A malicious phishing email now reaches organizations every 19 seconds, a clear indicator of how artificial intelligence (AI)-based tools and techniques redefined cybercrime in 2025.
New threat intelligence from Cofense showed this pace more than doubled from one attack every 42 seconds in 2024, suggesting a substantial change in how email-based threats operate at scale.
The report highlighted the way AI tools have shifted from being an experimental capability for attackers to core infrastructure. This enables them to perform automated reconnaissance, generate realistic content, and rapidly adjust campaigns after delivery.
The transition has turned phishing from a relatively intermittent problem into a constant, adaptive threat that puts traditional email security models at risk.
Attackers also increasingly relied on publicly available information like social media-generated content and organizational data, to customize messages for individual victims. Combined with AI-generated language, these emails lack the spelling errors and generic phrasing that once made phishing easier to spot.
Five Trends Defining AI-Powered Phishing in 2025
In their new report published on Wednesday, Cofense identified several patterns that illustrate how automated tools are changing phishing operations:
- 76% of initial infection URLs were unique, and 82% of malicious attachments had distinct file hashes, reducing the effectiveness of signature-based detection.
- The same phishing site can deliver Windows executables, macOS installers, or mobile credential-harvesting pages based on a visitor’s device and browser.
- Text-only phishing now accounts for 18% of malicious emails, fueling business email compromise (BEC) campaigns that impersonate colleagues or executives.
- The use of trusted remote access software increased by 900% by volume, allowing attackers to blend into normal IT activity.
- Credential phishing using .es domains grew 51 times year over year, moving the domain from 56th to the third most abused top-level domain.
Josh Bartolomie, Chief Security Officer at Cofense, said AI has fundamentally altered phishing economics. “Threat actors are now using AI as core infrastructure, not just to craft highly personalized emails, but to dynamically adapt phishing pages based on the victim’s device, generate thousands of unique variants of the same attack, and manage infected systems at scale.” Bartolomie said, commenting on the report..
“Traditional perimeter defenses can’t keep pace with threats that shape-shift after delivery. Organizations need post-delivery visibility, human intelligence, and context-aware detection to identify and remediate what gets through.”
