Full Report
AI tools can help attackers to develop and launch more attacks, more frequently, and to make these attacks more evasive, convincing and targeted. But to what extent are they doing these things?
Analysis Summary
# Tool/Technique: AI-Assisted Phishing/BEC Attacks
## Overview
This entry covers the use of generative Artificial Intelligence (AI), specifically Large Language Models (LLMs), by cyber attackers to create and launch more frequent, evasive, convincing, and targeted email-based threats, including spam and Business Email Compromise (BEC).
## Technical Details
- Type: Technique (Leveraging external AI tools)
- Platform: Email systems (targeting recipients across various platforms)
- Capabilities: Generating high-quality text content, improving linguistic sophistication, refining communication tactics, and increasing attack volume.
- First Seen: Increased adoption noted after the public release of ChatGPT in November 2022.
## MITRE ATT&CK Mapping
*(As the report discusses the adoption of a capability rather than a specific threat tool, primary mappings focus on the resulting communication/delivery aspects.)*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- T1566.003 - Email Collection (potentially aiding targeted content development)
- T1067 - Defense Evasion (by creating more fluent/professional content that bypasses language heuristics)
## Functionality
### Core Capabilities
- **Increased Volume:** AI enables the mass generation of emails, significantly increasing the sheer quantity of spam distributed.
- **Linguistic Improvement:** Generates emails exhibiting higher levels of formality, greater linguistic sophistication, and fewer grammatical errors than human-written malicious emails; this is especially beneficial for non-native-speaking attackers targeting English-speaking regions.
- **Testing/Refinement:** Attackers use AI to test wording variations (similar to A/B testing) to maximize effectiveness against detection systems and recipient engagement.
### Advanced Features
- **Enhanced Credibility:** The professional and error-free nature of AI-generated text makes malicious emails appear more credible and trustworthy, potentially fooling recipients who might otherwise treat poor grammar as a warning sign.
- **Targeted Content:** While urgency tactics remained consistent, AI is being used to refine the *wording* of BEC requests to better target senior personnel.
## Indicators of Compromise
*(Note: Since this describes a technique leveraging external LLMs, specific IoCs relate to the resulting email artifacts, not the LLM environment itself.)*
- File Hashes: N/A (Focus is on text content)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The technique itself does not define C2; the *resulting* phishing emails would contain malicious links or attachment fingerprints.)
- Behavioral Indicators: Emails exhibiting unusually high linguistic fluency, formal structure, and high volume/low human review (particularly in spam).
## Associated Threat Actors
- General cybercriminals (across both high-volume spam operations and targeted BEC actors).
## Detection Methods
- **Signature-based detection:** Traditional reliance on known malicious links or files is insufficient.
- **Behavioral detection:** Advanced email security solutions employing **AI/ML-enabled, multilayered detection** are crucial to identify stylistic and structural differences indicative of LLM generation.
- **YARA rules:** Not explicitly mentioned, but LLM-generated text patterns could theoretically inform future rule development.
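As an added illustration of the multilayered idea above (example code, not from the report or any vendor product), the following Python scores an email on the intent cues the report says persist in BEC (urgency, a financial request, secrecy) and adds one stylistic feature, sentence-length burstiness, as a weak supporting signal rather than relying on grammar errors. The sample messages, cue lists and weights are constructed here for illustration.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample messages (not from the report) used to exercise the scorer.
FLUENT_BEC = (
    "Good morning. I trust this message finds you well. I am currently in a board "
    "meeting and cannot take calls. Please process the attached wire transfer of "
    "$48,500 to the new vendor account before close of business today. This is "
    "time-sensitive and confidential, so kindly handle it personally and confirm "
    "once completed."
)
ROUTINE_INTERNAL = (
    "Hi all, quick reminder that the Q3 planning deck is due Friday. Ping me if "
    "you need the template. Thanks!"
)

# Hypothetical cue lists; a production system would use curated, localised lists.
URGENCY_CUES = ("urgent", "immediately", "before close of business", "time-sensitive", "asap", "today")
FINANCIAL_CUES = ("wire transfer", "payment", "invoice", "bank account", "gift card", "vendor account")
SECRECY_CUES = ("confidential", "do not discuss", "handle it personally", "keep this between")

@dataclass
class EmailFeatures:
    sentence_count: int
    mean_sentence_len: float
    burstiness: float  # stdev / mean of sentence lengths; very uniform pacing is a weak stylistic hint
    urgency: int
    financial: int
    secrecy: int

def extract_features(text: str) -> EmailFeatures:
    """Split into sentences, measure pacing, and count intent cues (case-insensitive substring hits)."""
    sentences = [s for s in re.split(r"[.!?]+\s*", text) if s.strip()]
    lengths = [len(s.split()) for s in sentences]
    mean = statistics.fmean(lengths) if lengths else 0.0
    stdev = statistics.pstdev(lengths) if len(lengths) > 1 else 0.0
    low = text.lower()
    def count(cues):
        return sum(low.count(c) for c in cues)
    return EmailFeatures(len(sentences), mean, (stdev / mean) if mean else 0.0,
                         count(URGENCY_CUES), count(FINANCIAL_CUES), count(SECRECY_CUES))

def bec_risk_score(text: str) -> int:
    """Intent cues carry the weight; the stylistic feature only nudges the score (assumed thresholds)."""
    f = extract_features(text)
    score = 2 * min(f.urgency, 2) + 3 * min(f.financial, 2) + 2 * min(f.secrecy, 2)
    if f.sentence_count >= 3 and f.burstiness < 0.35:  # unusually even sentence lengths
        score += 1
    return score
```

Run on the two constructed samples, the BEC-style message scores well above the routine note because all three intent cues fire together, which is the combination a triage rule would escalate for human review.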
## Mitigation Strategies
- **Advanced Email Security:** Implementing advanced email security solutions equipped with multilayered, AI/ML-enabled detection capabilities.
- **Security Awareness Training:** Investing heavily in training to help employees recognize the latest threats, emphasizing the subtle professional polish that AI can lend to scams.
- **Reporting:** Encouraging employees to report suspicious emails.
## Related Tools/Techniques
- Generative AI (LLMs) utilized generically for content creation.
- Spearphishing (T1566).
- Business Email Compromise (BEC).