September 29, 2025
At Black Sheep Support, we are constantly tracking the evolving tactics cybercriminals deploy against UK small and medium-sized enterprises (SMEs). In an increasingly sophisticated threat landscape, one of the most significant and worrying developments is the weaponisation of artificial intelligence (AI) by malicious actors. This isn't merely a theoretical concern; AI is already fundamentally reshaping the nature of cyberattacks, making them more convincing, scalable, and difficult to detect. Attackers are no longer just leveraging AI to craft grammatically perfect and contextually relevant phishing messages – they are also using it to embed and conceal malicious code within attachments in ways that bypass traditional security measures. Understanding these new threats and implementing robust, proactive defences is no longer optional; it's a critical imperative for every business operating in today's digital world.
The AI Revolution in Phishing: A Deeper Dive
The core problem is that AI provides cybercriminals with unprecedented capabilities. What once required significant human effort, skill, and time can now be automated and perfected by AI tools, making sophisticated attacks accessible to a broader range of malicious actors.
How AI Elevates Phishing Sophistication
- Hyper-Realistic Language Generation: AI models excel at generating natural language. This means phishing emails are no longer plagued by obvious grammatical errors or awkward phrasing that often served as red flags. AI can craft messages that perfectly mimic legitimate business communications, adopting specific tones, jargon, and even referencing real-world events or internal company structures if the AI has been fed relevant data.
- Contextual Impersonation: Beyond just language, AI can analyse vast amounts of public data (from social media, company websites, news articles) to create highly personalised phishing attempts. Imagine an email seemingly from a supplier, referencing a recent project or a specific employee's role, making it incredibly difficult to distinguish from genuine correspondence.
- Dynamic Content Creation: AI can generate multiple variations of a phishing email or landing page instantly, enabling attackers to conduct A/B testing to see which versions are most effective. This iterative improvement cycle means attacks constantly become more potent.
- Stealthy Code Obfuscation: As highlighted by recent Microsoft findings, AI isn't just about the message. Attackers are using AI to hide malicious code within seemingly innocuous files. In one campaign, hackers sent emails with an attachment that appeared to be a standard PDF. In reality it was an SVG file, an XML-based image format that browsers render and that can carry embedded JavaScript, and it was built to steal login credentials. Rather than the usual obfuscation that security tools are tuned to flag (base64 blobs, packed or minified code), the attackers encoded the malicious logic as sequences of ordinary business words such as "revenue", "shares", "operations" and "risk", which the file decoded when it was opened. To a casual reviewer, and to some automated scanners, the file looked like harmless corporate chart data. Microsoft assessed that the code was likely AI-generated because of its unusual verbosity and structure.
This isn't an isolated incident. Our recent article on PromptLock, the first known AI-powered ransomware, underscored how attackers are experimenting with AI to strengthen their entire attack chains. The SVG phishing campaign is yet another stark reminder that these powerful tools are being weaponised in new and deeply concerning ways, increasing the risk for UK SMEs significantly.
The Anatomy of an AI-Enhanced Attack
To truly grasp the threat, it's helpful to understand the flow of such an attack, as revealed in the Microsoft campaign:
- Initial Compromise: A small business email account was initially compromised, likely through an earlier, less sophisticated phishing attempt or weak credentials.
- Internal Phishing Launch: Phishing emails were then sent from that compromised account, borrowing its legitimacy: they passed every sender-authentication check because they genuinely came from the right mailbox. The message was addressed to the compromised mailbox itself, with the real targets quietly placed in the BCC field so that no recipient list was visible and a glance at the sent items looked unremarkable. This technique, known as "internal spear phishing", is highly effective because mail from a known internal or partner address is often trusted implicitly.
- Deceptive Attachment: The email included an attachment that claimed to be a six-page PDF but was actually an SVG file. SVG files are XML-based vector images, and because they are rendered by the browser they can contain JavaScript: the script runs when the file is opened directly (double-clicking a downloaded .svg opens it in the default browser on most machines), although not when the same image is merely displayed through an <img> tag or in most mail-client previews. That is why the lure needed the user to open the "document".
- Malicious Execution: When opened, the SVG file showed only blank charts, providing a plausible but ultimately misleading user experience. Meanwhile, hidden scripts silently redirected users to a fake login page, meticulously crafted to mimic a legitimate service (e.g., Microsoft 365, SharePoint, or a corporate VPN portal).
- Credential Harvesting: Unsuspecting users, believing they needed to re-authenticate to view the "document," entered their login details onto the fake page. These credentials were then harvested by the attackers.
- AI-Driven Obfuscation: The critical element here was how the malicious code was hidden. Instead of using typical obfuscation techniques that security tools might flag, the AI likely generated code that interspersed the malicious logic with common business terminology. This made the code appear as if it were a legitimate part of a business document or report, bypassing many automated content analysis systems.
This sophisticated multi-stage attack highlights how AI makes phishing more convincing at every step, from the initial email to the stealthy execution of the payload.
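The practical defence against the attachment stage is to judge a file by its content rather than by its name, and to treat any SVG that can run code as something a mailbox should never receive. The following script is an added example written for this article, not code from Microsoft's report or from the campaign: it sniffs the real type of an attachment from its first bytes, compares that with the extension, and, for anything that is really an SVG, looks for script elements, event handlers, javascript: URIs, foreignObject, location redirects and external references. It also counts quoted business words inside script bodies as a rough heuristic for the dictionary-style encoding described above; the vocabulary, the thresholds and the three sample attachments are all constructed for illustration and would need tuning before use at a gateway.

```python
"""Inspect an e-mail attachment before it reaches a user: does the content
match the claimed type, and if it is really an SVG, can it run code?
Added illustrative code; heuristics are assumptions, not a vendor's logic."""
import os
import re
from dataclasses import dataclass, field

# Patterns that show an SVG can do more than draw (assumed heuristics).
ACTIVE_CONTENT = {
    "script_element": re.compile(r"<\s*script\b", re.I),
    "event_handler":  re.compile(r"\bon[a-z]+\s*=", re.I),            # onload=, onclick= ...
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*[\"']\s*javascript:", re.I),
    "foreign_object": re.compile(r"<\s*foreignObject\b", re.I),        # can wrap HTML/iframes
    "redirect":       re.compile(r"\blocation\s*(?:\.\s*(?:href|replace|assign)|=)", re.I),
    "external_ref":   re.compile(r"(?:href|src)\s*=\s*[\"']https?://", re.I),
}
SCRIPT_BODY = re.compile(r"<\s*script\b[^>]*>(.*?)<\s*/\s*script\s*>", re.I | re.S)
QUOTED_WORD = re.compile(r"[\"']([A-Za-z]+)[\"']")
# Constructed vocabulary for the business-term heuristic (not Microsoft's list).
BUSINESS_TERMS = {"revenue", "shares", "operations", "risk", "profit",
                  "growth", "quarter", "dividend", "margin", "asset"}
EXTENSION_TYPES = {".pdf": "pdf", ".svg": "svg", ".zip": "zip"}


def sniff_type(data: bytes) -> str:
    """Identify the real type from content, ignoring the filename entirely."""
    head = data.lstrip()[:4096]
    if head.startswith(b"\xef\xbb\xbf"):            # strip a UTF-8 BOM
        head = head[3:]
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith((b"<?xml", b"<svg", b"<!--", b"<!DOCTYPE")):
        return "svg" if b"<svg" in head.lower() else "xml"
    return "unknown"


def dictionary_term_count(text: str) -> int:
    """Count quoted business words inside <script> bodies. A 'chart' whose
    script is full of them is the tell described in the article."""
    total = 0
    for body in SCRIPT_BODY.findall(text):
        total += sum(1 for w in QUOTED_WORD.findall(body) if w.lower() in BUSINESS_TERMS)
    return total


@dataclass
class Finding:
    filename: str
    claimed: str
    sniffed: str
    active_content: list = field(default_factory=list)
    dictionary_terms: int = 0

    @property
    def mismatch(self) -> bool:
        return self.claimed != "unknown" and self.claimed != self.sniffed

    @property
    def verdict(self) -> str:
        if self.sniffed == "svg" and self.active_content:
            return "block"          # a scriptable image has no place in a mailbox
        if self.mismatch:
            return "quarantine"     # the content lies about what it is
        return "allow"


def inspect_attachment(filename: str, data: bytes) -> Finding:
    claimed = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower(), "unknown")
    finding = Finding(filename, claimed, sniff_type(data))
    if finding.sniffed == "svg":
        text = data.decode("utf-8", errors="replace")
        finding.active_content = [name for name, rx in ACTIVE_CONTENT.items() if rx.search(text)]
        finding.dictionary_terms = dictionary_term_count(text)
    return finding


# Constructed samples for the demonstration; none were captured from the real campaign.
LURE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="800" onload="init()">
  <rect x="40" y="40" width="520" height="200" fill="none" stroke="#999"/>
  <text x="60" y="280">Q3 summary</text>
  <script><![CDATA[
    var dataset = ["revenue","shares","operations","risk","revenue","growth","margin","shares"];
    function init() { /* decode dataset, then ... */ location.href = "https://login.example.invalid/"; }
  ]]></script>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
REAL_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("Q3_Report.pdf", LURE_SVG), ("logo.svg", CLEAN_SVG), ("invoice.pdf", REAL_PDF)]:
        f = inspect_attachment(name, blob)
        print(f"{name}: claimed={f.claimed} actual={f.sniffed} active={f.active_content} "
              f"terms={f.dictionary_terms} -> {f.verdict}")
```

Run as a script it reports the lure as a PDF-named SVG carrying a script, an onload handler and a redirect, with eight business-word tokens in its script body, and blocks it; the genuine SVG logo and the real PDF are allowed. The type-versus-extension mismatch alone is enough to quarantine, and that check costs nothing, so it belongs at the gateway even where no SVG-specific rule exists.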
Proactive Defence Strategies for UK SMEs
While the threat is significant, UK SMEs are not powerless. Implementing a multi-layered defence strategy is crucial.
1. Fortify Your Email Gateways
Your email system is the primary entry point for phishing attacks. Robust configuration is non-negotiable. Be clear about what each control covers, though: SPF, DKIM and DMARC stop other people sending mail that claims to come from your domain, but they cannot flag mail from a genuinely compromised mailbox, which is exactly how the campaign above was delivered. They are a necessary layer, not the whole defence.
- SPF (Sender Policy Framework): Specifies which mail servers are authorised to send email on behalf of your domain. This helps prevent spammers from sending messages with forged "From" addresses in your domain.
- DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing emails, allowing the recipient's server to verify that the email was sent by an authorised server and that it hasn't been tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM, telling recipient servers how to handle emails that fail authentication checks (e.g., quarantine, reject) and providing reporting on these failures. Start at p=none to collect reports, then move to p=quarantine and finally p=reject once every legitimate sender (including marketing and invoicing platforms) is covered. A strict policy is one of the most effective ways to prevent impersonation and brand abuse, and it helps demonstrate the appropriate technical measures that UK GDPR expects of businesses handling personal data.
- Advanced Threat Protection (ATP): Utilise email security solutions that offer advanced features like sandboxing attachments, URL rewriting (to detect malicious links), and AI-driven anomaly detection to catch sophisticated phishing attempts that bypass basic filters. Make sure attachments are identified by their content rather than their extension, and block or quarantine SVG attachments outright unless your business has a genuine need to receive them by email; few SMEs do.
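A quick way to see whether your own records are actually strict is to pull them with `dig TXT yourdomain.co.uk` and `dig TXT _dmarc.yourdomain.co.uk` (or `nslookup -type=TXT ...` on Windows) and grade them. The script below is an added example for this article, not a tool from any vendor: it parses SPF and DMARC record strings and lists the weaknesses a practitioner would want fixed (a permissive `all` qualifier, too many DNS lookups, `p=none`, a partial `pct`, no reporting address, an unprotected subdomain policy). The records it checks are constructed on `example.invalid`; it takes record text as input so it runs offline, and the DNS lookup is left to the reader.

```python
"""Grade the SPF and DMARC TXT records a domain publishes.
Added example code; the sample records are constructed, not any real domain's."""
import re

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit of 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", re.I)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> list:
    """Return the problems with a DMARC record; an empty list means it is strict."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in t:
        issues.append("no rua= address: you receive no aggregate reports showing who spoofs you")
    if t.get("sp", policy).lower() == "none":      # subdomain policy inherits p= when absent
        issues.append("sp=none: subdomains can still be spoofed")
    return issues


def grade_spf(record: str) -> list:
    """Return the problems with an SPF record; an empty list means it is strict."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    issues = []
    terms = record.split()
    all_term = next((x for x in terms if x.lower().endswith("all")), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders are not explicitly rejected")
    elif all_term.lower() in ("+all", "all"):
        issues.append(f"'{all_term}': every host on the internet is authorised to send as you")
    elif all_term == "?all":
        issues.append("'?all': neutral result, receivers treat unlisted senders as untested")
    lookups = sum(1 for x in terms if LOOKUP_TERM.match(x))
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms: RFC 7208 allows 10, beyond that SPF permerrors")
    return issues


# Constructed records: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 a mx include:_spf.example.invalid +all"
STRICT_SPF = "v=spf1 include:_spf.example.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    for label, record, grader in [("weak SPF", WEAK_SPF, grade_spf),
                                  ("strict SPF", STRICT_SPF, grade_spf),
                                  ("weak DMARC", WEAK_DMARC, grade_dmarc),
                                  ("strict DMARC", STRICT_DMARC, grade_dmarc)]:
        print(f"{label}: {record}")
        for issue in grader(record) or ["no issues"]:
            print(f"  - {issue}")
```

The weak SPF record is flagged for `+all`, and the weak DMARC record for `p=none`, the missing `rua=` address and the inherited `sp=none`; both strict records come back clean. Reaching that clean state is the goal, but remember the caveat above: a perfect DMARC policy on your domain still says nothing about mail a compromised colleague's mailbox sends.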
2. Implement Strong Authentication
Even if credentials are stolen, a second layer of defence can prevent access.
- Multi-Factor Authentication (MFA): This is arguably the single most effective control against credential theft. MFA requires users to provide two or more verification factors to gain access to an account (e.g., something they know like a password, something they have like a phone or token, something they are like a fingerprint). Implement MFA on all critical business accounts, including email, cloud services (Microsoft 365, Google Workspace), VPNs, and financial applications. The UK's National Cyber Security Centre (NCSC) strongly advocates for MFA as a baseline security measure. Not all MFA is equal, though: SMS codes and simple push approvals can be relayed or fatigued into acceptance, and modern adversary-in-the-middle phishing kits proxy the real login page so that the victim completes MFA and the attacker keeps the resulting session. For email and administrator accounts, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, and review sign-in logs for sessions from unfamiliar locations after any suspected credential compromise.
3. Enhance Endpoint Security
Your devices are the last line of defence before an attack can cause damage.
- Next-Generation Antivirus (NGAV) / Endpoint Detection and Response (EDR): Go beyond traditional antivirus. NGAV and EDR solutions use AI and behavioural analysis to detect and block sophisticated threats, including fileless malware and ransomware, even if they've bypassed email filters.
- Regular Software Updates and Patch Management: Keep all operating systems, applications, and web browsers up to date. Exploits often target known vulnerabilities that have already been patched.
- Web Filtering: Implement solutions that block access to known malicious websites and categorise content, preventing users from inadvertently navigating to phishing sites.
4. The Human Firewall: Training and Awareness
Your employees are both your biggest vulnerability and your strongest defence.
- Comprehensive Security Awareness Training: Conduct regular, engaging training sessions for all staff.
- Recognising Red Flags: Teach employees to spot suspicious sender addresses, unexpected requests, and a manufactured sense of urgency. With AI-written lures, poor grammar is no longer a reliable signal (subtle inconsistencies can still exist, but their absence proves nothing), so the emphasis should move to the request itself: who is asking, why now, and why does viewing a document require signing in again.
- Attachment Scrutiny: Emphasise extreme caution with attachments, especially those with unusual file types (like SVG, ZIP, ISO) or from unexpected senders.
- Link Verification: Train staff to hover over links (without clicking) to reveal the true URL, to long-press for a preview on a phone, and to be wary of shortened links. Remind them that a sign-in page reached from an attachment or a link should be treated with the same suspicion as the email itself; when in doubt, open the service from a bookmark instead.
- Reporting Protocol: Establish a clear and easy process for employees to report suspicious emails immediately, without fear of reprimand. Encourage a culture of "if in doubt, report it."
- Simulated Phishing Exercises: Regularly test your employees with simulated phishing emails. This provides practical experience in identifying threats and helps reinforce training, identifying areas where further education is needed.
- Zero-Trust Mindset: Foster a culture where employees are encouraged to question unexpected requests, even if they appear to come from a trusted source, and verify them through an alternative, secure channel (e.g., a phone call to a known number, not replying to the email).
5. Robust Backup and Recovery
In the event of a successful attack, a solid backup strategy is your lifeline.
- Regular, Automated Backups: Implement automated backups of all critical data and systems.
- Offsite and Immutable Backups: Store backups offsite and ensure they are immutable (cannot be altered or deleted) to protect against ransomware encrypting or deleting your backups.
- Tested Recovery Plan: Regularly test your backup restoration process to ensure you can recover quickly and efficiently.
UK Regulatory Landscape and the Impact of Phishing
For UK SMEs, the consequences of a successful phishing attack extend beyond immediate financial loss or operational disruption.
- GDPR Compliance: A phishing attack often leads to a data breach, potentially exposing personal data of customers or employees. Under UK GDPR, this can result in significant fines (up to £17.5 million or 4% of global annual turnover, whichever is higher) and, where the breach is likely to pose a risk to individuals, mandatory reporting to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.
- Reputational Damage: A data breach can severely damage your business's reputation, eroding customer trust and leading to long-term financial repercussions.
- Cyber Essentials: The UK government-backed Cyber Essentials scheme provides a baseline of cybersecurity controls. Many of the proactive measures listed above (MFA, patch management, secure configuration) are core requirements of Cyber Essentials, demonstrating their importance in mitigating common cyber threats, including phishing. Adhering to Cyber Essentials not only protects your business but also demonstrates a commitment to security, often a requirement for government contracts and increasingly for private sector partnerships.
Partnering for Advanced Cybersecurity
For many UK SMEs, keeping pace with the rapidly evolving threat landscape, especially with AI-powered attacks, is a significant challenge. Internal IT teams may lack the specialised expertise or resources to implement and manage the necessary advanced security measures.
This is where partnering with a managed IT and cybersecurity provider like Black Sheep Support becomes invaluable.
- Expert Analysis and Guidance: We track the latest cyber threats, including AI-driven phishing, and provide tailored advice on how to protect your specific business. If you receive a suspicious email, you can forward it to us for safe analysis.
- Proactive Security Implementation: We can implement and manage advanced security controls like SPF, DKIM, DMARC, next-gen email filtering, and MFA across your organisation.
- Staff Training and Awareness: We develop and deliver effective cybersecurity awareness training programs and conduct simulated phishing exercises to build your "human firewall."
- 24/7 Monitoring and Incident Response: Our team can provide continuous monitoring of your systems for suspicious activity and offer rapid incident response in the event of a breach, helping to minimise damage and recovery time.
- Compliance Support: We help ensure your cybersecurity posture aligns with UK regulatory requirements like GDPR and Cyber Essentials.
Together, we can ensure that AI works for your business, enhancing productivity and innovation, rather than being weaponised against it.
Key Takeaways
- AI is a game-changer for cybercriminals: It enables more convincing, scalable, and harder-to-detect phishing attacks, both in message content and malicious code obfuscation.
- Multi-Factor Authentication (MFA) is non-negotiable: It's your strongest defence against stolen credentials. Implement it everywhere, and use phishing-resistant methods (security keys or passkeys) for email and admin accounts.
- Email authentication (SPF, DKIM, DMARC) is vital: These protocols prevent domain impersonation, a common tactic in sophisticated phishing.
- The human element is crucial: Regular, effective staff training and simulated phishing exercises are essential to build a vigilant workforce.
- Advanced endpoint and email security: Go beyond basic antivirus; utilise solutions with AI-driven threat detection and sandboxing.
- UK SMEs face specific compliance risks: A successful phishing attack can lead to GDPR breaches, ICO fines, and reputational damage. Adhere to Cyber Essentials.
- Don't go it alone: Partnering with a specialist cybersecurity provider offers expert guidance, proactive defence, and rapid response capabilities.
To take the next step
