Detecting AI-generated phishing emails with Egress Defend

Cybercriminals can use chatbots to write phishing emails, which Egress Defend can detect in the same way that it detects ones written by people.
by Jack Chapman
Published on 27th Feb 2023

With the launch of ChatGPT, concerns have been growing around the use of AI in phishing.

The concerns are founded: AI can write phishing emails. It’s not the only tool in a hacker’s toolkit either - cybercriminals can use many different technologies to build a phishing campaign and send phishing emails. Many, like chatbots, are widely available for consumer and business use.

AI chatbots can help cybercriminals to scale the production of phishing emails and, as ChatGPT has shown, these can be well written and formatted. They can also generate new payloads to evade signature-based detection.

The good news for our customers, however, is that it doesn’t matter whether a phishing email is written by a person or a chatbot: it is made up of the same building blocks. These building blocks include everything about the email, including how it is sent, the text within it, and the payload. As a result, Egress Defend’s intelligent detection capabilities work in exactly the same way.

AI will use the same tactics and linguistic techniques that a person can. Every phishing campaign will include a request, often in the first email sent - whether that’s clicking a link, opening an attachment, paying an invoice, sharing credentials, etc. Frequently this request will be unexpected and not something the sender would normally ask. A common social engineering tactic is to pressure the target into taking that action, for example by using words like “urgent” and stating a consequence for not complying. Salutations, sign-offs, and other language choices might also not align with normal behavior, particularly if the phishing email is sent from a compromised legitimate email address.

Additionally, an AI-generated email will need to be sent in exactly the same way as one authored by a person. In tandem with its linguistic analysis, Defend inspects the technical markers of every inbound email for indicators of risk such as newly created or spoofed domains.

Our commitment to our customers also remains: we will continue to innovate, so that Defend protects their organizations against current and future threats.