When AI Turns Insider: 2026’s Fastest-Learning Phishing Crew

A 2024 MITRE ATT&CK-style phishing exercise at a large enterprise showed that the first successful lure did not need to be clever; it only needed to look like the employee’s normal workflow. That should worry you more than the usual “AI makes phishing better” headline, because Foresiet’s 2026 incident roundup points to something nastier: attackers are now using AI to rewrite lures mid-campaign, in real time, based on who opens, who replies, and what role the target actually has.

That changes the game. Static phishing templates and annual awareness slides were already weak against Microsoft 365, Okta, and Google Workspace environments where identity is the real perimeter. They look downright quaint when the malicious email can borrow your project names, your ticketing language, and your manager’s tone before you finish your coffee.

AI phishing is now adaptive identity abuse

Foresiet’s 2026 write-up describes attackers using AI to tune lures after every interaction, which means the message in your inbox is no longer a fixed artifact. It is a moving target. That matters because the old detection model assumed phishing was repeatable, noisy, and easy to catch with signatures. LLMs killed that assumption by making personalization cheap.

The practical example is ugly but simple. A finance employee clicks a fake invoice link, the attacker learns the vendor name, then the next message references the real ERP workflow, the right approver, and the exact month-end cadence. That is not “better spam”; it is workflow impersonation. If your controls still key off bad grammar, awkward tone, or known-bad subject lines, you are defending against 2017 with a 2026 budget.

The real target is the session, not the inbox

The most dangerous part of these campaigns is not the email itself. It is the credential, token, or session that falls out the other side. Midnight Blizzard/Nobelium proved in 2024 that legacy authentication gaps and weak tenant hygiene can hand attackers access to corporate email and source code without any cinematic zero-day drama. The same lesson applies here: once a user is nudged into a fake login or OAuth consent flow, the inbox is just the delivery truck.

That is why the detections that still matter are the boring ones: impossible travel for fresh sessions, anomalous OAuth grants, token replay, mailbox rule creation, and sign-ins from infrastructure that does not match the user’s normal device posture. Microsoft Defender for Office 365, Okta, and Google Workspace all give you telemetry that matters more than the content of the lure. If your threat model stops at the message body, it is not a threat model; it is a filing system.

Static email rules are losing to dynamic content

Traditional mail gateways and regex-heavy filters were built for known bad indicators: domains, attachments, URLs, and a few cursed keywords. AI-generated phishing breaks that model by mutating wording, structure, and even attachment text fast enough to evade brittle rules. ProxyShell in Microsoft Exchange was a different class of problem, but it taught the same lesson: once attackers can chain weaknesses faster than defenders can patch assumptions, the calendar becomes their ally.

The non-obvious point is that content inspection is now a support control, not the main event. You still want SPF, DKIM, DMARC, URL rewriting, sandboxing, and attachment detonation, but the better signal is behavioral: who is asking for what, at what time, through which channel, and whether that request matches prior business context. A fake “urgent DocuSign” email is less interesting than a new sender asking for a session reset followed by a mailbox rule and a forwarding address to an external domain. That sequence is the smoke.

What still works when every lure is rewritten

You need detections that survive message mutation. Least privilege, segmented admin paths, and audit logs are still the cheapest wins because they limit what a phished identity can touch after compromise. If your users can approve payments, reset MFA, and grant app access from the same account, the attacker only needs one convincing paragraph and a browser.

Red-team your own AI integrations too, because the same LLMs helping your analysts can be abused to generate internal-looking lures, malicious support chats, and convincing helpdesk scripts. If your threat model does not include your own supply chain, your SaaS integrations, and the prompts sitting inside them, you are leaving the side door open and calling it innovation. Apache Struts CVE-2017-5638 and the Equifax breach were a reminder that one overlooked path can expose 147 million records; AI phishing just makes the overlooked path look more polished.

Bottom line

Foresiet’s 2026 incidents are not a warning about “smarter phishing” in the abstract; they are proof that identity abuse now adapts faster than user training ever will. The controls that still matter are the dull ones: session telemetry, least privilege, segmentation, and logs that tell you when a message became an access event. Start by hunting for anomalous OAuth grants, mailbox rule creation, token replay, and sign-ins that do not match the user’s normal device posture. Then make sure the people who can approve payments, reset MFA, or grant app access are not all sitting in the same blast radius.