or contractual control in place. That makes AI governance a data-security issue, not just an innovation-policy one.

What Companies Can Do to Defend

None of this calls for panic, and none of it is solved by a single product. It calls for tightening the controls that AI-accelerated attacks press on hardest. The following is a practical order of operations.

Harden identity against AI-enabled social engineering

If identity is the exploit, identity is the priority. Roll out phishing-resistant MFA, such as passkeys or hardware security keys, for administrators, finance, help desk, developers, cloud operators, and executives first, and reduce dependence on SMS and push approvals that social engineering can defeat. Just as important is process: enforce out-of-band verification for help-desk password and MFA resets, control OAuth consent and device-code flows, and shorten session lifetimes. The CISA, NSA, FBI, and MS-ISAC guidance on stopping intrusions at initial access lands on the same point, that phishing is now an identity, SaaS, and help-desk control problem, not only an email problem.
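As an added example (not from the original article), the following check audits help-desk resets for the out-of-band verification step described above and escalates when an unverified reset is followed by a sign-in from an unknown device. The event schema, field names, sample events, and the 60-minute window are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "type": "mfa_reset", "user": "a.khan",
     "agent": "hd-07", "oob_verified": True},
    {"ts": "2026-03-02T09:20:00", "type": "signin", "user": "a.khan",
     "device_known": False},
    {"ts": "2026-03-02T10:05:00", "type": "password_reset", "user": "j.ortiz",
     "agent": "hd-03", "oob_verified": False},
    {"ts": "2026-03-02T10:12:00", "type": "signin", "user": "j.ortiz",
     "device_known": False},
    {"ts": "2026-03-02T11:00:00", "type": "mfa_reset", "user": "m.chen",
     "agent": "hd-03", "oob_verified": False},
    {"ts": "2026-03-02T15:30:00", "type": "signin", "user": "m.chen",
     "device_known": True},
]

RESET_TYPES = {"mfa_reset", "password_reset"}
WINDOW = timedelta(minutes=60)  # assumed correlation window


def review_resets(events):
    """Flag resets done without out-of-band verification.

    'high'   = unverified reset followed by a new-device sign-in within WINDOW
    'medium' = unverified reset with no such sign-in (process gap only)
    Verified resets are not flagged; a new device after one is expected.
    """
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    findings = []
    for i, e in enumerate(events):
        if e["type"] not in RESET_TYPES or e["oob_verified"]:
            continue
        t0 = datetime.fromisoformat(e["ts"])
        new_device = any(
            n["type"] == "signin"
            and n["user"] == e["user"]
            and not n["device_known"]
            and datetime.fromisoformat(n["ts"]) - t0 <= WINDOW
            for n in events[i + 1:]
        )
        severity = "high" if new_device else "medium"
        findings.append((severity, e["user"], e["type"], e["agent"]))
    return findings


if __name__ == "__main__":
    for finding in review_resets(EVENTS):
        print(finding)
```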

Rebuild vulnerability management around exploit speed

Because AI compresses the time from disclosure to exploitation, monthly patch cycles without compensating controls carry more real exposure than they used to. Maintain an accurate inventory of internet-facing assets, rank vulnerabilities by exploitability and active exploitation rather than raw CVSS, and define emergency and virtual-patching paths using WAF and EDR mitigations when immediate patching is not possible. Track the metric that matters: time from disclosure to verified exposure reduction.
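The sketch below is an added example, not part of the original article: it ranks findings by active exploitation, internet exposure, and exploit likelihood ahead of raw CVSS, and computes the disclosure-to-exposure-reduction time against a response target. The finding IDs, scores, dates, tier thresholds, and SLA hours are constructed assumptions; the likelihood and active-exploitation flags stand for whatever feeds you already consume.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Finding:
    vuln_id: str                 # constructed placeholder, not a real CVE
    cvss: float                  # raw severity score
    exploit_likelihood: float    # 0..1 from an exploit-prediction feed (assumed)
    actively_exploited: bool     # from a known-exploited catalogue (assumed)
    internet_facing: bool        # from the asset inventory
    disclosed: datetime
    exposure_reduced: Optional[datetime] = None  # patch or virtual patch verified


# Hypothetical response targets in hours; set these from your own policy.
SLA_HOURS = {"emergency": 24, "expedited": 72, "routine": 720}
ORDER = {"emergency": 0, "expedited": 1, "routine": 2}


def tier(f: Finding) -> str:
    if f.actively_exploited and f.internet_facing:
        return "emergency"
    if f.actively_exploited or (f.internet_facing and f.exploit_likelihood >= 0.5):
        return "expedited"
    return "routine"


def rank(findings):
    """Tier first, then exploit likelihood; CVSS only breaks remaining ties."""
    return sorted(findings,
                  key=lambda f: (ORDER[tier(f)], -f.exploit_likelihood, -f.cvss))


def exposure_hours(f: Finding, now: datetime) -> float:
    """Time from disclosure to verified exposure reduction (or to now if still open)."""
    end = f.exposure_reduced or now
    return (end - f.disclosed).total_seconds() / 3600


def overdue(findings, now):
    return [f.vuln_id for f in rank(findings)
            if exposure_hours(f, now) > SLA_HOURS[tier(f)]]


# Constructed sample data.
NOW = datetime(2026, 6, 10, 12, 0)
FINDINGS = [
    Finding("VULN-A", 9.8, 0.02, False, False, datetime(2026, 6, 1)),
    Finding("VULN-B", 7.5, 0.91, True, True, datetime(2026, 6, 8, 12, 0)),
    Finding("VULN-C", 8.1, 0.64, False, True, datetime(2026, 6, 9),
            datetime(2026, 6, 10)),
    Finding("VULN-D", 6.5, 0.30, True, False, datetime(2026, 6, 2)),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f.vuln_id, tier(f), round(exposure_hours(f, NOW)), "h")
    print("overdue:", overdue(FINDINGS, NOW))
```

In this sample the highest-CVSS finding ranks last because it is neither exposed nor exploited, which is the reordering the paragraph argues for.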

Govern enterprise AI use as data security

Inventory the AI tools actually in use, sanctioned or not, and control AI browser extensions and plugins. Define what data may be submitted to external models, require enterprise accounts with logging and retention controls, and extend data-loss monitoring to cover source code, secrets, and customer data flowing into GenAI tools.

Treat AI agents as privileged applications

Any AI system with access to email, files, code, cloud APIs, or workflow automation deserves the controls you would put on a privileged account: least privilege, scoped tools, rate limits, logging, and explicit human confirmation for high-impact actions. Test these systems for direct and indirect prompt injection before you connect them to anything that matters.
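One way to put those controls in front of an agent's tool calls, shown as an added example that is not from the original article: a gate that enforces tool scoping, per-tool rate limits, human confirmation for high-impact actions, and an audit log. The tool names, limits, addresses, and the lambda standing in for a human reviewer are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical tool names and limits; replace with the agent's real tool registry.
POLICY = {
    "search_tickets": {"high_impact": False, "max_per_minute": 30},
    "read_mailbox":   {"high_impact": False, "max_per_minute": 10},
    "send_email":     {"high_impact": True,  "max_per_minute": 5},
    "reset_mfa":      {"high_impact": True,  "max_per_minute": 1},
}


@dataclass
class ToolGate:
    granted: set                            # least privilege: tools this agent may call
    approver: Callable[[str, dict], bool]   # human confirmation for high-impact tools
    clock: Callable[[], float] = time.monotonic
    audit: list = field(default_factory=list)
    _calls: dict = field(default_factory=dict)

    def authorize(self, tool: str, args: dict) -> str:
        """Return 'allow' or 'deny:<reason>' and log every decision."""
        decision = self._decide(tool, args)
        self.audit.append({"t": self.clock(), "tool": tool,
                           "args": args, "decision": decision})
        return decision

    def _decide(self, tool, args):
        rule = POLICY.get(tool)
        if rule is None or tool not in self.granted:
            return "deny:not_in_scope"
        now = self.clock()
        recent = [t for t in self._calls.get(tool, []) if now - t < 60]
        if len(recent) >= rule["max_per_minute"]:
            return "deny:rate_limited"
        # Ask a person only after the cheap checks pass, so approvers are not flooded.
        if rule["high_impact"] and not self.approver(tool, args):
            return "deny:not_approved"
        self._calls[tool] = recent + [now]
        return "allow"


def demo():
    """Constructed tool calls, as a model steered by injected content might propose."""
    now = [0.0]
    gate = ToolGate(
        granted={"search_tickets", "read_mailbox", "send_email"},
        # Stand-in for a human reviewer: approves internal recipients only.
        approver=lambda tool, args: args.get("to", "").endswith("@corp.example"),
        clock=lambda: now[0],
    )
    proposed = [
        ("search_tickets", {"q": "vpn outage"}),
        ("reset_mfa", {"user": "cfo"}),                   # never granted to this agent
        ("send_email", {"to": "drop@external.example"}),  # reviewer declines
        ("send_email", {"to": "it@corp.example"}),
    ]
    results = [gate.authorize(t, a) for t, a in proposed]
    burst = [gate.authorize("read_mailbox", {"folder": "inbox"}) for _ in range(11)]
    now[0] = 61.0                                         # rate window has passed
    later = gate.authorize("read_mailbox", {"folder": "inbox"})
    return results, burst, later, gate.audit


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The gate sits outside the model, so its decisions hold regardless of what the prompt or retrieved content says.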

Use AI defensively, but validate its output

The same acceleration is available to defenders. AI helps with phishing analysis, alert triage, detection engineering, vulnerability prioritization, and incident summaries, and the point is to cut time spent on repetitive analysis, not to remove human judgment. Outputs still need verification, provenance, and accountability, particularly given the SOC-focused benchmarks showing that unguided models still miss most malicious activity in realistic threat-hunting tasks.

Move beyond annual awareness training

Training matters, but the research is honest about its limits. A meta-analysis of end-user security training finds a positive overall effect, with behavioral change smaller than the change in knowledge or attitude, and weak long-term evidence. The practical signals are familiar to anyone who runs a program: Fortinet's 2025 survey found that while 94% of organizations run regular training, only 6% achieve full completion and roughly 69% still feel their people lack adequate awareness. What moves behavior is point-of-error reinforcement, with one body of research associating just-in-time, point-of-failure training with around a 40% reduction in susceptibility. Pair training with the controls above, with easy reporting, and with verification workflows for payment changes and unusual requests, so that a single human mistake is not the whole defense.

What AI-Grade Spear Phishing Training Has to Simulate Now

That last point has a specific consequence. If attackers run personalized, multi-channel spear phishing for four cents a message, then training built around generic, link-only email tests is rehearsing for the wrong attack. Useful simulation in 2026 has to look like what people actually face: phishing personalized from real role and tooling context, voice and vishing scenarios including cloned-voice pretexts, and deepfake awareness. It has to scale difficulty realistically, measure behavior rather than only click rate, and trigger follow-up at the moment someone fails. Those criteria are a reasonable lens for evaluating the platforms below.

Top AI-Powered Spear Phishing Training Platforms

The platforms here all run phishing simulations with some degree of AI personalization. They differ in how far they extend beyond email, how they measure behavior, and how much they fit a broader compliance suite versus a focused simulation tool. Vendors are listed alphabetically. Verify current feature details and pricing directly, since these products change quickly.

Brightside

Brightside is a Swiss simulation-first platform built specifically around AI-era social engineering. Alongside structured courses, it runs AI-powered spear phishing simulations that personalize templates from a target's role, department, tools, and tenure, aligned to the NIST Phish Scale for difficulty. Its most distinctive piece is the AI vishing simulator, which generates a caller persona and opening message, recommends a social-engineering strategy built from tactics like pretexting and authority impersonation, and conducts a live, adaptive call using preset or cloned voices in English, French, German, and Italian. It also runs deepfake simulations and hybrid attacks that pair a live call with a tracked phishing email in one workflow, with a preview-before-launch option for admins. This makes it a strong fit for teams that want to rehearse email, voice, and deepfake attacks in one place, especially European buyers with multilingual needs.

Pros

  • Multi-vector simulation in one platform: AI spear phishing, live AI vishing, deepfake, and hybrid voice-plus-email

  • AI-generated caller persona, opening message, and recommended attack strategy reduce admin effort

  • Custom voice cloning and NIST-aligned difficulty for realistic, targeted scenarios

  • Multilingual (EN/FR/DE/IT) with Swiss data and compliance positioning

Cons

  • Course content is scripted rather than live AI, and there is no real-time behavioral monitoring or live feedback

  • Narrower training-content library and less HRM workflow breadth than the largest suites

  • Younger and smaller than the incumbent platforms, with less third-party market validation

Hoxhunt

Hoxhunt is an enterprise human risk platform known for adaptive, individualized phishing simulations and a gamified, behavior-change approach driven by a large training data set. It tunes difficulty to each user over time and connects reporting into SOC remediation workflows, which makes it appealing to large organizations that want to drive measurable improvement in reporting rates rather than just track clicks.

Pros

  • Strong adaptive personalization and difficulty tuning per user

  • Behavior-change focus with engagement and reporting-rate improvements

  • SOC-connected reporting and remediation workflows

Cons

  • Premium, enterprise-oriented positioning and pricing

  • Primarily email-centric; less specialized on live voice and deepfake simulation

  • Depth can be more than smaller teams need

KnowBe4

KnowBe4 is the largest security awareness platform by adoption, with a vast content and template library, broad language coverage, and AIDA, its AI-driven engine for more personalized, automated phishing campaigns. For organizations that want one established vendor covering compliance training, phishing simulation, and reporting at scale, its breadth and maturity are the main draw.

Pros

  • Very large content and phishing-template library with wide language coverage

  • Mature automation (AIDA) and extensive integrations

  • Broad compliance and awareness coverage in one suite

Cons

  • Breadth can come at the expense of realism, and some templates feel generic

  • Less specialized in live AI vishing and deepfake simulation

  • Large suite can be heavier to administer than a focused tool

Proofpoint

Proofpoint offers phishing simulation and adaptive learning as part of a broader human-centric security suite tied to its threat intelligence. Features like very-attacked-people identification and risk-based auto-enrollment let teams direct training toward the users most targeted in the wild, which is most valuable when an organization already runs Proofpoint email security.

Pros

  • Simulations informed by real threat intelligence and attacked-user data

  • Risk-based targeting and adaptive learning paths

  • Deep integration for existing Proofpoint customers

Cons

  • Greatest value is tied to adopting the wider Proofpoint stack

  • Less of a simulation-first, multi-vector specialist

  • Customization can be limited compared with focused tools

SoSafe

SoSafe is a European human risk platform built on behavioral science, with personalized phishing simulations, strong engagement design, and compliance breadth suited to NIS2 and DORA contexts. It is a solid fit for EU organizations that put regulatory alignment, manager workflows, and measurable behavior change across a large workforce first.

Pros

  • Behavioral-science-driven design with strong engagement

  • European scale and compliance alignment (NIS2, DORA)

  • Personalized simulations with manager-facing workflows

Cons

  • Less specialized in live voice and deepfake simulation vectors

  • Broad-suite focus rather than deep simulation realism

  • Some advanced capabilities depend on higher tiers

Choosing among these comes back to the criteria above. If the priority is rehearsing the full range of AI-grade social engineering, including voice and deepfakes, a simulation-first specialist will go deeper. If the priority is broad awareness content and compliance coverage for a large workforce, an established suite may fit better. Either way, the simulation is one control in a set, most effective when it sits behind phishing-resistant identity and fast exposure management rather than standing in for them.