Overview

The widespread availability of uncensored large language models (LLMs) has fundamentally altered the threat landscape for phishing attacks. Campaigns previously limited to sophisticated actors with native English-speaking team members now achieve near-perfect language quality at any volume, collapsing the traditional grammar-error detection heuristic.

What Has Changed

Before LLM-assisted phishing:
  - Grammar and spelling errors were reliable, if low-confidence, indicators
  - Personalisation was limited to name/company insertion via bulk templates
  - Campaign production required skilled social engineers

After LLM-assisted phishing:
  - Grammatically flawless, culturally appropriate content at any language/locale
  - Deep personalisation from OSINT (LinkedIn, company websites, press releases)
  - Non-technical actors can produce polished, convincing lures in minutes

Observed Campaigns

Researchers have identified campaigns using LLM-generated content for:
  - Business Email Compromise (BEC): CFO impersonation emails referencing real recent transactions scraped from public sources
  - IT helpdesk impersonation: Password reset and MFA enrollment lures indistinguishable from legitimate IT communications
  - Executive spear-phishing: Emails referencing real board members, upcoming events, and accurate org structure

Detection Strategies

Traditional filters relying on grammar analysis are largely ineffective. Effective countermeasures include:

  1. DMARC/DKIM/SPF enforcement: Reject unauthenticated email at the gateway — LLM quality doesn't help if the domain is wrong.
  2. Link and attachment sandboxing: Behaviour-based analysis of payloads rather than content analysis of lure text.
  3. User training reframing: Shift from "look for errors" to "verify via secondary channel for any sensitive request."
  4. AI-based detection: Vendors (Abnormal Security, Material Security) use LLMs to detect LLM-written phishing by analysing structural and metadata signals.
  5. Hardware MFA: Phishing-resistant FIDO2/passkeys eliminate credential theft as a phishing outcome.
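Item 1 is the control that lure quality cannot touch, so it is worth seeing exactly what "reject unauthenticated email" means at a gateway. The following DMARC disposition check is an added example written for this page; it is not code from ThreatPulse or from any vendor named above. It assumes the sending domain's DMARC record and the gateway's own Authentication-Results header are supplied inline (constructed samples below), and it simplifies organisational-domain derivation to the last two labels where a real gateway would consult the Public Suffix List; pct sampling is not applied.

```python
"""Gateway-side DMARC disposition (added example, not from the original page).

Decides accept / quarantine / reject / none from the From-domain's DMARC policy
and the results the gateway already recorded in Authentication-Results.
Assumptions: DMARC TXT and message are passed in as strings (constructed
samples below); org-domain derivation is simplified to the last two labels.
"""
import email.utils
import re
from email import message_from_string


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {}  # no usable policy published
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain (assumption: last two DNS labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_auth_results(header: str) -> list:
    """Turn an Authentication-Results header into (method, result, props) tuples."""
    results = []
    body = header.split(";", 1)[1] if ";" in header else ""  # drop authserv-id
    for clause in body.split(";"):
        match = re.match(r"(\w+)=(\w+)(.*)", clause.strip())
        if not match:
            continue
        method, result, rest = match.groups()
        props = dict(re.findall(r"([\w.]+)=([\w.@-]+)", rest))
        results.append((method.lower(), result.lower(), props))
    return results


def dmarc_disposition(raw_message: str, dmarc_txt: str) -> str:
    """Return 'accept', 'quarantine', 'reject', or 'none' (no policy / p=none)."""
    msg = message_from_string(raw_message)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    policy = parse_dmarc_record(dmarc_txt)
    if not policy:
        return "none"
    for method, result, props in parse_auth_results(msg.get("Authentication-Results", "")):
        if result != "pass":
            continue
        if method == "dkim" and aligned(from_domain, props.get("header.d", ""), policy["adkim"]):
            return "accept"  # DKIM pass on an aligned signing domain
        if method == "spf":
            mailfrom_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
            if aligned(from_domain, mailfrom_domain, policy["aspf"]):
                return "accept"  # SPF pass on an aligned envelope domain
    # Nothing aligned and passing: apply the published policy.
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "none")


# Constructed samples: one legitimate message, one lookalike-domain spoof whose
# own DKIM signature passes but is not aligned with the visible From domain.
MSG_LEGIT = """From: Finance <cfo@example.com>
To: ap@example.com
Subject: Q3 invoice approval
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=cfo@bounce.example.com; dkim=pass (2048-bit key) header.d=example.com

Please approve the attached invoice.
"""

MSG_SPOOF = """From: "CFO" <cfo@example.com>
To: ap@example.com
Subject: Urgent wire before close of business
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounce@examp1e-mail.com; dkim=pass header.d=examp1e-mail.com

Please process the wire today.
"""

DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none"

if __name__ == "__main__":
    for label, msg in (("legit", MSG_LEGIT), ("spoof", MSG_SPOOF)):
        print(label, "p=reject ->", dmarc_disposition(msg, DMARC_REJECT),
              "| p=none ->", dmarc_disposition(msg, DMARC_MONITOR_ONLY))
```

Two things stand out when this runs. The spoof carries a valid DKIM signature, yet it is rejected, because DMARC binds authentication to the visible From domain through alignment rather than trusting whichever domain signed. And the same spoof sails through under `p=none`, which is why the strategy above says enforcement: a monitoring-only record produces reports but never a rejection.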

Source: ThreatPulse intelligence synthesis from 20 years of historical threat data.