Security filters caught one phishing email every 19 seconds in 2025, more than double the rate a year previously, Cofense has revealed.
AI technology is helping threat actors to increase the speed and scale of attacks, to the point where detected phishing emails last year far outstripped 2024 figures of one every 42 seconds, the cybersecurity firm claimed.
The security vendor’s latest report, The New Era of Phishing: Threats Built in the Age of AI, is based on its own threat intelligence.
“Threat actors no longer experiment with AI in isolated ways. Instead, they use it as a core capability to generate, test, and deploy phishing campaigns at scale,” the report warned.
“The result is phishing that is faster, more adaptive, and more convincing than ever before, giving rise to polymorphic, multi-channel campaigns that continuously change their appearance while preserving the same malicious intent.”
Read more on phishing: AI-Generated Code Used in Phishing Campaign Blocked by Microsoft.
AI is helping threat actors in several ways, the report claimed. Most obvious is the ability it gives them to compose emails in near-flawless local languages.
Cofense said that “conversational” phishing emails (ie those not including malicious attachments, QR codes or links) accounted for 18% of the total. That speaks to the growth of business email compromise (BEC) attacks.
Other trends include:
- Highly personalized campaigns: Cofense observed a rise in campaigns where the same phishing website delivered different payloads depending on the type of machine/device it was accessed from. AI might also be helping campaigns to serve up different spoofed brands depending on the browser, or optimize credential harvesting pages specifically for mobile users, among other things
- Polymorphism by default: AI is helping threat actors to dynamically alter logos, signatures, wording, and URLs and files according to the specific victim. Three-quarters (76%) of initial infection URLs identified by Cofense were unique. AI is also scraping publicly available data from the web in order to personalize attacks
A Surge in RATs
Cofense also reported a 105% annual increase in detections of legitimate and malicious remote access tools (RATs) in 2025.
Software like ConnectWise ScreenConnect and LogMeIn’s GoTo Remote Desktop can be used to bypass traditional security. It is often combined with social engineering, whereby a user is tricked into downloading the tool to give an attacker access to ‘fix’ a non-existent issue.
“To continue to execute campaigns involving a large number of systems infected by legitimate RATs, threat actors increasingly rely on automation and AI in their workflows,” the report noted.
Another trend is of attackers flocking to the .es TLD for credential phishing. Cofense observed use of .es domains in these attacks increase 19-fold from the fourth quarter of 2024 to the first quarter of 2025. That makes the domain the third-most commonly abused.
The report also recorded a 204% increase in phishing emails delivering malware last year, compared to 2024.
“Together, these patterns demonstrate why phishing must be analyzed after delivery, where behavioral context and human validation expose threats that evade static, perimeter-based controls,” Cofense claimed.