
No tool exists that can precisely tell whether a phishing email was written by an AI chatbot. This is one of the depressing highlights of the Phishing Threat Trends Report, a study released Monday by cyber security company Egress.
Most detection tools utilize large language models (LLMs). But these tend to be most accurate with longer sample sizes — say, 250 characters.
But 44.9% of phishing emails do not meet that limit. And 26.5% fall below 500.
The result: 71.4% of attacks cannot be reliably detected.
“Without a doubt chatbots or large language models (LLM) lower the barrier for entry to cybercrime, making it possible to create well-written phishing campaigns and generate malware that less capable coders could not produce alone,” says Jack Chapman, vice president of threat intelligence, Egress.
Chapman adds: “Within seconds a chatbot can scrape the internet for open-source information about a chosen target that can be leveraged as a pretext for social engineering campaigns, which are growing increasingly common.”
Here’s another problem: 55.2% of phishing emails utilize obfuscation techniques to avoid detection.
Want to try this yourself? Here’s a little how-to on the popular techniques:
- Left-to-right override — This disguises attachment types or tricks NLP detection within body copy.
- Whitespace — Use a white font on a white background to disguise the characters in a phishing email.
- Homoglyphs (lookalike characters) — This uses similar or identical characters or exploits Unicode to mimic Latin characters.
- Image-based — This is where the body of the email is an image; no text is written in.
- Hijacking legitimate hyperlinks — The cyber felon hosts a malicious payload on a legitimate site or uses a legit website link to mask the ultimate destination.
- HTML smuggling — In this worst practice, the attacker ‘smuggles’ an encoded malicious script in an HTML attachment.
- Encoding — Content in an attachment is rendered unreadable by detection technologies.
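A defender-side check for four of the techniques listed above (bidirectional override characters, white text, homoglyphs and image-only bodies), as an added example that is not from the Egress report. The function names, indicator labels and sample messages are constructed for illustration, and the rules are heuristics rather than a complete filter.

```python
import html
import re
import unicodedata

# Unicode bidirectional controls (embeddings, overrides, isolates).
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Inline style that sets white text; the lookbehind skips "background-color".
WHITE_TEXT = re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b)", re.I)
TAG = re.compile(r"<[^>]+>")


def scripts_in(word):
    """Scripts used by the letters of word, taken from Unicode character names."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in word if ch.isalpha()}


def obfuscation_findings(subject, html_body, attachment_names=()):
    """Return a sorted list of obfuscation indicators found in one message."""
    findings = set()
    if any(ch in BIDI_CONTROLS
           for text in (subject, html_body, *attachment_names) for ch in text):
        findings.add("bidi-control")
    visible = html.unescape(TAG.sub(" ", html_body))
    for word in re.findall(r"\w+", subject + " " + visible):
        scripts = scripts_in(word)
        # Latin letters mixed with Cyrillic or Greek inside a single word.
        if "LATIN" in scripts and scripts & {"CYRILLIC", "GREEK"}:
            findings.add("mixed-script")
    if WHITE_TEXT.search(html_body):
        findings.add("white-text-style")
    if re.search(r"<img\b", html_body, re.I) and not visible.strip():
        findings.add("image-only-body")
    return sorted(findings)


# Constructed sample messages (not taken from the report).
CLEAN = ("Quarterly report", "<p>Please see the attached report.</p>", ("report.pdf",))
SUSPECT = ("Your p\u0430ypal account",  # U+0430 is Cyrillic "a"
           '<p>Verify now</p><span style="color:#ffffff">filler words</span>',
           ("invoice\u202etxt.doc",))
IMAGE_ONLY = ("Statement", '<html><body><img src="cid:body.png"></body></html>', ())

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("suspect", SUSPECT), ("image", IMAGE_ONLY)):
        print(name, obfuscation_findings(*msg))
```

Each indicator is a signal to weigh with other evidence, since white text and mixed scripts also occur in legitimate mail.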
This year, 54.5% of phishing emails got through secure email gateways, versus 42.3% in 2022. In addition, 38.8% have made it through Microsoft defenses, up from 31% last year, the study states.
Here are two more details:
- Phishing links to websites account for 45% of payloads, up from 35% in 2022.
- And, 34% of mail flow is “graymail,” which is tied to the number of phishing emails a person receives.
It’s not a pretty picture.