Are Your Defenses Ready for AI-Powered Phishing?

With a career spent defending multinational corporations from the ever-evolving tactics of cybercriminals, Malik Haidar has a unique vantage point on the digital battlefield. His expertise lies where analytics, intelligence, and business strategy converge to form a robust defense against modern threats. Today, we delve into the new era of email security, exploring how artificial intelligence is no longer a futuristic concept but a core tool for attackers. Our conversation will cover the shocking acceleration of phishing campaigns, the rise of hyper-personalized and polymorphic attacks that change for each victim, and the insidious growth of link-less, conversational phishing. We’ll also examine how threat actors are co-opting legitimate tools and rapidly shifting domains, making it clear why the fight against phishing has moved from the network perimeter to the user’s inbox itself.

We’ve seen phishing detections more than double recently, with one now caught every 19 seconds. Beyond just volume, how is AI fundamentally changing the speed and tactical nature of these campaigns? Please share a specific example of this new velocity in action.

It’s a startling escalation, and you’re right to focus on the speed. We’ve moved from seeing a phishing email every 42 seconds just a year ago to one every 19 seconds now. This isn’t just an increase; it’s a complete change in operational tempo. Threat actors are no longer just experimenting with AI in isolated cases; they’ve integrated it as a core capability. Imagine a campaign that used to take days to craft and test. Now, AI can generate, test, and deploy thousands of variants in minutes. This means by the time a security team identifies and blocks one version of an attack, hundreds of others, each slightly different, have already been launched. The velocity is breathtaking and forces us to rethink our entire defensive posture.

With 76% of initial infection URLs now being unique, polymorphism is clearly the new standard. How does AI enable threat actors to dynamically alter elements like logos and wording for each victim? Can you walk us through how such a personalized attack is constructed?

Polymorphism is the new default, and it’s incredibly effective. The fact that three-quarters of the initial URLs we see are unique tells you everything. An attacker using AI can set up a campaign that scrapes publicly available data about a target company or individual. The AI then constructs the email on the fly: it might pull the correct company logo, use the right internal jargon, and dynamically alter the signature and wording to match a specific department’s style. The phishing website it links to is just as adaptive. We’ve seen campaigns where the site delivers a different payload depending on whether you access it from a Windows PC or a mobile device, or even serves up different spoofed brands based on your browser type. It’s no longer a one-size-fits-all lure; it’s a bespoke trap, custom-built for each click.

Conversational phishing, which relies on text alone without malicious links, now accounts for nearly a fifth of all attacks. How has AI’s ability to create flawless, localized language contributed to this rise? What does this mean for traditional email security filters that hunt for suspicious attachments?

This is one of the most significant shifts we’re seeing. That 18% figure for conversational attacks is deeply concerning because it represents a major blind spot for traditional security. For years, we trained filters to hunt for bad links, malicious attachments, or QR codes. These new attacks have none of that. Instead, AI generates a perfectly composed, grammatically flawless email in the local language, often mimicking the tone of a senior executive or a trusted colleague. It might be a simple “Are you available?” message that initiates a back-and-forth, building trust before making the fraudulent request. For a static, perimeter-based filter, there’s nothing to flag. The email looks clean, which is why this tactic, a hallmark of Business Email Compromise, has become so dangerously effective.

Detections of remote access tools surged over 100% last year, often involving legitimate software. How are attackers using AI and social engineering together to trick users into installing these tools, and what makes this approach so effective at bypassing traditional security controls?

The 105% annual increase in RAT detections is a testament to the attackers’ ingenuity. They’re not always using illicit malware; instead, they’re weaponizing legitimate software like ConnectWise or GoTo. The attack often starts with an AI-driven, socially engineered phone call or email, where the attacker poses as IT support for a non-existent issue. They then guide the user to download the legitimate remote access tool. Because the software itself is trusted and signed, it sails right past many security controls. Once the user grants access, the attacker has a direct line into the system. AI helps them automate and scale these campaigns, allowing them to manage a large number of infected systems simultaneously and efficiently.

The use of .es domains for credential phishing reportedly grew 19-fold in a single quarter. What makes a specific top-level domain suddenly so attractive to attackers, and what steps can organizations take to defend against these rapidly shifting TLD-based threats?

That 19-fold explosion in the use of .es domains is a perfect example of how quickly threat actors pivot. They are always looking for the path of least resistance. A specific TLD might suddenly become popular because of a lax registration policy, a temporary promotion making it cheap, or simply because it’s not yet on the radar of many security filters. They abuse one TLD until it gets a bad reputation and defenses adapt, then they move on to the next. For organizations, this means static blocklists are useless. You need an intelligence-driven approach that can identify and adapt to these rapid shifts, analyzing the reputation and context of domains in real-time rather than just blocking a TLD after it’s already been widely abused.

Malware-delivering phishing emails saw a 204% increase last year. Considering this, why is it critical to analyze threats after they’ve been delivered to an inbox? Please describe the role human validation and behavioral context play in catching what automated perimeter defenses miss.

That staggering 204% jump in malware-laden phishing underscores a critical truth: perimeter defenses are no longer sufficient. With AI making attacks so polymorphic and convincing, some will inevitably slip through. That is precisely why the analysis must happen after delivery, inside the inbox environment. This is where behavioral context becomes key. An automated system might miss a cleverly worded email, but a trained employee will sense that a request is unusual. Combining this human validation with technology that analyzes behavior—like who is emailing whom, about what, and at what time—exposes threats that static controls miss. It’s this combination of human instinct and post-delivery analysis that catches the most sophisticated attacks.
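One way to turn the post-delivery, behavioural checks Haidar describes (who emails whom, about what, at what time, plus the sudden-TLD-surge signal from the .es discussion above) into a simple inbox-side scorer, as an added example that is not part of the interview or any product. Every address, baseline count, threshold and sample message below is constructed for illustration.

```python
"""Post-delivery behavioural scoring for mail that already reached the inbox.
Constructed example: org 'acme.example', executives, baselines and messages
are all made up; thresholds are illustrative, not tuned."""
from collections import Counter
from datetime import datetime

# Constructed 90-day history: sender/recipient pairs that have talked before,
# and how many messages per TLD the organisation normally receives.
KNOWN_PAIRS = {("cfo@acme.example", "ap@acme.example")}
TLD_BASELINE = Counter({"example": 800, "com": 300, "es": 2})
EXECUTIVES = {"Dana Cruz": "cfo@acme.example"}  # display name -> real address
WORK_HOURS = range(7, 19)
LURE_PHRASES = ("are you available", "quick favour", "urgent")


def score_message(msg, recent_tlds):
    """Return (score, reasons); higher score = more suspicious.
    recent_tlds is a Counter of sender TLDs seen in the current window, so a
    surge is measured against baseline instead of a static TLD blocklist."""
    reasons = []
    sender, recipient = msg["from"].lower(), msg["to"].lower()
    tld = sender.rsplit(".", 1)[-1]
    # Executive display name paired with an address that is not theirs.
    if EXECUTIVES.get(msg["display_name"]) not in (None, sender):
        reasons.append("executive display-name/address mismatch")
    # First contact: this pair has no history of emailing each other.
    if (sender, recipient) not in KNOWN_PAIRS:
        reasons.append("first-time sender/recipient pair")
    # Volume of this TLD in the current window vs its baseline (ratio).
    if recent_tlds.get(tld, 0) / (TLD_BASELINE.get(tld, 0) + 1) >= 5:
        reasons.append(f"surge in .{tld} senders")
    # Link-less, conversational opener that asks for availability or a favour.
    body = msg["body"].lower()
    if "http" not in body and any(p in body for p in LURE_PHRASES):
        reasons.append("link-less conversational lure")
    if datetime.fromisoformat(msg["sent"]).hour not in WORK_HOURS:
        reasons.append("sent outside working hours")
    return len(reasons), reasons


# Constructed window: .es volume is 30 against a baseline of 2 (surge).
RECENT_TLDS = Counter({"example": 50, "com": 20, "es": 30})
SUSPICIOUS = {"from": "dana.cruz@acme-finance.es", "display_name": "Dana Cruz",
              "to": "ap@acme.example", "sent": "2024-05-03T22:15:00",
              "body": "Hi, are you available? I need a quick favour handled today."}
BENIGN = {"from": "cfo@acme.example", "display_name": "Dana Cruz",
          "to": "ap@acme.example", "sent": "2024-05-03T10:05:00",
          "body": "Please review the Q2 forecast at https://intranet.acme.example/q2"}
```

The scorer is a triage aid for a human reviewer, not a verdict: a message with several reasons is routed to a person, which is the human validation step the answer above describes.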

What is your forecast for phishing?

Looking ahead, I see phishing becoming even more deeply integrated with AI, leading to campaigns that are not just automated but truly autonomous. We will see attacks that learn and adapt in real-time based on a victim’s responses, changing tactics mid-conversation without human intervention. The line between a real and a fake interaction will become almost impossible to discern for the untrained eye. Consequently, our defense will have to shift from a purely preventative model to one of continuous, resilient detection and response, with a much greater emphasis on training our people to be the final, and most important, line of defense. The human element will be more critical than ever.
