10 May 2026

AI Phishing: Email Filters Left in the Dark


The spear phishing email that passed through a mid-sized DACH company’s mail gateway last week was grammatically flawless, contextually precise, and contained not a single heuristic marker that Proofpoint, SpamAssassin, or Microsoft Defender would recognize as suspicious. It was written by an LLM, instructed by a threat actor with thirty minutes of research on the recipient’s role. The detection layer, built on pattern matching and URL reputation for twenty years, no longer catches such emails, and CISOs must rethink their architecture in 2026, rather than escalating filter updates.


Key Takeaways

  • Heuristics Break Down: LLM-rewritten phishing emails contain no typos, no template fingerprints, and no recurring phrases. Three of the most common detection layers (Gmail, SpamAssassin, Proofpoint standard profiles) lose 60 to 80 percent of their hit rate against AI phishing in independent tests.
  • URL Reputation No Longer Suffices: Attackers use fresh domains with valid certificates that are not yet in threat feeds at the time of the click. Those relying on URL reputation as a second layer have also lost that layer.
  • Behavioral Analytics is the New Mandatory Layer: Sender DNA, recipient behavior anomalies, and LLM-based classification on email content close the gap. Proofpoint, Mimecast, and Abnormal have built dedicated agents for this, with a response time of two seconds per email.


Where the Classic Mail Filter Fails Today

What is AI Phishing? AI phishing is a class of phishing attacks where content (emails, pretext, links, and attachments) is generated or rewritten by a large language model like GPT-5, Claude 4.7, or a fine-tuned open-source model. The goal is to evade pattern-based detection, which has been trained on typing errors, template fingerprints, and suspicious phrases for years.

The first independent tests from threat reports by Mimecast, Proofpoint, and Group-IB show a clear pattern. A handwritten phishing email is stopped by standard profiles with a 70 to 85 percent probability, while an LLM-rewritten variant of the same email is only stopped in 15 to 35 percent of cases. This is not a tuning problem but an architecture problem: the filters simply no longer see any suspicious markers.

Additionally, there is an asymmetry on the attacker's side. With thirty minutes of research on the recipient's role, a threat actor can generate fifty variants of the same pretext, each formulated slightly differently. Anyone who tries to catch this at the pattern level rather than the behavioral level loses on the arithmetic alone.

Threat Indicator
80 %
of social engineering emails in Q1 2026 were AI-supported, and the proportion is currently doubling every quarter. Detection response time must drop from minutes to seconds.
Source: Proofpoint State of the Phish 2026 + Mimecast Threat Intelligence Q1

What the New Detection Layer Really Needs

The detection architecture shifts to three parallel layers, each of which is necessary but not sufficient on its own.

Layer 1: Sender DNA

SPF, DKIM, and DMARC remain mandatory. Fresh domains, reputation fluctuations, and sender behavior changes are the early indicators that must now trigger immediately.

Layer 2: Behavioral Baseline

What does the sender usually write to whom, in what tone, with which attachments? Anomalies against the individual recipient baseline are the most important new detection lever.

Layer 3: LLM Classification

Specialized classification models (Proofpoint, Abnormal, Microsoft Defender for Office) read the email content itself and evaluate intent against the recipient’s behavioral baseline model.
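Layer 1 and Layer 2 reduced to a single scoring function, as an added example that is not code from the article or from any of the vendors it names: a per-recipient baseline of who normally writes to a mailbox, at what hours and with which attachment types, plus the sender checks (authentication result, domain age, urgency language). The mail history, field names, weights and thresholds are constructed assumptions.

```python
"""Behavioral-baseline scoring for inbound mail.
Added example, not code from the article or from any vendor product: Layer 1
(sender DNA) and Layer 2 (recipient baseline) reduced to one scoring function
over constructed mail metadata. Field names, weights and thresholds are assumed."""
from collections import defaultdict

# Constructed history of legitimate mail to one mailbox (not real data).
HISTORY = [
    {"from": "anna@partner.example", "to": "cfo@corp.example", "hour": 9, "att": ["pdf"]},
    {"from": "anna@partner.example", "to": "cfo@corp.example", "hour": 10, "att": ["pdf"]},
    {"from": "bob@corp.example", "to": "cfo@corp.example", "hour": 14, "att": ["xlsx"]},
    {"from": "bob@corp.example", "to": "cfo@corp.example", "hour": 8, "att": []},
]
URGENCY = ("urgent", "immediately", "today", "wire")   # the 'urgency' cue from training

def build_baseline(history):
    """Per (recipient, sender) pair: usual sending hours and attachment types."""
    base = defaultdict(lambda: {"hours": set(), "atts": set()})
    for m in history:
        b = base[(m["to"], m["from"])]
        b["hours"].add(m["hour"])
        b["atts"].update(m["att"])
    return dict(base)

def score(msg, baseline):
    """Return (anomaly score, reasons); higher means further from the baseline."""
    hits = []                                          # (points, reason) pairs
    b = baseline.get((msg["to"], msg["from"]))
    if b is None:                                      # Layer 2: no history at all
        hits.append((3, "first contact for this recipient"))
    else:
        if msg["hour"] not in b["hours"]:
            hits.append((1, "unusual sending hour"))
        hits += [(2, f"unusual attachment type: {a}") for a in msg["att"] if a not in b["atts"]]
    if msg["auth"] != "pass":                          # Layer 1: SPF/DKIM/DMARC result
        hits.append((3, "sender authentication not passing"))
    if msg["domain_age_days"] < 30:                    # Layer 1: fresh domain
        hits.append((2, "sender domain younger than 30 days"))
    if any(w in msg["subject"].lower() for w in URGENCY):
        hits.append((1, "urgency language in subject"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def triage(s):
    """Map the score to an action; thresholds are assumptions, tune per tenant."""
    return "quarantine" if s >= 5 else "flag" if s >= 3 else "deliver"
```

Note that a lookalike domain with a valid SPF record and a fresh certificate still scores as a first contact on a young domain, which is exactly the case URL reputation alone misses.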

The open question in most mid-market setups is not the tool choice, but integration. Anyone measuring sender DNA in the mail platform, behavioral analytics in the SIEM, and LLM classification in the EDR has three data silos that don’t talk to each other. This gap is precisely what the ITDR architecture shift describes: Identity detection as a central layer that looks across mail, endpoint, and cloud.

Who Will Upgrade First in 2026, and Who Will Wait

In the pilot setups of the past few months, three profiles have been notably quick to move. Insurers and financial service providers that already have to implement BaFin-driven MaRisk requirements and see the AI-phishing wave as a logical extension. Healthcare systems under external audit observation following the data leaks of 2024 and 2025. And IT service providers with clients in the public sector, whose contracts demand concrete response times for detecting spear phishing.

Three more profiles are moving slower than they should. Traditional medium-sized industrial companies without BSI-relevant supply chains that consider the mail filter update a cosmetic issue. Family-owned and owner-managed businesses that leave the matter to their external IT service provider. And IT maintenance departments that, in Outlook-centric setups, pursue a Microsoft-only strategy and thereby reduce their defense to a single layer with its own gaps.

These two movements will converge in 2026 with cyber insurance policies. Cyber insurers are now scrutinizing the detection stack in detail, and an unanswered questionnaire on mail-phishing defense will cost an additional 8 to 15 percent of the policy premium in 2026. The parallel pressure from the Linux kernel area, such as after the AI Agent Zero-Day discovery in May, is only accelerating this trend.

90-Day Plan for CISOs

Those who don’t want to wait can have a measurably better layer in one quarter.

90-Day Plan: Detection Against AI Phishing

  • Week 1 to 2: Measure the status quo. Check SPF/DKIM/DMARC coverage, analyze the quarantine rate of the last 90 days, and evaluate the employee click rate from the last phishing simulation. These are the baseline figures for the executive presentation.
  • Week 3 to 5: Introduce a behavioral layer. Pilot Abnormal, Proofpoint Nexus AI, or Mimecast CyberGraph on 200 mailboxes, with a 14-day learning phase, followed by a comparison against the classic filter.
  • Week 6 to 8: Integrate with SIEM and EDR. Bring sender DNA anomalies, behavioral triggers, and EDR process telemetry onto one detection platform, and test the correlation.
  • Week 9 to 12: Roll out to the entire organization, brief employees, and update the cyber insurance questionnaire. Establish a quarterly review.
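The week 1 to 2 measurement step, as an added example that is not the article's or any vendor's code: it grades the SPF and DMARC records of each sending domain and counts how many are actually enforcing. The domain names and records are constructed; in practice they would come from DNS TXT lookups of the domain and of _dmarc.<domain>.

```python
"""Week 1 to 2 status-quo check: grade SPF and DMARC records per domain.
Added example, not the article's or any vendor's code; records are constructed
strings, in practice they come from DNS TXT lookups of <domain> and _dmarc.<domain>."""
import re

# Constructed records for three example domains (not real DNS data).
RECORDS = {
    "corp.example": ("v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example; pct=100"),
    "sub.corp.example": ("v=spf1 include:_spf.mail.example ~all",
                         "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"),
    "legacy.example": ("v=spf1 +all", None),
}

def parse_dmarc(txt):
    """Tag=value map of a DMARC record, or None if the record is absent or invalid."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_all_qualifier(txt):
    """Qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'), or None without SPF."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.lower())
    return (m.group(1) or "+") if m else None      # a bare 'all' means '+all'

def grade(spf, dmarc):
    """Return (grade, findings): 'enforcing' needs SPF -all and DMARC p=reject."""
    findings, q, d = [], spf_all_qualifier(spf), parse_dmarc(dmarc)
    p = (d or {}).get("p", "none").lower()
    if q is None: findings.append("no SPF record")
    elif q in ("+", "?"): findings.append(f"SPF '{q}all' authorizes any sender")
    elif q == "~": findings.append("SPF softfail only")
    if d is None: findings.append("no DMARC record")
    elif p == "none": findings.append("DMARC p=none: monitoring only")
    elif p == "quarantine": findings.append("DMARC p=quarantine, not yet reject")
    if d is not None and "rua" not in d: findings.append("no rua: no aggregate reports")
    if q == "-" and p == "reject": return "enforcing", findings
    if q == "-" or p in ("quarantine", "reject"): return "partial", findings
    return "gap", findings

def coverage(records):
    """Domains per grade: the baseline figure for the executive presentation."""
    out = {"enforcing": [], "partial": [], "gap": []}
    for dom, (spf, dmarc) in records.items():
        out[grade(spf, dmarc)[0]].append(dom)
    return out
```

DKIM coverage is not gradable from a single record, since selectors are per sending service; count it from the Authentication-Results headers of the last 90 days instead.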

Frequently Asked Questions

Is it enough to update the existing mail gateway?

In most cases, no. Pattern-based filters need an architectural update to behavioral analytics, which is more than just a patch. Those relying on Proofpoint, Mimecast, or Microsoft Defender should actively enable their AI modules and take the learning phase seriously; otherwise, the second layer will remain idle.

What role does recipient training still play?

It remains important, but expectations must be adjusted. If the email is grammatically clean and contextually appropriate, employees do not recognize it as phishing. Training in 2026 should focus on behavioral anomalies (unusual requests, urgency, unusual channels), not on spotting typos.

How does AI phishing relate to NIS2 reporting requirements?

NIS2 requires an initial report within 24 hours of a significant incident. If a successful spear phishing attack is only detected after days due to a lack of behavioral analytics, the deadline is mechanically missed. This is an operational trigger, not just a compliance point.

What does a behavioral layer cost in the mid-market?

Market prices in 2026 for Abnormal, Proofpoint Nexus AI, and Mimecast CyberGraph range between 4 and 9 euros per mailbox per month in mid-market setups (200 to 2,000 mailboxes). That’s 9,600 to 216,000 euros per year, depending on size. Cyber insurers factor this into policy negotiations.

About the Author

Tobias Massow is CEO of Evernine Media GmbH and publisher of MBF Media Magazines. He observes detection reality through email, SOC, and CISO conversations that the magazine conducts daily and writes from this observation, not from tool marketing.

